Commit message (author, date; files changed, lines -removed/+added)

* Move all files out of the old contrib directory. (Chris PeBenito, 2018-06-24; 1115 files, -2211/+0)

* xdg: move compat interfaces to upstream xdg module (Jason Zaman, 2018-06-16; 4 files, -1055/+676)

* gpg: migrate to upstream xdg rules (Jason Zaman, 2018-06-16; 1 file, -14/+5)

* thunderbird: migrate to upstream xdg rules (Jason Zaman, 2018-06-16; 1 file, -10/+1)

* pulseaudio: deprecate gentoo-specific pulseaudio_client_domain() (Jason Zaman, 2018-06-16; 4 files, -27/+36)

* pulseaudio: migrate to upstream xdg interfaces (Jason Zaman, 2018-06-16; 1 file, -11/+0)

* mplayer: migrate to upstream xdg interfaces (Jason Zaman, 2018-06-16; 1 file, -36/+8)

* mozilla: remove gentoo specific rules that are now upstream (Jason Zaman, 2018-06-16; 2 files, -69/+95)

* xdg: remove gentoo-specific xdg rules (Jason Zaman, 2018-06-16; 1 file, -28/+0)

* gnome: update to use new upstream xdg interfaces (Jason Zaman, 2018-06-16; 2 files, -61/+9)

* xserver: update to use new upstream xdg interfaces (Jason Zaman, 2018-06-16; 2 files, -6/+8)

* userdomain: remove gentoo-specific xdg interfaces now that they are upstream (Jason Zaman, 2018-06-16; 1 file, -144/+0)

* XDG module version bump. (Chris PeBenito, 2018-06-14; 19 files, -19/+19)
* Switch syncthing to XDG config types and make user content access optional (Sven Vermeulen, 2018-06-14; 3 files, -16/+13)

    The syncthing application can, but does not have to, be used for synchronizing end user data. Hence, the user data access is made optional through the support of the syncthing_*_user_content booleans.

    Also, the syncthing_config_home_t type is renamed to syncthing_xdg_config_t to be aligned with the XDG setup. An alias is put in place to allow for a transitional period before syncthing_config_home_t is completely phased out.

    Changes since v2:
    - Fix typo in call to userdom_user_content_access_template

    Changes since v1:
    - Move tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make xscreensaver user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -1/+25)

    The xscreensaver application currently has the privileges to read user content, to display images stored in the users' home directory. We now grant this through xdg_pictures_t access, and make the generic user content access optional.

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make wireshark user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -2/+3)

    The wireshark application does not need full manage rights on user content. Hence, we make these privileges optional through support of the wireshark_*_user_content booleans.

    To allow wireshark to read recorded network traffic, wireshark is granted read access on the downloads location.

    Changes since v1:
    - Move tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make postfix user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -5/+1)

    The postfix virtual domain does not always need full manage rights on the users' home directories and content. We make these rights optional through the postfix_{read,manage}_{generic,all}_user_content booleans.

    Changes since v1:
    - Move tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make openoffice user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -8/+4)

    The openoffice domain should not have full manage rights on all user content. Instead, it is granted manage rights on the documents (xdg_documents_t) while the other privileges are made optional through the openoffice_{read,manage}_{generic,all}_user_content booleans.

    Changes since v1:
    - Move tunable definitions inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make java user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -6/+7)

    The java_domain attribute covers many java related domains. Historically, the privileges on the java domain have been quite open, including the access to the users' personal files. However, this should not be the case at all times - some administrators might want to reduce this scope, and only grant specific domains (rather than the generic java ones) the necessary accesses.

    In this patch, the manage rights on the user content is moved under support of specific java-related booleans.

    Changes since v1:
    - Move tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make irc user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -3/+3)

    IRC clients do not need to have manage rights on user content at all times. We make this optional, under the support of the irc_{read,manage}_{generic,all}_user_content booleans.

    To enable simple IRC-based upload/downloads, the irc_t domain does get manage rights on the xdg_downloads_t type (~/Downloads).

    Changes since v1:
    - Move tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make i18n_input user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -1/+23)

    The i18n_input domains (be it iiimd or htt_server) do not always need read access on user domains. Make these privileges optional under the i18n_input_read_generic_user_content boolean.

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make gpg user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -2/+4)

    The GnuPG application does not require access to users' data in all situations. When used through plugins it only accesses user temporary data for instance. However, in most cases, access to end user data is still preferred.

    Hence, the read- and manage rights on the generic user content is moved under support of the right booleans, but with a default value allowing these privileges.

    Changes since v2:
    - Fix typo, use xdg_read_data_files rather than xdg_read_data_home_files

    Changes since v1:
    - Move tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make firstboot user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -6/+8)

    The firstboot service does not really need user content access in the majority of cases. It is meant to initialize the system after first boot, which is primarily a non-user-related service approach.

    To still support the off cases where user content access is needed, the necessary privileges are made optional through support of the firstboot_{read,manage}_{generic,all}_user_content booleans.

    Changes since v1:
    - Move tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Make cron user content access optional (Sven Vermeulen, 2018-06-14; 1 file, -10/+8)

    Cron has two modus operandi for handling cron jobs: either the cron jobs run in the generic cronjob_t domain, or they run in the users' main domain.

    The generic cronjob_t domain had manage rights on the user content. With this change, this is made optional under support of the necessary booleans (cron_{read,manage}_{generic,all}_user_content).

    Changes since v2:
    - Keep userdom_exec_user_home_content_files in main block as it contains a tunable definition so cannot be nested within another tunable block

    Changes since v1:
    - Move tunable definitions inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* Enhance thunderbird domain with XDG privilege sets (Sven Vermeulen, 2018-06-14; 1 file, -5/+10)

    Thunderbird makes use of the ~/.cache/thunderbird location for its application cache data. The other XDG main locations do not seem to be used actively, although it does require read access on the ~/.local/share location.

    The standard manage rights on the user content are removed and replaced with the tunable blocks. Manage rights on the temporary user files is retained as it is used for drafting e-mails.

    Changes since v1:
    - Move tunable definitions inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Enhance telepathy domains with XDG privilege sets (Sven Vermeulen, 2018-06-14; 3 files, -56/+57)

    The telepathy domain already had some support for the XDG-style locations (cache, config and data). In this patch the rules are updated to use the XDG-style approach (naming) as well as include the necessary file transitions.

    Changes since v2:
    - Add telepathy_mission_control_home_t as required type in the role declaration

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Enhance pulseaudio domain with XDG privilege sets (Sven Vermeulen, 2018-06-14; 2 files, -1/+12)

    The pulseaudio domain was configured to use the ~/.config/pulse/ location as pulseaudio_home_t. With the introduction of the XDG-based types, this can now be switched to pulseaudio_xdg_config_t.

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Enhance mplayer domains with XDG privilege sets (Sven Vermeulen, 2018-06-14; 1 file, -3/+9)

    The mplayer application, and its accompanying mencoder application, should not by default hold manage rights on the end user data. Instead, the mplayer_t domain gets read access on music and videos, while mencoder_t gets manage access on music and videos.

    The manage rights on the user content is then moved under the support of the booleans (*_read_generic_user_content, *_read_all_user_content, *_manage_generic_user_content and *_manage_all_user_content). The booleans are made available for both domains (so one set for mplayer and one set for mencoder).

    Changes since v1:
    - Moved tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Enhance mozilla domain with XDG privilege sets (Sven Vermeulen, 2018-06-14; 1 file, -0/+14)

    The mozilla-style browsers, such as Firefox, should not by default have manage rights on end user content. These privileges are now moved under the support of the booleans (mozilla_{read,manage}_{generic,all}_user_content), with read access being enabled by default on the generic user content.

    The browsers are granted manage rights on the Downloads/ location through the xdg_manage_downloads() privileges.

    Additionally, these browsers do use the ~/.cache/mozilla location for their user-specific application cache data. Hence, the mozilla_xdg_cache_t type is introduced and the necessary privileges are provided for the mozilla- and mozilla plugin domains.

    Changes since v1:
    - Moved tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Enhance minidlna domain with XDG privilege sets (Sven Vermeulen, 2018-06-14; 1 file, -0/+4)

    The minidlna domain is meant for the minidlna media server. Hence, its primary duty is to present pictures, videos and music. With these types of data in the user home directory now being marked as xdg_pictures_t, xdg_videos_t and xdg_music_t, the minidlna_t domain is granted read access to these resources.

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Enhance gnome domains with XDG privilege sets (Sven Vermeulen, 2018-06-14; 2 files, -0/+39)

    Many of the GNOME domains make full use of all the basic XDG locations. With the introduction of support for these (~/.cache, ~/.local and ~/.config) the appropriate GNOME XDG type definitions are added, together with the necessary privileges for accessing these types.

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Enhance evolution domain with XDG privilege sets (Sven Vermeulen, 2018-06-14; 2 files, -7/+29)

    The Evolution e-mail client uses all XDG locations, which have been switched from the regular end user type (user_home_t) toward the XDG related ones. In this patch, the evolution_t domain now supports accessing the newly defined types.

    Next to the XDG changes, the user content accesses are now also made optional through the evolution_{read,manage}_{generic,all}_user_content booleans. The mail client does have manage rights on the Downloads location.

    Changes since v1:
    - Moved tunable definition inside template

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
* XDG: Module version bump. (Chris PeBenito, 2018-06-14; 2 files, -2/+2)

* userdom: remove filetrans from userdom_user_content_access_template (Jason Zaman, 2018-06-14; 1 file, -2/+0)

* tunable-managed user content access template (Sven Vermeulen, 2018-06-14; 1 file, -1/+97)

    To simplify policy management on the various application domains with respect to user content access, a template is introduced which generates four tunable_policy() blocks.

    - The *_read_generic_user_content boolean will enable the application domain to read generic user resources (labeled with user_home_t).
    - The *_read_all_user_content boolean does the same, but for all user resources (those associated with the user_home_content_type attribute).
    - The *_manage_generic_user_content boolean enables the application to manage generic user resources (labeled with user_home_t)
    - The *_manage_all_user_content boolean does the same, but for all user resources (those associated with the user_home_content_type attribute).

    Although it would be even better to generate the booleans themselves as well (which is what Gentoo does with this template), it would result in booleans without proper documentation. Calls such as "semanage boolean -l" would fail to properly show a description on the boolean - something Gentoo resolves by keeping this documentation separate in a doc/gentoo_tunables.xml file.

    In this patch, we assume that the calling modules will define the booleans themselves (with appropriate documentation). The template checks for the existence of the booleans. This approach is more in line with how domain-specific booleans are managed up to now.

    Changes since v2:
    - Fix typo in gen_require (had a closing : instead of ;)

    Changes since v1:
    - Use in-line XML comment and tunable definition

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* helper interfaces to read/manage all user content (Sven Vermeulen, 2018-06-14; 1 file, -0/+44)

    To facilitate handling user home content (through the user_home_content_type attribute) the following interfaces are provided:

    - userdom_read_all_user_home_content
    - userdom_manage_all_user_home_content

    Domains that are granted these privileges are able to read (or manage) all user home content, so not only the generic one (user_home_t) but all types that have been assigned the user_home_content_type attribute. This is more than just user_home_t and the XDG types, so the use should not be granted automatically.

    As part of the larger XDG patch set, these interfaces are called through the *_read_all_user_content and *_manage_all_user_content booleans which are by default not enabled.

    Changes since v2:
    - Fix typo in pattern call

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* Allow X server users to manage all xdg resources (Sven Vermeulen, 2018-06-14; 1 file, -0/+30)

    With the introduction of the freedesktop XDG location support in the policy, end users need to be allowed to manage these locations from their main user domain.

    The necessary privileges are added to the xserver_role() interface, which is in use by the unconfined user domain as well as the main other user domains (like user, sysadm and staff). The necessary file transitions for the directories are added as well.

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

* freedesktop location support (Sven Vermeulen, 2018-06-14; 3 files, -0/+1277)

    Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise).

    Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users.

    The first set of types are:

    - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache
    - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local
    - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config

    The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications.

    The second set of types are:

    - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location.
    - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location.
    - User music, with xdg_music_t as the type. This is generally for the ~/Music location.
    - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location.
    - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location.

    Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions.

    [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

    Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
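The following is an added example of how an application module would be written against the template from the "tunable-managed user content access template" entry and the XDG types from the "freedesktop location support" entry. It is illustration only, not code from refpolicy, from the Gentoo policy tree or from any commit on this page. The module name foo, the domain foo_t and the type foo_xdg_config_t are hypothetical. userdom_user_content_access_template(), xdg_manage_downloads(), xdg_read_data_files() and the four *_{read,manage}_{generic,all}_user_content booleans are named in the entries above; the (prefix, domain) argument order of the template and the interface names xdg_config_content(), xdg_config_filetrans() and userdom_user_application_domain() are assumptions about the policy and should be checked against the installed xdg.if and userdomain.if before use.

```m4
policy_module(foo, 1.0.0)

########################################
#
# Declarations
#

# The template does not create booleans; the calling module defines them,
# with the inline XML description that "semanage boolean -l" shows, and the
# template only gen_require()s them. Defaults follow the pattern used by the
# entries above: read generic content on, everything broader off.

## <desc>
## <p>
## Determine whether foo can read generic user home content (user_home_t).
## </p>
## </desc>
gen_tunable(foo_read_generic_user_content, true)

## <desc>
## <p>
## Determine whether foo can read all user home content
## (every type with the user_home_content_type attribute).
## </p>
## </desc>
gen_tunable(foo_read_all_user_content, false)

## <desc>
## <p>
## Determine whether foo can manage generic user home content (user_home_t).
## </p>
## </desc>
gen_tunable(foo_manage_generic_user_content, false)

## <desc>
## <p>
## Determine whether foo can manage all user home content.
## </p>
## </desc>
gen_tunable(foo_manage_all_user_content, false)

type foo_t;
type foo_exec_t;
# Assumed interface name: marks foo_t as a user application domain
userdom_user_application_domain(foo_t, foo_exec_t)

# Domain-specific XDG config type, following the chromium_xdg_config_t
# pattern described above, so unrelated application domains cannot read it.
# Assumed interface name. The matching foo.fc entry (not shown) would label
# HOME_DIR/\.config/foo(/.*)? with foo_xdg_config_t.
type foo_xdg_config_t;
xdg_config_content(foo_xdg_config_t)

########################################
#
# Policy
#

# Unconditional access to the domain's own config directory only.
manage_dirs_pattern(foo_t, foo_xdg_config_t, foo_xdg_config_t)
manage_files_pattern(foo_t, foo_xdg_config_t, foo_xdg_config_t)

# Create ~/.config/foo with its private label instead of the generic
# xdg_config_t. Assumed interface name and argument order
# (domain, private type, object class, name).
xdg_config_filetrans(foo_t, foo_xdg_config_t, dir, "foo")

# Narrow, unconditional XDG grants (interfaces named in the log above):
# the application may fill ~/Downloads and read ~/.local/share.
xdg_manage_downloads(foo_t)
xdg_read_data_files(foo_t)

# Broad home-directory access is tunable. The template checks that the four
# foo_*_user_content booleans exist and emits one tunable_policy() block per
# boolean; the *_all_* variants call userdom_read_all_user_home_content /
# userdom_manage_all_user_home_content and so cover every
# user_home_content_type, not just user_home_t and the XDG types.
# Assumed argument order: (boolean prefix, domain).
userdom_user_content_access_template(foo, foo_t)
```

Keep the template call at the top level of the .te file: tunable_policy() blocks cannot be nested, which is why the cron entry above has to keep userdom_exec_user_home_content_files (an interface that itself contains a tunable) outside its tunable block. After the module is built and loaded, `semanage boolean -l | grep foo_` lists the four booleans with the descriptions from the XML comments, and `setsebool -P foo_manage_all_user_content on` is the explicit opt-in that widens foo_t to the whole home directory. As the telepathy entry notes, the role interface that lets a user domain run foo_t also needs foo_xdg_config_t in its gen_require so the user can manage the directory from the main user domain.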
* colord, dirmngr, gpg, portage, redis: Module version bump. (Chris PeBenito, 2018-06-14; 5 files, -5/+5)

* portage: Move lines. (Chris PeBenito, 2018-06-14; 1 file, -4/+4)

* corecommands: Module version bump. (Chris PeBenito, 2018-06-14; 1 file, -1/+1)

* refpolicy: Update for kernel sctp support (Richard Haines, 2018-06-14; 2 files, -2/+425)

    Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16

    Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

* portage: allow gpg for tree signature verification [tag 2.20180114-r3] (Jason Zaman, 2018-06-08; 1 file, -2/+15)

* gpg: Introduce gpg_exec_agent() (Jason Zaman, 2018-06-08; 1 file, -0/+19)

* dirmngr: allow connecting to hkps (hkp over TLS) (Jason Zaman, 2018-06-08; 1 file, -0/+2)

* colord: allow mapping usr files (Jason Zaman, 2018-06-08; 1 file, -0/+1)

* redis: add log filetrans, already had log manage (Jason Zaman, 2018-06-08; 1 file, -0/+1)

* corecommands: adjust gcc fcontext to also work on musl (Jason Zaman, 2018-06-08; 1 file, -4/+4)

* lvm: allow reading initrc pipes (Jason Zaman, 2018-06-08; 2 files, -1/+22)

    Bug: https://bugs.gentoo.org/615300

* systemd: Move lines. (Chris PeBenito, 2018-06-08; 3 files, -28/+23)