commit:     f097f60dd8911534016b5e356313096a2bf413df
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:13 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f097f60d

Make xscreensaver user content access optional

The xscreensaver application currently has the privileges to read user
content, so that it can display images stored in the users' home directory.
We now grant this through xdg_pictures_t access, and make the generic user
content access optional.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

 policy/modules/contrib/xscreensaver.te | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/xscreensaver.te 
b/policy/modules/contrib/xscreensaver.te
index 1f581107..e6f5e649 100644
--- a/policy/modules/contrib/xscreensaver.te
+++ b/policy/modules/contrib/xscreensaver.te
@@ -5,6 +5,13 @@ policy_module(xscreensaver, 1.3.0)
 # Declarations
 #
 
+## <desc>
+##     <p>
+##     Grant the xscreensaver domains read access to generic user content
+##     </p>
+## </desc>
+gen_tunable(`xscreensaver_read_generic_user_content', true)
+
 attribute_role xscreensaver_roles;
 attribute_role xscreensaver_helper_roles;
 
@@ -56,11 +63,28 @@ logging_send_syslog_msg(xscreensaver_t)
 miscfiles_read_localization(xscreensaver_t)
 
 userdom_use_user_terminals(xscreensaver_t)
-userdom_read_user_home_content_files(xscreensaver_t)
+
+xdg_read_pictures(xscreensaver_t)
 
 xserver_rw_xsession_log(xscreensaver_t)
 xserver_user_x_domain_template(xscreensaver, xscreensaver_t, 
xscreensaver_tmpfs_t)
 
+tunable_policy(`xscreensaver_read_generic_user_content',`
+       userdom_list_user_tmp(xscreensaver_t)
+       userdom_list_user_home_content(xscreensaver_t)
+       userdom_read_user_home_content_files(xscreensaver_t)
+       userdom_read_user_home_content_symlinks(xscreensaver_t)
+       userdom_read_user_tmp_files(xscreensaver_t)
+',`
+       files_dontaudit_list_home(xscreensaver_t)
+       files_dontaudit_list_tmp(xscreensaver_t)
+
+       userdom_dontaudit_list_user_home_dirs(xscreensaver_t)
+       userdom_dontaudit_list_user_tmp(xscreensaver_t)
+       userdom_dontaudit_read_user_home_content_files(xscreensaver_t)
+       userdom_dontaudit_read_user_tmp_files(xscreensaver_t)
+')
+
 ########################################
 #
 # Helper local policy
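Review bot: Once the tunable is disabled, the only home-directory access left unconditionally is `xdg_read_pictures(xscreensaver_t)`, and reaching the pictures directory still requires search permission on the user home directory itself; whether that interface grants `userdom_search_user_home_dirs` on its own cannot be confirmed from this hunk. If it does not, the `userdom_dontaudit_list_user_home_dirs(xscreensaver_t)` rule in the false branch would silence exactly the denial that breaks the picture lookup, so the screensaver would fail to find images with nothing in the audit log to explain it. Suggest verifying the interface in xdg.if, or adding `userdom_search_user_home_dirs(xscreensaver_t)` unconditionally next to the `xdg_read_pictures` call so the dontaudit rules only hide the denials they are meant to hide.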
