selinux-refpolicy/policy/modules/system/xdg.if

1273 lines
28 KiB
Plaintext
Raw Normal View History

freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
## <summary>
## Freedesktop standard locations (formerly known as X Desktop Group)
## </summary>
########################################
## <summary>
## Mark the selected type as an xdg_cache_type
## </summary>
## <param name="type">
## <summary>
## Type to give the xdg_cache_type attribute to
## </summary>
## </param>
#
interface(`xdg_cache_content',`
gen_require(`
attribute xdg_cache_type;
')
typeattribute $1 xdg_cache_type;
userdom_user_home_content($1)
')
########################################
## <summary>
## Mark the selected type as an xdg_config_type
## </summary>
## <param name="type">
## <summary>
## Type to give the xdg_config_type attribute to
## </summary>
## </param>
#
interface(`xdg_config_content',`
gen_require(`
attribute xdg_config_type;
')
typeattribute $1 xdg_config_type;
userdom_user_home_content($1)
')
########################################
## <summary>
## Mark the selected type as an xdg_data_type
## </summary>
## <param name="type">
## <summary>
## Type to give the xdg_data_type attribute to
## </summary>
## </param>
#
interface(`xdg_data_content',`
gen_require(`
attribute xdg_data_type;
')
typeattribute $1 xdg_data_type;
userdom_user_home_content($1)
')
########################################
## <summary>
## Read the xdg cache home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_read_cache_files',`
gen_require(`
type xdg_cache_t;
')
read_files_pattern($1, xdg_cache_t, xdg_cache_t)
allow $1 xdg_cache_t:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
list_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
read_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Read all xdg_cache_type files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_read_all_cache_files',`
gen_require(`
attribute xdg_cache_type;
')
read_files_pattern($1, xdg_cache_type, xdg_cache_type)
allow $1 xdg_cache_type:file map;
list_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
read_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create objects in an xdg_cache directory
## with an automatic type transition to
## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## The type of the object to create.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the file or directory created
## </summary>
## </param>
#
interface(`xdg_cache_filetrans',`
gen_require(`
type xdg_cache_t;
')
userdom_search_user_home_dirs($1)
filetrans_pattern($1, xdg_cache_t, $2, $3, $4)
xdg_create_cache_dirs($1)
')
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_cache_t type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the directory created
## </summary>
## </param>
#
interface(`xdg_generic_user_home_dir_filetrans_cache',`
gen_require(`
type xdg_cache_t;
')
userdom_user_home_dir_filetrans($1, xdg_cache_t, $2, $3)
')
########################################
## <summary>
## Create xdg cache home directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_create_cache_dirs',`
gen_require(`
type xdg_cache_t;
')
allow $1 xdg_cache_t:dir create_dir_perms;
')
########################################
## <summary>
## Manage the xdg cache home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_manage_cache',`
gen_require(`
type xdg_cache_t;
')
manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
manage_files_pattern($1, xdg_cache_t, xdg_cache_t)
allow $1 xdg_cache_t:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Manage all the xdg cache home files regardless of their specific type
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_manage_all_cache',`
gen_require(`
attribute xdg_cache_type;
')
manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
manage_files_pattern($1, xdg_cache_type, xdg_cache_type)
allow $1 xdg_cache_type:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Allow relabeling the xdg cache home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_cache',`
gen_require(`
type xdg_cache_t;
')
relabel_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
relabel_files_pattern($1, xdg_cache_t, xdg_cache_t)
relabel_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
relabel_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
relabel_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Allow relabeling the xdg cache home files, regardless of their specific type
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_all_cache',`
gen_require(`
attribute xdg_cache_type;
')
relabel_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
relabel_files_pattern($1, xdg_cache_type, xdg_cache_type)
relabel_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
relabel_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
relabel_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Search through the xdg config home directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_search_config_dirs',`
gen_require(`
type xdg_config_t;
')
search_dirs_pattern($1, xdg_config_t, xdg_config_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Read the xdg config home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_read_config_files',`
gen_require(`
type xdg_config_t;
')
read_files_pattern($1, xdg_config_t, xdg_config_t)
allow $1 xdg_config_t:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
list_dirs_pattern($1, xdg_config_t, xdg_config_t)
read_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Read all xdg_config_type files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_read_all_config_files',`
gen_require(`
attribute xdg_config_type;
')
read_files_pattern($1, xdg_config_type, xdg_config_type)
allow $1 xdg_config_type:file map;
list_dirs_pattern($1, xdg_config_type, xdg_config_type)
read_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create objects in an xdg_config directory
## with an automatic type transition to
## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## The type of the object to create.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the file or directory created
## </summary>
## </param>
#
interface(`xdg_config_filetrans',`
gen_require(`
type xdg_config_t;
')
userdom_search_user_home_dirs($1)
filetrans_pattern($1, xdg_config_t, $2, $3, $4)
xdg_create_config_dirs($1)
')
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_config_t type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the directory created
## </summary>
## </param>
#
interface(`xdg_generic_user_home_dir_filetrans_config',`
gen_require(`
type xdg_config_t;
')
userdom_user_home_dir_filetrans($1, xdg_config_t, $2, $3)
')
########################################
## <summary>
## Create xdg config home directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_create_config_dirs',`
gen_require(`
type xdg_config_t;
')
allow $1 xdg_config_t:dir create_dir_perms;
')
########################################
## <summary>
## Manage the xdg config home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_manage_config',`
gen_require(`
type xdg_config_t;
')
manage_dirs_pattern($1, xdg_config_t, xdg_config_t)
manage_files_pattern($1, xdg_config_t, xdg_config_t)
allow $1 xdg_config_t:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
manage_sock_files_pattern($1, xdg_config_t, xdg_config_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Manage all the xdg config home files regardless of their specific type
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_manage_all_config',`
gen_require(`
attribute xdg_config_type;
')
manage_dirs_pattern($1, xdg_config_type, xdg_config_type)
manage_files_pattern($1, xdg_config_type, xdg_config_type)
allow $1 xdg_config_type:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
manage_sock_files_pattern($1, xdg_config_type, xdg_config_type)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Allow relabeling the xdg config home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_config',`
gen_require(`
type xdg_config_t;
')
relabel_dirs_pattern($1, xdg_config_t, xdg_config_t)
relabel_files_pattern($1, xdg_config_t, xdg_config_t)
relabel_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
relabel_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
relabel_sock_files_pattern($1, xdg_config_t, xdg_config_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Allow relabeling the xdg config home files, regardless of their specific type
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_all_config',`
gen_require(`
attribute xdg_config_type;
')
relabel_dirs_pattern($1, xdg_config_type, xdg_config_type)
relabel_files_pattern($1, xdg_config_type, xdg_config_type)
relabel_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
relabel_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
relabel_sock_files_pattern($1, xdg_config_type, xdg_config_type)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Read the xdg data home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_read_data_files',`
gen_require(`
type xdg_data_t;
')
read_files_pattern($1, xdg_data_t, xdg_data_t)
allow $1 xdg_data_t:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
list_dirs_pattern($1, xdg_data_t, xdg_data_t)
read_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Read all xdg_data_type files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_read_all_data_files',`
gen_require(`
attribute xdg_data_type;
')
read_files_pattern($1, xdg_data_type, xdg_data_type)
allow $1 xdg_data_type:file map;
list_dirs_pattern($1, xdg_data_type, xdg_data_type)
read_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create objects in an xdg_data directory
## with an automatic type transition to
## a specified private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="private_type">
## <summary>
## The type of the object to create.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Optional name of the file or directory created
## </summary>
## </param>
#
interface(`xdg_data_filetrans',`
gen_require(`
type xdg_data_t;
')
userdom_search_user_home_dirs($1)
filetrans_pattern($1, xdg_data_t, $2, $3, $4)
xdg_create_data_dirs($1)
')
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_data_t type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the directory created
## </summary>
## </param>
#
interface(`xdg_generic_user_home_dir_filetrans_data',`
gen_require(`
type xdg_data_t;
')
userdom_user_home_dir_filetrans($1, xdg_data_t, $2, $3)
')
########################################
## <summary>
## Create xdg data home directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_create_data_dirs',`
gen_require(`
type xdg_data_t;
')
allow $1 xdg_data_t:dir create_dir_perms;
')
########################################
## <summary>
## Manage the xdg data home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_manage_data',`
gen_require(`
type xdg_data_t;
')
manage_dirs_pattern($1, xdg_data_t, xdg_data_t)
manage_files_pattern($1, xdg_data_t, xdg_data_t)
allow $1 xdg_data_t:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
manage_sock_files_pattern($1, xdg_data_t, xdg_data_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Manage all the xdg data home files, regardless of their specific type
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_manage_all_data',`
gen_require(`
attribute xdg_data_type;
')
manage_dirs_pattern($1, xdg_data_type, xdg_data_type)
manage_files_pattern($1, xdg_data_type, xdg_data_type)
allow $1 xdg_data_type:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
manage_sock_files_pattern($1, xdg_data_type, xdg_data_type)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Allow relabeling the xdg data home files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_data',`
gen_require(`
type xdg_data_t;
')
relabel_dirs_pattern($1, xdg_data_t, xdg_data_t)
relabel_files_pattern($1, xdg_data_t, xdg_data_t)
relabel_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
relabel_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
relabel_sock_files_pattern($1, xdg_data_t, xdg_data_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Allow relabeling the xdg data home files, regardless of their type
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_all_data',`
gen_require(`
attribute xdg_data_type;
')
relabel_dirs_pattern($1, xdg_data_type, xdg_data_type)
relabel_files_pattern($1, xdg_data_type, xdg_data_type)
relabel_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
relabel_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
relabel_sock_files_pattern($1, xdg_data_type, xdg_data_type)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_documents_t type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the directory created
## </summary>
## </param>
#
interface(`xdg_generic_user_home_dir_filetrans_documents',`
gen_require(`
type xdg_documents_t;
')
userdom_user_home_dir_filetrans($1, xdg_documents_t, $2, $3)
')
#########################################
## <summary>
## Manage documents content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_manage_documents',`
gen_require(`
type xdg_documents_t;
')
manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
allow $1 xdg_documents_t:file map;
manage_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
')
########################################
## <summary>
## Allow relabeling the documents resources
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_documents',`
gen_require(`
type xdg_documents_t;
')
relabel_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
relabel_files_pattern($1, xdg_documents_t, xdg_documents_t)
relabel_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
userdom_search_user_home_dirs($1)
')
#########################################
## <summary>
## Read downloaded content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_read_downloads',`
gen_require(`
type xdg_downloads_t;
')
read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
allow $1 xdg_downloads_t:file map;
list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
#########################################
## <summary>
## Create downloaded content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_create_downloads',`
gen_require(`
type xdg_downloads_t;
')
create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
allow $1 xdg_downloads_t:file map;
create_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
#########################################
## <summary>
## Write downloaded content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_write_downloads',`
gen_require(`
type xdg_downloads_t;
')
write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
allow $1 xdg_downloads_t:file map;
list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_downloads_t type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the directory created
## </summary>
## </param>
#
interface(`xdg_generic_user_home_dir_filetrans_downloads',`
gen_require(`
type xdg_downloads_t;
')
userdom_user_home_dir_filetrans($1, xdg_downloads_t, $2, $3)
')
#########################################
## <summary>
## Manage downloaded content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_manage_downloads',`
gen_require(`
type xdg_downloads_t;
')
manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
allow $1 xdg_downloads_t:file map;
manage_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
')
########################################
## <summary>
## Allow relabeling the downloads resources
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_downloads',`
gen_require(`
type xdg_downloads_t;
')
relabel_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
relabel_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
relabel_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
userdom_search_user_home_dirs($1)
')
#########################################
## <summary>
## Read user pictures content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_read_pictures',`
gen_require(`
type xdg_pictures_t;
')
read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
allow $1 xdg_pictures_t:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
read_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_pictures_t type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the directory created
## </summary>
## </param>
#
interface(`xdg_generic_user_home_dir_filetrans_pictures',`
gen_require(`
type xdg_pictures_t;
')
userdom_user_home_dir_filetrans($1, xdg_pictures_t, $2, $3)
')
#########################################
## <summary>
## Manage pictures content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_manage_pictures',`
gen_require(`
type xdg_pictures_t;
')
manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
allow $1 xdg_pictures_t:file map;
manage_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
')
########################################
## <summary>
## Allow relabeling the pictures resources
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_pictures',`
gen_require(`
type xdg_pictures_t;
')
relabel_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
relabel_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
relabel_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
userdom_search_user_home_dirs($1)
')
#########################################
## <summary>
## Read user music content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_read_music',`
gen_require(`
type xdg_music_t;
')
read_files_pattern($1, xdg_music_t, xdg_music_t)
allow $1 xdg_music_t:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
list_dirs_pattern($1, xdg_music_t, xdg_music_t)
read_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_pictures_t type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the directory created
## </summary>
## </param>
#
interface(`xdg_generic_user_home_dir_filetrans_music',`
gen_require(`
type xdg_music_t;
')
userdom_user_home_dir_filetrans($1, xdg_music_t, $2, $3)
')
#########################################
## <summary>
## Manage music content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_manage_music',`
gen_require(`
type xdg_music_t;
')
manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
manage_files_pattern($1, xdg_music_t, xdg_music_t)
allow $1 xdg_music_t:file map;
manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
')
########################################
## <summary>
## Allow relabeling the music resources
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_music',`
gen_require(`
type xdg_music_t;
')
relabel_dirs_pattern($1, xdg_music_t, xdg_music_t)
relabel_files_pattern($1, xdg_music_t, xdg_music_t)
relabel_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
userdom_search_user_home_dirs($1)
')
#########################################
## <summary>
## Read user video content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_read_videos',`
gen_require(`
type xdg_videos_t;
')
read_files_pattern($1, xdg_videos_t, xdg_videos_t)
allow $1 xdg_videos_t:file map;
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
read_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_videos_t type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The class of the object to be created.
## </summary>
## </param>
## <param name="filename" optional="true">
## <summary>
## Name of the directory created
## </summary>
## </param>
#
interface(`xdg_generic_user_home_dir_filetrans_videos',`
gen_require(`
type xdg_videos_t;
')
userdom_user_home_dir_filetrans($1, xdg_videos_t, $2, $3)
')
#########################################
## <summary>
## Manage video content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
#
interface(`xdg_manage_videos',`
gen_require(`
type xdg_videos_t;
')
manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
allow $1 xdg_videos_t:file map;
manage_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
freedesktop location support Introduce various freedesktop locations, based on the base directory specification [1]. The new locations are introduced as a separate module to keep the rules related to these specifications isolated from the main user domain (which is already one of the biggest modules code-wise). Right now, two distinct location groups are provided, one being the set of locations that will have domain-specific types, and one that remains generic for end users. The first set of types are: - XDG Cache location, meant for non-essential cached data. The base type here is xdg_cache_t, which is generally at $HOME/.cache - XDG Data location, for user-specific data. The base type here is xdg_data_t, which is generally at $HOME/.local - XDG Config location, for user-specific configuration files. The base type here is xdg_config_t, which is generally at $HOME/.config The idea here is to provide support for domain-specific files as well. For instance, Chromium has its user-specific configuration files in ~/.config/chromium, which is then marked as chromium_xdg_config_t. This allows for isolation of potentially sensitive information from regular user application domains. Firefox for instance should not be able to read user configuration data from unrelated applications. The second set of types are: - User documents, with xdg_documents_t as the type. This is generally for the ~/Documents location. - User downloads, with xdg_downloads_t as the type. This is generally for the ~/Downloads location. - User music, with xdg_music_t as the type. This is generally for the ~/Music location. - User pictures, with xdg_pictures_t as the type. This is generally for the ~/Pictures location. - User videos, with xdg_videos_t as the type. This is generally for the ~/Videos location. Alongside the type definitions, a number of access interfaces are defined to support the use of these types, and for the first set to enable the necessary file transitions. [1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-03-25 11:56:38 +00:00
')
########################################
## <summary>
## Allow relabeling the videos resources
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`xdg_relabel_videos',`
gen_require(`
type xdg_videos_t;
')
relabel_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
relabel_files_pattern($1, xdg_videos_t, xdg_videos_t)
relabel_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
userdom_search_user_home_dirs($1)
')