implement x_client_domain replacement

refpolicy/policy/global_tunables

@@ -322,7 +322,7 @@ gen_tunable(user_ping,false)
 # Strict policy specific
 #
 
-ifdef(`targeted_policy',`',`
+ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Allow gpg executable stack
@@ -344,6 +344,14 @@ gen_tunable(allow_ssh_keysign,false)
 ## </desc>
 gen_tunable(allow_user_mysql_connect,false)
 
+## <desc>
+## <p>
+## Allows clients to write to the X server shared
+## memory segments.
+## </p>
+## </desc>
+gen_tunable(allow_write_xshm,false)
+
 ## <desc>
 ## <p>
 ## Allow cdrecord to read various content.

refpolicy/policy/modules/apps/java.if

@@ -49,6 +49,9 @@ template(`java_per_userdomain_template',`
 	type $1_javaplugin_tmp_t;
 	files_tmp_file($1_javaplugin_tmp_t)
 
+	type $1_javaplugin_tmpfs_t;
+	files_tmpfs_file($1_javaplugin_tmpfs_t)
+	
 	########################################
 	#
 	# Local policy
@@ -67,6 +70,13 @@ template(`java_per_userdomain_template',`
 	allow $1_javaplugin_t $1_javaplugin_tmp_t:file create_file_perms;
 	files_filetrans_tmp($1_javaplugin_t,$1_javaplugin_tmp_t,{ file dir })
 
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_javaplugin_t $1_javaplugin_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_filetrans_tmpfs($1_javaplugin_t,$1_javaplugin_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
 	# cjp: rw_dir_perms here doesnt make sense
 	allow $1_javaplugin_t $1_home_t:dir rw_dir_perms;
 	allow $1_javaplugin_t $1_home_t:file rw_file_perms;
@@ -164,21 +174,7 @@ template(`java_per_userdomain_template',`
 		nscd_socket_use($1_javaplugin_t)
 	')
 
-	ifdef(`TODO',`
+	optional_policy(`xserver',`
-	# Manipulate the global font cache
+		xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
-	create_dir_file($1, $2_fonts_cache_t)
-	
-	# Read per user fonts and font config
-	r_dir_file($1, $2_fonts_t)
-	r_dir_file($1, $2_fonts_config_t)
-	
-	# There are some fonts in .gnome2
-	ifdef(`gnome.te', `
-		allow $1 $2_gnome_settings_t:dir { getattr search };
 	')
-	
-	allow $1_javaplugin_t $1_xauth_home_t:file { getattr read };
-	# Connect to X server
-	x_client_domain($1_javaplugin, $2) 
-	') dnl end TODO
 ')

refpolicy/policy/modules/apps/tvtime.if

@@ -51,6 +51,9 @@ template(`tvtime_per_userdomain_template',`
 	type $1_tvtime_tmp_t;
 	files_tmp_file($1_tvtime_tmp_t)
 
+	type $1_tvtime_tmpfs_t;
+	files_tmpfs_file($1_tvtime_tmpfs_t)
+	
 	########################################
 	#
 	# Local policy
@@ -71,7 +74,13 @@ template(`tvtime_per_userdomain_template',`
 	allow $1_tvtime_t $1_tvtime_tmp_t:dir create_dir_perms;
 	allow $1_tvtime_t $1_tvtime_tmp_t:file create_file_perms;
 	files_filetrans_tmp($1_tvtime_t, $1_tvtime_tmp_t, { file dir fifo_file })
-	fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmp_t,{file dir lnk_file fifo_file sock_file })
+
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_tvtime_t $1_tvtime_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_filetrans_tmpfs($1_tvtime_t,$1_tvtime_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 	# Type transition
 	domain_auto_trans($2, tvtime_exec_t, $1_tvtime_t)
@@ -133,7 +142,7 @@ template(`tvtime_per_userdomain_template',`
 		fs_manage_cifs_symlinks($1_tvtime_t)
 	')
 
-	ifdef(`TODO',`
+	optional_policy(`xserver',`
-		x_client_domain($1_tvtime, $1)
+		xserver_user_client_template($1,$1_tvtime_t,$1_tvtime_tmpfs_t)
 	')
 ')

refpolicy/policy/modules/services/ssh.if

@@ -59,11 +59,14 @@ template(`ssh_per_userdomain_template',`
 	domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
 	role $3 types $1_ssh_agent_t;
 
-	type $1_ssh_keysign_t; #, nscd_client_domain;
+	type $1_ssh_keysign_t;
 	domain_type($1_ssh_keysign_t)
 	domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
 	role $3 types $1_ssh_keysign_t;
 
+	type $1_ssh_tmpfs_t;
+	files_tmpfs_file($1_ssh_tmpfs_t)
+
 	##############################
 	#
 	# $1_ssh_t local policy
@@ -82,6 +85,13 @@ template(`ssh_per_userdomain_template',`
 	allow $1_ssh_t self:msg { send receive };
 	allow $1_ssh_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
 
+	allow $1_ssh_t $1_ssh_tmpfs_t:dir rw_dir_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:file manage_file_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:sock_file manage_file_perms;
+	allow $1_ssh_t $1_ssh_tmpfs_t:fifo_file manage_file_perms;
+	fs_filetrans_tmpfs($1_ssh_t,$1_ssh_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
 	# Transition from the user domain to the derived domain.
 	domain_auto_trans($2, ssh_exec_t, $1_ssh_t)
 	allow $2 $1_ssh_t:fd use;
@@ -211,6 +221,7 @@ template(`ssh_per_userdomain_template',`
 	')
 
 	optional_policy(`xserver',`
+		xserver_user_client_template($1,$1_ssh_t,$1_ssh_tmpfs_t)
 		xserver_domtrans_user_xauth($1,$1_ssh_t)
 	')
 
@@ -232,15 +243,9 @@ template(`ssh_per_userdomain_template',`
 	# for /bin/sh used to execute xauth
 	dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read };
 
-	# Inherit and use descriptors from gnome-pty-helper.
-	ifdef(`gnome-pty-helper.te', `allow $1_ssh_t $1_gph_t:fd use;')
-
 	# allow ps to show ssh
 	can_ps($1_t, $1_ssh_t)
 
-	# Connect to X server
-	x_client_domain($1_ssh, $1)
-
 	#allow ssh to access keys stored on removable media
 	# Should we have a boolean around this?
 	files_search_mnt($1_ssh_t)
@@ -608,6 +613,26 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
 	dontaudit $1 sshd_t:tcp_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Connect to SSH daemons over TCP sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_tcp_connect',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:tcp_socket { connectto recvfrom };
+	allow sshd_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')
+
 ########################################
 ## <summary>
 ##	Read ssh server keys

refpolicy/policy/modules/services/xserver.if

@@ -1,5 +1,17 @@
 ## <summary>X Windows Server</summary>
 
+#######################################
+## <summary>
+##	Template to create types and rules common to
+##	all X server domains.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+#
 template(`xserver_common_domain_template',`
 
 	##############################
@@ -404,6 +416,160 @@ template(`xserver_per_userdomain_template',`
 	')
 ')
 
+#######################################
+## <summary>
+##	Template for creating sessions on a
+##	prefix X server, with read-only
+##	access to the X server shared
+##	memory segments.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_ro_session_template',`
+	gen_require(`
+		type $1_xserver_t, $1_xserver_tmp_t, $1_xserver_tmpfs_t;
+	')
+
+	# Xserver read/write client shm
+	allow $1_xserver_t $2:fd use;
+	allow $1_xserver_t $2:shm rw_shm_perms;
+	allow $1_xserver_t $3:file rw_file_perms;
+
+	# Connect to xserver
+	allow $2 $1_xserver_t:unix_stream_socket connectto;
+	allow $2 $1_xserver_t:process signal;
+
+	# Read /tmp/.X0-lock
+	allow $2 $1_xserver_tmp_t:file { getattr read };
+
+	# Client read xserver shm
+	allow $2 $1_xserver_t:fd use;
+	allow $2 $1_xserver_t:shm r_shm_perms;
+	allow $2 $1_xserver_tmpfs_t:file r_file_perms;
+')
+
+#######################################
+## <summary>
+##	Template for creating sessions on a
+##	prefix X server, with read and write
+##	access to the X server shared
+##	memory segments.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_rw_session_template',`
+	gen_require(`
+		type $1_xserver_t, $1_xserver_tmpfs_t;
+	')
+
+	xserver_ro_session_template($1,$2,$3)
+	allow $2 $1_xserver_t:shm rw_shm_perms;
+	allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+')
+
+#######################################
+## <summary>
+##	Template for creating full client sessions
+##	on a user X server.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tmpfs_type">
+##	<summary>
+##	The type of the domain SYSV tmpfs files.
+##	</summary>
+## </param>
+#
+template(`xserver_user_client_template',`
+
+	gen_require(`
+		type xdm_t, xdm_tmp_t;
+		type $1_xauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
+	')
+
+	allow $2 self:shm create_shm_perms;
+	allow $2 self:unix_dgram_socket create_socket_perms;
+	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+
+	# Read .Xauthority file
+	allow $2 $1_xauth_home_t:file { getattr read };
+
+	# for when /tmp/.X11-unix is created by the system
+	allow $2 xdm_t:fd use;
+	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_tmp_t:dir search;
+	allow $2 xdm_tmp_t:sock_file { read write };
+	dontaudit $2 xdm_t:tcp_socket { read write };
+
+	# Allow connections to X server.
+	files_search_tmp($2)
+
+	miscfiles_read_fonts($2)
+
+	userdom_search_user_home($1,$2)
+	# for .xsession-errors
+	userdom_dontaudit_write_user_home_files($1,$2)
+
+	xserver_ro_session_template(xdm,$2,$3)
+	xserver_rw_session_template($1,$2,$3)
+
+	# Client write xserver shm
+	tunable_policy(`allow_write_xshm',`
+		allow $2 $1_xserver_t:shm rw_shm_perms;
+		allow $2 $1_xserver_tmpfs_t:file rw_file_perms;
+	')
+
+	# for X over a ssh tunnel
+	optional_policy(`ssh',`
+		kernel_tcp_recvfrom($2)
+		ssh_tcp_connect($2)
+	')
+
+	ifdef(`TODO',`
+	# cjp: need to implement the user-specific fonts part
+	read_fonts($2, $1)
+	')
+')
+
 ########################################
 ## <summary>
 ##	Transition to a user Xauthority domain.

refpolicy/policy/modules/services/xserver.te

@@ -276,8 +276,7 @@ ifdef(`strict_policy',`
 	auth_domtrans_chk_passwd(xdm_t)
 	auth_domtrans_pam_console(xdm_t)	
 
-	# FIXME:
+	xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-	# xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 
 	tunable_policy(`xdm_sysadm_login',`
 		userdom_xsession_spec_domtrans_all_users(xdm_t)

refpolicy/policy/modules/system/userdomain.if

@@ -245,7 +245,6 @@ template(`base_user_template',`
 	logging_dontaudit_getattr_all_logs($1_t)
 
 	miscfiles_read_localization($1_t)
-	miscfiles_read_fonts($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
@@ -440,6 +439,7 @@ template(`base_user_template',`
 
 	optional_policy(`xserver',`
 		dev_rw_xserver_misc($1_t)
+		xserver_user_client_template($1,$1_t,$1_tmpfs_t)
 		xserver_xsession_entry_type($1_t)
 		xserver_dontaudit_write_log($1_t)
 		xserver_stream_connect_xdm($1_t)
@@ -474,27 +474,9 @@ template(`base_user_template',`
 
 	can_resmgrd_connect($1_t)
 
-	# Use X
-	x_client_domain($1, $1)
-
 	ifdef(`xdm.te', `
 		allow $1_t xdm_var_lib_t:file r_file_perms;
 	')
-
-	# start read_fonts()
-	# cjp: these types come in from fontconfig
-	# Manipulate the global font cache
-	create_dir_file($1, $1_fonts_cache_t)
-
-	# Read per user fonts and font config
-	r_dir_file($1, $1_fonts_t)
-	r_dir_file($1, $1_fonts_config_t)
-
-	# There are some fonts in .gnome2
-	ifdef(`gnome.te', `
-	allow $1 $2_gnome_settings_t:dir { getattr search };
-	')
-	# end read_fonts()
 	') dnl endif TODO
 
 ')
@@ -1390,6 +1372,39 @@ template(`userdom_dontaudit_read_user_home_files',`
 	dontaudit $2 $1_home_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to write user home files.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to write user home files.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+template(`userdom_dontaudit_write_user_home_files',`
+	gen_require(`
+		type $1_home_t;
+	')
+
+	dontaudit $2 $1_home_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Read user home subdirectory symbolic links.