xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/

policy/modules/services/xserver.fc

@@ -1,6 +1,7 @@
 #
 # HOME_DIR
 #
+HOME_DIR/\.cache/mesa_shader_cache(/.*)?	gen_context(system_u:object_r:mesa_shader_cache_t,s0)
 HOME_DIR/\.dmrc		--	gen_context(system_u:object_r:dmrc_home_t,s0)
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)

policy/modules/services/xserver.if

@@ -138,6 +138,7 @@ interface(`xserver_role',`
 	gen_require(`
 		type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+		type mesa_shader_cache_t;
 	')
 
 	xserver_restricted_role($1, $2)
@@ -167,6 +168,12 @@ interface(`xserver_role',`
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 
+	manage_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+	manage_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $2 mesa_shader_cache_t:file map;
+	relabel_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+	relabel_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+
 	xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority")
 
 	xserver_read_xkb_libs($2)
@@ -178,17 +185,17 @@ interface(`xserver_role',`
 		xdg_relabel_all_config($2)
 		xdg_manage_all_data($2)
 		xdg_relabel_all_data($2)
-	
+
 		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
 		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
 		xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-	
+
 		xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
 		xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
 		xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
 		xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
 		xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-	
+
 		xdg_manage_documents($2)
 		xdg_relabel_documents($2)
 		xdg_manage_downloads($2)
@@ -199,6 +206,8 @@ interface(`xserver_role',`
 		xdg_relabel_pictures($2)
 		xdg_manage_videos($2)
 		xdg_relabel_videos($2)
+
+		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
 ')
 
@@ -1619,3 +1628,25 @@ interface(`xserver_rw_xdm_keys',`
 
 	allow $1 xdm_t:key { read write setattr };
 ')
+
+########################################
+## <summary>
+##	Read and write the mesa shader cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_mesa_shader_cache',`
+	gen_require(`
+		type mesa_shader_cache_t;
+	')
+
+	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $1 mesa_shader_cache_t:file map;
+
+	xdg_search_cache_dirs($1)
+')

policy/modules/services/xserver.te

@@ -229,6 +229,9 @@ userdom_user_home_content(xsession_log_t)
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
+type mesa_shader_cache_t;
+xdg_cache_content(mesa_shader_cache_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
 	init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
@@ -693,6 +696,12 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
+manage_dirs_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
+manage_files_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
+allow xserver_t mesa_shader_cache_t:file map;
+xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
+xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
+
 domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
 allow xserver_t xauth_home_t:file read_file_perms;