userdomain: introduce interfaces for user runtime

2016-06-02 00:08:56 +08:00 · 2016-06-02 00:08:56 +08:00 · 89d07b3266
parent cff5a53cde
commit 89d07b3266
1 changed files with 206 additions and 0 deletions
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -298,6 +298,7 @@ interface(`userdom_manage_tmp_role',`
 	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
 	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
 	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+	userdom_user_runtime_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
 ')

 #######################################
@ -2740,6 +2741,211 @@ interface(`userdom_search_user_runtime_root',`
 	files_search_pids($1)
 ')

+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	runtime root dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_runtime_root_dirs',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	allow $1 user_runtime_root_t:dir manage_dir_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	runtime dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir manage_dir_perms;
+	userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on user runtime dir
+##	directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_mounton_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir mounton;
+')
+
+########################################
+## <summary>
+##	Relabel to user runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabelto_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir relabelto;
+')
+
+########################################
+## <summary>
+##	Create objects in the pid directory
+##	with an automatic type transition to
+##	the user runtime root type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create objects in a user runtime
+##	directory with an automatic type
+##	transition to a specified private
+##	type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_filetrans',`
+	gen_require(`
+		type user_runtime_root_t, user_runtime_t;
+	')
+
+	filetrans_pattern($1, user_runtime_t, $2, $3, $4)
+	userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+##	Create objects in the user runtime directory
+##	with an automatic type transition to
+##	the user temporary type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_filetrans_user_tmp',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	userdom_user_runtime_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create objects in the user runtime root
+##	directory with an automatic type transition
+##	to the user runtime dir type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_root_filetrans_user_runtime',`
+	gen_require(`
+		type user_runtime_root_t, user_runtime_t;
+	')
+
+	filetrans_pattern($1, user_runtime_root_t, user_runtime_t, $2, $3)
+	files_search_pids($1)
+')
+
 ########################################
 ## <summary>
 ##	Read and write user tmpfs files.