From f5f0af2c24bed4d9121f53af857ae724326ad90d Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 8 Aug 2021 12:07:26 -0400
Subject: [PATCH] mozilla, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge
---
 policy/modules/apps/mozilla.if | 43 ++++++++++++++++++++----------
 policy/modules/roles/staff.te | 2 +-
 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 policy/modules/roles/xguest.te | 2 +-
 5 files changed, 33 insertions(+), 18 deletions(-)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index dfcb9e854..01427996c 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -4,18 +4,29 @@
 ##
 ## Role access for mozilla.
 ##
-##
+##
 ##
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ##
 ##
-##
+##
 ##
 ## User domain for the role.
 ##
 ##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
+##
+##
+## Role allowed access
+##
+##
 #
-interface(`mozilla_role',`
+template(`mozilla_role',`
 gen_require(`
 type mozilla_t, mozilla_exec_t, mozilla_home_t;
 type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
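Review bot: The header comment for `mozilla_role` in policy/modules/apps/mozilla.if documents four arguments but does not say that the first positional argument changed meaning, from the role to the role prefix, with the role itself now in fourth position. A caller outside this tree that still uses the old two-argument form would presumably expand with empty `$3` and `$4`, so the break is worth stating where callers read the contract. I would add a line to the summary such as `## All four arguments are required; the role is now the fourth argument, not the first.` The template body starts in this hunk and continues past its end.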
@@ -28,25 +39,25 @@ interface(`mozilla_role',`
 # Declarations
 #
- roleattribute $1 mozilla_roles;
+ roleattribute $4 mozilla_roles;
 ########################################
 #
 # Policy
 #
- domtrans_pattern($2, mozilla_exec_t, mozilla_t)
+ domtrans_pattern($3, mozilla_exec_t, mozilla_t)
- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
- ps_process_pattern($2, mozilla_t)
+ allow $3 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
+ ps_process_pattern($3, mozilla_t)
- allow mozilla_t $2:process signull;
- allow mozilla_t $2:unix_stream_socket connectto;
+ allow mozilla_t $3:process signull;
+ allow mozilla_t $3:unix_stream_socket connectto;
- allow $2 mozilla_t:fd use;
- allow $2 mozilla_t:shm rw_shm_perms;
+ allow $3 mozilla_t:fd use;
+ allow $3 mozilla_t:shm rw_shm_perms;
- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
+ stream_connect_pattern($3, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
 allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
 allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
@@ -68,7 +79,11 @@ interface(`mozilla_role',`
 allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 optional_policy(`
- mozilla_dbus_chat($2)
+ mozilla_dbus_chat($3)
+ ')
+
+ optional_policy(`
+ systemd_user_app_status($1, mozilla_t)
 ')
 ')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 9aab3b6f0..2580caa59 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -135,7 +135,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- mozilla_role(staff_r, staff_t)
+ mozilla_role(staff, staff_t, staff_application_exec_domain, staff_r)
 ')
 optional_policy(`
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 92aa377e1..c4e402c18 100644
--- a/policy/modules/roles/sysadm.te
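Review bot: In the second hunk of policy/modules/apps/mozilla.if, `allow $3 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };` gives `ptrace` and the full signal set on `mozilla_t` to every domain carrying the exec domain attribute passed as `$3`, where it was previously limited to the single user domain `$2`. Only the transition-related permissions need to follow `domtrans_pattern($3, ...)`; unless another member of the attribute is known to need the rest, I would keep them on the user domain: `allow $3 mozilla_t:process { noatsecure siginh rlimitinh };` and `allow $2 mozilla_t:process { ptrace signal_perms };`. The same question applies to `allow $3 mozilla_t:shm rw_shm_perms;` and `ps_process_pattern($3, mozilla_t)` further down the hunk. Which domains the attribute contains is not visible here, so the actual widening depends on its membership. The template body begins before this hunk and runs past it.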
+++ b/policy/modules/roles/sysadm.te
@@ -625,7 +625,7 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_role(sysadm_r, sysadm_t)
+ mozilla_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6f417d5b5..bf859daef 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -103,7 +103,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- mozilla_role(user_r, user_t)
+ mozilla_role(user, user_t, user_application_exec_domain, user_r)
 ')
 optional_policy(`
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index 4daacc545..ae8e69f28 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -98,7 +98,7 @@ optional_policy(`
 ')
 optional_policy(`
- mozilla_role(xguest_r, xguest_t)
+ mozilla_role(xguest, xguest_t, xguest_application_exec_domain, xguest_r)
 ')
 optional_policy(`