From 9706f6a477f2d1d386d33e478c2c51063611d7a9 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Mon, 5 Nov 2012 12:55:13 +0100 Subject: [PATCH] Create a attribute user_home_content_type and assign it to all types that are classified userdom_user_home_content() Create various interfaces using the user_home_content_type attribute for tmpreaper user_home_t, user_tmp_t and user_tmpfs_t are user_home_content_type (why?) We should probably also create user_tmp_content_type and user_tmpfs_content_type attributes and assign to userdom_tmp_file and userdom_tmpfs_file respectively Signed-off-by: Dominick Grift --- policy/modules/system/userdomain.if | 101 ++++++++++++++++++++++++++++ policy/modules/system/userdomain.te | 2 + 2 files changed, 103 insertions(+) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index b15630a25..6d4424b09 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1350,9 +1350,12 @@ interface(`userdom_user_application_domain',` # interface(`userdom_user_home_content',` gen_require(` + attribute user_home_content_type; type user_home_t; ') + typeattribute $1 user_home_content_type; + allow $1 user_home_t:filesystem associate; files_type($1) files_poly_member($1) @@ -1702,6 +1705,25 @@ interface(`userdom_dontaudit_search_user_home_content',` dontaudit $1 user_home_t:dir search_dir_perms; ') +######################################## +## +## List all users home content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_list_all_user_home_content',` + gen_require(` + attribute user_home_content_type; + ') + + userdom_search_user_home_dirs($1) + allow $1 user_home_content_type:dir list_dir_perms; +') + ######################################## ## ## List contents of users home directory. 
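Review bot: The added `typeattribute $1 user_home_content_type;` in userdom_user_home_content() changes what that interface means for every caller, and its header comment does not say so. Any type passed to it now joins the attribute, so the userdom_*_all_user_home_content_* interfaces added in this patch grant list, setattr and delete access over all of those types at once, which may include home content holding credentials or keys if their modules call this interface (not visible here). The commit message itself notes that user_tmp_t and user_tmpfs_t carry the attribute, so until the separate tmp attributes it proposes exist, a caller of the delete interfaces would reach those types as well. I would add a sentence to the description block such as `Types passed to this interface are added to user_home_content_type and become reachable through the userdom_*_all_user_home_content_* interfaces.` The interface body continues outside the hunk.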
@@ -1740,6 +1762,26 @@ interface(`userdom_manage_user_home_content_dirs',` files_search_home($1) ') +######################################## +## +## Delete all user home content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_home_content_dirs',` + gen_require(` + attribute user_home_content_type; + type user_home_dir_t; + ') + + userdom_search_user_home_dirs($1) + delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) +') + ######################################## ## ## Delete directories in a user home subdirectory. @@ -1758,6 +1800,25 @@ interface(`userdom_delete_user_home_content_dirs',` allow $1 user_home_t:dir delete_dir_perms; ') +######################################## +## +## Set attributes of all user home content directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_setattr_all_user_home_content_dirs',` + gen_require(` + attribute user_home_content_type; + ') + + userdom_search_user_home_dirs($1) + allow $1 user_home_content_type:dir setattr_dir_perms; +') + ######################################## ## ## Do not audit attempts to set the @@ -1870,6 +1931,26 @@ interface(`userdom_dontaudit_write_user_home_content_files',` dontaudit $1 user_home_t:file write_file_perms; ') +######################################## +## +## Delete all user home content files. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_home_content_files',` + gen_require(` + attribute user_home_content_type; + type user_home_dir_t; + ') + + userdom_search_user_home_content($1) + delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) +') + ######################################## ## ## Delete files in a user home subdirectory. 
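Review bot: userdom_delete_all_user_home_content_dirs calls `delete_files_pattern`, which grants delete permissions on the file class, so the interface does not give the directory removal its name and summary describe. A caller such as tmpreaper would receive file-delete access over every user_home_content_type type from an interface documented as directory-only, and would still be denied rmdir on those directories. The directory counterpart should be used: `delete_dirs_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)`.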
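Review bot: In userdom_delete_all_user_home_content_files the pattern call is missing the comma after `$1`, so m4 sees two arguments instead of three and the expansion cannot produce the intended allow rules. The line should read `delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)`. The same interface calls `userdom_search_user_home_content($1)` where the sibling interfaces added in this patch call `userdom_search_user_home_dirs($1)`. The former appears to grant search on more than the home directory itself, so unless that is intended the call should be `userdom_search_user_home_dirs($1)` to keep the grant minimal and consistent.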
@@ -2032,6 +2113,26 @@ interface(`userdom_manage_user_home_content_symlinks',` files_search_home($1) ') +######################################## +## +## Delete all user home content symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_delete_all_user_home_content_symlinks',` + gen_require(` + attribute user_home_content_type; + type user_home_dir_t; + ') + + userdom_search_user_home_dirs($1) + delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type) +') + ######################################## ## ## Delete symbolic links in a user home directory. diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 460d96f40..1f2a51964 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -59,6 +59,8 @@ attribute unpriv_userdomain; attribute untrusted_content_type; attribute untrusted_content_tmp_type; +attribute user_home_content_type; + type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t)