[refpolicy] [PATCH 04/19] Enhance mozilla domain with XDG privilege sets

Sven Vermeulen sven.vermeulen at siphos.be
Mon May 22 16:11:40 UTC 2017


The mozilla-style browsers, such as Firefox, should not by default have
manage rights on end user content. These privileges are now controlled
by the booleans (mozilla_{read,manage}_{generic,all}_user_content); only
read access to generic user content is enabled by default.

The browsers are granted manage rights on the Downloads/ location
through the xdg_manage_downloads() privileges.

Additionally, these browsers do use the ~/.cache/mozilla location for
their user-specific application cache data. Hence, the
mozilla_xdg_cache_home_t type is introduced and the necessary privileges
are provided for the mozilla- and mozilla plugin domains.

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 mozilla.fc |  1 +
 mozilla.te | 46 ++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/mozilla.fc b/mozilla.fc
index 21974b8..195f924 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,3 +1,4 @@
+HOME_DIR/\.cache/mozilla(/.*)?	gen_context(system_u:object_r:mozilla_xdg_cache_home_t,s0)
 HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
diff --git a/mozilla.te b/mozilla.te
index 7ada83a..e194e79 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -13,6 +13,34 @@ policy_module(mozilla, 2.11.3)
 ## </desc>
 gen_tunable(mozilla_execstack, false)
 
+## <desc>
+##	<p>
+##	Grant the mozilla domains read access to generic user content
+##	</p>
+## </desc>
+gen_tunable(`mozilla_read_generic_user_content', true)
+
+## <desc>
+##	<p>
+##	Grant the mozilla domains read access to all user content
+##	</p>
+## </desc>
+gen_tunable(`mozilla_read_all_user_content', false)
+
+## <desc>
+##	<p>
+##	Grant the mozilla domains manage rights on generic user content
+##	</p>
+## </desc>
+gen_tunable(`mozilla_manage_generic_user_content', false)
+
+## <desc>
+##	<p>
+##	Grant the mozilla domains manage rights on all user content
+##	</p>
+## </desc>
+gen_tunable(`mozilla_manage_all_user_content', false)
+
 attribute_role mozilla_roles;
 attribute_role mozilla_plugin_roles;
 attribute_role mozilla_plugin_config_roles;
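Review bot: The four `<desc>` blocks say "the mozilla domains" without naming them, while the template call later in the patch (`userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })`) binds these booleans to exactly mozilla_t and mozilla_plugin_t, so an administrator listing booleans cannot tell that toggling one also affects the plugin domain. I would name both in each description, e.g. `Grant the mozilla and mozilla plugin domains read access to generic user content`. A style point: the new declarations quote the name (`gen_tunable(`mozilla_read_generic_user_content', true)`) while the existing `gen_tunable(mozilla_execstack, false)` two lines above does not; m4 accepts both, but one form per file reads better. Whether the template itself declares or only references these booleans is not visible in this patch.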
@@ -71,6 +99,9 @@ optional_policy(`
 	pulseaudio_tmpfs_content(mozilla_tmpfs_t)
 ')
 
+type mozilla_xdg_cache_home_t;
+xdg_cache_home_content(mozilla_xdg_cache_home_t)
+
 ########################################
 #
 # Local policy
@@ -114,6 +145,10 @@ allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
 
 stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
 
+manage_files_pattern(mozilla_t, mozilla_xdg_cache_home_t, mozilla_xdg_cache_home_t)
+manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_home_t, mozilla_xdg_cache_home_t)
+xdg_cache_home_filetrans(mozilla_t, mozilla_xdg_cache_home_t, dir, "mozilla")
+
 can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
 
 kernel_read_kernel_sysctls(mozilla_t)
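Review bot: The two patterns on the new cache type cover only the file and dir classes; if the browser ever creates symlinks under ~/.cache/mozilla those operations would be denied, which I cannot confirm from the patch. If that is intended, a one-line comment such as `# per-user application cache under ~/.cache/mozilla; no lnk_file access needed` records the choice; otherwise `manage_lnk_files_pattern(mozilla_t, mozilla_xdg_cache_home_t, mozilla_xdg_cache_home_t)` completes the set. The filetrans is limited to directories named "mozilla", which matches the new .fc entry in the first hunk.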
@@ -196,8 +231,7 @@ userdom_use_user_ptys(mozilla_t)
 userdom_manage_user_tmp_dirs(mozilla_t)
 userdom_manage_user_tmp_files(mozilla_t)
 
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
+userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })
 userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
 
 userdom_write_user_tmp_sockets(mozilla_t)
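Review bot: `userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })` stays unconditional on the line after the new template call, while the create rights it relied on are, per the commit message, now gated by the mozilla_manage_*_user_content booleans (default false); the rule is dormant rather than harmful, but a reader will not see why it is kept, so I would add `# filetrans only takes effect when mozilla_manage_*_user_content is enabled` above it. The same applies to the plugin domain's filetrans kept in the last hunk. Invoking the template with `{ mozilla_t mozilla_plugin_t }` from mozilla_t's local policy section also means the plugin domain's conditional user-content access is granted far from its own section; a comment in the plugin section pointing here would make that visible, assuming the template may only be called once per prefix.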
@@ -205,6 +239,10 @@ userdom_write_user_tmp_sockets(mozilla_t)
 mozilla_run_plugin(mozilla_t, mozilla_roles)
 mozilla_run_plugin_config(mozilla_t, mozilla_roles)
 
+xdg_read_config_home_files(mozilla_t)
+xdg_read_data_home_files(mozilla_t)
+xdg_manage_downloads(mozilla_t)
+
 xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
 xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
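Review bot: `xdg_manage_downloads(mozilla_t)` becomes the browser's only unconditional write path into the user's home tree after this patch (the rest moved under the booleans), and nothing in the hunk says so; a comment like `# Downloads/ stays writable regardless of the mozilla_manage_*_user_content booleans` would keep the next maintainer from moving it under a tunable. The plugin domain receives no equivalent in this patch; whether plugins save downloads themselves I cannot tell from here.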
@@ -501,14 +539,14 @@ miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
 userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 userdom_manage_user_tmp_files(mozilla_plugin_t)
 
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
 userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
 
 userdom_write_user_tmp_sockets(mozilla_plugin_t)
 
 userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
 
+xdg_read_config_home_files(mozilla_plugin_t)
+
 ifndef(`enable_mls',`
 	fs_list_dos(mozilla_plugin_t)
 	fs_read_dos_files(mozilla_plugin_t)
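Review bot: The commit message says the cache privileges are provided for the mozilla plugin domains as well, but this hunk only adds `xdg_read_config_home_files(mozilla_plugin_t)`; mozilla_plugin_t gets no rule on mozilla_xdg_cache_home_t and no xdg_cache_home_filetrans, unlike mozilla_t earlier in the patch. If that is deferred to a later patch in the series the message should say so; otherwise the plugin domain will be denied on ~/.cache/mozilla, and the mozilla_t rules could be mirrored here as `manage_files_pattern(mozilla_plugin_t, mozilla_xdg_cache_home_t, mozilla_xdg_cache_home_t)`, `manage_dirs_pattern(mozilla_plugin_t, mozilla_xdg_cache_home_t, mozilla_xdg_cache_home_t)` and `xdg_cache_home_filetrans(mozilla_plugin_t, mozilla_xdg_cache_home_t, dir, "mozilla")`, if manage rather than read is what plugins need. The `ifndef(`enable_mls',` block at the end of the hunk continues outside it.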
-- 
2.13.0


