From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 7E95C138334 for ; Sun, 24 Jun 2018 08:46:47 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B1D92E08C0; Sun, 24 Jun 2018 08:46:46 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 857FFE08C0 for ; Sun, 24 Jun 2018 08:46:46 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0D589335CA0 for ; Sun, 24 Jun 2018 08:46:45 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 85D9A2DA for ; Sun, 24 Jun 2018 08:46:43 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1528981013.6aa6d4c122f71c70f45bc09edea0e945fc366381.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/java.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 6aa6d4c122f71c70f45bc09edea0e945fc366381 X-VCS-Branch: master Date: Sun, 24 Jun 2018 08:46:43 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 0a108b75-736e-4cf5-8ba4-9a424ec919da X-Archives-Hash: b3b12b9bba1771719e9442581f57ca86 commit: 6aa6d4c122f71c70f45bc09edea0e945fc366381 Author: Sven Vermeulen siphos be> AuthorDate: Sun Mar 25 11:57:09 2018 +0000 Commit: Jason Zaman gentoo org> CommitDate: Thu Jun 14 12:56:53 2018 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6aa6d4c1 Make java user content access optional The java_domain attribute covers many java related domains. Historically, the privileges on the java domain have been quite open, including the access to the users' personal files. However, this should not be the case at all times - some administrators might want to reduce this scope, and only grant specific domains (rather than the generic java ones) the necessary accesses. In this patch, the manage rights on the user content is moved under support of specific java-related booleans. Changes since v1: - Move tunable definition inside template Signed-off-by: Sven Vermeulen siphos.be> policy/modules/contrib/java.te | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index f23a330b..78a994e0 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -109,15 +109,16 @@ miscfiles_read_fonts(java_domain) userdom_dontaudit_use_user_terminals(java_domain) userdom_dontaudit_exec_user_home_content_files(java_domain) -userdom_manage_user_home_content_dirs(java_domain) -userdom_manage_user_home_content_files(java_domain) -userdom_manage_user_home_content_symlinks(java_domain) -userdom_manage_user_home_content_pipes(java_domain) -userdom_manage_user_home_content_sockets(java_domain) -userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) +userdom_user_content_access_template(java, java_domain) userdom_write_user_tmp_sockets(java_domain) +tunable_policy(`java_manage_generic_user_content',` + userdom_manage_user_home_content_pipes(java_domain) + userdom_manage_user_home_content_sockets(java_domain) + userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) +') + ifdef(`distro_gentoo',` # For java browser plugin accessing internet resources allow java_domain self:netlink_route_socket create_netlink_socket_perms;