add user fonts to xserver.

2006-03-28 18:29:52 +00:00 · 2006-03-28 18:29:52 +00:00 · 1786478c7b
parent a5d54655dd
commit 1786478c7b
6 changed files with 140 additions and 14 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -1,3 +1,4 @@
+- Add user fonts to xserver.
 - Additional interfaces in corecommands, miscfiles, and userdomain
  from Joy Latten.
 - Miscellaneous fixes from Thomas Bleher.
--- a/refpolicy/policy/modules/services/xserver.fc
+++ b/refpolicy/policy/modules/services/xserver.fc
@ -2,6 +2,10 @@
 # HOME_DIR
 #
 ifdef(`strict_policy',`
+HOME_DIR/\.fonts.conf	--	gen_context(system_u:object_r:ROLE_fonts_config_t,s0)
+HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:ROLE_fonts_t,s0)
+HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
+HOME_DIR/\.fonts.cache-.* --	gen_context(system_u:object_r:ROLE_fonts_cache_t,s0)
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:ROLE_iceauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
--- a/refpolicy/policy/modules/services/xserver.if
+++ b/refpolicy/policy/modules/services/xserver.if
@ -229,6 +229,15 @@ template(`xserver_per_userdomain_template',`
 	xserver_common_domain_template($1)
 	role $3 types $1_xserver_t;

+	type $1_fonts_t, fonts_type;
+	userdom_user_home_content($1,$1_fonts_t)
+
+	type $1_fonts_cache_t, fonts_cache_type;
+	userdom_user_home_content($1,$1_fonts_cache_t)
+
+	type $1_fonts_config_t, fonts_config_type;
+	userdom_user_home_content($1,$1_fonts_cache_t)
+
 	type $1_iceauth_t;
 	domain_type($1_iceauth_t)
 	role $3 types $1_iceauth_t;
@ -269,6 +278,17 @@ template(`xserver_per_userdomain_template',`

 	allow $1_xserver_t $2:shm rw_shm_perms;

+	allow $2 $1_fonts_t:dir manage_dir_perms;
+	allow $2 $1_fonts_t:file manage_file_perms;
+	allow $2 $1_fonts_t:{ dir file } { relabelto relabelfrom };
+
+	allow $2 $1_fonts_config_t:dir manage_dir_perms;
+	allow $2 $1_fonts_config_t:file manage_file_perms;
+	allow $2 $1_fonts_config_t:file { relabelto relabelfrom };
+
+	# For startup relabel
+	allow $2 $1_fonts_cache_t:{ dir file } { relabelto relabelfrom };
+
 	allow $2 $1_xserver_tmp_t:dir r_dir_perms;
 	allow $2 $1_xserver_tmp_t:sock_file rw_file_perms;
 	allow $2 $1_xserver_t:unix_stream_socket connectto;
@ -288,14 +308,13 @@ template(`xserver_per_userdomain_template',`
 	userdom_setattr_user_ttys($1,$1_xserver_t)
 	userdom_rw_user_tmpfs_files($1,$1_xserver_t)

+	xserver_use_user_fonts($1,$1_xserver_t)
+
 	optional_policy(`
 		userhelper_search_config($1_xserver_t)
 	')

 	ifdef(`TODO',`
-	# Read fonts
-	read_fonts($1_xserver_t, $1)
-
 	allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
 	allow $1_t xdm_xserver_t:unix_stream_socket connectto;

@ -559,6 +578,7 @@ template(`xserver_user_client_template',`

 	xserver_ro_session_template(xdm,$2,$3)
 	xserver_rw_session_template($1,$2,$3)
+	xserver_use_user_fonts($1,$2)

 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
@ -571,10 +591,57 @@ template(`xserver_user_client_template',`
 		kernel_tcp_recvfrom($2)
 		ssh_tcp_connect($2)
 	')
+')

-	ifdef(`TODO',`
-	# cjp: need to implement the user-specific fonts part
-	read_fonts($2, $1)
+########################################
+## <summary>
+##	Read user fonts, user font configuration,
+##	and manage the user font cache.
+## </summary>
+## <desc>
+##	<p>
+##	Read user fonts, user font configuration,
+##	and manage the user font cache.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`xserver_use_user_fonts',`
+	gen_require(`
+		type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
+	')
+
+	# Read per user fonts
+	allow $2 $1_fonts_t:dir list_dir_perms;
+	allow $2 $1_fonts_t:file read_file_perms;
+
+	# Manipulate the global font cache
+	allow $2 $1_fonts_cache_t:dir manage_dir_perms;
+	allow $2 $1_fonts_cache_t:file manage_file_perms;
+
+	# Read per user font config
+	allow $2 $1_fonts_config_t:dir list_dir_perms;
+	allow $2 $1_fonts_config_t:file read_file_perms;
+
+	userdom_search_user_home_dirs($1,$2)
+
+	# There are some fonts in .gnome2
+	ifdef(`gnome.te', `
+	allow $2 $1_gnome_settings_t:dir { getattr search };
 	')
 ')

@ -615,6 +682,42 @@ template(`xserver_domtrans_user_xauth',`
 	allow $1_xauth_t $2:process sigchld;
 ')

+########################################
+## <summary>
+##	Read all users fonts, user font configurations,
+##	and manage all users font caches.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_use_all_users_fonts',`
+	gen_require(`
+		attribute fonts_type, fonts_cache_type, fonts_config_type;
+	')
+
+	# Read per user fonts
+	allow $1 fonts_type:dir list_dir_perms;
+	allow $1 fonts_type:file read_file_perms;
+
+	# Manipulate the global font cache
+	allow $1 fonts_cache_type:dir manage_dir_perms;
+	allow $1 fonts_cache_type:file manage_file_perms;
+
+	# Read per user font config
+	allow $1 fonts_config_type:dir list_dir_perms;
+	allow $1 fonts_config_type:file read_file_perms;
+
+	userdom_search_all_users_home_dirs($1)
+
+	# There are some fonts in .gnome2
+	ifdef(`gnome.te', `
+	allow $1 $1_gnome_settings_t:dir { getattr search };
+	')
+')
+
 ########################################
 ## <summary>
 ##	Connect to XDM over a unix domain
--- a/refpolicy/policy/modules/services/xserver.te
+++ b/refpolicy/policy/modules/services/xserver.te
@ -1,11 +1,15 @@

-policy_module(xserver,1.1.1)
+policy_module(xserver,1.1.2)

 ########################################
 #
 # Declarations
 #

+attribute fonts_type;
+attribute fonts_cache_type;
+attribute fonts_config_type;
+
 type ice_tmp_t;
 files_tmp_file(ice_tmp_t)

@ -414,12 +418,7 @@ ifdef(`strict_policy',`
 	# (xauth?)
 	userdom_read_unpriv_users_home_content_files(xdm_xserver_t)

-	ifdef(`TODO',`
-	# Read all global and per user fonts
-	read_fonts(xdm_xserver_t, sysadm)
-	read_fonts(xdm_xserver_t, staff)
-	read_fonts(xdm_xserver_t, user)
-	') dnl end TODO
+	xserver_use_all_users_fonts(xdm_xserver_t)
 ')

 ifdef(`targeted_policy',`
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -3871,6 +3871,25 @@ interface(`userdom_read_sysadm_home_content_files',`
 	allow $1 sysadm_home_t:{ file lnk_file } r_file_perms;
 ')

+########################################
+## <summary>
+##	Search all users home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_all_users_home_dirs',`
+	gen_require(`
+		attribute home_dir_type;
+	')
+
+	files_list_home($1)
+	allow $1 home_dir_type:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	List all users home directories.
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@ -1,5 +1,5 @@

-policy_module(userdomain,1.3.6)
+policy_module(userdomain,1.3.7)

 gen_require(`
 	role sysadm_r, staff_r, user_r;