On 10/12/19 3:53 AM, Dominick Grift wrote:
On Fri, Oct 11, 2019 at 02:54:23PM +0200, Dominick Grift wrote:
On Fri, Oct 11, 2019 at 02:24:11PM +0200, Laurent Bigonville wrote:
From: Laurent Bigonville <bigon@xxxxxxxx>
colord reads the color profiles files that are stored in
~/.local/share/icc/, The file descriptor to that file is passed over
D-Bus so it needs to be inherited
This patch is cutting corners a little. It only takes unconfined_t into account and not the confined users (an alternative would be to call "userdom_use_all_users_fds(colord_t)" instead. Which is arguable too broad as well but closest you can get to "common users" without surgery.
Secondly xdg_read_data_files() is a little broad.
Also if this patch implies that whatever maintains XDG_DATA_DIR/icc is able to maintain generic xdg data files, which is arguable broad as well.
The second and third argument are subject to how far you want to take things, and so I won't object if that is not addressed.
The fd use issue, in my view, should be addressed for all login (common) users with colord access.
Actually, I take this review back. I am not sure how to best deal with this fd.
It seems that going to a colord_role() would be the way to go. There
already is a colord_dbus_chat($1_t) in userdomain.if, so you could put
those dbus rules plus the rules to address the fds together.
I agree the xdg_read_data_files() is somewhat broad, but it seems like
xdg_data_t files aren't sensitive. Maybe that's just how it is on
system? I don't feel strongly on this.
--
Chris PeBenito
