On Sat, Oct 12, 2019 at 11:51:43AM -0400, Chris PeBenito wrote: > On 10/12/19 3:53 AM, Dominick Grift wrote: > > On Fri, Oct 11, 2019 at 02:54:23PM +0200, Dominick Grift wrote: > > > On Fri, Oct 11, 2019 at 02:24:11PM +0200, Laurent Bigonville wrote: > > > > From: Laurent Bigonville <bigon@xxxxxxxx> > > > > > > > > colord reads the color profiles files that are stored in > > > > ~/.local/share/icc/, The file descriptor to that file is passed over > > > > D-Bus so it needs to be inherited > > > > > > This patch is cutting corners a little. It only takes unconfined_t into account and not the confined users (an alternative would be to call "userdom_use_all_users_fds(colord_t)" instead. Which is arguable too broad as well but closest you can get to "common users" without surgery. > > > Secondly xdg_read_data_files() is a little broad. > > > Also if this patch implies that whatever maintains XDG_DATA_DIR/icc is able to maintain generic xdg data files, which is arguable broad as well. > > > > > > The second and third argument are subject to how far you want to take things, and so I won't object if that is not addressed. > > > The fd use issue, in my view, should be addressed for all login (common) users with colord access. > > > > Actually, I take this review back. I am not sure how to best deal with this fd. > > It seems that going to a colord_role() would be the way to go. There > already is a colord_dbus_chat($1_t) in userdomain.if, so you could put those > dbus rules plus the rules to address the fds together. > > I agree the xdg_read_data_files() is somewhat broad, but it seems like > xdg_data_t files aren't sensitive. Maybe that's just how it is on system? > I don't feel strongly on this. Yes it depends i guess. The thing is that like /usr theres really all kinds of things below ~/.local, like bin, lib, doc etc (pip for example installs to ~/.local/{bin,lib}). So I would surely at least consider that beforehand ls -aZ ~/.local/ wheel.id:wheel.role:users.generic_home_data.home_data_file:s0 . wheel.id:wheel.role:users.home_libraries.home_file:s0 lib wheel.id:wheel.role:users.home_dir.file:s0 .. wheel.id:wheel.role:users.generic_home_data.home_data_file:s0 share wheel.id:wheel.role:users.home_commands.home_file:s0 bin There's also other gotchas, take for example your personal libvirt pool in ~/.local, this content may potentially also be need to be accessible by the qemu user. I guess what i am saying is that not everything below /usr is always just "data" I dont have enough experience with colord to give advice, looking at my policy there's also a colord --user instance, it seems also heavily integrated with gnome-settings-daemon. I think this patch is probably alright as is for now (maybe its best to just ignore confined users in this stage) as for further partitioning ~/.local, i suppose we can alway's revisit these changes later as this only applies to ~/.local/share/icc anyway. If this change is one of the few controversial changes that are needed to make gnome work on debian with unconfined, then i think it might be worth it to just accept this and make a note about it to address this properly when someone wants to work on the confined support for this aspect. > > -- > Chris PeBenito -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: PGP signature