commit: aca1f09d3605e0b15e00f4dca5be1be828a330e5 Author: Rahul Sandhu <nvraxn <AT> gmail <DOT> com> AuthorDate: Thu Jul 10 19:42:09 2025 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Nov 16 00:22:34 2025 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aca1f09d
wayland: new policy module A new type attribute wayland_compositor is introduced for shared rules for Wayland compositors. To support the security-context protocol[1], two new type attributes are introduced: wayland_client for regular Wayland clients, and wayland_client_sandboxed for sandboxed Wayland clients for use in applications run by sandbox engines such as Flatpak that support security-context[2]. As a fair amount of new policy modules can be expected to work with modern Wayland desktop sessions, a new policy layer has been created, session, to contain these new policy modules. [1] https://wayland.app/protocols/security-context-v1 [2] https://github.com/flatpak/flatpak/pull/4920 Signed-off-by: Rahul Sandhu <nvraxn <AT> gmail.com> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/session/metadata.xml | 1 + policy/modules/session/wayland.fc | 1 + policy/modules/session/wayland.if | 101 ++++++++++++++++++++++++++++++++++++ policy/modules/session/wayland.te | 81 +++++++++++++++++++++++++++++ 4 files changed, 184 insertions(+)
diff --git a/policy/modules/session/metadata.xml b/policy/modules/session/metadata.xml
new file mode 100644
index 000000000..fd4e6972e
--- /dev/null
+++ b/policy/modules/session/metadata.xml
@@ -0,0 +1 @@
+<summary>Policy modules for desktop sessions.</summary>
diff --git a/policy/modules/session/wayland.fc b/policy/modules/session/wayland.fc
new file mode 100644
index 000000000..73151efba
--- /dev/null
+++ b/policy/modules/session/wayland.fc
@@ -0,0 +1 @@
+/run/user/%{USERID}/wayland-.* -s gen_context(system_u:object_r:wayland_runtime_t,s0)
diff --git a/policy/modules/session/wayland.if b/policy/modules/session/wayland.if
new file mode 100644
index 000000000..2812dcb30
--- /dev/null
+++ b/policy/modules/session/wayland.if
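Review bot: The file context in wayland.fc matches sockets only (`-s`), while wayland.te in this same commit also transitions the regular `wayland-N.lock` files to wayland_runtime_t, so a relabel of `/run/user/<uid>` would reset existing lock files to the directory's default type and the compositor could then be denied reopening them. Add a companion entry, `/run/user/%{USERID}/wayland-.*\.lock -- gen_context(system_u:object_r:wayland_runtime_t,s0)`. wayland_runtime_sandboxed_t, declared in wayland.te, gets no file context here; if the sandbox-engine sockets have a known name pattern it should get one as well, otherwise that is presumably left to a later commit.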
@@ -0,0 +1,101 @@
+## <summary>Policy for wayland desktops.</summary>
+
+#########################################
+## <summary>
+## Associate the specified domain with
+## the Wayland compositor attribute.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wayland_compositor_domain',`
+ gen_require(`
+ attribute wayland_compositor;
+ ')
+
+ typeattribute $1 wayland_compositor;
+')
+
+#########################################
+## <summary>
+## Associate the specified domain with the
+## Wayland compositor tmpfs attribute.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wayland_compositor_tmpfs',`
+ gen_require(`
+ attribute wayland_compositor_tmpfs_type;
+ ')
+
+ typeattribute $1 wayland_compositor_tmpfs_type;
+')
+
+#########################################
+## <summary>
+## Associate the specified domain with
+## the Wayland client attribute.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wayland_client_domain',`
+ gen_require(`
+ attribute wayland_client;
+ ')
+
+ typeattribute $1 wayland_client;
+')
+
+#########################################
+## <summary>
+## Associate the specified domain with the
+## Wayland client tmpfs attribute.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wayland_client_tmpfs',`
+ gen_require(`
+ attribute wayland_client_tmpfs_type;
+ ')
+
+ typeattribute $1 wayland_client_tmpfs_type;
+')
+
+#########################################
+## <summary>
+## Associate the specified domain with
+## the Wayland client sandboxed attribute.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wayland_client_sandboxed_domain',`
+ gen_require(`
+ attribute wayland_client_sandboxed;
+ ')
+
+ typeattribute $1 wayland_client_sandboxed;
+')
diff --git a/policy/modules/session/wayland.te b/policy/modules/session/wayland.te
new file mode 100644
index 000000000..c1b93b9c0
--- /dev/null
+++ b/policy/modules/session/wayland.te
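Review bot: The documentation block for `wayland_client_sandboxed_domain` contains the `<param name="domain">` element twice, so the generated interface docs will list its single argument twice; drop the second `<param name="domain"> … </param>` block (the five lines after the first `## </param>`). Separately, `wayland_compositor_tmpfs` and `wayland_client_tmpfs` take a file type (the shm type that wayland.te uses as the target of its `:file mmap_rw_inherited_file_perms` rules), not a process domain, yet both are documented with `<param name="domain">` and "Domain allowed access."; name the parameter `type` and describe it as `## Type of the shared-memory files of the compositor/client.` so callers do not pass a domain by mistake. The hunk is complete here.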
@@ -0,0 +1,81 @@
+policy_module(wayland)
+
+########################################
+#
+# Declarations
+#
+
+attribute wayland_compositor;
+attribute wayland_client;
+
+# For use by clients only allowed to talk through security_context restricted sockets.
+attribute wayland_client_sandboxed;
+
+type wayland_runtime_t;
+files_runtime_file(wayland_runtime_t)
+userdom_user_runtime_content(wayland_runtime_t)
+
+# For use by sandbox engines implementing the security_context protocol.
+type wayland_runtime_sandboxed_t;
+files_runtime_file(wayland_runtime_t)
+userdom_user_runtime_content(wayland_runtime_sandboxed_t)
+
+# Wayland compositors also have their own shared memory.
+attribute wayland_compositor_tmpfs_type;
+
+# No need to distinguish between the shm of sandboxed and unsandboxed clients;
+# all clients should have their own shm type, this attribute is only to group them
+# and grant wayland_compositor access to them.
+attribute wayland_client_tmpfs_type;
+
+##############################
+#
+# Local Policy
+#
+
+allow wayland_client wayland_compositor_tmpfs_type:file mmap_rw_inherited_file_perms;
+
+allow wayland_compositor wayland_client_tmpfs_type:file mmap_rw_inherited_file_perms;
+allow wayland_compositor wayland_client:fd use;
+allow wayland_compositor wayland_client_sandboxed:fd use;
+
+# Compositors may make more privileged sockets in $XDG_RUNTIME_DIR, so let's
+# hardcode in WAYLAND_DISPLAY so we can give other sockets created a higher level
+# of privilege (namebased filetransitions are not supported yet).
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-0")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-1")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-2")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-3")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-4")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-5")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-6")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-7")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-8")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-9")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-0.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-1.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-2.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-3.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-4.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-5.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-6.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-7.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-8.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-9.lock")
+
+# GPU Access
+dev_rw_dri(wayland_compositor)
+
+files_read_usr_files(wayland_compositor)
+
+# Fonts
+miscfiles_read_fonts(wayland_compositor)
+xserver_use_user_fonts(wayland_compositor)
+
+xserver_read_xkb_libs(wayland_compositor)
+xserver_rw_mesa_shader_cache(wayland_compositor)
+
+optional_policy(`
+ # For seats
+ systemd_use_logind_fds(wayland_compositor)
+')
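Review bot: The `files_runtime_file()` call directly under `type wayland_runtime_sandboxed_t;` names `wayland_runtime_t` a second time, which looks like a copy-paste slip: the sandboxed type is then never marked as a runtime file type, so it presumably is not even a file type and none of the `files_*_runtime_*` interfaces will cover it; change that line to `files_runtime_file(wayland_runtime_sandboxed_t)`. Nothing else in this hunk references `wayland_runtime_sandboxed_t`, and `wayland_client_sandboxed` is only ever an fd source, so with this module alone a sandboxed client cannot reach any socket; if that is deliberate until the sandbox-engine modules land, a comment on the declaration such as `# Access rules for sandboxed clients are provided by the sandbox engine modules.` would keep readers from reading it as an omission. The hunk is complete here.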
