selinux-policy/backport-Add-watch_sb-interfaces.patch


From a65d7a6e589268afc80c871450423c82aeab530a Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 3 Nov 2022 11:33:59 +0100
Subject: [PATCH] Add watch_sb interfaces
Add interfaces that allow watch_sb on user temporary directories,
tmpfs directories, boot and root directories.
Create watch_sb_dirs_pattern and watch_sb_dir_perms
---
policy/modules/kernel/files.if | 36 +++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.if | 18 +++++++++++++++
policy/modules/system/userdomain.if | 18 +++++++++++++++
policy/support/file_patterns.spt | 4 ++++
policy/support/obj_perm_sets.spt | 1 +
5 files changed, 77 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 046db519bb..eb9e6e032c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2560,6 +2560,24 @@ interface(`files_write_root_dirs',`
allow $1 root_t:dir write;
')
+########################################
+## <summary>
+## Watch_sb root directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_sb_root_dirs', `
+ gen_require(`
+ type root_t;
+ ')
+
+ watch_sb_dirs_pattern($1, root_t, root_t)
+')
+
########################################
## <summary>
## Do not audit attempts to write to / dirs.
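Review bot: The `<summary>` of the new `files_watch_sb_root_dirs` interface reads as if the grant were limited to root_t directories, but `watch_sb` is the superblock-scoped watch permission (as I understand the kernel's fanotify mapping, a filesystem-wide mark), so a domain granted it receives notifications for every object on the filesystem that contains the root_t directory, regardless of that object's label. I would state that scope in the summary, e.g. `## Watch_sb on root directories. This is a superblock-wide watch: events cover every object on the root filesystem, not only root_t objects.`, so policy authors can weigh the disclosure scope before calling the interface. The same summary wording is needed for files_watch_sb_boot_dirs, fs_watch_sb_tmpfs and userdom_watch_sb_tmp_dirs; for tmpfs and /tmp the watched superblock typically holds files of many other types, and where /tmp lives on the root filesystem the watch covers the root filesystem.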
@@ -3089,6 +3107,24 @@ interface(`files_watch_boot_dirs',`
allow $1 boot_t:dir watch_dir_perms;
')
+########################################
+## <summary>
+## Watch_sb boot directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_sb_boot_dirs', `
+ gen_require(`
+ type boot_t;
+ ')
+
+ watch_sb_dirs_pattern($1, boot_t, boot_t)
+')
+
########################################
## <summary>
## Watch_mount directories in /boot.
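Review bot: `files_watch_sb_boot_dirs` is inserted between `files_watch_boot_dirs` and `files_watch_mount_boot_dirs` (the latter's header is the trailing context of this hunk), whereas obj_perm_sets.spt and file_patterns.spt order the watch variants alphabetically (watch, watch_mount, watch_reads, watch_sb, watch_with_perm). Placing the new interface after `files_watch_mount_boot_dirs`, and likewise `userdom_watch_sb_tmp_dirs` after `userdom_watch_mount_tmp_dirs` in userdomain.if, would keep the .if files consistent with the support macros. This is a style point only; the generated policy is unaffected.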
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index bb2f077f6d..d7645a534f 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -5400,6 +5400,24 @@ interface(`fs_mounton_tmpfs', `
allow $1 tmpfs_t:dir mounton;
')
+########################################
+## <summary>
+## Watch_sb tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_watch_sb_tmpfs', `
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ watch_sb_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
########################################
## <summary>
## Get the attributes of a tmpfs
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e8817429b2..62bc19c654 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -347,6 +347,24 @@ interface(`userdom_watch_tmp_dirs',`
watch_dirs_pattern($1, user_tmp_t, user_tmp_t)
')
+#######################################
+## <summary>
+## Watch_sb user temporary directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_watch_sb_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ watch_sb_dirs_pattern($1, user_tmp_t, user_tmp_t)
+')
+
#######################################
## <summary>
## Watch_mount user temporary directories
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index c832c0dab0..57581a8573 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -88,6 +88,10 @@ define(`watch_reads_dirs_pattern',`
allow $1 $2:dir search_dir_perms;
allow $1 $3:dir watch_reads_dir_perms;
')
+define(`watch_sb_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir watch_sb_dir_perms;
+')
define(`watch_with_perm_dirs_pattern',`
allow $1 $2:dir search_dir_perms;
allow $1 $3:dir watch_with_perm_dir_perms;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 85283eb1e5..c76a77fac9 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -149,6 +149,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
define(`watch_dir_perms',`{ getattr watch }')
define(`watch_mount_dir_perms',`{ getattr watch_mount }')
define(`watch_reads_dir_perms',`{ getattr watch_reads }')
+define(`watch_sb_dir_perms',`{ getattr watch_sb }')
define(`watch_with_perm_dir_perms',`{ getattr watch_with_perm }')
#