wayland: new policy module

WavyEbuilder · WavyEbuilder · commit ea8e48673cb5 · 2025-07-22T21:22:14.000+01:00
A new type attribute wayland_compositor is introduced for shared rules for Wayland compositors. To support the security-context protocol[1], two new type attributes are introduced: wayland_client for regular Wayland clients, and wayland_client_sandboxed for sandboxed Wayland clients for use in applications run by sandbox engines such as Flatpak that support security-context[2]. As a fair amount of new policy modules can be expected to work with modern Wayland desktop sessions, a new policy layer has been created, session, to contain these new policy modules. [1] https://wayland.app/protocols/security-context-v1 [2] flatpak/flatpak#4920 Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
diff --git a/policy/modules/session/metadata.xml b/policy/modules/session/metadata.xml
@@ -0,0 +1 @@
+<summary>Policy modules for desktop sessions.</summary>
diff --git a/policy/modules/session/wayland.fc b/policy/modules/session/wayland.fc
@@ -0,0 +1,2 @@
+/run/user/%{USERID}/wayland-[0-9]+	-s	gen_context(system_u:object_r:wayland_runtime_t,s0)
+/run/user/%{USERID}/wayland-[0-9]+\.lock	--	gen_context(system_u:object_r:wayland_runtime_t,s0)
diff --git a/policy/modules/session/wayland.if b/policy/modules/session/wayland.if
@@ -0,0 +1,101 @@
+## <summary>Policy for wayland desktops.</summary>
+
+#########################################
+## <summary>
+##	Associate the specified domain with
+##	the Wayland compositor attribute.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wayland_compositor_domain',`
+	gen_require(`
+		attribute wayland_compositor;
+	')
+
+	typeattribute $1 wayland_compositor;
+')
+
+#########################################
+## <summary>
+##	Associate the specified domain with the
+##	Wayland compositor tmpfs attribute.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wayland_compositor_tmpfs',`
+	gen_require(`
+		attribute wayland_compositor_tmpfs_type;
+	')
+
+	typeattribute $1 wayland_compositor_tmpfs_type;
+')
+
+#########################################
+## <summary>
+##	Associate the specified domain with
+##	the Wayland client attribute.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`wayland_client_domain',`
+	gen_require(`
+		attribute wayland_client;
+	')
+
+	typeattribute $1 wayland_client;
+')
+
+#########################################
+## <summary>
+##	Associate the specified domain with the
+##	Wayland client tmpfs attribute.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`wayland_client_tmpfs',`
+	gen_require(`
+		attribute wayland_client_tmpfs_type;
+	')
+
+	typeattribute $1 wayland_client_tmpfs_type;
+')
+
+#########################################
+## <summary>
+##	Associate the specified domain with
+##	the Wayland client sandboxed attribute.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`wayland_client_sandboxed_domain',`
+	gen_require(`
+		attribute wayland_client_sandboxed;
+	')
+
+	typeattribute $1 wayland_client_sandboxed;
+')
diff --git a/policy/modules/session/wayland.te b/policy/modules/session/wayland.te
@@ -0,0 +1,84 @@
+policy_module(wayland)
+
+########################################
+#
+# Declarations
+#
+
+attribute wayland_compositor;
+attribute wayland_client;
+
+# For use by clients only allowed to talk through security_context restricted sockets.
+attribute wayland_client_sandboxed;
+
+type wayland_runtime_t;
+files_runtime_file(wayland_runtime_t)
+userdom_user_runtime_content(wayland_runtime_t)
+
+# For use by sandbox engines implementing the security_context protocol.
+type wayland_runtime_sandboxed_t;
+files_runtime_file(wayland_runtime_t)
+userdom_user_runtime_content(wayland_runtime_sandboxed_t)
+
+# Wayland compositors also have their own shared memory.
+attribute wayland_compositor_tmpfs_type;
+
+# No need to distinguish between the shm of sandboxed and unsandboxed clients;
+# all clients should have their own shm type, this attribute is only to group them
+# and grant wayland_compositor access to them.
+attribute wayland_client_tmpfs_type;
+
+##############################
+#
+# Local Policy
+#
+
+allow wayland_client wayland_compositor_tmpfs_type:file mmap_rw_inherited_file_perms;
+
+allow wayland_compositor wayland_client_tmpfs_type:file mmap_rw_inherited_file_perms;
+allow wayland_compositor wayland_client:fd use;
+allow wayland_compositor wayland_client_sandboxed:fd use;
+
+# Compositors may make more privileged sockets in $XDG_RUNTIME_DIR, so let's
+# hardcode in WAYLAND_DISPLAY so we can give other sockets created a higher level
+# of privilege (namebased filetransitions are not supported yet).
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-0")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-1")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-2")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-3")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-4")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-5")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-6")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-7")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-8")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, sock_file, "wayland-9")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-0.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-1.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-2.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-3.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-4.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-5.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-6.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-7.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-8.lock")
+userdom_user_runtime_filetrans(wayland_compositor, wayland_runtime_t, file, "wayland-9.lock")
+
+# GPU Access
+dev_rw_dri(wayland_compositor)
+
+# /dev/input
+dev_rw_input_dev(wayland_compositor)
+
+files_read_usr_files(wayland_compositor)
+
+# Fonts
+miscfiles_read_fonts(wayland_compositor)
+xserver_use_user_fonts(wayland_compositor)
+
+xserver_read_xkb_libs(wayland_compositor)
+xserver_rw_mesa_shader_cache(wayland_compositor)
+
+optional_policy(`
+	# For seats
+	systemd_use_logind_fds(wayland_compositor)
+')

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+<summary>Policy modules for desktop sessions.</summary>`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+/run/user/%{USERID}/wayland-[0-9]+ -s gen_context(system_u:object_r:wayland_runtime_t,s0)`
	`2`	`+/run/user/%{USERID}/wayland-[0-9]+\.lock -- gen_context(system_u:object_r:wayland_runtime_t,s0)`