Consolekit (and i guess logind too?) have inhibit locks that programs can use
eg for preventing the machine from sleeping. It involves a fifo_file and
passing the fd to the application to hold. when done, it close()'s the fd.
What do i name the interface for it? If you have a better idea I can rename and
send.
-- Jason
On 05/26/2017 12:16 PM, Dominick Grift via refpolicy wrote:
> On Sat, May 27, 2017 at 12:10:51AM +0800, Jason Zaman via refpolicy wrote:
>> Applications hold FDs while they hold the lock.
>> Implements this API:
>> https://www.freedesktop.org/wiki/Software/systemd/inhibit/
>> ---
>> consolekit.if | 19 +++++++++++++++++++
>> 1 file changed, 19 insertions(+)
>>
>> diff --git a/consolekit.if b/consolekit.if
>> index 5b830ec..c2c203f 100644
>> --- a/consolekit.if
>> +++ b/consolekit.if
>> @@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',`
>>
>> ########################################
>> ## <summary>
>> +## Take inhibit locks from consolekit
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`consolekit_use_inhibit_lock',`
>> + gen_require(`
>> + type consolekit_t, consolekit_var_run_t;
>> + ')
>> +
>> + allow $1 consolekit_t:fd use;
>> + allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms;
>
> I suppose my personal preference would be consolekit_rw_inherited_runtime_fifo_files():
>
> allow $1 consolekit_t:fd use;
> allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
Agreed, that seems to match more what is described.
> But consolekit_use_inhibit_lock() sounds fine as well...
I'm ok with the interface name as long as you put that explanation in
the patch set overview email in the interface's description tag.
--
Chris PeBenito
Applications hold FDs while they hold the lock.
Implements this API:
https://www.freedesktop.org/wiki/Software/systemd/inhibit/
---
consolekit.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/consolekit.if b/consolekit.if
index 5b830ec..c2c203f 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',`
########################################
## <summary>
+## Take inhibit locks from consolekit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`consolekit_use_inhibit_lock',`
+ gen_require(`
+ type consolekit_t, consolekit_var_run_t;
+ ')
+
+ allow $1 consolekit_t:fd use;
+ allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
## Read consolekit log files.
## </summary>
## <param name="domain">
--
2.13.0
Needs to be able to clear out /run/user/UID on logout
---
consolekit.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/consolekit.te b/consolekit.te
index d51634e..ea4db82 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -64,6 +64,7 @@ domain_dontaudit_ptrace_all_domains(consolekit_t)
files_read_usr_files(consolekit_t)
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
+files_purge_tmp(consolekit_t)
fs_list_inotifyfs(consolekit_t)
fs_mount_tmpfs(consolekit_t)
--
2.13.0
---
dbus.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/dbus.te b/dbus.te
index a3bd6bd..f6b83a6 100644
--- a/dbus.te
+++ b/dbus.te
@@ -164,6 +164,10 @@ optional_policy(`
')
optional_policy(`
+ consolekit_use_inhibit_lock(system_dbusd_t)
+')
+
+optional_policy(`
policykit_read_lib(system_dbusd_t)
')
--
2.13.0
---
networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/networkmanager.te b/networkmanager.te
index 9b9aaec..f5f0879 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -223,6 +223,7 @@ optional_policy(`
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
+ consolekit_use_inhibit_lock(NetworkManager_t)
')
optional_policy(`
--
2.13.0
On Sat, May 27, 2017 at 12:10:51AM +0800, Jason Zaman via refpolicy wrote:
> Applications hold FDs while they hold the lock.
> Implements this API:
> https://www.freedesktop.org/wiki/Software/systemd/inhibit/
> ---
> consolekit.if | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/consolekit.if b/consolekit.if
> index 5b830ec..c2c203f 100644
> --- a/consolekit.if
> +++ b/consolekit.if
> @@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',`
>
> ########################################
> ## <summary>
> +## Take inhibit locks from consolekit
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`consolekit_use_inhibit_lock',`
> + gen_require(`
> + type consolekit_t, consolekit_var_run_t;
> + ')
> +
> + allow $1 consolekit_t:fd use;
> + allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms;
I suppose my personal preference would be consolekit_rw_inherited_runtime_fifo_files():
allow $1 consolekit_t:fd use;
allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
But consolekit_use_inhibit_lock() sounds fine as well...
> +')
> +
> +########################################
> +## <summary>
> ## Read consolekit log files.
> ## </summary>
> ## <param name="domain">
> --
> 2.13.0
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170526/f53b786b/attachment.bin