2017-04-20 01:07:22

by guido

Subject: [refpolicy] [PATCH 24/33] pulseaudio: adapt to userdom permissions restrictions

This patch adapts the pulseaudio module to the userdomain permissions
changes in this patchset.

It aims to ensure user data confidentiality.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/pulseaudio.te | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/pulseaudio.te 2017-02-04 19:30:23.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/pulseaudio.te 2017-04-19 21:58:16.953220101 +0200
@@ -61,10 +61,14 @@ userdom_user_home_dir_filetrans(pulseaud
userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")

+userdom_user_cache_filetrans(pulseaudio_t, pulseaudio_home_t, file)
+userdom_user_config_filetrans(pulseaudio_t, pulseaudio_home_t, file)
+
manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+
userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
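Review bot: The two added transitions, `userdom_user_cache_filetrans(pulseaudio_t, pulseaudio_home_t, file)` and `userdom_user_config_filetrans(pulseaudio_t, pulseaudio_home_t, file)`, carry no object name and cover only the `file` class, unlike the named `.esd_auth` and `.pulse-cookie` rules just above them. As written, any file pulseaudio_t creates directly in the cache or config directory becomes pulseaudio_home_t, while a directory created there would presumably keep the parent's label, and PulseAudio normally keeps its state in a `pulse` subdirectory. If these interfaces accept a name argument like the home-dir variant (their definition is not in this patch), a named directory transition such as `userdom_user_config_filetrans(pulseaudio_t, pulseaudio_home_t, dir, "pulse")` would scope the label more tightly. Whichever form is kept, a one-line comment saying which files the unnamed rules are meant to catch would help the next reviewer.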
@@ -85,6 +89,8 @@ manage_files_pattern(pulseaudio_t, pulse
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })

+userdom_user_home_dir_filetrans_user_config(pulseaudio_t, dir, ".config")
+
allow pulseaudio_t pulseaudio_client:process signull;
ps_process_pattern(pulseaudio_t, pulseaudio_client)
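Review bot: `userdom_user_home_dir_filetrans_user_config(pulseaudio_t, dir, ".config")` is placed between the pulseaudio_var_run_t rules and the pulseaudio_client process rules, away from the other home-directory transitions around line 61 of the file. Moving it next to the `.esd_auth` and `.pulse-cookie` lines would keep all home-directory labelling in one place. If the intent is what the interface name suggests, a comment such as `# label ~/.config as generic user config when pulseaudio is the first to create it` would make that explicit. The surrounding rule groups start and end outside this hunk.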

@@ -137,10 +143,8 @@ logging_send_syslog_msg(pulseaudio_t)

miscfiles_read_localization(pulseaudio_t)

-userdom_read_user_tmpfs_files(pulseaudio_t)
-userdom_delete_user_tmpfs_files(pulseaudio_t)
-userdom_search_user_home_dirs(pulseaudio_t)
-userdom_search_user_home_content(pulseaudio_t)
+userdom_manage_user_tmpfs_files(pulseaudio_t)
+userdom_manage_user_config(pulseaudio_t)

userdom_manage_user_tmp_sockets(pulseaudio_t)
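Review bot: Both replacements in this hunk appear to widen pulseaudio_t rather than restrict it, which sits oddly with the stated confidentiality goal. `userdom_manage_user_tmpfs_files` replaces a read-plus-delete pair and so presumably adds create and write on every user tmpfs file. `userdom_manage_user_config` replaces two search-only interfaces with manage access to what looks like the generic user config type, although the daemon's own files are already labelled pulseaudio_home_t. Unless an AVC denial shows the extra access is needed, I would keep `userdom_read_user_tmpfs_files(pulseaudio_t)` and `userdom_delete_user_tmpfs_files(pulseaudio_t)` and grant only search on the config directory. The interface definitions live elsewhere in the patchset, so the exact permission sets should be checked against them.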

@@ -256,6 +260,7 @@ pulseaudio_manage_home(pulseaudio_client
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
+
pulseaudio_signull(pulseaudio_client)
pulseaudio_use_fds(pulseaudio_client)