2012-10-19 17:23:42

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies


I am currently trying to port the pulseaudio policy module with changes

I would like your opinion on patch below

Some explanation:

applications that run pulseaudio for their audio have things in common:

they use shared memory
They need to be able to read and delete each other's shared memory
they need to be able to signal (signull) each other

They need to be able to restart pulseaudio if it crashes
They need to be able to connect to pulseaudio over the network if there is no local pulse running (conditional?)

They need various access to pulse audio home content
They need to be able to stream connect to pulseaudio

They need to be able to dbus chat to pulseaudio

Since pulseaudio as a system service uses the same domain, they need to be a system bus client

If you think about it, this can get quite messy if we don't do it tidily

I decided to create two type attributes

the pulseaudio_client is an attribute that is assigned to any domain transitioning to pulseaudio_t

This is a prerequisite for pulse clients because they need to be able to restart pulse if it crashes

The pulseaudio client attribute is used to efficiently write policy that is common to pulseaudio clients

P.S. pulseaudio_role() callers are also pulseaudio_client, they just have a few extra permissions

The pulseaudio_tmpfs_file_type is assigned to all clients' tmpfs file types separately with the pulseaudio_tmpfs_content() interface

pulseaudio_clients automatically get the access they need to pulseaudio tmpfs content

read and delete the content

userdom user tmpfs content is not pulseaudio tmpfs content. Thus all pulseaudio_clients also need access
to read and delete user tmpfs files (programs using pulseaudio might run in the user domain).

I am probably overlooking things in this version of the patch

Please let me know what you think about this and give me suggestions

Signed-off-by: Dominick Grift <[email protected]>

diff --git a/gpg.te b/gpg.te
index 80c8cb3..4545d3c 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,4 +1,4 @@
-policy_module(gpg, 2.7.2)
+policy_module(gpg, 2.7.3)

########################################
#
@@ -67,6 +67,7 @@

type gpg_pinentry_tmpfs_t;
userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
+pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)

########################################
#
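Review bot: pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t) is called unconditionally in the declarations, while every other pulseaudio_* call in this file sits inside optional_policy(`...'). As written, gpg can no longer be linked without the pulseaudio module; either wrap the call in optional_policy or state in the description that the hard dependency is intended.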
@@ -275,14 +276,9 @@
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
allow gpg_pinentry_t self:shm create_shm_perms;
allow gpg_pinentry_t self:tcp_socket { accept listen };
-allow gpg_pinentry_t self:unix_dgram_socket sendto;

manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-
-manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
-manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
-fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })

can_exec(gpg_pinentry_t, pinentry_exec_t)

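Review bot: the three removed gpg_pinentry_tmpfs_t rules (manage_dirs_pattern, manage_files_pattern, fs_tmpfs_filetrans) are not replaced by anything in the pulseaudio client policy, which only grants read and delete on pulseaudio_tmpfs_file_type, so pinentry would lose the ability to create its own shared-memory files; keep those three lines (the follow-up in this thread confirms the removal was accidental). Dropping `allow gpg_pinentry_t self:unix_dgram_socket sendto;` only works because pulseaudio_run() in the optional_policy block below makes gpg_pinentry_t a pulseaudio_client, which re-grants it; without the pulseaudio module that permission is gone.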
@@ -308,7 +304,6 @@
files_read_usr_files(gpg_pinentry_t)

fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
-fs_getattr_tmpfs(gpg_pinentry_t)

auth_use_nsswitch(gpg_pinentry_t)

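Review bot: fs_getattr_tmpfs(gpg_pinentry_t) is removed here and only comes back as fs_getattr_tmpfs(pulseaudio_client), i.e. through the optional pulseaudio_run() call. Pinentry needs getattr on the tmpfs filesystem for its own gpg_pinentry_tmpfs_t files regardless of pulseaudio, so the direct call should stay.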
@@ -317,16 +312,7 @@
miscfiles_read_fonts(gpg_pinentry_t)
miscfiles_read_localization(gpg_pinentry_t)

-userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_use_user_terminals(gpg_pinentry_t)
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(gpg_pinentry_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(gpg_pinentry_t)
-')

optional_policy(`
dbus_all_session_bus_client(gpg_pinentry_t)
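Review bot: the removed userdom_read_user_home_content_files() and the two read-only NFS/CIFS tunables are effectively replaced by userdom_manage_user_home_content_files(pulseaudio_client) and the fs_manage_nfs_*/fs_manage_cifs_* rules in the new client policy, which widens pinentry from read to full manage of user home content. If pinentry only needs to read, this is a privilege increase the description should call out.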
@@ -334,11 +320,7 @@
')

optional_policy(`
- pulseaudio_exec(gpg_pinentry_t)
- pulseaudio_rw_home_files(gpg_pinentry_t)
- pulseaudio_setattr_home_dir(gpg_pinentry_t)
- pulseaudio_stream_connect(gpg_pinentry_t)
- pulseaudio_signull(gpg_pinentry_t)
+ pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
')

optional_policy(`
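Review bot: pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles) replaces five targeted interfaces (exec, rw home files, setattr home dir, stream connect, signull) with a domain transition plus the entire pulseaudio_client attribute. Confirm that pinentry really needs to start pulseaudio itself; if it only connects to a running instance, pulseaudio_stream_connect() and pulseaudio_signull() keep the scope much narrower.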
diff --git a/mozilla.te b/mozilla.te
index edb579a..7d11298 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
-policy_module(mozilla, 2.7.0)
+policy_module(mozilla, 2.7.1)

########################################
#
@@ -42,6 +42,7 @@

type mozilla_plugin_tmpfs_t;
userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
+pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)

type mozilla_plugin_rw_t;
files_type(mozilla_plugin_rw_t)
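Review bot: pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t) is an unconditional call on an optional module's interface; mozilla now fails to link without pulseaudio unless this is wrapped in optional_policy(`...'). The pulseaudio_run() calls later in this file are already conditional, so the tmpfs_content call should follow the same pattern.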
@@ -58,6 +59,7 @@
typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sysadm_mozilla_tmpfs_t };
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
+pulseaudio_tmpfs_content(mozilla_tmpfs_t)

########################################
#
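Review bot: pulseaudio_tmpfs_content(mozilla_tmpfs_t) is also called outside optional_policy, creating a hard dependency of the mozilla module on pulseaudio; move it into an optional_policy block.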
@@ -273,7 +275,7 @@
')

optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
+ lpd_run_lpr(mozilla_t, mozilla_roles)
')

optional_policy(`
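Review bot: changing lpd_run_lpr(mozilla_plugin_t, mozilla_roles) to lpd_run_lpr(mozilla_t, mozilla_roles) is unrelated to pulseaudio and is not mentioned in the description. It looks like a genuine fix (this optional_policy block sits in the mozilla_t local policy, before the mozilla_plugin_t rules), but it needs either a sentence in the description or its own patch.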
@@ -283,7 +285,7 @@
')

optional_policy(`
- pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_run(mozilla_t, mozilla_roles)
')

optional_policy(`
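Review bot: replacing pulseaudio_role(mozilla_roles, mozilla_t) with pulseaudio_run(mozilla_t, mozilla_roles) drops everything the rewritten pulseaudio_role() adds on top of pulseaudio_run(): ptrace/signal_perms on pulseaudio_t, ps_process_pattern, and manage/relabel of pulseaudio home, tmp and tmpfs content. For a browser that is the right direction, but it is a behaviour change and the argument order also swaps (domain first, role second), so it should be called out in the description.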
@@ -302,10 +304,8 @@
allow mozilla_plugin_t self:sem create_sem_perms;
allow mozilla_plugin_t self:shm create_shm_perms;
allow mozilla_plugin_t self:tcp_socket { accept listen };
-allow mozilla_plugin_t self:unix_dgram_socket sendto;
allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen };

-allow mozilla_plugin_t mozilla_t:process signull;
allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms;
allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms;
allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
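Review bot: `allow mozilla_plugin_t mozilla_t:process signull;` is removed on the assumption that both domains become pulseaudio_client and `allow pulseaudio_client pulseaudio_client:process signull;` in pulseaudio.te covers it. That only holds when the optional pulseaudio_run() blocks for both mozilla_t and mozilla_plugin_t are built; without the pulseaudio module the plugin loses a permission that has nothing to do with audio. The same applies to the dropped unix_dgram_socket sendto.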
@@ -453,7 +453,6 @@
term_getattr_all_ptys(mozilla_plugin_t)

application_exec(mozilla_plugin_t)
-application_dontaudit_signull(mozilla_plugin_t)

auth_use_nsswitch(mozilla_plugin_t)

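Review bot: application_dontaudit_signull(mozilla_plugin_t) silenced signull towards all application domains; the replacement, signull among pulseaudio_client domains, only covers other pulse clients and is an allow rather than a dontaudit. Expect new audit noise when the plugin pings non-client application domains unless the dontaudit is kept.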
@@ -553,7 +552,7 @@
')

optional_policy(`
- pulseaudio_role(mozilla_plugin_roles, mozilla_plugin_t)
+ pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
')

optional_policy(`
diff --git a/mpd.te b/mpd.te
index 49dc4b3..ef7fde6 100644
--- a/mpd.te
+++ b/mpd.te
@@ -1,4 +1,4 @@
-policy_module(mpd, 1.0.2)
+policy_module(mpd, 1.0.3)

########################################
#
@@ -51,6 +51,7 @@

type mpd_tmpfs_t;
files_tmpfs_file(mpd_tmpfs_t)
+pulseaudio_tmpfs_content(mpd_tmpfs_t)

type mpd_var_lib_t;
files_type(mpd_var_lib_t)
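Review bot: mpd_tmpfs_t is a files_tmpfs_file() type belonging to a system daemon, and pulseaudio_tmpfs_content(mpd_tmpfs_t) is called unconditionally here. Besides the hard dependency on the pulseaudio module (the other pulseaudio calls in this file are inside optional_policy), this lets every user-session pulseaudio_client (mozilla, mplayer, pinentry, ...) read and delete mpd's shared-memory files, which crosses a different trust boundary from the per-user client types elsewhere in the patch.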
@@ -67,7 +68,6 @@
allow mpd_t self:process { getsched setsched setrlimit signal signull };
allow mpd_t self:fifo_file rw_fifo_file_perms;
allow mpd_t self:unix_stream_socket { accept connectto listen };
-allow mpd_t self:unix_dgram_socket sendto;
allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;

@@ -89,7 +89,7 @@
files_tmp_filetrans(mpd_t, mpd_tmp_t, { dir file sock_file })

allow mpd_t mpd_tmpfs_t:file manage_file_perms;
-fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file )
+fs_tmpfs_filetrans(mpd_t, mpd_tmpfs_t, file)

allow mpd_t mpd_user_data_t:dir list_dir_perms;
allow mpd_t mpd_user_data_t:file read_file_perms;
@@ -129,10 +129,6 @@
corenet_sendrecv_http_cache_client_packets(mpd_t)
corenet_tcp_connect_http_cache_port(mpd_t)
corenet_tcp_sendrecv_http_cache_port(mpd_t)
-
-corenet_sendrecv_pulseaudio_client_packets(mpd_t)
-corenet_tcp_connect_pulseaudio_port(mpd_t)
-corenet_tcp_sendrecv_pulseaudio_port(mpd_t)

dev_read_sound(mpd_t)
dev_write_sound(mpd_t)
@@ -194,17 +190,12 @@
')

optional_policy(`
- pulseaudio_exec(mpd_t)
- pulseaudio_stream_connect(mpd_t)
- pulseaudio_signull(mpd_t)
+ pulseaudio_domtrans(mpd_t)
+
')

optional_policy(`
rpc_search_nfs_state_data(mpd_t)
-')
-
-optional_policy(`
- rtkit_daemon_dbus_chat(mpd_t)
')

optional_policy(`
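Review bot: there is a stray `+` blank line between pulseaudio_domtrans(mpd_t) and the closing `')`. The removed rtkit_daemon_dbus_chat(mpd_t), which had its own optional_policy guard, is now granted as a side effect of rtkit_scheduled(pulseaudio_client) in pulseaudio.te; note that in the description. mpd_t is an init daemon running in system_r, and `role system_r types pulseaudio_t;` is removed from pulseaudio.te in favour of pulseaudio_roles, so check that system_r still gets pulseaudio_t via init_daemon_domain() or the transition will fail for mpd.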
diff --git a/mplayer.te b/mplayer.te
index 2e42824..a24fb6f 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -42,6 +42,7 @@
typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
userdom_user_tmpfs_file(mplayer_tmpfs_t)
+pulseaudio_tmpfs_content(mplayer_tmpfs_t)

########################################
#
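Review bot: unlike gpg, mozilla, mpd and qemu, mplayer.te gets no policy_module() version bump in this patch although its policy changes. Also, pulseaudio_tmpfs_content(mplayer_tmpfs_t) is called unconditionally, outside the optional_policy block used for the pulseaudio_run() call at the end of the file, which makes pulseaudio a hard dependency of mplayer.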
@@ -126,7 +127,6 @@
allow mplayer_t self:process { signal_perms getsched };
allow mplayer_t self:fifo_file rw_fifo_file_perms;
allow mplayer_t self:sem create_sem_perms;
-allow mplayer_t self:unix_dgram_socket sendto;

allow mplayer_t mplayer_etc_t:dir list_dir_perms;
allow mplayer_t mplayer_etc_t:file read_file_perms;
@@ -153,10 +153,6 @@
corenet_all_recvfrom_unlabeled(mplayer_t)
corenet_tcp_sendrecv_generic_if(mplayer_t)
corenet_tcp_sendrecv_generic_node(mplayer_t)
-
-corenet_sendrecv_pulseaudio_client_packets(mplayer_t)
-corenet_tcp_connect_pulseaudio_port(mplayer_t)
-corenet_tcp_sendrecv_pulseaudio_port(mplayer_t)

corecmd_exec_bin(mplayer_t)
corecmd_exec_shell(mplayer_t)
@@ -250,7 +246,5 @@
')

optional_policy(`
- pulseaudio_exec(mplayer_t)
- pulseaudio_stream_connect(mplayer_t)
- pulseaudio_signull(mplayer_t)
+ pulseaudio_run(mplayer_t, mplayer_roles)
')
diff --git a/pulseaudio.fc b/pulseaudio.fc
index 783a98c..4311cef 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
@@ -1,7 +1,9 @@
-HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)

/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)

/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
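Review bot: the `+` blank line between the /var/lib/pulse and /var/run/pulse entries is a whitespace-only change that should be dropped from this patch. The `--` added to the two HOME_DIR cookie entries is a correct tightening (regular files only), and HOME_DIR/\.esd_auth is a new file context that deserves a mention in the description.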
diff --git a/pulseaudio.if b/pulseaudio.if
index f40c64d..5bce16c 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -2,7 +2,7 @@

########################################
## <summary>
-## Role access for pulseaudio
+## Role access for pulseaudio.
## </summary>
## <param name="role">
## <summary>
@@ -17,26 +17,51 @@
#
interface(`pulseaudio_role',`
gen_require(`
- type pulseaudio_t, pulseaudio_exec_t;
- class dbus { acquire_svc send_msg };
+ attribute pulseaudio_tmpfs_file_type;
+ type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
+ type pulseaudio_tmp_t;
')

- role $1 types pulseaudio_t;
+ pulseaudio_run($2, $1)

- # Transition from the user domain to the derived domain.
- domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
-
+ allow $2 pulseaudio_t:process { ptrace signal_perms };
ps_process_pattern($2, pulseaudio_t)

- allow pulseaudio_t $2:process { signal signull };
- allow $2 pulseaudio_t:process { signal signull sigkill };
- ps_process_pattern(pulseaudio_t, $2)
+ allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+ userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse")
+ userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth")
+ userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie")
+
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfs_file_type }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfs_file_type }:file { manage_file_perms relabel_file_perms };
+
+ allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
+ allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

allow pulseaudio_t $2:unix_stream_socket connectto;
- allow $2 pulseaudio_t:unix_stream_socket connectto;
+')

- allow $2 pulseaudio_t:dbus send_msg;
- allow pulseaudio_t $2:dbus { acquire_svc send_msg };
+########################################
+## <summary>
+## Make the specified tmpfs file type
+## pulseaudio tmpfs content.
+## </summary>
+## <param name="file_type">
+## <summary>
+## File type to make pulseaudio tmpfs content.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_tmpfs_content',`
+ gen_require(`
+ attribute pulseaudio_tmpfs_file_type;
+ ')
+
+ typeattribute $1 pulseaudio_tmpfs_file_type;
')

########################################
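Review bot: pulseaudio_role() gains `allow $2 pulseaudio_t:process { ptrace signal_perms };`, where the old interface only allowed { signal signull sigkill }; ptrace on the audio daemon from a user role is a large grant and needs a justification or should be removed. In the other direction, the old `allow pulseaudio_t $2:process { signal signull };` shrinks to signull via the client attribute, and the dbus send_msg/acquire_svc rules disappear from this interface entirely, to be supplied by pulseaudio_dbus_chat(pulseaudio_client) inside an optional_policy block in pulseaudio.te; that dependency should be spelled out, since a role caller that is not a client no longer gets any dbus access here.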
@@ -51,16 +76,21 @@
#
interface(`pulseaudio_domtrans',`
gen_require(`
+ attribute pulseaudio_client;
type pulseaudio_t, pulseaudio_exec_t;
')

+ typeattribute $1 pulseaudio_client;
+
+ corecmd_search_bin($1)
domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
')

########################################
## <summary>
-## Execute pulseaudio in the pulseaudio domain, and
-## allow the specified role the pulseaudio domain.
+## Execute pulseaudio in the
+## pulseaudio domain, and allow the
+## specified role the pulseaudio domain.
## </summary>
## <param name="domain">
## <summary>
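Review bot: adding `typeattribute $1 pulseaudio_client;` to pulseaudio_domtrans() means every caller of pulseaudio_domtrans() or pulseaudio_run() silently receives the entire client policy from pulseaudio.te (connect to the pulseaudio port, manage of user home content, read of all pulseaudio_tmpfs_file_type content, rtkit scheduling). That is the design the cover letter describes, but the interface summary should say so: a domtrans interface that assigns an attribute with that much policy behind it is unusual in refpolicy and callers will not expect it.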
@@ -75,16 +105,16 @@
#
interface(`pulseaudio_run',`
gen_require(`
- type pulseaudio_t;
+ attribute_role pulseaudio_roles;
')

pulseaudio_domtrans($1)
- role $2 types pulseaudio_t;
+ roleattribute $2 pulseaudio_roles;
')

########################################
## <summary>
-## Execute a pulseaudio in the current domain.
+## Execute pulseaudio in the caller domain.
## </summary>
## <param name="domain">
## <summary>
@@ -97,12 +127,13 @@
type pulseaudio_exec_t;
')

+ corecmd_search_bin($1)
can_exec($1, pulseaudio_exec_t)
')

########################################
## <summary>
-## Do not audit to execute a pulseaudio.
+## Do not audit attempts to execute pulseaudio.
## </summary>
## <param name="domain">
## <summary>
@@ -120,7 +151,7 @@

########################################
## <summary>
-## Send signull signal to pulseaudio
+## Send null signals to pulseaudio.
## processes.
## </summary>
## <param name="domain">
@@ -139,8 +170,8 @@

#####################################
## <summary>
-## Connect to pulseaudio over a unix domain
-## stream socket.
+## Connect to pulseaudio with a unix
+## domain stream socket.
## </summary>
## <param name="domain">
## <summary>
@@ -150,13 +181,12 @@
#
interface(`pulseaudio_stream_connect',`
gen_require(`
- type pulseaudio_t, pulseaudio_var_run_t;
+ type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
')

files_search_pids($1)
- allow $1 pulseaudio_t:process signull;
- allow pulseaudio_t $1:process signull;
- stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+ userdom_list_user_tmp($1)
+ stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
')

########################################
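Review bot: pulseaudio_stream_connect() no longer grants signull in either direction. Callers that are not pulseaudio_client domains (qemu_t in this patch) lose both the signull they could send to pulseaudio_t and the `allow pulseaudio_t $1:process signull` that let the daemon probe them; pulseaudio_signull() only restores the first half, so either make such callers clients or document why the reverse direction is not needed.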
@@ -182,9 +212,10 @@

########################################
## <summary>
-## Set the attributes of the pulseaudio homedir.
+## Set attributes of pulseaudio
+## home directories.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
@@ -195,34 +226,50 @@
type pulseaudio_home_t;
')

- allow $1 pulseaudio_home_t:dir setattr;
+ allow $1 pulseaudio_home_t:dir setattr_dir_perms;
')

########################################
## <summary>
-## Read pulseaudio homedir files.
+## Read pulseaudio home files.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pulseaudio_read_home_files',`
+ refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
+ pulseaudio_read_home($1)
+')
+
+########################################
+## <summary>
+## Read pulseaudio home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_home',`
gen_require(`
type pulseaudio_home_t;
')

userdom_search_user_home_dirs($1)
- read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ allow $1 pulseaudio_home_t:dir list_dir_perms;
+ allow $1 pulseaudio_home_t:file read_file_perms;
+ allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
-## Read and write Pulse Audio files.
+## Read and write pulseaudio home files.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
@@ -234,27 +281,43 @@
')

rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs($1)
')

########################################
## <summary>
-## Create, read, write, and delete pulseaudio
-## home directory files.
+## Create, read, write, and delete
+## pulseaudio home files.
## </summary>
-## <param name="user_domain">
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pulseaudio_manage_home_files',`
+ refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
+ pulseaudio_manage_home($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## pulseaudio home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_manage_home',`
gen_require(`
type pulseaudio_home_t;
')

userdom_search_user_home_dirs($1)
- manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ allow $1 pulseaudio_home_t:dir manage_dir_perms;
+ allow $1 pulseaudio_home_t:file manage_file_perms;
+ allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
')
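Review bot: pulseaudio_rw_home_files() drops read_lnk_files_pattern() while pulseaudio_read_home() and pulseaudio_manage_home() both keep lnk_file access, so a caller of the rw interface alone can no longer follow symlinks under ~/.pulse. Either keep the lnk_file rule or deprecate rw_home_files in favour of a pulseaudio_rw_home() that matches the new read/manage pair. The refpolicywarn() deprecation shims for pulseaudio_read_home_files() and pulseaudio_manage_home_files() look right.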
diff --git a/pulseaudio.te b/pulseaudio.te
index b48444a..7f62ec6 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -1,47 +1,68 @@
-policy_module(pulseaudio, 1.5.1)
+policy_module(pulseaudio, 1.5.2)

########################################
#
# Declarations
#

+attribute pulseaudio_client;
+attribute pulseaudio_tmpfs_file_type;
+
+attribute_role pulseaudio_roles;
+
type pulseaudio_t;
type pulseaudio_exec_t;
init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
-role system_r types pulseaudio_t;
+role pulseaudio_roles types pulseaudio_t;

type pulseaudio_home_t;
userdom_user_home_content(pulseaudio_home_t)
+
+type pulseaudio_tmp_t;
+userdom_user_tmp_file(pulseaudio_tmp_t)

type pulseaudio_tmpfs_t;
userdom_user_tmpfs_file(pulseaudio_tmpfs_t)

type pulseaudio_var_lib_t;
files_type(pulseaudio_var_lib_t)
-ubac_constrained(pulseaudio_var_lib_t)

type pulseaudio_var_run_t;
files_pid_file(pulseaudio_var_run_t)
-ubac_constrained(pulseaudio_var_run_t)

########################################
#
-# pulseaudio local policy
+# Local policy
#

allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
-allow pulseaudio_t self:fifo_file rw_file_perms;
-allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
-allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
-allow pulseaudio_t self:udp_socket create_socket_perms;
+allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
+allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
+allow pulseaudio_t self:unix_dgram_socket sendto;
+allow pulseaudio_t self:tcp_socket { accept listen };
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;

-manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-userdom_search_user_home_dirs(pulseaudio_t)
+allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
+allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
+allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
+
+userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
+userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
+userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
+files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
+userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })

manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
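Review bot: ubac_constrained() is dropped from pulseaudio_var_lib_t and pulseaudio_var_run_t without explanation. pulseaudio_t itself remains a userdom_user_application_domain, so removing the constraint from its files relaxes the user-based separation for /var/lib/pulse and /var/run/pulse content; if that is deliberate (for instance because the system instance runs as a single user), say so in the description. Also `allow pulseaudio_t self:udp_socket create_socket_perms;` goes away while corenet_udp_bind_sap_port(pulseaudio_t) stays, so UDP socket creation now depends entirely on what the base domain templates provide; confirm against a running system.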
@@ -53,6 +74,9 @@
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })

+allow pulseaudio_t pulseaudio_client:process signull;
+ps_process_pattern(pulseaudio_t, pulseaudio_client)
+
can_exec(pulseaudio_t, pulseaudio_exec_t)

kernel_getattr_proc(pulseaudio_t)
@@ -63,20 +87,32 @@

corenet_all_recvfrom_unlabeled(pulseaudio_t)
corenet_all_recvfrom_netlabel(pulseaudio_t)
-corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
-corenet_tcp_bind_soundd_port(pulseaudio_t)
corenet_tcp_sendrecv_generic_if(pulseaudio_t)
-corenet_tcp_sendrecv_generic_node(pulseaudio_t)
-corenet_udp_bind_sap_port(pulseaudio_t)
corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
corenet_udp_sendrecv_generic_node(pulseaudio_t)
+corenet_tcp_sendrecv_all_ports(pulseaudio_t)
+corenet_udp_sendrecv_all_ports(pulseaudio_t)
+corenet_tcp_bind_generic_node(pulseaudio_t)
+corenet_udp_bind_generic_node(pulseaudio_t)
+
+corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
+corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
+corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t)
+
+corenet_sendrecv_soundd_server_packets(pulseaudio_t)
+corenet_tcp_bind_soundd_port(pulseaudio_t)
+corenet_tcp_sendrecv_soundd_port(pulseaudio_t)
+
+corenet_sendrecv_sap_server_packets(pulseaudio_t)
+corenet_udp_bind_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_sap_port(pulseaudio_t)

dev_read_sound(pulseaudio_t)
dev_write_sound(pulseaudio_t)
dev_read_sysfs(pulseaudio_t)
dev_read_urand(pulseaudio_t)

-files_read_etc_files(pulseaudio_t)
files_read_usr_files(pulseaudio_t)

fs_rw_anon_inodefs_files(pulseaudio_t)
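Review bot: corenet_tcp_sendrecv_all_ports() and corenet_udp_sendrecv_all_ports() plus the bind_generic_node calls give pulseaudio_t traffic on every labeled port, even though the specific pulseaudio, soundd and sap port blocks are listed right below them. If the wide rules are for dynamically chosen ports (RTP or similar), add a comment naming the feature; otherwise the three specific blocks are enough. files_read_etc_files(pulseaudio_t) is removed without replacement; confirm the daemon still reaches its configuration under /etc through some other rule, or this will surface as a denial.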
@@ -92,10 +128,24 @@

miscfiles_read_localization(pulseaudio_t)

-# cjp: this seems excessive. need to confirm
-userdom_manage_user_home_content_files(pulseaudio_t)
-userdom_manage_user_tmp_files(pulseaudio_t)
-userdom_manage_user_tmpfs_files(pulseaudio_t)
+userdom_search_user_home_dirs(pulseaudio_t)
+userdom_write_user_tmp_sockets(pulseaudio_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(pulseaudio_t)
+ fs_manage_nfs_files(pulseaudio_t)
+ fs_manage_nfs_symlinks(pulseaudio_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(pulseaudio_t)
+ fs_manage_cifs_files(pulseaudio_t)
+ fs_manage_cifs_symlinks(pulseaudio_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(pulseaudio_t)
+')

optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
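Review bot: removing userdom_manage_user_home_content_files/user_tmp_files/user_tmpfs_files from pulseaudio_t resolves cjp's "this seems excessive" comment, but userdom_manage_user_home_content_files() reappears on pulseaudio_client in the client policy hunk, so the excess moves from one domain to every client. The new use_nfs_home_dirs/use_samba_home_dirs blocks grant fs_manage_* on dirs, files and symlinks, which is broader than the ~/.pulse directory and two cookie files the pulseaudio_home_t rules above cover; consider matching them.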
@@ -103,7 +153,6 @@

optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
- dbus_system_bus_client(pulseaudio_t)
dbus_all_session_bus_client(pulseaudio_t)
dbus_connect_all_session_bus(pulseaudio_t)

@@ -146,3 +195,58 @@
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
+
+########################################
+#
+# Client local policy
+#
+
+allow pulseaudio_client self:unix_dgram_socket sendto;
+
+allow pulseaudio_client pulseaudio_client:process signull;
+
+read_files_pattern(pulseaudio_client, { pulseaudio_tmpfs_file_type pulseaudio_tmpfs_t }, { pulseaudio_tmpfs_file_type pulseaudio_tmpfs_t })
+delete_files_pattern(pulseaudio_client, pulseaudio_tmpfs_file_type, pulseaudio_tmpfs_file_type)
+
+fs_getattr_tmpfs(pulseaudio_client)
+
+corenet_all_recvfrom_unlabeled(pulseaudio_client)
+corenet_all_recvfrom_netlabel(pulseaudio_client)
+corenet_tcp_sendrecv_generic_if(pulseaudio_client)
+corenet_tcp_sendrecv_generic_node(pulseaudio_client)
+
+corenet_sendrecv_pulseaudio_client_packets(pulseaudio_client)
+corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
+corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+
+pulseaudio_stream_connect(pulseaudio_client)
+pulseaudio_read_home(pulseaudio_client)
+pulseaudio_rw_home_files(pulseaudio_client)
+pulseaudio_setattr_home_dir(pulseaudio_client)
+pulseaudio_signull(pulseaudio_client)
+
+rtkit_scheduled(pulseaudio_client)
+
+# TODO: ~/.cache
+userdom_manage_user_home_content_files(pulseaudio_client)
+
+userdom_read_user_tmpfs_files(pulseaudio_client)
+# userdom_delete_user_tmpfs_files(pulseaudio_client)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(pulseaudio_client)
+ fs_manage_nfs_dirs(pulseaudio_client)
+ fs_manage_nfs_files(pulseaudio_client)
+ fs_read_nfs_symlinks(pulseaudio_client)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(pulseaudio_client)
+ fs_manage_cifs_dirs(pulseaudio_client)
+ fs_manage_cifs_files(pulseaudio_client)
+ fs_read_cifs_symlinks(pulseaudio_client)
+')
+
+optional_policy(`
+ pulseaudio_dbus_chat(pulseaudio_client)
+')
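Review bot: rtkit_scheduled(pulseaudio_client) is called outside optional_policy, which makes rtkit a hard dependency of the pulseaudio module (mpd.te previously kept rtkit_daemon_dbus_chat inside optional_policy); wrap it. Three more points in this block: userdom_manage_user_home_content_files(pulseaudio_client) gives every pulse client full manage of all user home content, far beyond the "pulse audio home content" the description talks about, and the TODO about ~/.cache suggests a narrower type is the real target; the description says clients must read and delete user tmpfs files, yet userdom_delete_user_tmpfs_files is commented out, so either enable it or amend the text; and delete_files_pattern covers only pulseaudio_tmpfs_file_type while read_files_pattern also includes pulseaudio_tmpfs_t, so clients can read but not remove the daemon's own tmpfs files, which may be intended but is asymmetric. One shared attribute also lets every client read every other client's shared memory (e.g. mozilla_plugin_t reading gpg_pinentry_tmpfs_t), which is the scope trade-off Sven raises in the thread.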
diff --git a/qemu.te b/qemu.te
index d1db264..94af893 100644
--- a/qemu.te
+++ b/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.7.1)
+policy_module(qemu, 1.7.2)

########################################
#
@@ -96,7 +96,7 @@
')

optional_policy(`
- pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_manage_home(qemu_t)
pulseaudio_stream_connect(qemu_t)
')

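Review bot: qemu_t keeps using pulseaudio_stream_connect() without pulseaudio_domtrans(), so it is not a pulseaudio_client and receives none of the signull, pulseaudio port or tmpfs rules the attribute carries; with the signull lines removed from pulseaudio_stream_connect() in this patch, pulseaudio_t can no longer signull qemu_t and qemu_t cannot signull the daemon. Either add pulseaudio_signull(qemu_t) together with the reverse direction, or make qemu a client if it should be able to restart pulseaudio like the other domains in this patch.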


2012-10-19 17:31:57

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies



On Fri, 2012-10-19 at 19:23 +0200, Dominick Grift wrote:

> manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
> userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
> -
> -manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> -manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
> -fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
>

Whoops, that should not have been removed, so re-adding that.

2012-10-19 18:00:56

by sven.vermeulen

Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies

On Fri, Oct 19, 2012 at 07:23:42PM +0200, Dominick Grift wrote:
> The pulseaudio_tmpfs_file_type is assigned to all clients tmpfile
> file types separately with the pulseaudio_tmpfs_content() interface
>
> pulseaudio_clients atomatically get the access they need to pulseaudio
> tmpfs content
>
> read and delete the content

I have a similar construction with alsa. One thing I am hoping to look into
soon is a "What if /dev/shm was shm_tmpfs_t instead of tmpfs_t", would that
make sense?

It would tighten the scope of such "wide" tmpfs file accesses.

Wkr,
Sven Vermeulen

2012-10-19 18:11:15

by Daniel Walsh

Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies


On 10/19/2012 02:00 PM, Sven Vermeulen wrote:
> On Fri, Oct 19, 2012 at 07:23:42PM +0200, Dominick Grift wrote:
>> The pulseaudio_tmpfs_file_type is assigned to all clients tmpfile file
>> types separately with the pulseaudio_tmpfs_content() interface
>>
>> pulseaudio_clients atomatically get the access they need to pulseaudio
>> tmpfs content
>>
>> read and delete the content
>
> I have a similar construction with alsa. One thing I am hoping to look
> into soon is a "What if /dev/shm was shm_tmpfs_t instead of tmpfs_t", would
> that make sense?
>
> It would tighten the scope of such "wide" tmpfs file accesses.
>
> Wkr, Sven Vermeulen
>
Or just shm_t. Since /tmp is now a tmpfs but we label it tmpfs_t.

That would allow admins to create a new tmpfs for a specific use and prevent
confined domains from using it. Currently we have tmpfs on /run, /dev and
/tmp and they all have unique labels; /dev/shm should probably also.


2012-10-19 18:13:19

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies



On Fri, 2012-10-19 at 20:00 +0200, Sven Vermeulen wrote:
> On Fri, Oct 19, 2012 at 07:23:42PM +0200, Dominick Grift wrote:
> > The pulseaudio_tmpfs_file_type is assigned to all clients tmpfile
> > file types separately with the pulseaudio_tmpfs_content() interface
> >
> > pulseaudio_clients atomatically get the access they need to pulseaudio
> > tmpfs content
> >
> > read and delete the content
>
> I have a similar construction with alsa. One thing I am hoping to look into
> soon is a "What if /dev/shm was shm_tmpfs_t instead of tmpfs_t", would that
> make sense?
>
> It would tighten the scope of such "wide" tmpfs file accesses.

pulseaudio clients create that pulse-shm file in /dev/shm with a private
type, I do not see how this would help?

programs that use pulse and that run in the userdomain create those
files with user_tmpfs_t

So all they need with regard to tmpfs_t is search tmpfs_t dirs, add and
remove dir entries from tmpfs_t dirs and get attributes of tmpfs_t
filesystems

> Wkr,
> Sven Vermeulen

2012-10-19 18:45:11

by sven.vermeulen

Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies

On Fri, Oct 19, 2012 at 08:13:19PM +0200, Dominick Grift wrote:
> > I have a similar construction with alsa. One thing I am hoping to look into
> > soon is a "What if /dev/shm was shm_tmpfs_t instead of tmpfs_t", would that
> > make sense?
> >
> > It would tighten the scope of such "wide" tmpfs file accesses.
>
> pulseaudio clients create that pulse-shm file in /dev/shm with a private
> type, i do not see how this would help?
>
> programs that use pulse and that run in the userdomain create those
> files with user_tmpfs_t
>
> So all they need with regard to tmpfs_t is search tmpfs_t dirs, add and
> remove dir entries from tmpfs_t dirs and get attributes of tmpfs_t
> filesystems

It's mainly for reducing the scope. If pulseaudio clients automatically have
their tmpfs types be writeable by other pulseaudio clients, then also
non-shm related tmpfs files are affected by this.

If we'd use a specific type for shared memory (like shm_t) then other tmpfs
files are not "opened up".

It's a fairly intrusive change for a small gain, I understand (many policies
will need to be adapted for this, whereas there aren't that many tmpfs
locations on a system I think that are actually labeled as tmpfs_t). Hence
the "look into" part of the suggestion ;)

Wkr,
Sven Vermeulen

2012-10-19 20:51:46

by Daniel Walsh

Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies


On 10/19/2012 02:13 PM, Dominick Grift wrote:

They are allowed to create files in the tmpfs.

Imagine a third party product creates a tmpfs in /dev/mytmpfs

Currently confined apps and users are allowed to create files in that
directory, if we gave access only to shm_t then this tmpfs would be protected.
Of course the third party could label its tmpfs something different, but
then they would need to know about SELinux.

Just a thought.

2012-10-19 21:03:07

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies



On Fri, 2012-10-19 at 16:51 -0400, Daniel J Walsh wrote:
> On 10/19/2012 02:13 PM, Dominick Grift wrote:
>
> They are allowed to create files in the tmpfs.
>
> Imagine a third party product creates a tmpfs in /dev/mytmpfs
>
> Currently confined apps and users are allowed to create files in that
> directory, if we gave access only to shm_t then this tmpfs would be protected.
> Of course the third party could label it's tmpfs something different, but
> then they would need to know about SELinux.
>
> Just a thought.

Sure, I am OK with that idea. Go ahead and implement it ;)

I am currently more interested in applicable feedback, suggestions and
comments on the patch in the topic though :)

2012-10-29 12:42:51

by dominick.grift

Subject: [refpolicy] [REVIEW REQUEST] Changes to the pulseaudio policy module and its dependencies



On Fri, 2012-10-19 at 19:23 +0200, Dominick Grift wrote:
> I am currently trying to port the pulseaudio policy module with changes

If I do not get any comments, suggestions or questions then I guess this
is good to implement