From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 30 Mar 2014 16:09:10 +0200
Subject: [refpolicy] [PATCH 1/3] Introduce alsa domains
In-Reply-To: <1396188552-16007-1-git-send-email-sven.vermeulen@siphos.be>
References: <1396188552-16007-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1396188552-16007-2-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Some plugins in the ALSA ecosystem (including the default dmix/pcm plugins) use SysV IPC resources to collaborate access to the sound subsystem between ALSA-enabled applications. These applications thus require access to the ALSA semaphore created by the first application that uses access to the sound subsystem as well as the shared memory.

If they don't, then sound is not available for the subsequent applications, like with mplayer:

  alsa-lib: pcm_dmix.c:989:(snd_pcm_dmix_open) unable to create IPC semaphore

As this means that all ALSA enabled domains need access to the semaphores of all other ALSA enabled domains, starting to sum up all these domains is not manageable. As a result, an attribute called "alsadomain" is created which is assigned to all domains that use ALSA. Then, we grant the following:

  allow alsadomain alsadomain:sem create_sem_perms;
  allow alsadomain alsadomain:shm rw_shm_perms;

The second 'failure' one would get is access to the Linux shared memory. This is not all covered only by the shm class, but also through tmpfs, as can be seen in the following denial:

  type=AVC msg=audit(1396182569.016:1763): avc: denied { write } for pid=1047 comm="mplayer" path=2F535953563030353661346435202864656C6574656429 dev="tmpfs" ino=1867789 scontext=staff_u:staff_r:mplayer_t tcontext=staff_u:object_r:mozilla_plugin_tmpfs_t tclass=file

In the above denial, we notice that mplayer failed to write to shared memory created by the mozilla_plugin_t domain (and thus labeled as mozilla_plugin_tmpfs_t).
This is shared memory, as can be decomposed from the path:

  python -c 'import base64; print(base64.b16decode("2F535953563030353661346435202864656C6574656429"));'
  b'/SYSV0056a4d5 (deleted)'

That means we also need to grant ALSA domains read/write access to the tmpfs types of the ALSA domains. For this, we create an attribute called "alsatmpfsfile" which is assigned to the tmpfs_t types of those ALSA domains, with:

  allow alsadomain alsatmpfsfile:file rw_file_perms;

With this in place, we now create an interface called "alsa_domain" that assigns the attributes to the ALSA enabled applications, such as this:

  alsa_domain(mplayer_t, mplayer_tmpfs_t)

Signed-off-by: Sven Vermeulen
--- alsa.if | 25 +++++++++++++++++++++++++ alsa.te | 17 +++++++++++++++++ mozilla.te | 3 +-- mplayer.te | 2 +- pulseaudio.te | 2 +- 5 files changed, 45 insertions(+), 4 deletions(-) diff --git a/alsa.if b/alsa.if index ca8d8cf..ef7eb3d 100644 --- a/alsa.if +++ b/alsa.if @@ -2,6 +2,31 @@ ######################################## ## +## Mark the selected domain as an ALSA-capable domain +## +## +## +## Domain that links with ALSA +## +## +## +## +## Tmpfs type used for shared memory of the given domain +## +## +# +interface(`alsa_domain',` + gen_require(` + attribute alsadomain; + attribute alsatmpfsfile; + ') + + typeattribute $1 alsadomain; + typeattribute $2 alsatmpfsfile; +') + +######################################## +## ## Role access for alsa. ## ## diff --git a/alsa.te b/alsa.te index 814b426..4fd8018 100644 --- a/alsa.te +++ b/alsa.te @@ -5,12 +5,16 @@ policy_module(alsa, 1.13.0) # Declarations # +attribute alsadomain; +attribute alsatmpfsfile; + attribute_role alsa_roles; type alsa_t; type alsa_exec_t; init_system_domain(alsa_t, alsa_exec_t) role alsa_roles types alsa_t; +typeattribute alsa_t alsadomain; type alsa_etc_rw_t; files_config_file(alsa_etc_rw_t) 
@@ -20,6 +24,7 @@ files_tmp_file(alsa_tmp_t) type alsa_tmpfs_t; files_tmpfs_file(alsa_tmpfs_t) +typeattribute alsa_tmpfs_t alsatmpfsfile; type alsa_var_lib_t; files_type(alsa_var_lib_t) @@ -29,6 +34,18 @@ userdom_user_home_content(alsa_home_t) ######################################## # +# alsadomain policy +# + +allow alsadomain alsadomain:sem create_sem_perms; +allow alsadomain alsadomain:shm rw_shm_perms; +allow alsadomain alsatmpfsfile:file rw_file_perms; + +alsa_read_rw_config(alsadomain) +alsa_read_home_files(alsadomain) + +######################################## +# # Local policy # diff --git a/mozilla.te b/mozilla.te index 11ac8e4..63f0875 100644 --- a/mozilla.te +++ b/mozilla.te @@ -518,8 +518,7 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` - alsa_read_rw_config(mozilla_plugin_t) - alsa_read_home_files(mozilla_plugin_t) + alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t) ') optional_policy(` diff --git a/mplayer.te b/mplayer.te index 0f03cd9..6300573 100644 --- a/mplayer.te +++ b/mplayer.te @@ -250,7 +250,7 @@ tunable_policy(`allow_mplayer_execstack',` ') optional_policy(` - alsa_read_rw_config(mplayer_t) + alsa_domain(mplayer_t, mplayer_tmpfs_t) ') optional_policy(` diff --git a/pulseaudio.te b/pulseaudio.te index 4665af2..5a8f356 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -144,7 +144,7 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` - alsa_read_rw_config(pulseaudio_t) + alsa_domain(pulseaudio_t, pulseaudio_tmpfs_t) ') optional_policy(` -- 1.8.3.2
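
Review bot: in alsa.if, alsa_domain makes the tmpfs type a mandatory second argument ("typeattribute $2 alsatmpfsfile;"), so a domain that links with ALSA but declares no tmpfs type of its own has no way to call it. Consider splitting this into two interfaces, one that assigns alsadomain and one that assigns alsatmpfsfile, or state in the interface documentation that callers must already own a tmpfs type.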
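
Review bot: in the new "alsadomain policy" block of alsa.te, the rule "allow alsadomain alsatmpfsfile:file rw_file_perms;" is wider than the SysV segments the commit message describes: it gives every ALSA domain read/write on every file labeled with any other ALSA domain's tmpfs type, so with this series mplayer_t can write all mozilla_plugin_tmpfs_t files and the reverse. If the target cannot be narrowed, add a comment above these three allow rules stating that the cross-domain sharing is intentional and why, so that a later audit does not have to rediscover it from the commit log.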
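
Review bot: in the mplayer.te and pulseaudio.te hunks the only line removed is alsa_read_rw_config(...), yet the replacement alsa_domain(...) call also brings in alsa_read_home_files through the alsadomain attribute (see "alsa_read_home_files(alsadomain)" in alsa.te), on top of the semaphore, shm and tmpfs access. The commit message only explains the IPC part; please mention that mplayer_t and pulseaudio_t additionally gain read access to the ALSA home files, or keep that call per domain as mozilla.te had it.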
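
Added example, not part of the original patch or of refpolicy: a Python parser that applies the decoding step from the commit message to whole AVC lines and reports which source domain was denied on which tmpfs type for a SysV shared memory segment. The function names and the second sample log line are constructed for illustration.

```python
import re

# Constructed sample input: the first line is the denial quoted in the commit
# message; the second is a made-up denial on an ordinary file for contrast.
SAMPLE_LOG = """\
type=AVC msg=audit(1396182569.016:1763): avc: denied { write } for pid=1047 comm="mplayer" path=2F535953563030353661346435202864656C6574656429 dev="tmpfs" ino=1867789 scontext=staff_u:staff_r:mplayer_t tcontext=staff_u:object_r:mozilla_plugin_tmpfs_t tclass=file
type=AVC msg=audit(1396182570.000:1764): avc: denied { read } for pid=1047 comm="mplayer" path="/etc/example.conf" dev="sda1" ino=42 scontext=staff_u:staff_r:mplayer_t tcontext=system_u:object_r:etc_t tclass=file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')
# The kernel names a SysV shm backing file "SYSV" plus the IPC key as 8 hex digits.
SYSV_RE = re.compile(r'^/SYSV([0-9a-f]{8})( \(deleted\))?$')

def decode_audit_value(raw):
    """Audit quotes safe strings and hex-encodes the rest (spaces and so on)."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # not hex: leave the token unchanged

def sysv_shm_denials(log_text):
    """Return one dict per AVC denial whose target is a SysV shm file on tmpfs."""
    found = []
    for line in log_text.splitlines():
        if "avc:" not in line or "denied" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        path = decode_audit_value(fields.get("path", '""'))
        match = SYSV_RE.match(path)
        if not match or decode_audit_value(fields.get("dev", '""')) != "tmpfs":
            continue
        perms = PERMS_RE.search(line)
        found.append({
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "perms": perms.group(1).split() if perms else [],
            "ipc_key": int(match.group(1), 16),
            "path": path,
        })
    return found

if __name__ == "__main__":
    for hit in sysv_shm_denials(SAMPLE_LOG):
        print(hit)
```

Each reported source_type/target_type pair is a candidate for an alsa_domain(...) call, provided the segment really belongs to ALSA and not to another SysV shm user.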