From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 4 Apr 2014 16:22:45 -0400
Subject: [refpolicy] [PATCH 1/3] Introduce alsa domains
In-Reply-To: <1396188552-16007-2-git-send-email-sven.vermeulen@siphos.be>
References: <1396188552-16007-1-git-send-email-sven.vermeulen@siphos.be> <1396188552-16007-2-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <533F1495.3050305@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/30/2014 10:09 AM, Sven Vermeulen wrote:
> Some plugins in the ALSA ecosystem (including the default dmix/pcm
> plugins) use SysV IPC resources to collaborate access to the sound
> subsystem between ALSA-enabled applications.
>
> These applications thus require access to the ALSA semaphore created by
> the first application that uses access to the sound subsystem as well as
> the shared memory. If they don't, then sound is not available for the
> subsequent applications, like with mplayer:
>
>   alsa-lib: pcm_dmix.c:989:(snd_pcm_dmix_open) unable to create IPC
>   semaphore
>
> As this means that all ALSA enabled domains need access to the
> semaphores of all other ALSA enabled domains, starting to sum up all
> these domains is not manageable. As a result, an attribute called
> "alsadomain" is created which is assigned to all domains that use ALSA.
> Then, we grant the following:
>
>   allow alsadomain alsadomain:sem create_sem_perms;
>   allow alsadomain alsadomain:shm rw_shm_perms;
>
> The second 'failure' one would get is access to the Linux shared memory.
> This is not all covered only by the shm class, but also through tmpfs,
> as can be seen in the following denial:
>
>   type=AVC msg=audit(1396182569.016:1763): avc: denied { write } for
>   pid=1047 comm="mplayer"
>   path=2F535953563030353661346435202864656C6574656429 dev="tmpfs"
>   ino=1867789 scontext=staff_u:staff_r:mplayer_t
>   tcontext=staff_u:object_r:mozilla_plugin_tmpfs_t tclass=file
>
> In the above denial, we notice that mplayer failed to write to shared
> memory created by the mozilla_plugin_t domain (and thus labeled as
> mozilla_plugin_tmpfs_t). This is shared memory, as can be decomposed
> from the path:
>
>   python -c 'import base64;
>   print(base64.b16decode("2F535953563030353661346435202864656C6574656429"));'
>
>   b'/SYSV0056a4d5 (deleted)'
>
> That means we also need to grant ALSA domains read/write access to the
> tmpfs types of the ALSA domains. For this, we create an attribute called
> "alsatmpfsfile" which is assigned to the tmpfs_t types of those ALSA
> domains, with:
>
>   allow alsadomain alsatmpfsfile:file rw_file_perms;
>
> With this in place, we now create an interface called "alsa_domain" that
> assigns the attributes to the ALSA enabled applications, such as this:
>
>   alsa_domain(mplayer_t, mplayer_tmpfs_t)

This is a frightening access. Are you sure there isn't some tool we can (ab)use to run on boot so that the correct IPC objects are created, e.g. with an alsa_t type?

> Signed-off-by: Sven Vermeulen
> --- > alsa.if | 25 +++++++++++++++++++++++++ > alsa.te | 17 +++++++++++++++++ > mozilla.te | 3 +-- > mplayer.te | 2 +- > pulseaudio.te | 2 +- > 5 files changed, 45 insertions(+), 4 deletions(-) > > diff --git a/alsa.if b/alsa.if > index ca8d8cf..ef7eb3d 100644 > --- a/alsa.if > +++ b/alsa.if
> @@ -2,6 +2,31 @@ > > ######################################## > ## > +## Mark the selected domain as an ALSA-capable domain > +## > +## > +## > +## Domain that links with ALSA > +## > +## > +## > +## > +## Tmpfs type used for shared memory of the given domain > +## > +## > +# > +interface(`alsa_domain',` > + gen_require(` > + attribute alsadomain; > + attribute alsatmpfsfile; > + ') > + > + typeattribute $1 alsadomain; > + typeattribute $2 alsatmpfsfile; > +') > + > +######################################## > +## > ## Role access for alsa. > ## > ## > diff --git a/alsa.te b/alsa.te > index 814b426..4fd8018 100644 > --- a/alsa.te > +++ b/alsa.te > @@ -5,12 +5,16 @@ policy_module(alsa, 1.13.0) > # Declarations > # > > +attribute alsadomain; > +attribute alsatmpfsfile; > + > attribute_role alsa_roles; > > type alsa_t; > type alsa_exec_t; > init_system_domain(alsa_t, alsa_exec_t) > role alsa_roles types alsa_t; > +typeattribute alsa_t alsadomain; > > type alsa_etc_rw_t; > files_config_file(alsa_etc_rw_t) > @@ -20,6 +24,7 @@ files_tmp_file(alsa_tmp_t) > > type alsa_tmpfs_t; > files_tmpfs_file(alsa_tmpfs_t) > +typeattribute alsa_tmpfs_t alsatmpfsfile; > > type alsa_var_lib_t; > files_type(alsa_var_lib_t) > @@ -29,6 +34,18 @@ userdom_user_home_content(alsa_home_t) > > ######################################## > # > +# alsadomain policy > +# > + > +allow alsadomain alsadomain:sem create_sem_perms; > +allow alsadomain alsadomain:shm rw_shm_perms; > +allow alsadomain alsatmpfsfile:file rw_file_perms; > + > +alsa_read_rw_config(alsadomain) > +alsa_read_home_files(alsadomain) > + > +######################################## > +# > # Local policy > # > > diff --git a/mozilla.te b/mozilla.te > index 11ac8e4..63f0875 100644 > --- a/mozilla.te > +++ b/mozilla.te 
> @@ -518,8 +518,7 @@ tunable_policy(`use_samba_home_dirs',` > ') > > optional_policy(` > - alsa_read_rw_config(mozilla_plugin_t) > - alsa_read_home_files(mozilla_plugin_t) > + alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t) > ') > > optional_policy(` > diff --git a/mplayer.te b/mplayer.te > index 0f03cd9..6300573 100644 > --- a/mplayer.te > +++ b/mplayer.te > @@ -250,7 +250,7 @@ tunable_policy(`allow_mplayer_execstack',` > ') > > optional_policy(` > - alsa_read_rw_config(mplayer_t) > + alsa_domain(mplayer_t, mplayer_tmpfs_t) > ') > > optional_policy(` > diff --git a/pulseaudio.te b/pulseaudio.te > index 4665af2..5a8f356 100644 > --- a/pulseaudio.te > +++ b/pulseaudio.te > @@ -144,7 +144,7 @@ tunable_policy(`use_samba_home_dirs',` > ') > > optional_policy(` > - alsa_read_rw_config(pulseaudio_t) > + alsa_domain(pulseaudio_t, pulseaudio_tmpfs_t) > ') > > optional_policy(` > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
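
Review bot: the rule `allow alsadomain alsatmpfsfile:file rw_file_perms;` in the new "alsadomain policy" block of alsa.te applies to every file carrying a member's tmpfs type, not only to the /SYSV... segment that dmix shares, so after this patch mplayer_t can read and write anything labeled mozilla_plugin_tmpfs_t or pulseaudio_tmpfs_t, and the reverse. Together with the two self-referential rules on `alsadomain:sem` and `alsadomain:shm`, this makes all ALSA users one IPC trust group. A dedicated type for the ALSA segments (for example objects created under alsa_t, as asked in the reply above) would let the grant be limited to those objects; if the broad form stays, a comment above the three allow rules should state that scope.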
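
Review bot: the description added for alsa_domain() in alsa.if says only "Mark the selected domain as an ALSA-capable domain" and does not tell the caller what membership grants. The interface comment should spell out that $1 receives sem and shm access to every other alsadomain member and that $2 becomes readable and writable by all of them, since that is the decision a policy writer makes by calling it. Nothing in the body ties $2 to $1 either, so the parameter description should say that $2 must be the tmpfs type owned by $1.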
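
Review bot: in the mplayer.te and pulseaudio.te hunks, swapping `alsa_read_rw_config(...)` for `alsa_domain(...)` also gives mplayer_t and pulseaudio_t `alsa_read_home_files` through the `alsa_read_home_files(alsadomain)` line in alsa.te, which neither domain had before. The commit message only motivates the IPC access, so either mention the added home-file read there, or keep `alsa_read_home_files` out of the attribute block and leave it as a per-domain call, as mozilla.te had it.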
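
The denial decoding walked through in the quoted commit message, as an added example that is not part of the original thread or of refpolicy: it parses AVC records, decodes hex-encoded string fields, and reports denials on SysV shared-memory segments in tmpfs. The function names, the second log record, and the set of fields treated as hex-encodable are assumptions made for this example.

```python
import re

# Constructed sample: the denial quoted in the message joined onto one line,
# plus one made-up record whose path is quoted rather than hex-encoded.
SAMPLE_LOG = '''\
type=AVC msg=audit(1396182569.016:1763): avc: denied { write } for pid=1047 comm="mplayer" path=2F535953563030353661346435202864656C6574656429 dev="tmpfs" ino=1867789 scontext=staff_u:staff_r:mplayer_t tcontext=staff_u:object_r:mozilla_plugin_tmpfs_t tclass=file
type=AVC msg=audit(1396182570.100:1764): avc: denied { read } for pid=1050 comm="example" path="/tmp/example.txt" dev="tmpfs" ino=42 scontext=staff_u:staff_r:example_t tcontext=staff_u:object_r:user_tmp_t tclass=file
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s+\{([^}]*)\}')
SYSV_RE = re.compile(r'^/SYSV([0-9a-fA-F]{8})( \(deleted\))?$')
# Assumption: only these string fields may appear unquoted as hex.
HEX_FIELDS = {'path', 'comm', 'name', 'exe'}

def decode_audit_value(key, raw):
    """Strip quotes, or hex-decode an unquoted value of a string field."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw  # numeric fields such as pid/ino are left untouched

def parse_avc(line):
    """Return the record's fields as a dict, or None if not an AVC denial."""
    perms = PERMS_RE.search(line)
    if 'avc:' not in line or perms is None:
        return None
    rec = {k: decode_audit_value(k, v) for k, v in FIELD_RE.findall(line)}
    rec['perms'] = perms.group(1).split()
    return rec

def sysv_shm_denials(log_text):
    """List denials whose target is a SysV shm segment backed by tmpfs."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get('dev') != 'tmpfs' or rec.get('tclass') != 'file':
            continue
        seg = SYSV_RE.match(rec.get('path', ''))
        if seg:
            hits.append({'source': rec['scontext'].split(':')[2],
                         'target': rec['tcontext'].split(':')[2],
                         'perms': rec['perms'],
                         'ipc_key': int(seg.group(1), 16)})
    return hits

if __name__ == '__main__':
    for hit in sysv_shm_denials(SAMPLE_LOG):
        print(hit)
```

Grouping the reported `source`/`target` pairs shows which domains actually share a segment, which is the information needed to judge how wide an attribute-based grant has to be.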