From: guido@trentalancia.net (Guido Trentalancia) Date: Fri, 12 Aug 2016 00:04:20 +0200 Subject: [refpolicy] [PATCH] Update the pulseaudio module for usability and ORC support Message-ID: <1470953060.25389.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update the pulseaudio module so that it is usable (tested with latest version pulseaudio 9.0). Support for the OIL Runtime Compiler (OIL) optimized code execution is added to the pulseaudio module by using a few newly created interfaces and file contexts in the gnome module. Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/gnome.fc | 4 + policy/modules/contrib/gnome.if | 91 +++++++++++++++++++++++++++++++++++ policy/modules/contrib/gnome.te | 3 + policy/modules/contrib/pulseaudio.fc | 1 policy/modules/contrib/pulseaudio.if | 1 policy/modules/contrib/pulseaudio.te | 23 +++++++- 6 files changed, 119 insertions(+), 4 deletions(-)
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-11 21:42:20.520989284 +0200
@@ -4,13 +4,17 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste
 HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
 HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
 HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec.* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
 /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
+/tmp/orcexec.* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
 /usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
 /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
 /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/var/run/user/[^/]*/orcexec.* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-11 23:19:10.190331107 +0200
@@ -569,6 +569,36 @@ interface(`gnome_home_filetrans_gnome_ho
 ########################################
 ##
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_home_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+##
 ## Create objects in gnome gconf home
 ## directories with a private type.
 ##
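Review bot: The three added `orcexec.*` entries in gnome.fc carry no file-class specifier and an unanchored `.*`, so on a relabel any directory, symlink or nested path whose name starts with `orcexec` under a home directory, /tmp or the user runtime directory receives the executable type `gstreamer_orcexec_t`. /tmp is world-writable, so the set of names that can match there is not under the policy author's control. I would restrict the entries to regular files and stop the match at the path component, e.g. `/tmp/orcexec[^/]* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`, and do the same for the `HOME_DIR` and `/var/run/user/[^/]*` lines.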
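Review bot: The summary of `gnome_home_filetrans_gstreamer_orcexec` (and of the two sibling interfaces added in the `@@ -603` hunk) only says "gstreamer orcexec type" and does not tell a caller that the type is an executable one. A caller that leaves out the name argument, as the pulseaudio module in this patch does, turns every object of the given class it creates in that directory into an executable-typed file. I would add a description line to each interface such as `## gstreamer_orcexec_t is an executable type; pass an object name or keep the class narrow so unrelated files are not labelled with it.` The markup of the doc comments is not visible in this rendering, so whether the name parameter is marked optional cannot be checked here.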
@@ -603,6 +633,67 @@ interface(`gnome_gconf_home_filetrans',`
 ')
 ########################################
+##
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+
+########################################
+##
+## Create objects in the tmp
+## directories with the gstreamer
+## orcexec type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_tmp_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
 ##
 ## Read generic gnome keyring home files.
 ##
--- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-06 21:27:11.354094337 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-11 20:16:46.001970644 +0200
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
 type gnome_keyring_tmp_t;
 userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
 ##############################
 #
 # Common local Policy
--- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.fc 2016-08-06 21:27:11.411094987 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.fc 2016-08-11 20:07:21.338329216 +0200
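Review bot: In gnome.te, `gstreamer_orcexec_t` is declared only through `application_executable_file()`, yet the rest of the patch creates files of this type in user home directories, /tmp and the user runtime directory. Unless that macro already assigns the matching attributes, the generic rules for user home content and temporary files (relabelling, cleanup, management by the user role) will probably not cover these files. Consider adding `userdom_user_home_content(gstreamer_orcexec_t)` and `userdom_user_tmp_file(gstreamer_orcexec_t)`, as the neighbouring gnome types do. A one-line comment stating that the type holds ORC-generated code, written and executed by the same domain, would make the exception obvious to later auditors.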
@@ -1,6 +1,7 @@
 HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
 /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
--- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-06 21:27:11.411094987 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-11 17:34:47.778835995 +0200
@@ -25,6 +25,7 @@ interface(`pulseaudio_role',`
 pulseaudio_run($2, $1)
 allow $2 pulseaudio_t:process { ptrace signal_perms };
+ allow $2 pulseaudio_t:fd use;
 ps_process_pattern($2, pulseaudio_t)
 allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
--- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.te 2016-08-06 21:27:11.412094999 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-11 23:50:05.921992338 +0200
@@ -37,7 +37,7 @@ files_pid_file(pulseaudio_var_run_t)
 #
 allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
-allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+allow pulseaudio_t self:process { execmem getcap getsched setcap setrlimit setsched signal signull };
 allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
 allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
 allow pulseaudio_t self:unix_dgram_socket sendto;
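Review bot: The added `HOME_DIR/\.config/pulse(/.*)?` entry in pulseaudio.fc ends in `--`, which limits it to regular files, so the `.config/pulse` directory itself and any subdirectory never receive `pulseaudio_home_t` on a relabel and keep the label of their parent. The existing `HOME_DIR/\.pulse(/.*)?` line has no class specifier and therefore covers the directory as well. Dropping the specifier gives `HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)`. Whether a matching type transition exists for files created under `.config/pulse` at run time is not visible in this patch.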
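Review bot: `execmem` is added to the unconditional `allow pulseaudio_t self:process` rule in pulseaudio.te, so the daemon may map writable-and-executable memory on every system, including ones where ORC is not used or the gnome module is absent. The rest of the ORC support sits in an `optional_policy` block later in the file, and this permission should be gated too. I would keep the original permission set here and move `allow pulseaudio_t self:process execmem;` into a `tunable_policy` block keyed on a new boolean that defaults to off (the boolean would have to be introduced; none is defined in this patch). A comment such as `# execmem is required only for ORC-generated code` next to the rule would record why the relaxation exists.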
@@ -129,9 +129,11 @@ logging_send_syslog_msg(pulseaudio_t)
 miscfiles_read_localization(pulseaudio_t)
 userdom_read_user_tmpfs_files(pulseaudio_t)
-
+userdom_delete_user_tmpfs_files(pulseaudio_t)
 userdom_search_user_home_dirs(pulseaudio_t)
-userdom_write_user_tmp_sockets(pulseaudio_t)
+userdom_search_user_home_content(pulseaudio_t)
+
+userdom_manage_user_tmp_sockets(pulseaudio_t)
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(pulseaudio_t)
@@ -146,7 +148,8 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 optional_policy(`
- alsa_read_rw_config(pulseaudio_t)
+ alsa_read_config(pulseaudio_t)
+ alsa_read_home_files(pulseaudio_t)
 ')
 optional_policy(`
@@ -176,6 +179,17 @@ optional_policy(`
 ')
 optional_policy(`
+ # OIL Runtime Compiler (ORC) optimized code execution
+ can_exec(pulseaudio_t, gstreamer_orcexec_t)
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_tmp_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ manage_files_pattern(pulseaudio_t, gstreamer_orcexec_t, gstreamer_orcexec_t)
+
+ gnome_stream_connect_gconf(pulseaudio_t)
+')
+
+optional_policy(`
 rtkit_scheduled(pulseaudio_t)
 ')
@@ -186,6 +200,7 @@ optional_policy(`
 ')
 optional_policy(`
+ udev_read_pid_files(pulseaudio_t)
 udev_read_state(pulseaudio_t)
 udev_read_db(pulseaudio_t)
 ')
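Review bot: `userdom_delete_user_tmpfs_files` and the change from `userdom_write_user_tmp_sockets` to `userdom_manage_user_tmp_sockets` in the `@@ -129` hunk act on the generic user tmpfs and tmp types. This lets pulseaudio delete shared-memory files, and create or remove sockets, that belong to any other program in the user session rather than only its own. If the module has, or can be given, private types for its shared-memory segments and sockets, granting manage and delete on those would fit least privilege better, with the generic access left at read/write. The relevant type declarations are outside this hunk, so this needs checking against the full module. Each of the widened rules should also carry a comment naming the denied operation from pulseaudio 9.0 that motivated it.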
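Review bot: In the `@@ -176` hunk the three `*_filetrans_gstreamer_orcexec(pulseaudio_t, file)` calls pass no object name, so every regular file pulseaudio creates directly in a home directory, /tmp or the runtime directory is labelled `gstreamer_orcexec_t`. The same block makes that type both fully manageable and executable by `pulseaudio_t`, which is broader than the ORC temporary files the comment describes, and it may conflict with existing transitions to pulseaudio's own home and tmp types (not visible here). `manage_files_pattern` should be narrowed to the permissions ORC actually needs. `can_exec` and `manage_files_pattern` also name `gstreamer_orcexec_t` directly although the type is declared in the gnome module, so they belong behind gnome interfaces, like the filetrans calls.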