From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 12 Aug 2016 18:57:37 +0200
Subject: [refpolicy] [PATCH] Update the pulseaudio module for usability and ORC support
In-Reply-To:
References: <1470953060.25389.1.camel@trentalancia.net>
Message-ID: <1471021057.23869.6.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Dominick!

Thanks very much for getting back with very useful suggestions! My reply follows your comments...

On Fri, 12/08/2016 at 10.18 +0200, Dominick Grift wrote:
> On 08/12/2016 12:04 AM, Guido Trentalancia wrote:
> > Update the pulseaudio module so that it is usable (tested with
> > latest version pulseaudio 9.0).
> >
> > Support for the OIL Runtime Compiler (OIL) optimized code
> > execution is added to the pulseaudio module by using a few
> > newly created interfaces and file contexts in the gnome
> > module.
>
> Anyhow let me also try to be constructive and make some suggestions
>
> I wouldn't try to support all imaginable scenarios, at least not
> initially. That means that I would rely on the XDG spec. Thus support
> $XDG_RUNTIME_DIR (/run/user/UID, ~/.cache, /tmp)

XDG_RUNTIME_DIR is not used by all systems. So, the first alternative is /home/%{USER}. The second alternative is /tmp. I would like to support all alternatives.

> So I would not support the "~" scenario. I would also not support the
> "process execmem" scenario, or at least not unconditionally.

Ok, I agree. Execmem is now supported through a boolean which defaults to false, very good idea!

> So that leaves us with /run/user/UID and optionally ~/.cache and /tmp
> for failover.

See above for the first and second alternative (or please refer to the code).

> Then I would, at least not initially, not create a "orcexec file
> type"

ORC is distributed along with gstreamer which belongs to gnome. That's why I have created the new type in the gnome module.

> Instead I would just treat this as individual types.
> for example for the pulseaudio orcexec file in /run/user/UID:
> pulseaudio_runtime_user_t (or whatever name convention reference
> policy uses for files in /run/user)

See above. It's not necessarily used ONLY by pulseaudio! It's provided as part of the gnome distribution and thus included in the gnome module.

> Then that runtime user file needs to be mmap'd by the domain that
> maintains it (it is not to be executed)
>
> allow domain domain_runtime_file:file mmap_file_perms;

Yes, I have now amended it in the new version of the patch.

> These files are generally not "shared" they are just for internal
> purposes I believe.

They are not shared and used only for internal pulseaudio purposes (it's optimized code generated at runtime: Optimized Inner Loops = OIL). However, as already said, ORC is not used only by pulseaudio! For example, another application using it is gstreamer...

> Below inline also some more comments
>
> > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/contrib/gnome.fc??????|????4 + > > ?policy/modules/contrib/gnome.if??????|???91 > > +++++++++++++++++++++++++++++++++++ > > ?policy/modules/contrib/gnome.te??????|????3 + > > ?policy/modules/contrib/pulseaudio.fc |????1 > > ?policy/modules/contrib/pulseaudio.if |????1 > > ?policy/modules/contrib/pulseaudio.te |???23 +++++++- > > ?6 files changed, 119 insertions(+), 4 deletions(-) > > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc > > 2016-08-06 21:27:11.354094337 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2 > > 016-08-11 21:42:20.520989284 +0200
> > @@ -4,13 +4,17 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste > > ?HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome > > _home_t,s0) > > ?HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:objec > > t_r:gnome_keyring_home_t,s0) > > ?HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object > > _r:gnome_home_t,s0) > > +HOME_DIR/orcexec.* gen_context(system_u:object_r:gstreamer_ > > orcexec_t,s0) > > ? > > ?/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t, > > s0) > > ? > > ?/tmp/gconfd-USER/.* -- gen_context(system_u:object_r > > :gconf_tmp_t,s0) > > +/tmp/orcexec.* gen_context(system_u:object_r:gstrea > > mer_orcexec_t,s0) > > ? > > ?/usr/bin/gnome-keyring-daemon -- gen_context(system_ > > u:object_r:gkeyringd_exec_t,s0) > > ?/usr/bin/mate-keyring-daemon -- gen_context(system_u > > :object_r:gkeyringd_exec_t,s0) > > ? > > ?/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_ > > u:object_r:gconfd_exec_t,s0) > > ?/usr/libexec/gconfd-2 -- gen_context(system_u:object > > _r:gconfd_exec_t,s0) > > + > > +/var/run/user/[^/]*/orcexec.* gen_context(system_u:object_r > > :gstreamer_orcexec_t,s0) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if > > 2016-08-06 21:27:11.354094337 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2 > > 016-08-11 23:19:10.190331107 +0200 
> > @@ -569,6 +569,36 @@ interface(`gnome_home_filetrans_gnome_ho > > ? > > ?######################################## > > ?## > > +## Create objects in user home > > +## directories with the gstreamer > > +## orcexec type. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Class of the object being created. > > +## > > +## > > +## > > +## > > +## The name of the object being created. > > +## > > +## > > +# > > +interface(`gnome_home_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, > > $2, $3) > > +') > > + > > +######################################## > > +## > > ?## Create objects in gnome gconf home > > ?## directories with a private type. > > ?## 
> > @@ -603,6 +633,67 @@ interface(`gnome_gconf_home_filetrans',` > > ?') > > ? > > ?######################################## > > +## > > +## Create objects in the user > > +## runtime directories with the > > +## gstreamer orcexec type. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Class of the object being created. > > +## > > +## > > +## > > +## > > +## The name of the object being created. > > +## > > +## > > +# > > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, > > $2, $3) > > +') > > + > > + > > +######################################## > > +## > > +## Create objects in the tmp > > +## directories with the gstreamer > > +## orcexec type. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Class of the object being created. > > +## > > +## > > +## > > +## > > +## The name of the object being created. > > +## > > +## > > +# > > +interface(`gnome_tmp_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3) > > +') > > + > > +######################################## > > ?## > > ?## Read generic gnome keyring home files. > > ?## > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te > > 2016-08-06 21:27:11.354094337 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2 > > 016-08-11 20:16:46.001970644 +0200 
> > @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ > > ?type gnome_keyring_tmp_t; > > ?userdom_user_tmp_file(gnome_keyring_tmp_t) > > ? > > +type gstreamer_orcexec_t; > > +application_executable_file(gstreamer_orcexec_t) > > + > > ?############################## > > ?# > > ?# Common local Policy > > --- refpolicy-git-06082016- > > orig/policy/modules/contrib/pulseaudio.fc 2016-08-06 > > 21:27:11.411094987 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.fc > > 2016-08-11 20:07:21.338329216 +0200 > > @@ -1,6 +1,7 @@ > > ?HOME_DIR/\.esd_auth -- gen_context(system_u:object_r > > :pulseaudio_home_t,s0) > > ?HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulsea > > udio_home_t,s0) > > ?HOME_DIR/\.pulse-cookie -- gen_context(system_u:obje > > ct_r:pulseaudio_home_t,s0) > > +HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_ > > u:object_r:pulseaudio_home_t,s0) > > I suspect that refpolicy has a private type for ~/.config (not sure > though) Make sure that you are using refpolicy (up-to-date) and that > ~/.config is not mislabeled The file context for ~/.config has not been modified. However, I don't like pulseaudio to have manage permissions on the user_home_t, therefore I created a specific file context for the subdirectory "pulse" used by pulseaudio. > > ? > > ?/usr/bin/pulseaudio -- gen_context(system_u:object_r > > :pulseaudio_exec_t,s0) > > ? > > --- refpolicy-git-06082016- > > orig/policy/modules/contrib/pulseaudio.if 2016-08-06 > > 21:27:11.411094987 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if > > 2016-08-11 17:34:47.778835995 +0200 
> > @@ -25,6 +25,7 @@ interface(`pulseaudio_role',` > > ? pulseaudio_run($2, $1) > > ? > > ? allow $2 pulseaudio_t:process { ptrace signal_perms }; > > + allow $2 pulseaudio_t:fd use; > > ? ps_process_pattern($2, pulseaudio_t) > > ? > > ? allow $2 pulseaudio_home_t:dir { manage_dir_perms > > relabel_dir_perms }; > > --- refpolicy-git-06082016- > > orig/policy/modules/contrib/pulseaudio.te 2016-08-06 > > 21:27:11.412094999 +0200 > > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te > > 2016-08-11 23:50:05.921992338 +0200 > > @@ -37,7 +37,7 @@ files_pid_file(pulseaudio_var_run_t) > > ?# > > ? > > ?allow pulseaudio_t self:capability { fowner fsetid chown setgid > > setuid sys_nice sys_resource sys_tty_config }; > > -allow pulseaudio_t self:process { getcap setcap setrlimit setsched > > getsched signal signull }; > > +allow pulseaudio_t self:process { execmem getcap getsched setcap > > setrlimit setsched signal signull }; > > ?allow pulseaudio_t self:fifo_file rw_fifo_file_perms; > > ?allow pulseaudio_t self:unix_stream_socket { accept connectto > > listen }; > > ?allow pulseaudio_t self:unix_dgram_socket sendto; > > @@ -129,9 +129,11 @@ logging_send_syslog_msg(pulseaudio_t) > > ?miscfiles_read_localization(pulseaudio_t) > > ? > > ?userdom_read_user_tmpfs_files(pulseaudio_t) > > - > > +userdom_delete_user_tmpfs_files(pulseaudio_t) > > ?userdom_search_user_home_dirs(pulseaudio_t) > > -userdom_write_user_tmp_sockets(pulseaudio_t) > > +userdom_search_user_home_content(pulseaudio_t) > > Why is the above needed? It's needed for searching ~/.config (see above, without granting rw+create=manage permissions). > > + > > +userdom_manage_user_tmp_sockets(pulseaudio_t) > > what sockets are those? Unix sockets in /tmp subdirectories. For example Pulseaudio native sockets or Esound sockets. > > ? > > ?tunable_policy(`use_nfs_home_dirs',` > > ? fs_manage_nfs_dirs(pulseaudio_t) 
> > @@ -146,7 +148,8 @@ tunable_policy(`use_samba_home_dirs',` > > ?') > > ? > > ?optional_policy(` > > - alsa_read_rw_config(pulseaudio_t) > > + alsa_read_config(pulseaudio_t) > > + alsa_read_home_files(pulseaudio_t) > > ?') > > ? > > ?optional_policy(` > > @@ -176,6 +179,17 @@ optional_policy(` > > ?') > > ? > > ?optional_policy(` > > + # OIL Runtime Compiler (ORC) optimized code execution > > + can_exec(pulseaudio_t, gstreamer_orcexec_t) > > So here you allow pulseaudio to actually execute that orcexec file > but > that is too much. instead it needs: > > allow pulseaudio_t gstreamer_orceexec_t:file mmap_file_perms; I agree, it has been amended in the new version of this patch. > > + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_ > > t, file) > > Is the above refpolicy? because user_runtime is not a gnome thing. I have created the above interface. user_runtime_t is not a gnome thing, but gstreamer_orcexec_t is now a gnome type (see other similar existing interfaces in gnome.if). > > + gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file) > > > + gnome_tmp_filetrans_gstreamer_orcexec(pulseaudio_t, file) > > + manage_files_pattern(pulseaudio_t, gstreamer_orcexec_t, > > gstreamer_orcexec_t) > > There is no directory here Ok, amended. > > + > > + gnome_stream_connect_gconf(pulseaudio_t) > > +') > > + > > +optional_policy(` > > ? rtkit_scheduled(pulseaudio_t) > > ?') > > ? > > @@ -186,6 +200,7 @@ optional_policy(` > > ?') > > ? > > ?optional_policy(` > > + udev_read_pid_files(pulseaudio_t) > > ? udev_read_state(pulseaudio_t) > > ? udev_read_db(pulseaudio_t) > > ?') > > _______________________________________________ A new version of the patch, with the suggested amendments follows in a separate message. Best regards, Guido
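Review bot: in the gnome.fc hunk the three new entries `HOME_DIR/orcexec.*`, `/tmp/orcexec.*` and `/var/run/user/[^/]*/orcexec.*` carry no file-type specifier, whereas the neighbouring `/tmp/gconfd-USER/.* -- gen_context(...)` restricts itself to regular files. The ORC code cache is a regular file and the type is declared executable, so adding `--` to all three keeps a directory or socket that happens to be named orcexec* from being labelled gstreamer_orcexec_t.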
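Review bot: in the gnome.if hunk, gnome_user_runtime_filetrans_gstreamer_orcexec is followed by two empty `+` lines before the next `####` banner, while the other two new interfaces and the existing ones in the context are separated by one; drop the extra blank line. The three summaries would also read better if they said the created object is an ORC runtime code cache rather than "the gstreamer orcexec type", which a reader of the interface index will not recognise.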
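Review bot: in the gnome.te hunk, `application_executable_file(gstreamer_orcexec_t)` is a poor fit for a type that only ever lives under HOME_DIR, /tmp and /var/run/user and that, as agreed in this thread, only needs to be mmap'd: it turns the cache into a generic application executable for every domain granted exec on such files, and it leaves the type outside the user home/tmp/runtime content attributes, so the generic userdom interfaces will not treat it as user content (compare `userdom_user_tmp_file(gnome_keyring_tmp_t)` two lines above). Declare it with the userdom user-content interfaces for the locations it is created in, and grant the using domain mmap_file_perms instead.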
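Review bot: in the pulseaudio.fc hunk, `HOME_DIR/\.config/pulse(/.*)? -- gen_context(...)` uses `--`, so only regular files under ~/.config/pulse get pulseaudio_home_t while the `pulse` directory itself and any subdirectory keep the surrounding ~/.config label; the existing `HOME_DIR/\.pulse(/.*)?` entry has no specifier for exactly this reason. Drop the `--` so that the daemon can create, search and relabel its own directory tree under the private type, which is what the `manage_dir_perms` rule in pulseaudio_role expects.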
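Review bot: in the pulseaudio.if hunk, `allow $2 pulseaudio_t:fd use;` is added to pulseaudio_role without a comment. The surrounding ptrace/signal/ps rules let the user role control its own daemon, but fd use means the role domain inherits descriptors opened by pulseaudio_t; a one-line comment naming the denial that motivated it would help the next reader judge whether it belongs here or in pulseaudio_run.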
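Review bot: in the first pulseaudio.te hunk (@@ -37,7), execmem is added to `allow pulseaudio_t self:process { execmem getcap getsched ... }` unconditionally, while the reply says it is now behind a boolean that defaults to false. The resubmitted patch should move it out of the base rule into a `tunable_policy` block with a matching `gen_tunable` declaration and an explanatory comment; unconditional execmem lets the daemon create writable and executable anonymous mappings, which is precisely what the file-backed orcexec cache is meant to avoid.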
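Review bot: in the second pulseaudio.te hunk (@@ -129,9), replacing `userdom_write_user_tmp_sockets` with `userdom_manage_user_tmp_sockets` widens pulseaudio from writing to generic user tmp sockets to creating, renaming and unlinking any sock_file of that type, and `userdom_delete_user_tmpfs_files` likewise lets it unlink other programs' user tmpfs files rather than only read them. Since the sockets concerned are pulseaudio's own native and esound sockets, a private pulseaudio tmp type created through a filetrans would express this without touching other programs' sockets; at minimum the commit message should state which denial each new userdom call resolves, as Dominick asked.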
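Review bot: in the ORC hunk of pulseaudio.te (@@ -176,6), `manage_files_pattern(pulseaudio_t, gstreamer_orcexec_t, gstreamer_orcexec_t)` passes the file type as the directory type, but no directory ever carries gstreamer_orcexec_t (the .fc entries only match orcexec.* files in user home, /tmp and /var/run/user), so the dir half of the pattern is dead. Once `can_exec` is dropped as agreed, the file half should read `allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };`. `gnome_stream_connect_gconf(pulseaudio_t)` is also slipped into the same optional_policy block although it is unrelated to ORC; give it its own block or a comment saying why pulseaudio needs gconf.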