From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 12 Aug 2016 19:09:28 +0200
Subject: [refpolicy] [PATCH] Update the pulseaudio module for usability and ORC support
In-Reply-To: <1471021057.23869.6.camel@trentalancia.net>
References: <1470953060.25389.1.camel@trentalancia.net> <1471021057.23869.6.camel@trentalancia.net>
Message-ID: <4e0be59a-b2c3-050c-842d-0fd524e31080@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/12/2016 06:57 PM, Guido Trentalancia wrote:
> Hello Dominick !
>
> Thanks very much for getting back with very useful suggestions !
>
> My reply follows your comments...
>
> On Fri, 12/08/2016 at 10.18 +0200, Dominick Grift wrote:
>> On 08/12/2016 12:04 AM, Guido Trentalancia wrote:
>>> Update the pulseaudio module so that it is usable (tested with
>>> latest version pulseaudio 9.0).
>>>
>>> Support for the OIL Runtime Compiler (OIL) optimized code
>>> execution is added to the pulseaudio module by using a few
>>> newly created interfaces and file contexts in the gnome
>>> module.
>>>
>>
>> Anyhow let me also try to be constructive and make some suggestions
>>
>> I wouldn't try to support all imaginable scenarios, at least not
>> initially. That means that I would rely on the XDG spec. Thus support
>> $XDG_RUNTIME_DIR (/run/user/UID, ~/.cache, /tmp)
>
> XDG_RUNTIME_DIR is not used by all systems. So, the first alternative
> is /home/%{USER}. The second alternative is /tmp.
>
> I would like to support all alternatives.
>
>> So I would not support the "~" scenario. I would also not support the
>> "process execmem" scenario, or at least not unconditionally.
>
> Ok, I agree. Execmem is now supported through a boolean which defaults
> to false, very good idea !
>
>> So that leaves us with /run/user/UID and optionally ~/.cache and /tmp
>> for failover.
>
> See above for the first and second alternative (or please refer to the
> code).
>
>> Then I would, at least not initially, not create a "orcexec file
>> type"
>
> ORC is distributed along with gstreamer which belongs to gnome. That's
> why I have created the new type in the gnome module.
>
>> Instead I would just treat this as individual types. For example for
>> the pulseaudio orcexec file in /run/user/UID: pulseaudio_runtime_user_t
>> (or whatever name convention reference policy uses for files in
>> /run/user)
>
> See above. It's not necessarily used ONLY by pulseaudio !
>
> It's provided as part of the gnome distribution and thus included in
> the gnome module.
>
>> Then that runtime user file needs to be mmap'd by the domain that
>> maintains it (it is not to be executed)
>>
>> allow domain domain_runtime_file:file mmap_file_perms;
>
> Yes, I have now amended it in the new version of the patch.
>
>> These files are generally not "shared" they are just for internal
>> purposes I believe.
>
> They are not shared and used only for internal pulseaudio purposes
> (it's optimized code generated at runtime: Optimized Inner Loops =
> OIL).
>
> However, as already said, ORC is not used only by pulseaudio ! For
> example, another application using it is gstreamer...
>

I don't recall me saying the liborc is only used by pulseaudio. If I did, then sorry because that was not my intention.

>> Below inline also some more comments
>> >>> Signed-off-by: Guido Trentalancia >>> --- >>> policy/modules/contrib/gnome.fc | 4 + >>> policy/modules/contrib/gnome.if | 91 >>> +++++++++++++++++++++++++++++++++++ >>> policy/modules/contrib/gnome.te | 3 + >>> policy/modules/contrib/pulseaudio.fc | 1 >>> policy/modules/contrib/pulseaudio.if | 1 >>> policy/modules/contrib/pulseaudio.te | 23 +++++++- >>> 6 files changed, 119 insertions(+), 4 deletions(-) >>> >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc >>> 2016-08-06 21:27:11.354094337 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2 >>> 016-08-11 21:42:20.520989284 +0200 >>> @@ -4,13 +4,17 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste >>> HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome >>> _home_t,s0) >>> HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:objec >>> t_r:gnome_keyring_home_t,s0) >>> HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object >>> _r:gnome_home_t,s0) >>> +HOME_DIR/orcexec.* gen_context(system_u:object_r:gstreamer_ >>> orcexec_t,s0) >>> >>> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t, >>> s0) >>> >>> /tmp/gconfd-USER/.* -- gen_context(system_u:object_r >>> :gconf_tmp_t,s0) >>> +/tmp/orcexec.* gen_context(system_u:object_r:gstrea >>> mer_orcexec_t,s0) >>> >>> /usr/bin/gnome-keyring-daemon -- gen_context(system_ >>> u:object_r:gkeyringd_exec_t,s0) >>> /usr/bin/mate-keyring-daemon -- gen_context(system_u >>> :object_r:gkeyringd_exec_t,s0) >>> >>> /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_ >>> u:object_r:gconfd_exec_t,s0) >>> /usr/libexec/gconfd-2 -- gen_context(system_u:object >>> _r:gconfd_exec_t,s0) >>> + >>> +/var/run/user/[^/]*/orcexec.* gen_context(system_u:object_r >>> :gstreamer_orcexec_t,s0) >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if >>> 2016-08-06 21:27:11.354094337 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2 >>> 016-08-11 23:19:10.190331107 +0200 
>>> @@ -569,6 +569,36 @@ interface(`gnome_home_filetrans_gnome_ho >>> >>> ######################################## >>> ## >>> +## Create objects in user home >>> +## directories with the gstreamer >>> +## orcexec type. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +## >>> +## >>> +## Class of the object being created. >>> +## >>> +## >>> +## >>> +## >>> +## The name of the object being created. >>> +## >>> +## >>> +# >>> +interface(`gnome_home_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, >>> $2, $3) >>> +') >>> + >>> +######################################## >>> +## >>> ## Create objects in gnome gconf home >>> ## directories with a private type. >>> ## 
>>> @@ -603,6 +633,67 @@ interface(`gnome_gconf_home_filetrans',` >>> ') >>> >>> ######################################## >>> +## >>> +## Create objects in the user >>> +## runtime directories with the >>> +## gstreamer orcexec type. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +## >>> +## >>> +## Class of the object being created. >>> +## >>> +## >>> +## >>> +## >>> +## The name of the object being created. >>> +## >>> +## >>> +# >>> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, >>> $2, $3) >>> +') >>> + >>> + >>> +######################################## >>> +## >>> +## Create objects in the tmp >>> +## directories with the gstreamer >>> +## orcexec type. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +## >>> +## >>> +## Class of the object being created. >>> +## >>> +## >>> +## >>> +## >>> +## The name of the object being created. >>> +## >>> +## >>> +# >>> +interface(`gnome_tmp_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3) >>> +') >>> + >>> +######################################## >>> ## >>> ## Read generic gnome keyring home files. >>> ## >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te >>> 2016-08-06 21:27:11.354094337 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2 >>> 016-08-11 20:16:46.001970644 +0200 
>>> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ >>> type gnome_keyring_tmp_t; >>> userdom_user_tmp_file(gnome_keyring_tmp_t) >>> >>> +type gstreamer_orcexec_t; >>> +application_executable_file(gstreamer_orcexec_t) >>> + >>> ############################## >>> # >>> # Common local Policy >>> --- refpolicy-git-06082016- >>> orig/policy/modules/contrib/pulseaudio.fc 2016-08-06 >>> 21:27:11.411094987 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.fc >>> 2016-08-11 20:07:21.338329216 +0200 >>> @@ -1,6 +1,7 @@ >>> HOME_DIR/\.esd_auth -- gen_context(system_u:object_r >>> :pulseaudio_home_t,s0) >>> HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulsea >>> udio_home_t,s0) >>> HOME_DIR/\.pulse-cookie -- gen_context(system_u:obje >>> ct_r:pulseaudio_home_t,s0) >>> +HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_ >>> u:object_r:pulseaudio_home_t,s0) >> >> I suspect that refpolicy has a private type for ~/.config (not sure >> though) Make sure that you are using refpolicy (up-to-date) and that >> ~/.config is not mislabeled > > The file context for ~/.config has not been modified. However, I don't > like pulseaudio to have manage permissions on the user_home_t, > therefore I created a specific file context for the subdirectory > "pulse" used by pulseaudio. > >>> >>> /usr/bin/pulseaudio -- gen_context(system_u:object_r >>> :pulseaudio_exec_t,s0) >>> >>> --- refpolicy-git-06082016- >>> orig/policy/modules/contrib/pulseaudio.if 2016-08-06 >>> 21:27:11.411094987 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if >>> 2016-08-11 17:34:47.778835995 +0200 
>>> @@ -25,6 +25,7 @@ interface(`pulseaudio_role',` >>> pulseaudio_run($2, $1) >>> >>> allow $2 pulseaudio_t:process { ptrace signal_perms }; >>> + allow $2 pulseaudio_t:fd use; >>> ps_process_pattern($2, pulseaudio_t) >>> >>> allow $2 pulseaudio_home_t:dir { manage_dir_perms >>> relabel_dir_perms }; >>> --- refpolicy-git-06082016- >>> orig/policy/modules/contrib/pulseaudio.te 2016-08-06 >>> 21:27:11.412094999 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te >>> 2016-08-11 23:50:05.921992338 +0200 >>> @@ -37,7 +37,7 @@ files_pid_file(pulseaudio_var_run_t) >>> # >>> >>> allow pulseaudio_t self:capability { fowner fsetid chown setgid >>> setuid sys_nice sys_resource sys_tty_config }; >>> -allow pulseaudio_t self:process { getcap setcap setrlimit setsched >>> getsched signal signull }; >>> +allow pulseaudio_t self:process { execmem getcap getsched setcap >>> setrlimit setsched signal signull }; >>> allow pulseaudio_t self:fifo_file rw_fifo_file_perms; >>> allow pulseaudio_t self:unix_stream_socket { accept connectto >>> listen }; >>> allow pulseaudio_t self:unix_dgram_socket sendto; >>> @@ -129,9 +129,11 @@ logging_send_syslog_msg(pulseaudio_t) >>> miscfiles_read_localization(pulseaudio_t) >>> >>> userdom_read_user_tmpfs_files(pulseaudio_t) >>> - >>> +userdom_delete_user_tmpfs_files(pulseaudio_t) >>> userdom_search_user_home_dirs(pulseaudio_t) >>> -userdom_write_user_tmp_sockets(pulseaudio_t) >>> +userdom_search_user_home_content(pulseaudio_t) >> >> Why is the above needed? > > It's needed for searching ~/.config (see above, without granting > rw+create=manage permissions). > >>> + >>> +userdom_manage_user_tmp_sockets(pulseaudio_t) >> >> what sockets are those? > > Unix sockets in /tmp subdirectories. For example Pulseaudio native > sockets or Esound sockets. > >>> >>> tunable_policy(`use_nfs_home_dirs',` >>> fs_manage_nfs_dirs(pulseaudio_t) 
>>> @@ -146,7 +148,8 @@ tunable_policy(`use_samba_home_dirs',` >>> ') >>> >>> optional_policy(` >>> - alsa_read_rw_config(pulseaudio_t) >>> + alsa_read_config(pulseaudio_t) >>> + alsa_read_home_files(pulseaudio_t) >>> ') >>> >>> optional_policy(` >>> @@ -176,6 +179,17 @@ optional_policy(` >>> ') >>> >>> optional_policy(` >>> + # OIL Runtime Compiler (ORC) optimized code execution >>> + can_exec(pulseaudio_t, gstreamer_orcexec_t) >> >> So here you allow pulseaudio to actually execute that orcexec file >> but >> that is too much. instead it needs: >> >> allow pulseaudio_t gstreamer_orceexec_t:file mmap_file_perms; > > I agree, it has been amended in the new version of this patch. > >>> + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_ >>> t, file) >> >> Is the above refpolicy? because user_runtime is not a gnome thing. > > I have created the above interface. user_runtime_t is not a gnome > thing, but gstreamer_orcexec_t is now a gnome type (see other similar > existing interfaces in gnome.if). > >>> + gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file) >> >>> + gnome_tmp_filetrans_gstreamer_orcexec(pulseaudio_t, file) >>> + manage_files_pattern(pulseaudio_t, gstreamer_orcexec_t, >>> gstreamer_orcexec_t) >> >> There is no directory here > > Ok, amended. > >>> + >>> + gnome_stream_connect_gconf(pulseaudio_t) >>> +') >>> + >>> +optional_policy(` >>> rtkit_scheduled(pulseaudio_t) >>> ') 
>>> >>> @@ -186,6 +200,7 @@ optional_policy(` >>> ') >>> >>> optional_policy(` >>> + udev_read_pid_files(pulseaudio_t) >>> udev_read_state(pulseaudio_t) >>> udev_read_db(pulseaudio_t) >>> ') >>> _______________________________________________ > > A new version of the patch, with the suggested amendments follows in a > separate message. > I still foresee issues with this implementation but i have been out of the loop for too long to provide further review with confidence (my refpolicy is getting rusty). We at least dealt with some obvious issues. > Best regards, > > Guido > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160812/2e89d098/attachment-0001.bin
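Review bot: in the gnome.fc hunk, the three new `orcexec.*` entries (HOME_DIR, /tmp and /var/run/user/[^/]*) carry no object-class specifier, so they also label directories and anything nested under a matching name, unlike the neighbouring `/tmp/gconfd-USER/.* --` entry. Since the ORC code cache is a regular file, add `--` to each of them, e.g. `/tmp/orcexec.* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`, so only regular files pick up gstreamer_orcexec_t.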
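Review bot: in the second gnome.if hunk there are two blank lines between the closing `')` of gnome_user_runtime_filetrans_gstreamer_orcexec and the header of gnome_tmp_filetrans_gstreamer_orcexec; refpolicy separates interfaces with a single blank line, so drop one. The three new filetrans interfaces otherwise differ only in the wrapped userdom/files call, which is fine, but each summary should say which directory class it covers as the first one does ("user home directories", "user runtime directories", "tmp directories") so policy writers can tell them apart in the generated docs.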
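Review bot: in the gnome.te hunk, `application_executable_file(gstreamer_orcexec_t)` turns a type that only ever lives in user-writable locations (/tmp, $HOME, /run/user/UID) into an exec_type member, so any domain holding exec_type-wide rules (for example through corecmd_exec_all_executables) may execute files a user created there, and the type receives none of the tmp/home/runtime content declarations refpolicy expects for such files. As the thread already agrees that pulseaudio_t only needs `allow pulseaudio_t gstreamer_orcexec_t:file mmap_file_perms;`, declare the type as user content instead (userdom_user_tmp_file() for the /tmp and runtime case, userdom_user_home_content() for the $HOME case) and leave application_executable_file() out.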
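Review bot: in the pulseaudio.fc hunk, `HOME_DIR/\.config/pulse(/.*)? -- gen_context(...pulseaudio_home_t...)` combines a pattern meant to cover the `pulse` directory itself with the `--` specifier that restricts it to regular files, so the directory keeps whatever label ~/.config has and the manage_dir_perms granted on pulseaudio_home_t in pulseaudio_role never apply to it. Drop the `--`, as the `HOME_DIR/\.pulse(/.*)?` entry two lines above does.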
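Review bot: in the first pulseaudio.te hunk, `execmem` is added unconditionally to `allow pulseaudio_t self:process { ... }`, which lets the whole domain map anonymous writable-and-executable memory and removes the W^X guarantee for it; the reply above says this is now behind a boolean defaulting to false, so this version should move the permission into a `tunable_policy` block with a new `gen_tunable(...)` in pulseaudio.te and a matching description. With the file-backed ORC cache, execute on the mmap'd file (already part of mmap_file_perms) is all the non-boolean path needs.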
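Review bot: in the second pulseaudio.te hunk, replacing `userdom_write_user_tmp_sockets` with `userdom_manage_user_tmp_sockets` lets pulseaudio_t create and unlink every user_tmp_t socket, including those belonging to other applications of the same user, when the stated need is only pulseaudio's own native and esound sockets. Prefer a private tmp type for pulseaudio with a name-based filetrans into user tmp for those sockets and keep write on user_tmp_t sockets at most. Also keep the blank line that `-` removes after `userdom_read_user_tmpfs_files(pulseaudio_t)`; the file groups userdom calls separately from what follows.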
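Review bot: in the fourth pulseaudio.te hunk, `gnome_stream_connect_gconf(pulseaudio_t)` sits inside the optional_policy block commented "OIL Runtime Compiler (ORC) optimized code execution" although it has nothing to do with ORC; move it to its own optional_policy block (or document why pulseaudio now talks to gconfd). Within the same block `manage_files_pattern(pulseaudio_t, gstreamer_orcexec_t, gstreamer_orcexec_t)` names gstreamer_orcexec_t as the directory type although no directory ever carries it; with `can_exec` replaced by `allow pulseaudio_t gstreamer_orcexec_t:file mmap_file_perms;` as agreed above, `allow pulseaudio_t gstreamer_orcexec_t:file manage_file_perms;` is the rule that remains.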
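The reason the thread prefers an mmap'd orcexec file over `process execmem` is easier to see in code. The following C program is an added example written for this page; it is not part of the patch, of refpolicy or of liborc, and the file name `orcexec-demo.XXXXXX` and the fallback to a memfd on noexec mounts are assumptions. It JITs a tiny "return 42" function two ways: variant 1 uses one anonymous mapping that is writable and executable at the same time, which is exactly what SELinux checks as `process { execmem }`; variant 2 writes the code into a file created where ORC would (`$XDG_RUNTIME_DIR`, then `/tmp`, mirroring the thread's fallback order) and maps it read+exec only, so the checks become ordinary file permissions on whatever type the filetrans rules assign, and `execute` from `mmap_file_perms` is the one that matters.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Machine code for "return 42", standing in for the loops ORC would emit. */
#if defined(__x86_64__)
static const uint8_t kCode[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t kCode[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "demo encodes x86-64 and aarch64 only"
#endif

static int call_code(void *map)
{
    union { void *p; int (*f)(void); } u;
    __builtin___clear_cache((char *)map, (char *)map + sizeof kCode); /* I-cache sync on ARM */
    u.p = map;
    return u.f();
}

/* Variant 1: anonymous RWX mapping. SELinux: process { execmem }. */
int jit_anon_rwx(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;                 /* denied, e.g. execmem not granted */
    memcpy(m, kCode, sizeof kCode);
    int r = call_code(m);
    munmap(m, (size_t)pg);
    return r;
}

/* Backing file in the order the thread discusses: $XDG_RUNTIME_DIR, then /tmp.
 * The "orcexec-demo" name is an assumption for this demo. */
static int open_code_file(void)
{
    const char *dirs[2] = { getenv("XDG_RUNTIME_DIR"), "/tmp" };
    for (int i = 0; i < 2; i++) {
        char path[4096];
        if (dirs[i] == NULL || *dirs[i] == '\0')
            continue;
        snprintf(path, sizeof path, "%s/orcexec-demo.XXXXXX", dirs[i]);
        int fd = mkstemp(path);
        if (fd >= 0) {
            unlink(path);          /* inode lives only while it is open/mapped */
            return fd;
        }
    }
    return -1;
}

/* Variant 2: file-backed code cache. The code is written with write(2) and the
 * file is mapped PROT_READ|PROT_EXEC only, so no mapping is ever writable and
 * executable at once. SELinux: file { read write execute ... } on the file's type. */
int jit_file_backed(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    int fd = open_code_file();
    if (fd < 0)
        return -1;
    if (write(fd, kCode, sizeof kCode) != (ssize_t)sizeof kCode) {
        close(fd);
        return -1;
    }
    void *m = mmap(NULL, (size_t)pg, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
#ifdef SYS_memfd_create
    if (m == MAP_FAILED && errno == EPERM) {
        /* Directory mounted noexec: fall back to a memfd (assumption for the demo;
         * note it carries a tmpfs label and would need its own policy rule). */
        close(fd);
        fd = (int)syscall(SYS_memfd_create, "orcexec-demo", 0);
        if (fd < 0 || write(fd, kCode, sizeof kCode) != (ssize_t)sizeof kCode)
            return -1;
        m = mmap(NULL, (size_t)pg, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    }
#endif
    close(fd);
    if (m == MAP_FAILED)
        return -1;
    int r = call_code(m);
    munmap(m, (size_t)pg);
    return r;
}

int main(void)
{
    printf("anonymous RWX (needs execmem): %d\n", jit_anon_rwx());
    printf("file-backed r-x mapping:        %d\n", jit_file_backed());
    return 0;
}
```

On an enforcing system with the boolean left off, the first call is refused at mmap time with an `execmem` AVC and returns -1, while the second succeeds or fails purely on the label the filetrans rules put on the new file; that is why a dedicated file type plus `mmap_file_perms` covers the ORC case without opening the whole domain to executable anonymous memory.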