From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 13 Aug 2016 16:23:17 +0200
Subject: [refpolicy] [PATCH v5] Update policy and file contexts for the
 alsa module
In-Reply-To: <1471097852.21480.18.camel@trentalancia.net>
References: <1470771217.3770.2.camel@trentalancia.net>
	<89ebee6b-8605-678d-e323-28d6e99778cd@gmail.com>
	<1470772925.3770.6.camel@trentalancia.net>
	<1470839456.11490.4.camel@trentalancia.net>
	<1470840227.11490.6.camel@trentalancia.net>
	<1471097852.21480.18.camel@trentalancia.net>
Message-ID: <0b67a987-701b-33c4-daa2-22ae6d5d4a9e@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/13/2016 04:17 PM, Guido Trentalancia wrote:
> Update the alsa module so that the alsa_etc_t file context (previously
> alsa_etc_rw_t) is widened to the whole alsa share directory, instead
> of just a couple of files.
> 
> The wrong and misleading _rw_ label has been deprecated in the alsa
> interface definitions and in their instances throughout the whole
> Reference Policy (static and system-wide configuration files are
> not runtime-writable). Warning messages are printed when the user
> attempts to use the old namings for the above mentioned alsa
> interface definitions. 
> 
> This version of the patch finally removes obsolete file contexts and
> grants read permissions instead of manage permissions for static
> configuration files in /usr/share/alsa and system-wide configuration
> files in /etc.
> 
> Thanks to Dominick Grift for pointing out redundant interface usage
> in a previous version of this patch.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/alsa.fc       |    9 ++----
>  policy/modules/contrib/alsa.if       |   52 ++++++++++++++++++++++++++++-------
>  policy/modules/contrib/alsa.te       |   10 +++---
>  policy/modules/contrib/asterisk.te   |    2 -
>  policy/modules/contrib/entropyd.te   |    2 -
>  policy/modules/contrib/hal.te        |    2 -
>  policy/modules/contrib/mozilla.te    |    2 -
>  policy/modules/contrib/mpd.te        |    2 -
>  policy/modules/contrib/mplayer.te    |    2 -
>  policy/modules/contrib/pulseaudio.te |    2 -
>  policy/modules/system/init.te        |    2 -
>  policy/modules/system/udev.te        |    2 -
>  policy/modules/system/userdomain.if  |    4 +-
>  13 files changed, 61 insertions(+), 32 deletions(-)
> 
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc	2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc	2016-08-10 16:07:26.601201245 +0200
> @@ -6,10 +6,8 @@ ifdef(`distro_debian',`
>  
>  /bin/alsaunmute	--	gen_context(system_u:object_r:alsa_exec_t,s0)
>  
> -/etc/alsa/asound\.state	--	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/asound(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/asound\.state	--	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/etc/alsa(/.*)?		gen_context(system_u:object_r:alsa_etc_t,s0)
> +/etc/asound\.conf	gen_context(system_u:object_r:alsa_etc_t,s0)
>  
>  /sbin/alsactl	--	gen_context(system_u:object_r:alsa_exec_t,s0)
>  /sbin/salsa	--	gen_context(system_u:object_r:alsa_exec_t,s0)
> @@ -25,8 +23,7 @@ ifdef(`distro_debian',`
>  /usr/sbin/alsactl	--	gen_context(system_u:object_r:alsa_exec_t,s0)
>  /usr/sbin/salsa	--	gen_context(system_u:object_r:alsa_exec_t,s0)
>  
> -/usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa(/.*)?		gen_context(system_u:object_r:alsa_etc_t,s0)
>  
>  /var/lib/alsa(/.*)?	gen_context(system_u:object_r:alsa_var_lib_t,s0)
>  
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if	2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.if	2016-08-13 15:57:00.899552788 +0200
> @@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`
>  
>  ########################################
>  ## <summary>
> -##	Read writable Alsa configuration content.
> +##	Read writable Alsa configuration
> +##	content.  (Deprecated)
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>
> @@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
>  ## </param>
>  #
>  interface(`alsa_read_rw_config',`
> +	refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
> +	alsa_read_config($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Read Alsa configuration content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`alsa_read_config',`
>  	gen_require(`
> -		type alsa_etc_rw_t;
> +		type alsa_etc_t;
>  	')
>  
>  	files_search_etc($1)
> -	allow $1 alsa_etc_rw_t:dir list_dir_perms;
> -	read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> -	read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> +	allow $1 alsa_etc_t:dir list_dir_perms;
> +	read_files_pattern($1, alsa_etc_t, alsa_etc_t)
> +	read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>  
>  	ifdef(`distro_debian',`
>  		files_search_usr($1)
> @@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`
>  
>  ########################################
>  ## <summary>
> -##	Manage writable Alsa config files.
> +##	Manage writable Alsa config
> +##	files.  (Deprecated)
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>
> @@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
>  ## </param>
>  #
>  interface(`alsa_manage_rw_config',`
> +	refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
> +	alsa_manage_config($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage Alsa config files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`alsa_manage_config',`
>  	gen_require(`
> -		type alsa_etc_rw_t;
> +		type alsa_etc_t;
>  	')
>  
>  	files_search_etc($1)
> -	allow $1 alsa_etc_rw_t:dir list_dir_perms;
> -	manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> -	read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> +	allow $1 alsa_etc_t:dir list_dir_perms;
> +	manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
> +	read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

The interface name suggests that it applies to all alsa_etc_t content.
The description suggests that it only applies to files, the reality is
somewhere in between...

how about: "Manage Alsa config"

allow $1 alsa_etc_t:dir manage_dir_perms;
allow $1 alsa_etc_t:file manage_file_perms;
allow $1 alsa_etc_t:lnk_file manage_link_file_perms;

>  
>  	ifdef(`distro_debian',`
>  		files_search_usr($1)
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te	2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.te	2016-08-10 15:42:03.969550824 +0200
> @@ -12,8 +12,8 @@ type alsa_exec_t;
>  init_system_domain(alsa_t, alsa_exec_t)
>  role alsa_roles types alsa_t;
>  
> -type alsa_etc_rw_t;
> -files_config_file(alsa_etc_rw_t)
> +type alsa_etc_t;
> +files_config_file(alsa_etc_t)
>  
>  type alsa_tmp_t;
>  files_tmp_file(alsa_tmp_t)
> @@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a
>  
>  allow alsa_t alsa_home_t:file read_file_perms;
>  
> -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
> -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
> -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
> +list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> +read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> +read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
>  
>  can_exec(alsa_t, alsa_exec_t)
>  
> --- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te	2016-08-06 21:27:11.330094064 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te	2016-08-10 15:54:57.818932359 +0200
> @@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as
>  userdom_dontaudit_search_user_home_dirs(asterisk_t)
>  
>  optional_policy(`
> -	alsa_read_rw_config(asterisk_t)
> +	alsa_read_config(asterisk_t)
>  ')
>  
>  optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te	2016-08-06 21:27:11.349094280 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te	2016-08-10 15:55:49.200688065 +0200
> @@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
>  optional_policy(`
>  	tunable_policy(`entropyd_use_audio',`
>  		alsa_read_lib(entropyd_t)
> -		alsa_read_rw_config(entropyd_t)
> +		alsa_read_config(entropyd_t)
>  	')
>  ')
>  
> --- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te	2016-08-06 21:27:11.357094372 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/hal.te	2016-08-10 15:55:28.902389524 +0200
> @@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(
>  
>  optional_policy(`
>  	alsa_domtrans(hald_t)
> -	alsa_read_rw_config(hald_t)
> +	alsa_read_config(hald_t)
>  ')
>  
>  optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te	2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te	2016-08-10 15:57:03.475780480 +0200
> @@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
>  ')
>  
>  optional_policy(`
> -	alsa_read_rw_config(mozilla_plugin_t)
> +	alsa_read_config(mozilla_plugin_t)
>  	alsa_read_home_files(mozilla_plugin_t)
>  ')
>  
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te	2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mpd.te	2016-08-10 15:56:33.740343142 +0200
> @@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
>  ')
>  
>  optional_policy(`
> -	alsa_read_rw_config(mpd_t)
> +	alsa_read_config(mpd_t)
>  ')
>  
>  optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te	2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te	2016-08-10 15:56:47.576546638 +0200
> @@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack'
>  ')
>  
>  optional_policy(`
> -	alsa_read_rw_config(mplayer_t)
> +	alsa_read_config(mplayer_t)
>  ')
>  
>  optional_policy(`
> --- refpolicy-git-06082016-pulseaudio-orig/policy/modules/contrib/pulseaudio.te	2016-08-13 16:04:58.606101692 +0200
> +++ refpolicy-git-06082016-pulseaudio-alsa/policy/modules/contrib/pulseaudio.te	2016-08-13 16:05:07.627227363 +0200
> @@ -161,7 +161,7 @@ tunable_policy(`use_samba_home_dirs',`
>  ')
>  
>  optional_policy(`
> -	alsa_rw_config(pulseaudio_t)
> +	alsa_read_config(pulseaudio_t)
>  	alsa_read_home_files(pulseaudio_t)
>  ')
>  
> --- refpolicy-git-06082016-orig/policy/modules/system/init.te	2016-08-06 21:26:43.300774339 +0200
> +++ refpolicy-git-06082016/policy/modules/system/init.te	2016-08-10 15:57:39.413309038 +0200
> @@ -694,7 +694,7 @@ ifdef(`distro_redhat',`
>  	miscfiles_read_hwdata(initrc_t)
>  
>  	optional_policy(`
> -		alsa_manage_rw_config(initrc_t)
> +		alsa_manage_config(initrc_t)
>  	')
>  
>  	optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/udev.te	2016-08-07 19:44:14.820691246 +0200
> +++ refpolicy-git-06082016/policy/modules/system/udev.te	2016-08-10 15:58:00.350616976 +0200
> @@ -234,7 +234,7 @@ ifdef(`init_systemd',`
>  optional_policy(`
>  	alsa_domtrans(udev_t)
>  	alsa_read_lib(udev_t)
> -	alsa_read_rw_config(udev_t)
> +	alsa_read_config(udev_t)
>  ')
>  
>  optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if	2016-08-06 21:26:43.311774465 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.if	2016-08-10 16:00:35.340683806 +0200
> @@ -579,7 +579,7 @@ template(`userdom_common_user_template',
>  	optional_policy(`
>  		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
>  		alsa_manage_home_files($1_t)
> -		alsa_read_rw_config($1_t)
> +		alsa_read_config($1_t)
>  		alsa_relabel_home_files($1_t)
>  	')
>  
> @@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us
>  	xserver_restricted_role($1_r, $1_t)
>  
>  	optional_policy(`
> -		alsa_read_rw_config($1_t)
> +		alsa_read_config($1_t)
>  	')
>  
>  	optional_policy(`
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160813/ac486bcc/attachment-0001.bin