From: dac.override@gmail.com (Dominick Grift) Date: Sat, 13 Aug 2016 16:36:42 +0200 Subject: [refpolicy] [PATCH v3] Update the pulseaudio module for usability and ORC support In-Reply-To: <1471098846.21480.22.camel@trentalancia.net> References: <1470953060.25389.1.camel@trentalancia.net> <1471021082.23869.7.camel@trentalancia.net> <1471031806.30650.0.camel@trentalancia.net> <1471098846.21480.22.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/13/2016 04:34 PM, Guido Trentalancia wrote: > Hello Christopher, > > thanks for getting back on this... > > On Sat, 13/08/2016 at 09.50 -0400, Chris PeBenito wrote: >> On 08/12/16 15:56, Guido Trentalancia wrote: >>> Update the pulseaudio module so that it is usable (tested with >>> latest version pulseaudio 9.0). >>> >>> Support for the OIL Runtime Compiler (OIL) optimized code >>> execution is added to the pulseaudio module by using a few >>> newly created interfaces and file contexts in the gnome >>> module. >>> >>> Supports the execmem permission only through a boolean which >>> defaults to false. >>> >>> This third version fixes an error introduced with the second >>> version (cannot execute ORC file). >>> >>> Thanks to Dominick Grift for the useful suggestions that >>> permitted to create this new improved version of the patch. >>> >>> Signed-off-by: Guido Trentalancia >>> --- >>> policy/modules/contrib/gnome.fc | 5 + >>> policy/modules/contrib/gnome.if | 91 >>> +++++++++++++++++++++++++++++++++++ >>> policy/modules/contrib/gnome.te | 3 + >>> policy/modules/contrib/pulseaudio.fc | 1 >>> policy/modules/contrib/pulseaudio.if | 1 >>> policy/modules/contrib/pulseaudio.te | 35 +++++++++++-- >>> 6 files changed, 132 insertions(+), 4 deletions(-) >>> >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc >>> 2016-08-06 21:27:11.354094337 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2 >>> 016-08-12 17:39:35.069146107 +0200 
>>> @@ -4,13 +4,18 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste >>> HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome >>> _home_t,s0) >>> HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:objec >>> t_r:gnome_keyring_home_t,s0) >>> HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object >>> _r:gnome_home_t,s0) >>> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreame >>> r_orcexec_t,s0) >>> >>> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t, >>> s0) >>> >>> /tmp/gconfd-USER/.* -- gen_context(system_u:object_r >>> :gconf_tmp_t,s0) >>> +/tmp/orcexec\..* gen_context(system_u:object_r:gstreamer_or >>> cexec_t,s0) >> >> I agree with Dominick that this labeling is problematic. I'd prefer >> to >> avoid putting fc entries for /tmp. The ones that we have already >> should >> probably be revisited. > > That's fine to me. I was also not very keen on letting pulseaudio > execute stuff in /tmp. > > I have now dropped the support for the last alternative ORC runtime > executable location (in /tmp). > That is not what was meant though. We only request that the file context spec for that file in /tmp be removed. This is because /tmp could be shared (the same goes for /var/run probably though in a sense but i don't want to open that can of worms right now) >>> /usr/bin/gnome-keyring-daemon -- gen_context(system_ >>> u:object_r:gkeyringd_exec_t,s0) >>> /usr/bin/mate-keyring-daemon -- gen_context(system_u >>> :object_r:gkeyringd_exec_t,s0) >>> >>> /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_ >>> u:object_r:gconfd_exec_t,s0) >>> /usr/libexec/gconfd-2 -- gen_context(system_u:object >>> _r:gconfd_exec_t,s0) >>> + >>> +/var/run/user/[^/]*/orcexec\..* gen_context(system_u:object >>> _r:gstreamer_orcexec_t,s0) >>> +/var/run/user/%{USERID}/orcexec\..* gen_context(system_u:ob >>> ject_r:gstreamer_orcexec_t,s0) >> >> [...] 
>> >>> --- refpolicy-git-06082016- >>> orig/policy/modules/contrib/pulseaudio.te 2016-08-06 >>> 21:27:11.412094999 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te >>> 2016-08-12 21:33:49.231266389 +0200 >>> @@ -5,6 +5,14 @@ policy_module(pulseaudio, 1.8.1) >>> # Declarations >>> # >>> >>> +## >>> +##

>>> +## Allow pulseaudio to execute code in >>> +## writable memory >>> +##

>>> +##
>>> +gen_tunable(pulseaudio_execmem, false) >>> + >>> attribute pulseaudio_client; >>> attribute pulseaudio_tmpfsfile; >>> >>> @@ -37,7 +45,12 @@ files_pid_file(pulseaudio_var_run_t) >>> # >>> >>> allow pulseaudio_t self:capability { fowner fsetid chown setgid >>> setuid sys_nice sys_resource sys_tty_config }; >>> -allow pulseaudio_t self:process { getcap setcap setrlimit setsched >>> getsched signal signull }; >>> +allow pulseaudio_t self:process { getcap getsched setcap setrlimit >>> setsched signal signull }; >>> + >>> +tunable_policy(`pulseaudio_execmem',` >>> + allow pulseaudio_t self:process execmem; >>> +') >> >> This should be moved down with the other tunables (in alphabetical >> order >> by tunable name) > > The update for this module now depends on a forthcoming gnome update. > Please apply the forthcoming patch for the gnome module first and then > the next version of this patch. > >>> allow pulseaudio_t self:fifo_file rw_fifo_file_perms; >>> allow pulseaudio_t self:unix_stream_socket { accept connectto >>> listen }; >>> allow pulseaudio_t self:unix_dgram_socket sendto; >>> @@ -129,9 +142,11 @@ logging_send_syslog_msg(pulseaudio_t) >>> miscfiles_read_localization(pulseaudio_t) >>> >>> userdom_read_user_tmpfs_files(pulseaudio_t) >>> - >>> +userdom_delete_user_tmpfs_files(pulseaudio_t) >>> userdom_search_user_home_dirs(pulseaudio_t) >>> -userdom_write_user_tmp_sockets(pulseaudio_t) >>> +userdom_search_user_home_content(pulseaudio_t) >>> + >>> +userdom_manage_user_tmp_sockets(pulseaudio_t) >>> >>> tunable_policy(`use_nfs_home_dirs',` >>> fs_manage_nfs_dirs(pulseaudio_t) >>> @@ -146,7 +161,8 @@ tunable_policy(`use_samba_home_dirs',` >>> ') >>> >>> optional_policy(` >>> - alsa_read_rw_config(pulseaudio_t) >>> + alsa_read_config(pulseaudio_t) >>> + alsa_read_home_files(pulseaudio_t) >>> ') >>> >>> optional_policy(` 
>>> @@ -176,6 +192,16 @@ optional_policy(` >>> ') >>> >>> optional_policy(` >>> + gnome_stream_connect_gconf(pulseaudio_t) >>> + >>> + # OIL Runtime Compiler (ORC) optimized code execution >>> + allow pulseaudio_t gstreamer_orcexec_t:file { >>> manage_file_perms mmap_file_perms }; >>> + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_ >>> t, file) >>> + gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file) >>> + gnome_tmp_filetrans_gstreamer_orcexec(pulseaudio_t, file) >>> +') >>> + >>> +optional_policy(` >>> rtkit_scheduled(pulseaudio_t) >>> ') >>> >>> @@ -186,6 +212,7 @@ optional_policy(` >>> ') >>> >>> optional_policy(` >>> + udev_read_pid_files(pulseaudio_t) >>> udev_read_state(pulseaudio_t) >>> udev_read_db(pulseaudio_t) >>> ') > > Guido
-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
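Review bot: in the gnome.fc hunk, `/var/run/user/%{USERID}/orcexec\..*` is redundant with `/var/run/user/[^/]*/orcexec\..*`: both assign the identical context and `[^/]*` already matches every uid directory, so keep only one. The new `HOME_DIR/orcexec\..*` and `/var/run/user/...` specs also carry no file-type qualifier, unlike the neighbouring `/tmp/gconfd-USER/.* -- gen_context(...)`; ORC writes regular files, so add `--` so that directories or sockets matching the glob are not relabelled. The `/tmp/orcexec\..*` spec should be dropped, as Chris and Dominick already said: /tmp is shared, so a spec there labels any file with that name gstreamer_orcexec_t on relabel, regardless of who created it.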
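Review bot: the `tunable_policy(`pulseaudio_execmem',` ... ')` block in the `@@ -37,7 +45,12 @@` hunk should move down next to the other `tunable_policy` blocks (`use_nfs_home_dirs`, `use_samba_home_dirs`), ordered by tunable name, as Chris requested; placed beside the `self:process` allow it is easy to miss that `execmem` is the one conditional permission in the file. The `self:process` line itself is only re-sorted (`getsched` moved after `getcap`), a cosmetic change that is better kept out of a functional patch or at least mentioned in the commit message.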
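Review bot: the `@@ -129,9 +142,11 @@` hunk widens `userdom_write_user_tmp_sockets` to `userdom_manage_user_tmp_sockets` and adds `userdom_delete_user_tmpfs_files` and `userdom_search_user_home_content`, but the commit message only says the module was made usable; each widening should name the denial it fixes (the AVC or the pulseaudio operation) so a reviewer can judge whether manage, rather than create plus write, is really needed on user tmp sockets.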
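Review bot: in the `@@ -176,6 +192,16 @@` hunk, `allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };` uses a type declared in the gnome module directly from pulseaudio.te; refpolicy convention is to reach another module's types only through an interface in that module, and the patch already adds interfaces to gnome.if for the filetrans calls, so add a manage-and-mmap interface there (name is the submitter's choice) and call it here instead. Note also what the pair grants: pulseaudio_t may write a gstreamer_orcexec_t file and map it for execution, which is the same write-then-execute capability that denying `execmem` is meant to prevent, yet it is unconditional while `pulseaudio_execmem` defaults to false. Either gate these rules behind the same tunable or state in the boolean description that ORC code execution through these files is always allowed.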