From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 13 Aug 2016 16:44:28 +0200
Subject: [refpolicy] [PATCH v3] Update the pulseaudio module for usability and ORC support
In-Reply-To:
References: <1470953060.25389.1.camel@trentalancia.net> <1471021082.23869.7.camel@trentalancia.net> <1471031806.30650.0.camel@trentalancia.net> <1471098846.21480.22.camel@trentalancia.net>
Message-ID: <1471099468.21480.25.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 13/08/2016 at 16.36 +0200, Dominick Grift wrote:
> On 08/13/2016 04:34 PM, Guido Trentalancia wrote:
> > Hello Christopher,
> >
> > thanks for getting back on this...
> >
> > On Sat, 13/08/2016 at 09.50 -0400, Chris PeBenito wrote:
> > > On 08/12/16 15:56, Guido Trentalancia wrote:
> > > > Update the pulseaudio module so that it is usable (tested with
> > > > latest version pulseaudio 9.0).
> > > >
> > > > Support for the OIL Runtime Compiler (OIL) optimized code
> > > > execution is added to the pulseaudio module by using a few
> > > > newly created interfaces and file contexts in the gnome
> > > > module.
> > > >
> > > > Supports the execmem permission only through a boolean which
> > > > defaults to false.
> > > >
> > > > This third version fixes an error introduced with the second
> > > > version (cannot execute ORC file).
> > > >
> > > > Thanks to Dominick Grift for the useful suggestions that
> > > > permitted to create this new improved version of the patch.
> > > > > > > > Signed-off-by: Guido Trentalancia > > > > --- > > > > ?policy/modules/contrib/gnome.fc??????|????5 + > > > > ?policy/modules/contrib/gnome.if??????|???91 > > > > +++++++++++++++++++++++++++++++++++ > > > > ?policy/modules/contrib/gnome.te??????|????3 + > > > > ?policy/modules/contrib/pulseaudio.fc |????1 > > > > ?policy/modules/contrib/pulseaudio.if |????1 > > > > ?policy/modules/contrib/pulseaudio.te |???35 +++++++++++-- > > > > ?6 files changed, 132 insertions(+), 4 deletions(-) > > > > > > > > --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc > > > > > > > > 2016-08-06 21:27:11.354094337 +0200 > > > > +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc > > > > 2 > > > > 016-08-12 17:39:35.069146107 +0200 
> > > > @@ -4,13 +4,18 @@ HOME_DIR/\.gnome(/.*)? gen_context(sys > > > > te > > > > ?HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:g > > > > nome > > > > _home_t,s0) > > > > ?HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:o > > > > bjec > > > > t_r:gnome_keyring_home_t,s0) > > > > ?HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:ob > > > > ject > > > > _r:gnome_home_t,s0) > > > > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstr > > > > eame > > > > r_orcexec_t,s0) > > > > > > > > ?/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_et > > > > c_t, > > > > s0) > > > > > > > > ?/tmp/gconfd-USER/.* -- gen_context(system_u:obje > > > > ct_r > > > > :gconf_tmp_t,s0) > > > > +/tmp/orcexec\..* gen_context(system_u:object_r:gstreame > > > > r_or > > > > cexec_t,s0) > > > > > > I agree with Dominick that this labeling is problematic.??I'd > > > prefer > > > to? > > > avoid putting fc entries for /tmp.??The ones that we have already > > > should? > > > probably be revisited. > > > > That's fine to me. I was also not very keen on letting pulseaudio > > execute stuff in /tmp. > > > > I have now dropped the support for the last alternative ORC runtime > > executable location (in /tmp). > > > > That is not what was meant though. > > We only request that the file context spec for that file in /tmp be > removed. > > This is because /tmp could be shared (the same goes for /var/run > probably though in a sense but i don't want to open that can of worms > right now) I don't like the idea that stuff in /tmp is executable. Therefore, the support for ORC executable primary and fall-back locations is not 100% complete but, say, 66.6% complete which is not bad. 
> > > > ?/usr/bin/gnome-keyring-daemon -- gen_context(sys > > > > tem_ > > > > u:object_r:gkeyringd_exec_t,s0) > > > > ?/usr/bin/mate-keyring-daemon -- gen_context(syst > > > > em_u > > > > :object_r:gkeyringd_exec_t,s0) > > > > > > > > ?/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(sys > > > > tem_ > > > > u:object_r:gconfd_exec_t,s0) > > > > ?/usr/libexec/gconfd-2 -- gen_context(system_u:ob > > > > ject > > > > _r:gconfd_exec_t,s0) > > > > + > > > > +/var/run/user/[^/]*/orcexec\..* gen_context(system_u:ob > > > > ject > > > > _r:gstreamer_orcexec_t,s0) > > > > +/var/run/user/%{USERID}/orcexec\..* gen_context(system_ > > > > u:ob > > > > ject_r:gstreamer_orcexec_t,s0) > > > > > > [...] > > > > > > > --- refpolicy-git-06082016- > > > > orig/policy/modules/contrib/pulseaudio.te 2016-08-06 > > > > 21:27:11.412094999 +0200 > > > > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te > > > > > > > > 2016-08-12 21:33:49.231266389 +0200 > > > > @@ -5,6 +5,14 @@ policy_module(pulseaudio, 1.8.1) > > > > ?# Declarations > > > > ?# > > > > > > > > +## > > > > +##

> > > > +## Allow pulseaudio to execute code in > > > > +## writable memory > > > > +##

> > > > +##
> > > > +gen_tunable(pulseaudio_execmem, false) > > > > + > > > > ?attribute pulseaudio_client; > > > > ?attribute pulseaudio_tmpfsfile; > > > > > > > > @@ -37,7 +45,12 @@ files_pid_file(pulseaudio_var_run_t) > > > > ?# > > > > > > > > ?allow pulseaudio_t self:capability { fowner fsetid chown > > > > setgid > > > > setuid sys_nice sys_resource sys_tty_config }; > > > > -allow pulseaudio_t self:process { getcap setcap setrlimit > > > > setsched > > > > getsched signal signull }; > > > > +allow pulseaudio_t self:process { getcap getsched setcap > > > > setrlimit > > > > setsched signal signull }; > > > > + > > > > +tunable_policy(`pulseaudio_execmem',` > > > > + allow pulseaudio_t self:process execmem; > > > > +') > > > > > > This should be moved down with the other tunables (in > > > alphabetical > > > order? > > > by tunable name) > > > > The update for this module now depends on a forthcoming gnome > > update. > > Please apply the forthcoming patch for the gnome module first and > > then > > the next version of this patch. > > > > > > ?allow pulseaudio_t self:fifo_file rw_fifo_file_perms; > > > > ?allow pulseaudio_t self:unix_stream_socket { accept connectto > > > > listen }; > > > > ?allow pulseaudio_t self:unix_dgram_socket sendto; > > > > @@ -129,9 +142,11 @@ logging_send_syslog_msg(pulseaudio_t) > > > > ?miscfiles_read_localization(pulseaudio_t) > > > > > > > > ?userdom_read_user_tmpfs_files(pulseaudio_t) > > > > - > > > > +userdom_delete_user_tmpfs_files(pulseaudio_t) > > > > ?userdom_search_user_home_dirs(pulseaudio_t) > > > > -userdom_write_user_tmp_sockets(pulseaudio_t) > > > > +userdom_search_user_home_content(pulseaudio_t) > > > > + > > > > +userdom_manage_user_tmp_sockets(pulseaudio_t) > > > > > > > > ?tunable_policy(`use_nfs_home_dirs',` > > > > ? fs_manage_nfs_dirs(pulseaudio_t) 
> > > > @@ -146,7 +161,8 @@ tunable_policy(`use_samba_home_dirs',` > > > > ?') > > > > > > > > ?optional_policy(` > > > > - alsa_read_rw_config(pulseaudio_t) > > > > + alsa_read_config(pulseaudio_t) > > > > + alsa_read_home_files(pulseaudio_t) > > > > ?') > > > > > > > > ?optional_policy(` > > > > @@ -176,6 +192,16 @@ optional_policy(` > > > > ?') > > > > > > > > ?optional_policy(` > > > > + gnome_stream_connect_gconf(pulseaudio_t) > > > > + > > > > + # OIL Runtime Compiler (ORC) optimized code execution > > > > + allow pulseaudio_t gstreamer_orcexec_t:file { > > > > manage_file_perms mmap_file_perms }; > > > > + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseau > > > > dio_ > > > > t, file) > > > > + gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, > > > > file) > > > > + gnome_tmp_filetrans_gstreamer_orcexec(pulseaudio_t, > > > > file) > > > > +') > > > > + > > > > +optional_policy(` > > > > ? rtkit_scheduled(pulseaudio_t) > > > > ?') > > > > > > > > @@ -186,6 +212,7 @@ optional_policy(` > > > > ?') > > > > > > > > ?optional_policy(` > > > > + udev_read_pid_files(pulseaudio_t) > > > > ? udev_read_state(pulseaudio_t) > > > > ? udev_read_db(pulseaudio_t) > > > > ?') > > > > Guido Regards, Guido
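
Review bot: in the gnome.fc hunk, the new `orcexec\..*` entries carry no file-type specifier, unlike the neighbouring `/tmp/gconfd-USER/.* --` entry, so they match directories, sockets and symlinks as well as regular files. pulseaudio.te only grants access to `gstreamer_orcexec_t:file`, so adding `--` to each entry would keep the label on regular files. The two `/var/run/user/` entries also overlap: `[^/]*` already matches any per-user directory name and both entries assign the same type, so one of them can go.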
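
Review bot: in the pulseaudio.te hunk at `@@ -129,9 +142,11 @@`, `userdom_write_user_tmp_sockets` is replaced by `userdom_manage_user_tmp_sockets` and `userdom_delete_user_tmpfs_files` is added, but the commit message only mentions usability and ORC support and does not say what needs them. Please state which pulseaudio operation has to create or delete these objects (the denials observed would do), or move these two lines to a separate patch, so the wider access can be reviewed on its own.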
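
Review bot: in the pulseaudio.te hunk at `@@ -176,6 +192,16 @@`, the rule `allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };` refers directly to a type that this patch labels from gnome.fc, from inside the pulseaudio module. Access to another module's type should go through an interface in gnome.if, alongside the `gnome_*_filetrans_gstreamer_orcexec` interfaces called just below it. The same rule lets the domain both write these files and map them for execution, and unlike `execmem` it is not gated by the `pulseaudio_execmem` tunable, so a comment explaining why that is acceptable would help. The `gnome_tmp_filetrans_gstreamer_orcexec(pulseaudio_t, file)` call also needs to be reconciled with the outcome of the /tmp discussion in this thread.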