From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 13 Aug 2016 22:20:35 +0200
Subject: [refpolicy] [PATCH] Update for the gnome policy and file
	contexts
In-Reply-To: <96283402.942510.1471118969499.JavaMail.open-xchange@popper02.register.it>
References: <1471099545.21480.27.camel@trentalancia.net>
	<e4796821-1139-a8d5-e29e-91ad07c603ac@gmail.com>
	<96283402.942510.1471118969499.JavaMail.open-xchange@popper02.register.it>
Message-ID: <5ba73d28-50d2-cede-f5f4-cf8c6d54e3a3@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/13/2016 10:09 PM, Guido Trentalancia wrote:
> Hello Dominick,
> 
> thanks for getting back on this.
> 
>> On the 13th of August 2016 at 16.51 Dominick Grift <dac.override@gmail.com>
>> wrote:
>>
>>
>> On 08/13/2016 04:45 PM, Guido Trentalancia wrote:
>>> Update for the gnome module:
>>>
>>> - a new gstreamer_orcexec_t type and file context is introduced
>>>   to support the OIL Runtime Compiler (ORC) optimized code
>>>   execution (used for example by pulseaudio);
>>> - add support for more permissions needed in gconfd_t and gnome
>>>   keyring domains;
>>> - add support for a few needed fs and kernel permissions. 
>>>
>>> This patch should be applied before applying the pulseaudio patch.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  policy/modules/contrib/gnome.fc |    7 ++
>>>  policy/modules/contrib/gnome.if |   99
>>> +++++++++++++++++++++++++++++++++++++++-
>>>  policy/modules/contrib/gnome.te |    8 +++
>>>  3 files changed, 112 insertions(+), 2 deletions(-)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc	2016-08-13
>>> 16:02:14.949814288 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc	2016-08-13
>>> 16:30:32.175198600 +0200
>>> @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)?	gen_context(syste
>>>  HOME_DIR/\.gnome2(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
>>>  HOME_DIR/\.gnome2/keyrings(/.*)?
>>> gen_context(system_u:object_r:gnome_keyring_home_t,s0)
>>>  HOME_DIR/\.gnome2_private(/.*)?
>>> gen_context(system_u:object_r:gnome_home_t,s0)
>>> +HOME_DIR/orcexec\..*	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>>>  
>>>  /etc/gconf(/.*)?	gen_context(system_u:object_r:gconf_etc_t,s0)
>>>  
>>> @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)?	gen_cont
>>>  /usr/bin/mate-keyring-daemon	--
>>> gen_context(system_u:object_r:gkeyringd_exec_t,s0)
>>>  
>>>  /usr/lib/[^/]*/gconf/gconfd-2	--
>>> gen_context(system_u:object_r:gconfd_exec_t,s0)
>>> -/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
>>> +
>>> +/usr/libexec/gconfd-2		--	gen_context(system_u:object_r:gconfd_exec_t,s0)
>>> +
>>> +/var/run/user/[^/]*/orcexec\..*
>>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>>> +/var/run/user/%{USERID}/orcexec\..*
>>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>>
>> these are files so you can be more specific about it:
>>
>> /var/run/user/[^/]*/orcexec\..* --
>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
>> /var/run/user/%{USERID}/orcexec\..* --
>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> 
> Thanks for pointing it out, I have now amended it.
> 
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if	2016-08-13
>>> 16:02:14.950814302 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if	2016-08-13
>>> 00:55:24.980149003 +0200
>>> @@ -1,4 +1,4 @@
>>> -## <summary>GNU network object model environment.</summary>
>>> +
>>>  
>>>  ########################################
>>>  ## <summary>
>>> @@ -100,9 +100,15 @@ template(`gnome_role_template',`
>>>  
>>>  	allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms
>>> manage_sock_file_perms };
>>>  
>>> +	userdom_manage_user_home_content_dirs($1_gkeyringd_t)
>>> +	userdom_manage_user_home_content_files($1_gkeyringd_t)
>>> +	userdom_manage_user_home_content_sockets($1_gkeyringd_t)
>>> +
> 
>> I don't like this, and I dont understand it
> 
> I will double check it. Hopefully, I won't forget about that, with the many
> other modules that are being changed...
> 
>>>  	ps_process_pattern($3, $1_gkeyringd_t)
>>>  	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
>>>  
>>> +	kernel_read_kernel_sysctls($1_gkeyringd_t)
>>> +
>>>  	corecmd_bin_domtrans($1_gkeyringd_t, $3)
>>>  	corecmd_shell_domtrans($1_gkeyringd_t, $3)
>>>  
>>> @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho
>>>  
>>>  ########################################
>>>  ## <summary>
>>> +##	Create objects in user home
>>> +##	directories with the gstreamer
>>> +##	orcexec type.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +## <param name="object_class">
>>> +##	<summary>
>>> +##	Class of the object being created.
>>> +##	</summary>
>>> +## </param>
>>> +## <param name="name" optional="true">
>>> +##	<summary>
>>> +##	The name of the object being created.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_home_filetrans_gstreamer_orcexec',`
>>> +	gen_require(`
>>> +		type gstreamer_orcexec_t;
>>> +	')
>>> +
>>> +	userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>>  ##	Create objects in gnome gconf home
>>>  ##	directories with a private type.
>>>  ## </summary>
>>> @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',`
>>>  ')
>>>  
>>>  ########################################
>>> +## <summary>
>>> +##	Create objects in the user
>>> +##	runtime directories with the
>>> +##	gstreamer orcexec type.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +## <param name="object_class">
>>> +##	<summary>
>>> +##	Class of the object being created.
>>> +##	</summary>
>>> +## </param>
>>> +## <param name="name" optional="true">
>>> +##	<summary>
>>> +##	The name of the object being created.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
>>> +	gen_require(`
>>> +		type gstreamer_orcexec_t;
>>> +	')
>>> +
>>> +	userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
>>> +')
>>> +
>>> +
>>> +########################################
>>> +## <summary>
>>> +##	Create objects in the tmp
>>> +##	directories with the gstreamer
>>> +##	orcexec type.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +## <param name="object_class">
>>> +##	<summary>
>>> +##	Class of the object being created.
>>> +##	</summary>
>>> +## </param>
>>> +## <param name="name" optional="true">
>>> +##	<summary>
>>> +##	The name of the object being created.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_tmp_filetrans_gstreamer_orcexec',`
>>> +	gen_require(`
>>> +		type gstreamer_orcexec_t;
>>> +	')
>>> +
>>> +	files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3)
>>> +')
>>> +
>>
>> If you're not going to support that file in /tmp then this is not needed
> 
> Removed.
> 
>>> +########################################
>>>  ## <summary>
>>>  ##	Read generic gnome keyring home files.
>>>  ## </summary>
>>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te	2016-08-13
>>> 16:02:14.951814316 +0200
>>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te	2016-08-13
>>> 13:45:54.704254788 +0200
>>> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
>>>  type gnome_keyring_tmp_t;
>>>  userdom_user_tmp_file(gnome_keyring_tmp_t)
>>>  
>>> +type gstreamer_orcexec_t;
>>> +application_executable_file(gstreamer_orcexec_t)
>>
>> it is not an applications executable file
> 
> It's very similar to it or, in other words, it is equivalent to it. I could find
> a better interface to describe it.
> 
> But if you have other constructive ideas, please let me know and I will test
> them out...

It is nothing like an "application executable file". This is a file that
gets mmap'd it does not get "executed", its certainly not an
application, and only liborc clients mmap this file. In my policy this
is just a user temporary file, or alternatively user home content file
(i only support this file in $XDG_RUNTIME_DIR and not in ~, so in my
policy i can just get away with classifying it user tmp(fs) file)

> 
>>> +
>>>  ##############################
>>>  #
>>>  # Common local Policy
>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_
>>>  manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
>>>  userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
>>>  
>>> +kernel_dontaudit_read_system_state(gconfd_t)
>>> +
>>> +fs_getattr_xattr_fs(gconfd_t)
>>> +
>>>  userdom_manage_user_tmp_dirs(gconfd_t)
>>>  userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
>>> +userdom_manage_user_tmp_sockets(gconfd_t)
>>
>> What is going on there and why did you choose this?
> 
> I think it's to support sockets in /tmp/orbit-USER/linc-.*
> 
> They are created by ORBit2. It's a library and some gnome components are linked
> against it.
> 
> I am now working on a new revised version of this patch which introduces
> specific support for ORBit temporary files.
> 

I see. for Mate i suppose.

>>>  userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir)
>>>  
>>>  optional_policy(`
>>> _______________________________________________
> 
> Best regards,
> 
> Guido
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160813/279d0f2c/attachment.bin