From: dac.override@gmail.com (Dominick Grift) Date: Sat, 13 Aug 2016 22:20:35 +0200 Subject: [refpolicy] [PATCH] Update for the gnome policy and file contexts In-Reply-To: <96283402.942510.1471118969499.JavaMail.open-xchange@popper02.register.it> References: <1471099545.21480.27.camel@trentalancia.net> <96283402.942510.1471118969499.JavaMail.open-xchange@popper02.register.it> Message-ID: <5ba73d28-50d2-cede-f5f4-cf8c6d54e3a3@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/13/2016 10:09 PM, Guido Trentalancia wrote: > Hello Dominick, > > thanks for getting back on this. > >> On the 13th of August 2016 at 16.51 Dominick Grift >> wrote: >> >> >> On 08/13/2016 04:45 PM, Guido Trentalancia wrote: >>> Update for the gnome module: >>> >>> - a new gstreamer_orcexec_t type and file context is introduced >>> to support the OIL Runtime Compiler (ORC) optimized code >>> execution (used for example by pulseaudio); >>> - add support for more permissions needed in gconfd_t and gnome >>> keyring domains; >>> - add support for a few needed fs and kernel permissions. >>> >>> This patch should be applied before applying the pulseaudio patch. >>> >>> Signed-off-by: Guido Trentalancia >>> --- >>> policy/modules/contrib/gnome.fc | 7 ++ >>> policy/modules/contrib/gnome.if | 99 >>> +++++++++++++++++++++++++++++++++++++++- >>> policy/modules/contrib/gnome.te | 8 +++ >>> 3 files changed, 112 insertions(+), 2 deletions(-) >>> >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.fc 2016-08-13 >>> 16:02:14.949814288 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.fc 2016-08-13 >>> 16:30:32.175198600 +0200 
>>> @@ -4,6 +4,7 @@ HOME_DIR/\.gnome(/.*)? gen_context(syste >>> HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) >>> HOME_DIR/\.gnome2/keyrings(/.*)? >>> gen_context(system_u:object_r:gnome_keyring_home_t,s0) >>> HOME_DIR/\.gnome2_private(/.*)? >>> gen_context(system_u:object_r:gnome_home_t,s0) >>> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) >>> >>> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) >>> >>> @@ -13,4 +14,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont >>> /usr/bin/mate-keyring-daemon -- >>> gen_context(system_u:object_r:gkeyringd_exec_t,s0) >>> >>> /usr/lib/[^/]*/gconf/gconfd-2 -- >>> gen_context(system_u:object_r:gconfd_exec_t,s0) >>> -/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) >>> + >>> +/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) >>> + >>> +/var/run/user/[^/]*/orcexec\..* >>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0) >>> +/var/run/user/%{USERID}/orcexec\..* >>> gen_context(system_u:object_r:gstreamer_orcexec_t,s0) >> >> these are files so you can be more specific about it: >> >> /var/run/user/[^/]*/orcexec\..* -- >> gen_context(system_u:object_r:gstreamer_orcexec_t,s0) >> /var/run/user/%{USERID}/orcexec\..* -- >> gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > > Thanks for pointing it out, I have now amended it. > >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.if 2016-08-13 >>> 16:02:14.950814302 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.if 2016-08-13 >>> 00:55:24.980149003 +0200 >>> @@ -1,4 +1,4 @@ >>> -## GNU network object model environment. >>> + >>> >>> ######################################## >>> ## 
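Review bot: the new "HOME_DIR/orcexec\..*" entry in the gnome.fc "@@ -4,6 +4,7 @@" hunk has the same omission already raised for the /var/run/user entries: it labels regular files, so it should carry the "--" file-type specifier, i.e. "HOME_DIR/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)". Without it the pattern also matches directories and any other object class whose name happens to fit.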
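Review bot: the gnome.fc "@@ -13,4 +14,8 @@" hunk removes and re-adds the "/usr/libexec/gconfd-2" line unchanged, only to surround it with blank lines; that is whitespace-only churn and should be dropped so the hunk shows just the two orcexec additions. Those two also overlap: "/var/run/user/[^/]*/orcexec\..*" already matches every per-user runtime directory, including the one "/var/run/user/%{USERID}/orcexec\..*" expands to, so please confirm both are intended and keep whichever form the rest of the module uses for user runtime content.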
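Review bot: the gnome.if "@@ -1,4 +1,4 @@" hunk deletes the module summary line ("-## GNU network object model environment.") and replaces it with an empty "+" line, leaving the module without a summary; the policy documentation tooling expects every module .if to open with one, and the change is not mentioned in the commit message. If the wording is the objection, substitute an accurate summary rather than an empty line.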
>>> @@ -100,9 +100,15 @@ template(`gnome_role_template',` >>> >>> allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms >>> manage_sock_file_perms }; >>> >>> + userdom_manage_user_home_content_dirs($1_gkeyringd_t) >>> + userdom_manage_user_home_content_files($1_gkeyringd_t) >>> + userdom_manage_user_home_content_sockets($1_gkeyringd_t) >>> + > >> I don't like this, and I dont understand it > > I will double check it. Hopefully, I won't forget about that, with the many > other modules that are being changed... > >>> ps_process_pattern($3, $1_gkeyringd_t) >>> allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; >>> >>> + kernel_read_kernel_sysctls($1_gkeyringd_t) >>> + >>> corecmd_bin_domtrans($1_gkeyringd_t, $3) >>> corecmd_shell_domtrans($1_gkeyringd_t, $3) >>> >>> @@ -569,6 +575,36 @@ interface(`gnome_home_filetrans_gnome_ho >>> >>> ######################################## >>> ## >>> +## Create objects in user home >>> +## directories with the gstreamer >>> +## orcexec type. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +## >>> +## >>> +## Class of the object being created. >>> +## >>> +## >>> +## >>> +## >>> +## The name of the object being created. >>> +## >>> +## >>> +# >>> +interface(`gnome_home_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) >>> +') >>> + >>> +######################################## >>> +## >>> ## Create objects in gnome gconf home >>> ## directories with a private type. >>> ## 
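Review bot: the three userdom_manage_user_home_content_dirs/files/sockets($1_gkeyringd_t) calls in the gnome.if "@@ -100,9 +100,15 @@" hunk give the keyring daemon create, write and delete rights over every generic user home content object, not just the keyring's own data; the gnome.fc hunk already labels "HOME_DIR/\.gnome2/keyrings(/.*)?" as gnome_keyring_home_t, so if the denials are under that directory the existing type should cover them, and if they are elsewhere the commit message should name the path so a dedicated type or file transition can be added instead of the blanket grant. The kernel_read_kernel_sysctls($1_gkeyringd_t) addition in the same hunk likewise lacks a stated reason.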
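Review bot: the new gnome_home_filetrans_gstreamer_orcexec interface in the "@@ -569,6 +575,36 @@" hunk forwards an optional object name ($3) to userdom_user_home_dir_filetrans, but the matching gnome.fc pattern "HOME_DIR/orcexec\..*" shows the file name has a variable suffix, and a named file transition only fires on an exact basename. Callers will therefore have to use the unnamed form, which relabels every object of that class they create directly in the home directory; the interface documentation should say so, or the name parameter should be dropped if no caller can use it.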
>>> @@ -603,6 +639,67 @@ interface(`gnome_gconf_home_filetrans',` >>> ') >>> >>> ######################################## >>> +## >>> +## Create objects in the user >>> +## runtime directories with the >>> +## gstreamer orcexec type. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +## >>> +## >>> +## Class of the object being created. >>> +## >>> +## >>> +## >>> +## >>> +## The name of the object being created. >>> +## >>> +## >>> +# >>> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) >>> +') >>> + >>> + >>> +######################################## >>> +## >>> +## Create objects in the tmp >>> +## directories with the gstreamer >>> +## orcexec type. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +## >>> +## >>> +## Class of the object being created. >>> +## >>> +## >>> +## >>> +## >>> +## The name of the object being created. >>> +## >>> +## >>> +# >>> +interface(`gnome_tmp_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + files_tmp_filetrans($1, gstreamer_orcexec_t, $2, $3) >>> +') >>> + >> >> If you're not going to support that file in /tmp then this is not needed > > Removed. > >>> +######################################## >>> ## >>> ## Read generic gnome keyring home files. >>> ## >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/gnome.te 2016-08-13 >>> 16:02:14.951814316 +0200 >>> +++ refpolicy-git-06082016/policy/modules/contrib/gnome.te 2016-08-13 >>> 13:45:54.704254788 +0200 
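Review bot: in the "@@ -603,6 +639,67 @@" hunk the gnome_user_runtime_filetrans_gstreamer_orcexec interface is followed by two consecutive "+" blank lines before the next "########" banner; the module separates interfaces with a single blank line, so drop one. With the gnome_tmp_filetrans_gstreamer_orcexec interface removed as agreed in the reply above, the remaining runtime interface is the only one whose location is actually supported, so the doc block of the HOME_DIR variant should make clear which of the two a caller is expected to use.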
>>> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ >>> type gnome_keyring_tmp_t; >>> userdom_user_tmp_file(gnome_keyring_tmp_t) >>> >>> +type gstreamer_orcexec_t; >>> +application_executable_file(gstreamer_orcexec_t) >> >> it is not an application executable file > > It's very similar to it or, in other words, it is equivalent to it. I could find > a better interface to describe it. > > But if you have other constructive ideas, please let me know and I will test > them out... It is nothing like an "application executable file". This is a file that gets mmap'd; it does not get "executed", it's certainly not an application, and only liborc clients mmap this file. In my policy this is just a user temporary file, or alternatively a user home content file (I only support this file in $XDG_RUNTIME_DIR and not in ~, so in my policy I can just get away with classifying it as a user tmp(fs) file) > >>> + >>> ############################## >>> # >>> # Common local Policy
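Review bot: in the gnome.te "@@ -46,6 +46,9 @@" hunk, application_executable_file(gstreamer_orcexec_t) is the wrong attribute for this type: it puts the type in application_exec_type, i.e. a system-wide program binary, while the gnome.fc hunk places the file only under HOME_DIR and /var/run/user/*, per-user content written by the user's own session. The neighbouring declarations in the same hunk show the intended pattern: userdom_user_tmp_file() for the runtime-directory copy (as gnome_keyring_tmp_t does two lines above) or userdom_user_home_content() for the HOME_DIR copy, which keeps access to the file scoped to user domains rather than to every domain granted rights over application executables.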
>>> @@ -87,8 +90,13 @@ manage_dirs_pattern(gconfd_t, gconf_tmp_ >>> manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) >>> userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file }) >>> >>> +kernel_dontaudit_read_system_state(gconfd_t) >>> + >>> +fs_getattr_xattr_fs(gconfd_t) >>> + >>> userdom_manage_user_tmp_dirs(gconfd_t) >>> userdom_tmp_filetrans_user_tmp(gconfd_t, dir) >>> +userdom_manage_user_tmp_sockets(gconfd_t) >> >> What is going on there and why did you choose this? > > I think it's to support sockets in /tmp/orbit-USER/linc-.* > > They are created by ORBit2. It's a library and some gnome components are linked > against it. > > I am now working on a new revised version of this patch which introduces > specific support for ORBit temporary files. > I see, for Mate I suppose. >>> userdom_user_runtime_filetrans_user_tmp(gconfd_t, dir) >>> >>> optional_policy(` >>> _______________________________________________ > > Best regards, > > Guido > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
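Review bot: userdom_manage_user_tmp_sockets(gconfd_t) in the gnome.te "@@ -87,8 +90,13 @@" hunk lets gconfd create, write and unlink any user_tmp_t socket, not only the ORBit ones named in the reply; the context two lines above already gives gconfd its own private type via "userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })", so adding sock_file to that transition together with manage_sock_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t) would keep gconfd's own sockets in gconf_tmp_t, which also fits the ORBit-specific rework mentioned in the reply above better than the blanket grant. The kernel_dontaudit_read_system_state(gconfd_t) and fs_getattr_xattr_fs(gconfd_t) additions are not explained in the commit message and should cite the denial each one silences or satisfies.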