From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 15 Aug 2016 23:36:53 +0200
Subject: [refpolicy] [PATCH v4] Update the pulseaudio module for
 usability and ORC support
In-Reply-To: <1471101370.21480.31.camel@trentalancia.net>
References: <1470953060.25389.1.camel@trentalancia.net>
	<1471021082.23869.7.camel@trentalancia.net>
	<1471031806.30650.0.camel@trentalancia.net>
	<1471101370.21480.31.camel@trentalancia.net>
Message-ID: <1471297013.28802.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

Please note that this patch (already merged, hopefully at the latest
version 4), depends on the following gnome patch:

[PATCH v2] Update for the gnome policy and file contexts

Regards,

Guido

On Sat, 13/08/2016 at 17.16 +0200, Guido Trentalancia wrote:
> Update the pulseaudio module so that it is usable (tested with
> latest version pulseaudio 9.0).
> 
> This patch depends on a recent patch to update the gnome module.
> 
> Support for the OIL Runtime Compiler (OIL) optimized code
> execution is added to the pulseaudio module by using a few
> newly created interfaces and file contexts in the gnome
> module.
> 
> Supports the execmem permission only through a boolean which
> defaults to false.
> 
> Thanks to Dominick Grift for the useful suggestions that
> permitted to create this new improved version of the patch.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
> ?policy/modules/contrib/pulseaudio.fc |????1 +
> ?policy/modules/contrib/pulseaudio.if |????1 +
> ?policy/modules/contrib/pulseaudio.te |???34
> ++++++++++++++++++++++++++++++----
> ?3 files changed, 32 insertions(+), 4 deletions(-)
> 
> --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.fc	
> 2016-08-13 16:02:14.951814316 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.fc	
> 2016-08-11 20:07:21.338329216 +0200
> @@ -1,6 +1,7 @@
> ?HOME_DIR/\.esd_auth	--	gen_context(system_u:object_r:p
> ulseaudio_home_t,s0)
> ?HOME_DIR/\.pulse(/.*)?	gen_context(system_u:object_r:pulseaud
> io_home_t,s0)
> ?HOME_DIR/\.pulse-cookie	--	gen_context(system_u:object
> _r:pulseaudio_home_t,s0)
> +HOME_DIR/\.config/pulse(/.*)?	--	gen_context(system_u:
> object_r:pulseaudio_home_t,s0)
> ?
> ?/usr/bin/pulseaudio	--	gen_context(system_u:object_r:p
> ulseaudio_exec_t,s0)
> ?
> --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if	
> 2016-08-13 16:02:14.951814316 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if	
> 2016-08-11 17:34:47.778835995 +0200
> @@ -25,6 +25,7 @@ interface(`pulseaudio_role',`
> ?	pulseaudio_run($2, $1)
> ?
> ?	allow $2 pulseaudio_t:process { ptrace signal_perms };
> +	allow $2 pulseaudio_t:fd use;
> ?	ps_process_pattern($2, pulseaudio_t)
> ?
> ?	allow $2 pulseaudio_home_t:dir { manage_dir_perms
> relabel_dir_perms };
> --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.te	
> 2016-08-13 16:02:14.952814330 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te	
> 2016-08-13 16:31:13.125857283 +0200
> @@ -5,6 +5,14 @@ policy_module(pulseaudio, 1.8.1)
> ?# Declarations
> ?#
> ?
> +## <desc>
> +## <p>
> +## Allow pulseaudio to execute code in
> +## writable memory?
> +## </p>
> +## </desc>
> +gen_tunable(pulseaudio_execmem, false)
> +
> ?attribute pulseaudio_client;
> ?attribute pulseaudio_tmpfsfile;
> ?
> @@ -37,7 +45,8 @@ files_pid_file(pulseaudio_var_run_t)
> ?#
> ?
> ?allow pulseaudio_t self:capability { fowner fsetid chown setgid
> setuid sys_nice sys_resource sys_tty_config };
> -allow pulseaudio_t self:process { getcap setcap setrlimit setsched
> getsched signal signull };
> +allow pulseaudio_t self:process { getcap getsched setcap setrlimit
> setsched signal signull };
> +
> ?allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
> ?allow pulseaudio_t self:unix_stream_socket { accept connectto listen
> };
> ?allow pulseaudio_t self:unix_dgram_socket sendto;
> @@ -129,9 +138,15 @@ logging_send_syslog_msg(pulseaudio_t)
> ?miscfiles_read_localization(pulseaudio_t)
> ?
> ?userdom_read_user_tmpfs_files(pulseaudio_t)
> -
> +userdom_delete_user_tmpfs_files(pulseaudio_t)
> ?userdom_search_user_home_dirs(pulseaudio_t)
> -userdom_write_user_tmp_sockets(pulseaudio_t)
> +userdom_search_user_home_content(pulseaudio_t)
> +
> +userdom_manage_user_tmp_sockets(pulseaudio_t)
> +
> +tunable_policy(`pulseaudio_execmem',`
> +	allow pulseaudio_t self:process execmem;
> +')
> ?
> ?tunable_policy(`use_nfs_home_dirs',`
> ?	fs_manage_nfs_dirs(pulseaudio_t)
> @@ -146,7 +161,8 @@ tunable_policy(`use_samba_home_dirs',`
> ?')
> ?
> ?optional_policy(`
> -	alsa_read_rw_config(pulseaudio_t)
> +	alsa_read_config(pulseaudio_t)
> +	alsa_read_home_files(pulseaudio_t)
> ?')
> ?
> ?optional_policy(`
> @@ -176,6 +192,15 @@ optional_policy(`
> ?')
> ?
> ?optional_policy(`
> +	gnome_stream_connect_gconf(pulseaudio_t)
> +
> +	# OIL Runtime Compiler (ORC) optimized code execution
> +	allow pulseaudio_t gstreamer_orcexec_t:file {
> manage_file_perms mmap_file_perms };
> +	gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t,
> file)
> +	gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file)
> +')
> +
> +optional_policy(`
> ?	rtkit_scheduled(pulseaudio_t)
> ?')
> ?
> @@ -186,6 +211,7 @@ optional_policy(`
> ?')
> ?
> ?optional_policy(`
> +	udev_read_pid_files(pulseaudio_t)
> ?	udev_read_state(pulseaudio_t)
> ?	udev_read_db(pulseaudio_t)
> ?')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-- 

This message contains confidential information intended only for the use
of the addressee(s). If you are not the intended recipient, please
contact the sender by return e-mail and destroy all copies of the
original message.