From: dac.override@gmail.com (Dominick Grift) Date: Tue, 23 Aug 2016 12:33:28 +0200 Subject: [refpolicy] [PATCH] xserver: add r/w permissions for the DRI devices In-Reply-To: <20160823103036.GA2449@meriadoc.perfinion.com> References: <1471704751.17584.8.camel@trentalancia.net> <20160823103036.GA2449@meriadoc.perfinion.com> Message-ID: <8973739d-77b9-48c5-210f-316237d74637@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/23/2016 12:30 PM, Jason Zaman wrote: > On Mon, Aug 22, 2016 at 08:52:38PM -0400, Chris PeBenito wrote: >> On 08/20/16 10:52, Guido Trentalancia wrote: >>> Modify the xserver role, so that the Direct Rendering Infrastructure >>> devices can be opened read/write (used for graphic acceleration, >>> for example, by Mesa/libGL). >>> >>> Signed-off-by: Guido Trentalancia >>> --- >>> policy/modules/services/xserver.if | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if 2016-08-06 21:26:43.295774282 +0200 >>> +++ refpolicy-git-06082016/policy/modules/services/xserver.if 2016-08-19 15:52:41.712830041 +0200 
>>> @@ -163,6 +163,8 @@ interface(`xserver_role',` >>> relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) >>> relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) >>> >>> + # for the accelerated graphic drivers >>> + dev_rw_dri($2) >>> ') >>> >>> ####################################### >> >> I'm fine with this change, but I think it should be conditional. Then >> people that don't want users to have direct access to hardware, like >> this, can disable it. > > I have this locally as dev_rw_dri(x_domain) instead. since chromium_t > and mplayer_t and other things than just the user roles need hardware > acceleration. > I agree it should be in a boolean too since i have not found anything > that *requires* it, and people might want it off. > I suspect that this is also (or also can be) driver specific > -- Jason >> >> -- >> Chris PeBenito >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
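Review bot: the `dev_rw_dri($2)` call added just before the closing `')` of `xserver_role` is unconditional, so every domain passed as `$2` gains read/write access to the DRI devices with no way for an administrator to switch it off. Suggest wrapping the call in a `tunable_policy` block keyed on a new boolean declared in the xserver module (name to be chosen by the maintainers), so that direct hardware access is opt-in or at least revocable. The comment `# for the accelerated graphic drivers` could also say that the access is read/write on the DRI device nodes and name the consumer given in the commit message (Mesa/libGL), so the grant is easier to audit later.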