From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 23 Aug 2016 15:34:46 +0200
Subject: [refpolicy] [PATCH] xserver: add r/w permissions for the DRI devices
In-Reply-To: <021b4bee-b488-c61c-2bae-dfe1e78e5a77@gmail.com>
References: <1471704751.17584.8.camel@trentalancia.net> <1471958481.9254.2.camel@trentalancia.net> <021b4bee-b488-c61c-2bae-dfe1e78e5a77@gmail.com>
Message-ID: <3FB9719D-1DD2-4B1F-903E-0A0E2FB85001@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

If you are only using the shell, then you should not load the xserver module in the first place!

On the 23rd August 2016 15:28:37 CEST, Dominick Grift wrote:
>On 08/23/2016 03:21 PM, Guido Trentalancia wrote:
>> On Mon, 22/08/2016 at 20.52 -0400, Chris PeBenito wrote:
>>> On 08/20/16 10:52, Guido Trentalancia wrote:
>>>>
>>>> Modify the xserver role, so that the Direct Rendering
>>>> Infrastructure
>>>> devices can be opened read/write (used for graphic acceleration,
>>>> for example, by Mesa/libGL).
>>>>
>>>> Signed-off-by: Guido Trentalancia
>>>> --- >>>> policy/modules/services/xserver.if | 2 ++ >>>> 1 file changed, 2 insertions(+) >>>> >>>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if >>>> 2016-08-06 21:26:43.295774282 +0200 >>>> +++ refpolicy-git-06082016/policy/modules/services/xserver.if >>>> 2016-08-19 15:52:41.712830041 +0200
>>>> @@ -163,6 +163,8 @@ interface(`xserver_role',` >>>> relabel_dirs_pattern($2, user_fonts_config_t, >>>> user_fonts_config_t) >>>> relabel_files_pattern($2, user_fonts_config_t, >>>> user_fonts_config_t) >>>> >>>> + # for the accelerated graphic drivers >>>> + dev_rw_dri($2) >>>> ') >>>> >>>> ####################################### >>> >>> I'm fine with this change, but I think it should be >>> conditional. Then >>> people that don't want users to have direct access to hardware, like > >>> this, can disable it. >> >> What's the point ? DRI can already be disabled in the X server >> configuration file easily and using it should not pose a security >risk. >> >> So, why increasing the complexity for little or no gain ? > >https://en.wikipedia.org/wiki/Principle_of_least_privilege > >The login shell does not need to read/write dri devices. > >> >> Regards, >> >> Guido >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy >>
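Review bot: The `dev_rw_dri($2)` call added at the end of `xserver_role` is unconditional, so every user domain passed as `$2` gets read/write access to the DRI device nodes whenever the xserver module is loaded, and the policy offers no way to withhold it. Consider wrapping the call in `tunable_policy()` keyed to a new boolean declared with `gen_tunable()`, so that sites that do not want user domains to have direct hardware access can turn it off without patching the interface. The comment `# for the accelerated graphic drivers` could also name the consumers that need the access (the commit message mentions Mesa/libGL), which would make the grant easier to audit later.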