From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 23 Aug 2016 18:53:04 -0400
Subject: [refpolicy] [PATCH] xserver: add r/w permissions for the DRI devices
In-Reply-To: <1471958481.9254.2.camel@trentalancia.net>
References: <1471704751.17584.8.camel@trentalancia.net> <1471958481.9254.2.camel@trentalancia.net>
Message-ID: <36091975-d0d4-0705-3052-3d9658acde4b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/23/16 09:21, Guido Trentalancia wrote:
> On Mon, 22/08/2016 at 20.52 -0400, Chris PeBenito wrote:
>> On 08/20/16 10:52, Guido Trentalancia wrote:
>>>
>>> Modify the xserver role, so that the Direct Rendering Infrastructure
>>> devices can be opened read/write (used for graphic acceleration,
>>> for example, by Mesa/libGL).
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>> policy/modules/services/xserver.if | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/services/xserver.if >>> 2016-08-06 21:26:43.295774282 +0200 >>> +++ refpolicy-git-06082016/policy/modules/services/xserver.if >>> 2016-08-19 15:52:41.712830041 +0200
>>> @@ -163,6 +163,8 @@ interface(`xserver_role',` >>> relabel_dirs_pattern($2, user_fonts_config_t, >>> user_fonts_config_t) >>> relabel_files_pattern($2, user_fonts_config_t, >>> user_fonts_config_t) >>> >>> + # for the accelerated graphic drivers >>> + dev_rw_dri($2) >>> ') >>> >>> #######################################
>>
>> I'm fine with this change, but I think it should be conditional. Then
>> people that don't want users to have direct access to hardware, like
>> this, can disable it.
>
> What's the point? DRI can already be disabled in the X server
> configuration file easily and using it should not pose a security risk.
>
> So, why increase the complexity for little or no gain?

In this case, it has little to do with the X server. $2 is a user domain, so you're saying any app the user can run (in the user's domain) can rw the DRI device.

--
Chris PeBenito
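
Review bot: In the xserver_role hunk, dev_rw_dri($2) is granted unconditionally, and since $2 is the user domain this gives every program running in that domain read/write access to the DRI device nodes, not just the X server or the GL clients the commit message has in mind. Consider wrapping the call in a tunable_policy block guarded by a new boolean (name to be chosen), with a description of what it enables, so sites that do not want user domains touching graphics hardware directly can switch it off without patching the interface. The added comment "# for the accelerated graphic drivers" would also read better if it named the access being granted, for example that user domains get rw on the DRI devices for Mesa/libGL direct rendering.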