From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 24 Aug 2016 01:11:28 +0200
Subject: [refpolicy] [PATCH] xserver: add r/w permissions for the DRI devices
In-Reply-To: <36091975-d0d4-0705-3052-3d9658acde4b@ieee.org>
References: <1471704751.17584.8.camel@trentalancia.net> <1471958481.9254.2.camel@trentalancia.net> <36091975-d0d4-0705-3052-3d9658acde4b@ieee.org>
Message-ID: <1471993888.12192.7.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

On Tue, 23/08/2016 at 18.53 -0400, Chris PeBenito wrote:
> On 08/23/16 09:21, Guido Trentalancia wrote:
> >
> > On Mon, 22/08/2016 at 20.52 -0400, Chris PeBenito wrote:
> > >
> > > On 08/20/16 10:52, Guido Trentalancia wrote:
> > > >
> > > > Modify the xserver role, so that the Direct Rendering Infrastructure
> > > > devices can be opened read/write (used for graphic acceleration,
> > > > for example, by Mesa/libGL).
> > > >
> > > > Signed-off-by: Guido Trentalancia
> > > > ---
> > > > ?policy/modules/services/xserver.if |????2 ++ > > > > ?1 file changed, 2 insertions(+) > > > > > > > > --- refpolicy-git-06082016- > > > > orig/policy/modules/services/xserver.if > > > > 2016-08-06 21:26:43.295774282 +0200 > > > > +++ refpolicy-git-06082016/policy/modules/services/xserver.if > > > > 2016-08-19 15:52:41.712830041 +0200
> > > > @@ -163,6 +163,8 @@ interface(`xserver_role',` > > > > ? relabel_dirs_pattern($2, user_fonts_config_t, > > > > user_fonts_config_t) > > > > ? relabel_files_pattern($2, user_fonts_config_t, > > > > user_fonts_config_t) > > > > > > > > + # for the accelerated graphic drivers > > > > + dev_rw_dri($2) > > > > ?') > > > > > > > > ?#######################################
> > >
> > > I'm fine with this change, but I think it should be conditional. Then
> > > people that don't want users to have direct access to hardware, like
> > > this, can disable it.
> >
> > What's the point? DRI can already be disabled in the X server
> > configuration file easily and using it should not pose a security risk.
> >
> > So, why increase the complexity for little or no gain?
>
> In this case, it has little to do with the X server. $2 is a user
> domain, so you're saying any app the user can run (in the user's domain)
> can rw the DRI device. That is badly wrong.

I understand the issue now!

Perhaps we can target the application that generated such a permission
request (from Gnome), confine it in its own domain and then grant the
permission only for that domain...

--
Guido
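Review bot: the `dev_rw_dri($2)` added at the end of `xserver_role` is unconditional, and `$2` in this interface is the user domain, so every program that runs in that domain gains read/write access to the DRI device nodes, not only the X server or the Mesa/libGL client the commit message describes. Either guard the call so it can be switched off, e.g. `tunable_policy(`<boolean name>',` / `	dev_rw_dri($2)` / `')` with a boolean declared for the purpose, or confine the application that actually needs the device in its own domain and grant `dev_rw_dri` to that domain alone. The comment `# for the accelerated graphic drivers` should also state which client needs the access, since the role interface is where the grant will be read by policy maintainers.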