From: dac.override@gmail.com (Dominick Grift) Date: Sun, 11 Sep 2016 15:21:37 +0200 Subject: [refpolicy] [PATCH] mozilla: let mozilla play audio In-Reply-To: <1473524806.18488.3.camel@trentalancia.net> References: <1473524806.18488.3.camel@trentalancia.net> Message-ID: <88e4da55-6d3a-5d36-a54f-98b83cc86038@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/10/2016 06:26 PM, Guido Trentalancia via refpolicy wrote: > Let mozilla play audio: > > - add new interfaces to the pulseaudio module; > - let mozilla read alsa configuration files; > - add further permissions to mozilla needed to use > pulseaudio to play audio. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/mozilla.te | 9 ++++ > policy/modules/contrib/pulseaudio.if | 77 +++++++++++++++++++++++++++++++++++ > 2 files changed, 86 insertions(+) > > --- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-09-10 18:09:13.357710355 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-09-10 18:07:16.322739208 +0200 > @@ -234,6 +239,11 @@ tunable_policy(`use_samba_home_dirs',` > ') > > optional_policy(` > + alsa_read_config(mozilla_t) > + alsa_read_home_files(mozilla_t) > +') > + Applies to all pulseaudio clients, so this should have been added to pulseaudio.te instead: optional_policy(` alsa_read_config(pulseaudio_client) alsa_read_home_files(pulseaudio_client) ') > +optional_policy(` > apache_read_user_scripts(mozilla_t) > apache_read_user_content(mozilla_t) > ') > @@ -292,6 +305,8 @@ optional_policy(` > > optional_policy(` > pulseaudio_run(mozilla_t, mozilla_roles) > + pulseaudio_rw_tmpfs_files(mozilla_t) I wonder what exactly prompted you to add this. pulseaudio clients should only be able to read and delete pulseaudio tmpfs files. This is already in pulseaudio.te (so mozilla_t is already allowed to read pulseaudio_tmpfs_t files (but not delete them, so that may be a bug in pulseaudio.te: read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }) > + pulseaudio_use_fds(mozilla_t) This applies to all pulseaudio_client and thus should be added to pulseaudio.te as follows instead: pulseaudio_use_fds(pulseaudio_client) > ') > > optional_policy(` > @@ -561,6 +580,8 @@ optional_policy(` > > optional_policy(` > pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) > + pulseaudio_rw_tmpfs_files(mozilla_plugin_t) > + pulseaudio_use_fds(mozilla_plugin_t) same as above > ') > > optional_policy(` > --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:31.740027060 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200 > @@ -346,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',` > > typeattribute $1 pulseaudio_tmpfsfile; > ') > + > +####################################### > +## > +## Read pulseaudio tmpfs files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`pulseaudio_read_tmpfs_files',` > + gen_require(` > + type pulseaudio_tmpfs_t; > + ') > + > + fs_search_tmpfs($1) > + read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > +') > + > +####################################### > +## > +## Read and write pulseaudio tmpfs > +## files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`pulseaudio_rw_tmpfs_files',` > + gen_require(` > + type pulseaudio_tmpfs_t; > + ') > + > + fs_search_tmpfs($1) > + rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > +') > + > +######################################## > +## > +## Use file descriptors for > +## pulseaudio. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`pulseaudio_use_fds',` > + gen_require(` > + type pulseaudio_t; > + ') > + > + allow $1 pulseaudio_t:fd use; > +') > + > +######################################## > +## > +## Do not audit attempts to use the > +## file descriptors for pulseaudio. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`pulseaudio_dontaudit_use_fds',` > + gen_require(` > + type pulseaudio_t; > + ') > + > + dontaudit $1 pulseaudio_t:fd use; > +') > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160911/a6bdbbc8/attachment.bin