From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 13 Sep 2016 16:40:13 +0200
Subject: [refpolicy] [PATCH] mozilla: let mozilla play audio
In-Reply-To: <7E021367-E74A-44CE-81EB-457C5B47AFCE@trentalancia.net>
References: <1473524806.18488.3.camel@trentalancia.net> <88e4da55-6d3a-5d36-a54f-98b83cc86038@gmail.com> <1473607339.18488.9.camel@trentalancia.net> <7E021367-E74A-44CE-81EB-457C5B47AFCE@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/13/2016 01:57 PM, Guido Trentalancia via refpolicy wrote:
> For your information.
>
> Pulseaudio clients such as mplayer and pavucontrol do play audio and change the audio settings respectively without requiring those extra permissions in the pulseaudio module at the pulseaudio_client section.
>

I have to admit that mplayer seems to not need to read /etc/alsa in my quick test either. So yes I may just be wrong about this, or maybe I am just not able to trigger it on short notice.

> Regards,
>
> Guido
>
> On the 13th of September 2016 00:51:44 CEST, Chris PeBenito wrote:
>> On 09/11/16 11:22, Guido Trentalancia via refpolicy wrote:
>>> Hello Dominick (and cc Chris) !
>>>
>>> On Sun, 11/09/2016 at 15.21 +0200, Dominick Grift via refpolicy wrote:
>>>> On 09/10/2016 06:26 PM, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>> Let mozilla play audio:
>>>>>
>>>>> - add new interfaces to the pulseaudio module;
>>>>> - let mozilla read alsa configuration files;
>>>>> - add further permissions to mozilla needed to use
>>>>>   pulseaudio to play audio.
>>>>> >>>>> Signed-off-by: Guido Trentalancia >>>>> --- >>>>> policy/modules/contrib/mozilla.te | 9 ++++ >>>>> policy/modules/contrib/pulseaudio.if | 77 >>>>> +++++++++++++++++++++++++++++++++++ >>>>> 2 files changed, 86 insertions(+) >>> >>> [...] >>> >>>> Applies to all pulseaudio clients, so this should have been added to >>>> pulseaudio.te instead: >>> >>> I am fine with improving this. >>> >>>> optional_policy(` >>>> alsa_read_config(pulseaudio_client) >>>> alsa_read_home_files(pulseaudio_client) >>>> ') >>> >>> and this: >>> >>>>> >>>>> + pulseaudio_use_fds(mozilla_t) >>>> >>>> This applies to all pulseaudio_client and thus should be added to >>>> pulseaudio.te as follows instead: >>>> >>>> pulseaudio_use_fds(pulseaudio_client) >>> >>> as long as it is also fine to Christopher. >> >> If the rules apply to all pulseaudio domains, then it should be done as >> >> Dominick suggests. >> >> >> >>> The other change (delete instead of read/write) doesn't make a big >>> difference in my opinion. >>> >>> Here is the small diff: >>> >>> Improvements to the mozilla and pulseaudio modules >>> as suggested by Dominick Grift. >>> >>> policy/modules/contrib/mozilla.te | 14 -------------- >>> policy/modules/contrib/pulseaudio.te | 8 ++++++++ >>> 2 files changed, 8 insertions(+), 14 deletions(-) >>> >>> --- >> refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-09-11 >> 17:05:47.916850416 +0200 >>> +++ >> refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-09-11 >> 17:05:27.911531798 +0200 >>> @@ -234,11 +267,6 @@ tunable_policy(`use_samba_home_dirs',` >>> ') >>> >>> optional_policy(` >>> - alsa_read_config(mozilla_t) >>> - alsa_read_home_files(mozilla_t) >>> -') >>> - >>> -optional_policy(` >>> apache_read_user_scripts(mozilla_t) >>> apache_read_user_content(mozilla_t) >>> ') 
>>> @@ -297,8 +329,6 @@ optional_policy(` >>> >>> optional_policy(` >>> pulseaudio_run(mozilla_t, mozilla_roles) >>> - pulseaudio_rw_tmpfs_files(mozilla_t) >>> - pulseaudio_use_fds(mozilla_t) >>> ') >>> >>> optional_policy(` >>> @@ -525,11 +569,6 @@ tunable_policy(`use_samba_home_dirs',` >>> ') >>> >>> optional_policy(` >>> - alsa_read_config(mozilla_plugin_t) >>> - alsa_read_home_files(mozilla_plugin_t) >>> -') >>> - >>> -optional_policy(` >>> automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) >>> ') >>> >>> @@ -568,8 +607,6 @@ optional_policy(` >>> >>> optional_policy(` >>> pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) >>> - pulseaudio_rw_tmpfs_files(mozilla_plugin_t) >>> - pulseaudio_use_fds(mozilla_plugin_t) >>> ') >>> >>> optional_policy(` >>> --- >> refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.te 2016-08-20 >> 03:45:31.741027074 +0200 >>> +++ >> refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-09-11 >> 17:15:40.155169246 +0200 >>> @@ -231,6 +258,9 @@ pulseaudio_home_filetrans_pulseaudio_hom >>> pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, >> ".pulse-cookie") >>> pulseaudio_signull(pulseaudio_client) >>> >>> +pulseaudio_rw_tmpfs_files(pulseaudio_client) >>> +pulseaudio_use_fds(pulseaudio_client) >>> + >>> userdom_read_user_tmpfs_files(pulseaudio_client) >>> userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, >> dir, "pulse") >>> # userdom_delete_user_tmpfs_files(pulseaudio_client) 
>>> @@ -250,6 +280,11 @@ tunable_policy(`use_samba_home_dirs',` >>> ') >>> >>> optional_policy(` >>> + alsa_read_config(pulseaudio_client) >>> + alsa_read_home_files(pulseaudio_client) >>> +') >>> + >>> +optional_policy(` >>> pulseaudio_dbus_chat(pulseaudio_client) >>> ') >>> >>> _______________________________________________ >>> refpolicy mailing list >>> refpolicy at oss.tresys.com >>> http://oss.tresys.com/mailman/listinfo/refpolicy >>>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
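
Review bot: in the two pulseaudio.te hunks, `alsa_read_config`, `alsa_read_home_files`, `pulseaudio_rw_tmpfs_files` and `pulseaudio_use_fds` are granted to the whole `pulseaudio_client` attribute, but nothing in the thread shows a client other than mozilla needing them. Guido reports mplayer and pavucontrol working without the extra permissions, and Dominick's quick mplayer test did not need to read /etc/alsa. Before widening the grant, post the AVC denials from at least one non-mozilla client, or keep the two alsa calls on `mozilla_t` and `mozilla_plugin_t`, where the removed lines in mozilla.te had them.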
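
Review bot: the mozilla.te hunk headers show that the posted diff is an excerpt rather than a complete change. The first hunk is already at `-234,11 +267,6`, a 33-line old/new offset that no shown hunk accounts for, and the offset shifts again between hunks (`-297,8 +329,6`, then `-525,11 +569,6`) by more than the removed lines explain. Resend this as a complete incremental patch against a tree that has the first patch applied, with its own Signed-off-by line, so the diffstat (8 insertions, 14 deletions) can be checked against everything that differs between the two trees.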