From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 13 Sep 2016 17:43:16 +0200
Subject: [refpolicy] [PATCH] mozilla: let mozilla play audio
In-Reply-To:
References: <1473524806.18488.3.camel@trentalancia.net> <88e4da55-6d3a-5d36-a54f-98b83cc86038@gmail.com> <1473607339.18488.9.camel@trentalancia.net> <7E021367-E74A-44CE-81EB-457C5B47AFCE@trentalancia.net>
Message-ID: <54A9A835-8765-4D06-83BE-CD551F6EF85F@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Just pump up the volume and enjoy!!

Guido

On the 13th of September 2016 16:40:13 CEST, Dominick Grift via refpolicy wrote:
>On 09/13/2016 01:57 PM, Guido Trentalancia via refpolicy wrote:
>> For your information.
>>
>> Pulseaudio clients such as mplayer and pavucontrol do play audio and
>> change the audio settings respectively without requiring those extra
>> permissions in the pulseaudio module at the pulseaudio_client section.
>>
>
>I have to admit that mplayer seems to not need to read /etc/alsa in my
>quick test either.
>
>So yes I may just be wrong about this, or maybe I am just not able to
>trigger it in short notice.
>
>> Regards,
>>
>> Guido
>>
>> On the 13th of September 2016 00:51:44 CEST, Chris PeBenito wrote:
>>> On 09/11/16 11:22, Guido Trentalancia via refpolicy wrote:
>>>> Hello Dominick (and cc Chris) !
>>>>
>>>> On Sun, 11/09/2016 at 15.21 +0200, Dominick Grift via refpolicy wrote:
>>>>> On 09/10/2016 06:26 PM, Guido Trentalancia via refpolicy wrote:
>>>>>>
>>>>>> Let mozilla play audio:
>>>>>>
>>>>>> - add new interfaces to the pulseaudio module;
>>>>>> - let mozilla read alsa configuration files;
>>>>>> - add further permissions to mozilla needed to use
>>>>>>   pulseaudio to play audio.
>>>>>>
>>>>>> Signed-off-by: Guido Trentalancia
>>>>>> ---
>>>>>> policy/modules/contrib/mozilla.te | 9 ++++
>>>>>> policy/modules/contrib/pulseaudio.if | 77 +++++++++++++++++++++++++++++++++++
>>>>>> 2 files changed, 86 insertions(+)
>>>>
>>>> [...]
>>>>
>>>>> Applies to all pulseaudio clients, so this should have been added to
>>>>> pulseaudio.te instead:
>>>>
>>>> I am fine with improving this.
>>>>
>>>>> optional_policy(`
>>>>> 	alsa_read_config(pulseaudio_client)
>>>>> 	alsa_read_home_files(pulseaudio_client)
>>>>> ')
>>>>
>>>> and this:
>>>>
>>>>>>
>>>>>> + pulseaudio_use_fds(mozilla_t)
>>>>>
>>>>> This applies to all pulseaudio_client and thus should be added to
>>>>> pulseaudio.te as follows instead:
>>>>>
>>>>> pulseaudio_use_fds(pulseaudio_client)
>>>>
>>>> as long as it is also fine to Christopher.
>>>
>>> If the rules apply to all pulseaudio domains, then it should be done as
>>> Dominick suggests.
>>>
>>>
>>>
>>>> The other change (delete instead of read/write) doesn't make a big
>>>> difference in my opinion.
>>>>
>>>> Here is the small diff:
>>>>
>>>> Improvements to the mozilla and pulseaudio modules
>>>> as suggested by Dominick Grift.
>>>>
>>>> policy/modules/contrib/mozilla.te | 14 --------------
>>>> policy/modules/contrib/pulseaudio.te | 8 ++++++++
>>>> 2 files changed, 8 insertions(+), 14 deletions(-)
>>>>
>>>> --- >>> >refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-09-11 >>> 17:05:47.916850416 +0200 >>>> +++ >>> refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-09-11 >>> 17:05:27.911531798 +0200 >>>> @@ -234,11 +267,6 @@ tunable_policy(`use_samba_home_dirs',` >>>> ') >>>> >>>> optional_policy(` >>>> - alsa_read_config(mozilla_t) >>>> - alsa_read_home_files(mozilla_t) >>>> -') >>>> - >>>> -optional_policy(` >>>> apache_read_user_scripts(mozilla_t) >>>> apache_read_user_content(mozilla_t) >>>> ')
>>>> @@ -297,8 +329,6 @@ optional_policy(` >>>> >>>> optional_policy(` >>>> pulseaudio_run(mozilla_t, mozilla_roles) >>>> - pulseaudio_rw_tmpfs_files(mozilla_t) >>>> - pulseaudio_use_fds(mozilla_t) >>>> ') >>>> >>>> optional_policy(` >>>> @@ -525,11 +569,6 @@ tunable_policy(`use_samba_home_dirs',` >>>> ') >>>> >>>> optional_policy(` >>>> - alsa_read_config(mozilla_plugin_t) >>>> - alsa_read_home_files(mozilla_plugin_t) >>>> -') >>>> - >>>> -optional_policy(` >>>> automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) >>>> ') >>>> >>>> @@ -568,8 +607,6 @@ optional_policy(` >>>> >>>> optional_policy(` >>>> pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) >>>> - pulseaudio_rw_tmpfs_files(mozilla_plugin_t) >>>> - pulseaudio_use_fds(mozilla_plugin_t) >>>> ') >>>> >>>> optional_policy(` >>>> --- >>> >refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.te 2016-08-20 >>> 03:45:31.741027074 +0200 >>>> +++ >>> >refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-09-11 >>> 17:15:40.155169246 +0200 >>>> @@ -231,6 +258,9 @@ pulseaudio_home_filetrans_pulseaudio_hom >>>> pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, >>> ".pulse-cookie") >>>> pulseaudio_signull(pulseaudio_client) >>>> >>>> +pulseaudio_rw_tmpfs_files(pulseaudio_client) >>>> +pulseaudio_use_fds(pulseaudio_client) >>>> + >>>> userdom_read_user_tmpfs_files(pulseaudio_client) >>>> userdom_user_runtime_filetrans(pulseaudio_client, >pulseaudio_tmp_t, >>> dir, "pulse") >>>> # userdom_delete_user_tmpfs_files(pulseaudio_client) 
>>>> @@ -250,6 +280,11 @@ tunable_policy(`use_samba_home_dirs',` >>>> ') >>>> >>>> optional_policy(` >>>> + alsa_read_config(pulseaudio_client) >>>> + alsa_read_home_files(pulseaudio_client) >>>> +') >>>> + >>>> +optional_policy(` >>>> pulseaudio_dbus_chat(pulseaudio_client) >>>> ') >>>> >>>> _______________________________________________ >>>> refpolicy mailing list >>>> refpolicy at oss.tresys.com >>>> http://oss.tresys.com/mailman/listinfo/refpolicy >>>> >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy >>
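
Review bot: the alsa block removed from mozilla.te at @@ -234,11 +267,6 @@ and @@ -525,11 +569,6 @@ was a stand-alone optional_policy, so mozilla_t and mozilla_plugin_t could read the ALSA configuration whenever the alsa module was present. After the move into pulseaudio.te they get alsa_read_config and alsa_read_home_files only through pulseaudio_client, which ties their ALSA access to the pulseaudio module being built in. If Mozilla using ALSA without PulseAudio is a supported setup, keep the two blocks in mozilla.te; otherwise state in the commit message that the coupling is intended.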
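
Review bot: nothing in this diff shows that mozilla_t and mozilla_plugin_t carry the pulseaudio_client attribute, which the mozilla.te hunks at @@ -297,8 +329,6 @@ and @@ -568,8 +607,6 @@ rely on once pulseaudio_rw_tmpfs_files and pulseaudio_use_fds are removed there. Confirm that the remaining pulseaudio_run(...) call assigns the attribute to its caller and say so in the commit message; if it does not, both domains lose this access silently.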
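
Review bot: at @@ -231,6 +258,9 @@ in pulseaudio.te, pulseaudio_rw_tmpfs_files(pulseaudio_client) and pulseaudio_use_fds(pulseaudio_client) extend to every PulseAudio client what the mozilla.te lines granted to the two Mozilla domains only, and the thread reports mplayer and pavucontrol working without them. Add a comment above the two calls naming the client and the denial that required them, or keep them in mozilla.te until a second client is shown to need the same access. The commented-out # userdom_delete_user_tmpfs_files(pulseaudio_client) in the trailing context has no explanation either; a one-line reason would help the next reader.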
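
Review bot: the new optional_policy block at @@ -250,6 +280,11 @@ gives alsa_read_config and alsa_read_home_files to all of pulseaudio_client, yet the only test mentioned in the thread found that mplayer does not need to read /etc/alsa. The follow-up description says only "Improvements to the mozilla and pulseaudio modules as suggested by Dominick Grift" and carries no Signed-off-by line, unlike the first patch; name the client that triggered the ALSA reads and add the sign-off before this is applied.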