From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 18 Sep 2016 16:40:06 -0400 Subject: [refpolicy] [PATCH v2] gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution In-Reply-To: <1473945982.12561.0.camel@trentalancia.net> References: <1473937414.22997.3.camel@trentalancia.net> <1473945982.12561.0.camel@trentalancia.net> Message-ID: <7b278ee3-2f74-beac-4a99-92e888343214@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/15/16 09:26, Guido Trentalancia via refpolicy wrote: > Add a new gstreamer_orcexec_t type and file context to the gnome > module in order to support the OIL Runtime Compiler (ORC) optimized > code execution (used for example by pulseaudio). > > Add optional policy to the pulseaudio module to support the ORC > optimized code execution. > > This patch has been anticipated a few weeks ago as part of a > larger gnome patch. It has now been split as a smaller patch, > as required. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/gnome.fc | 5 ++ > policy/modules/contrib/gnome.if | 79 +++++++++++++++++++++++++++++++++++ > policy/modules/contrib/gnome.te | 3 + > policy/modules/contrib/pulseaudio.te | 5 ++ > 4 files changed, 92 insertions(+) > > --- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-08-14 21:28:11.493519589 +0200 > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 2016-09-15 12:45:49.974216884 +0200 > @@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst > HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) > HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > + > /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) > > /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) 
> @@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont > > /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > + > +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > --- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-08-14 21:28:11.493519589 +0200 > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 2016-09-15 15:19:41.127233923 +0200 > @@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',` > > ######################################## > ## > +## Create objects in user home > +## directories with the gstreamer > +## orcexec type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## > +## Create objects in the user > +## runtime directories with the > +## gstreamer orcexec type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## > ## Read generic gnome keyring home files. > ## > ## 
> @@ -735,3 +795,22 @@ interface(`gnome_stream_connect_all_gkey > files_search_tmp($1) > stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) > ') > + > +######################################## > +## > +## Manage and mmap gstreamer ORC > +## optimized code. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_manage_mmap_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + allow $1 gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms }; This will need to be split into two interfaces. Otherwise I think it's ok. -- Chris PeBenito
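Review bot: the new `HOME_DIR/orcexec\..*` entry in the first gnome.fc hunk has no file-type specifier, while the two `/var/run/user` entries added later in the same file carry `--`. The ORC code cache is a regular file, so add `--` here as well; otherwise a directory or symlink created under that name in a home directory would also be relabelled to a type that is both writable and mmap-executable.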
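Review bot: the two entries added in the second gnome.fc hunk overlap: `/var/run/user/[^/]*/orcexec\..*` already matches every numeric id that `/var/run/user/%{USERID}/orcexec\..*` expands to, so both lines label exactly the same paths. Keep one form, matching whichever convention the rest of the policy uses for per-user runtime directories, rather than shipping a duplicate specification.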
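Review bot: `gnome_user_home_dir_filetrans_gstreamer_orcexec` and `gnome_user_runtime_filetrans_gstreamer_orcexec` in the first gnome.if hunk only install the type transition; they grant nothing on `gstreamer_orcexec_t` itself, so a caller that uses one of them without the manage interface from the last hunk gets a transition whose create is then denied. State that dependency in each interface summary (for example "callers also need the gnome manage/mmap interface for gstreamer_orcexec_t") so the two halves are not used separately by mistake.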
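Review bot: agreeing with the reply on the last gnome.if hunk, `allow $1 gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };` bundles write and execute-map on the same type in one interface; split it into a manage interface and a separate mmap interface so a caller that only needs one of them does not receive both, and so it stays visible in the policy which domains may map a writable file executable. Whichever interface the caller ends up with, it also needs search on the parent directories (`user_home_dir_t` for `HOME_DIR/orcexec.*`, the user runtime directory for `/var/run/user/*/orcexec.*`); either add the corresponding userdom search calls here or note them in the summary. A one-line comment that ORC writes generated code to this file and then maps it would also document why a writable type is deliberately being made mappable.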