From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 19 Sep 2016 18:36:54 -0400 Subject: [refpolicy] [PATCH v3] gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution In-Reply-To: <1474283744.10971.1.camel@trentalancia.net> References: <1473937414.22997.3.camel@trentalancia.net> <1473945982.12561.0.camel@trentalancia.net> <1474283744.10971.1.camel@trentalancia.net> Message-ID: <28b4e09b-c69d-bf7d-844a-4a0ad7319bd0@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/19/16 07:15, Guido Trentalancia via refpolicy wrote: > Add a new gstreamer_orcexec_t type and file context to the gnome > module in order to support the OIL Runtime Compiler (ORC) optimized > code execution (used for example by pulseaudio). > > Add optional policy to the pulseaudio module to support the ORC > optimized code execution. > > This patch has been anticipated a few weeks ago as part of a > larger gnome patch. It has now been split as a smaller patch, > as required. Merged. > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/gnome.fc | 5 + > policy/modules/contrib/gnome.if | 98 +++++++++++++++++++++++++++++++++++ > policy/modules/contrib/gnome.te | 3 + > policy/modules/contrib/pulseaudio.te | 6 ++ > 4 files changed, 112 insertions(+) > > --- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-08-14 21:28:11.493519589 +0200 > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 2016-09-15 12:45:49.974216884 +0200 > @@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst > HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) > HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) > > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > + > /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) > > /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) > @@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont > > /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) > + > +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) > --- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-08-14 21:28:11.493519589 +0200 > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 2016-09-19 13:03:01.904972915 +0200 > @@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',` > > ######################################## > ## > +## Create objects in user home > +## directories with the gstreamer > +## orcexec type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## > +## Create objects in the user > +## runtime directories with the > +## gstreamer orcexec type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) > +') > + > +######################################## > +## > ## Read generic gnome keyring home files. > ## > ## > @@ -735,3 +795,41 @@ interface(`gnome_stream_connect_all_gkey > files_search_tmp($1) > stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) > ') > + > +######################################## > +## > +## Manage gstreamer ORC optimized > +## code. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_manage_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + allow $1 gstreamer_orcexec_t:file manage_file_perms; > +') > + > +######################################## > +## > +## Mmap gstreamer ORC optimized > +## code. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`gnome_mmap_gstreamer_orcexec',` > + gen_require(` > + type gstreamer_orcexec_t; > + ') > + > + allow $1 gstreamer_orcexec_t:file mmap_file_perms; > +') > --- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016-08-14 21:28:11.494519604 +0200 > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 2016-09-15 12:51:26.107456172 +0200 > @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ > type gnome_keyring_tmp_t; > userdom_user_tmp_file(gnome_keyring_tmp_t) > > +type gstreamer_orcexec_t; > +application_executable_file(gstreamer_orcexec_t) > + > ############################## > # > # Common local Policy > --- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te 2016-08-15 23:39:24.063783236 +0200 > +++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te 2016-09-19 13:06:10.485531536 +0200 > @@ -193,6 +193,12 @@ optional_policy(` > > optional_policy(` > gnome_stream_connect_gconf(pulseaudio_t) > + > + # OIL Runtime Compiler (ORC) optimized code execution > + gnome_manage_gstreamer_orcexec(pulseaudio_t) > + gnome_mmap_gstreamer_orcexec(pulseaudio_t) > + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file) > + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file) > ') > > optional_policy(` -- Chris PeBenito