From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 27 Sep 2016 18:28:42 -0400 Subject: [refpolicy] [PATCH v3] gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution In-Reply-To: <1474988500.2265.5.camel@trentalancia.net> References: <1473937414.22997.3.camel@trentalancia.net> <1473945982.12561.0.camel@trentalancia.net> <1474283744.10971.1.camel@trentalancia.net> <28b4e09b-c69d-bf7d-844a-4a0ad7319bd0@ieee.org> <1474988500.2265.5.camel@trentalancia.net> Message-ID: <9d96e623-c818-340e-d8e8-0bce4ebbcec2@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/27/16 11:01, Guido Trentalancia wrote: > Hello Christopher. > > I have checked the current git tree, but unfortunately I couldn't find > any trace of this patch. > > Can you please double-check that it has been applied ? This looks like it, to me: https://github.com/TresysTechnology/refpolicy-contrib/commit/89a34a6719990644905b4ea64a4b5b84965c76cc > On Mon, 19/09/2016 at 18.36 -0400, Chris PeBenito wrote: >> On 09/19/16 07:15, Guido Trentalancia via refpolicy wrote: >>> >>> Add a new gstreamer_orcexec_t type and file context to the gnome >>> module in order to support the OIL Runtime Compiler (ORC) optimized >>> code execution (used for example by pulseaudio). >>> >>> Add optional policy to the pulseaudio module to support the ORC >>> optimized code execution. >>> >>> This patch has been anticipated a few weeks ago as part of a >>> larger gnome patch. It has now been split as a smaller patch, >>> as required. >> >> Merged. 
>> >> >>> >>> Signed-off-by: Guido Trentalancia >>> --- >>> policy/modules/contrib/gnome.fc | 5 + >>> policy/modules/contrib/gnome.if | 98 >>> +++++++++++++++++++++++++++++++++++ >>> policy/modules/contrib/gnome.te | 3 + >>> policy/modules/contrib/pulseaudio.te | 6 ++ >>> 4 files changed, 112 insertions(+) >>> >>> --- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016- >>> 08-14 21:28:11.493519589 +0200 >>> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 20 >>> 16-09-15 12:45:49.974216884 +0200 >>> @@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst >>> HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:objec >>> t_r:gnome_keyring_home_t,s0) >>> HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object >>> _r:gnome_home_t,s0) >>> >>> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreame >>> r_orcexec_t,s0) >>> + >>> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t, >>> s0) >>> >>> /tmp/gconfd-USER/.* -- gen_context(system_u:object_r >>> :gconf_tmp_t,s0) >>> @@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont >>> >>> /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_ >>> u:object_r:gconfd_exec_t,s0) >>> /usr/libexec/gconfd-2 -- gen_context(system_u:object >>> _r:gconfd_exec_t,s0) >>> + >>> +/var/run/user/[^/]*/orcexec\..* -- gen_context(syste >>> m_u:object_r:gstreamer_orcexec_t,s0) >>> +/var/run/user/%{USERID}/orcexec\..* -- gen_context(s >>> ystem_u:object_r:gstreamer_orcexec_t,s0) >>> --- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016- >>> 08-14 21:28:11.493519589 +0200 >>> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 20 >>> 16-09-19 13:03:01.904972915 +0200 
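Review bot: The home-directory context in the first gnome.fc hunk, `HOME_DIR/orcexec\..*`, carries no `--` file-type specifier, while both new `/var/run/user/.../orcexec\..*` entries in the second hunk restrict themselves to regular files. As written the home entry would also label a directory or symlink matching that name with gstreamer_orcexec_t, which is an executable file type. Unless a non-regular object is expected there, the line should read `HOME_DIR/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)` so that the three entries agree.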
>>> @@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',` >>> >>> ######################################## >>> ## >>> +## Create objects in user home >>> +## directories with the gstreamer >>> +## orcexec type. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +## >>> +## >>> +## Class of the object being created. >>> +## >>> +## >>> +## >>> +## >>> +## The name of the object being created. >>> +## >>> +## >>> +# >>> +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, >>> $2, $3) >>> +') >>> + >>> +######################################## >>> +## >>> +## Create objects in the user >>> +## runtime directories with the >>> +## gstreamer orcexec type. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +## >>> +## >>> +## Class of the object being created. >>> +## >>> +## >>> +## >>> +## >>> +## The name of the object being created. >>> +## >>> +## >>> +# >>> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, >>> $2, $3) >>> +') >>> + >>> +######################################## >>> +## >>> ## Read generic gnome keyring home files. >>> ## >>> ## 
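Review bot: The new filetrans interfaces gnome_user_home_dir_filetrans_gstreamer_orcexec and gnome_user_runtime_filetrans_gstreamer_orcexec document the third argument as "The name of the object being created", yet the pulseaudio.te hunk later in this patch calls both with only two arguments, so `$3` expands empty there. If the `name` parameter is not already marked `optional="true"` in the XML (the markup is not visible in this quoted copy), it should be, matching the other refpolicy filetrans interfaces they wrap; otherwise the documentation promises a required argument the intended callers never pass.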
>>> @@ -735,3 +795,41 @@ interface(`gnome_stream_connect_all_gkey >>> files_search_tmp($1) >>> stream_connect_pattern($1, gnome_keyring_tmp_t, >>> gnome_keyring_tmp_t, gkeyringd_domain) >>> ') >>> + >>> +######################################## >>> +## >>> +## Manage gstreamer ORC optimized >>> +## code. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +# >>> +interface(`gnome_manage_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + allow $1 gstreamer_orcexec_t:file manage_file_perms; >>> +') >>> + >>> +######################################## >>> +## >>> +## Mmap gstreamer ORC optimized >>> +## code. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +# >>> +interface(`gnome_mmap_gstreamer_orcexec',` >>> + gen_require(` >>> + type gstreamer_orcexec_t; >>> + ') >>> + >>> + allow $1 gstreamer_orcexec_t:file mmap_file_perms; >>> +') >>> --- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016- >>> 08-14 21:28:11.494519604 +0200 >>> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 20 >>> 16-09-15 12:51:26.107456172 +0200 >>> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ >>> type gnome_keyring_tmp_t; >>> userdom_user_tmp_file(gnome_keyring_tmp_t) >>> >>> +type gstreamer_orcexec_t; >>> +application_executable_file(gstreamer_orcexec_t) >>> + >>> ############################## >>> # >>> # Common local Policy >>> --- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te >>> 2016-08-15 23:39:24.063783236 +0200 >>> +++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te >>> 2016-09-19 13:06:10.485531536 +0200 
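Review bot: The gnome.te hunk declares gstreamer_orcexec_t with `application_executable_file()`, and the two interfaces added in the second gnome.if hunk hand out `manage_file_perms` and `mmap_file_perms` (which, in refpolicy, includes execute) on that same type to one caller; a domain that receives both, as pulseaudio_t does in the pulseaudio.te hunk, can therefore write a file and then map it executable, which is the write-then-execute path that execmem/execmod normally gates. That is inherent to ORC's JIT output and may be the intended trade-off, but nothing in the new type declaration says so. I would add, above the `type gstreamer_orcexec_t;` line, `# ORC JIT output: the same domain writes and then mmaps this type executable,` / `# so granting both manage and mmap is equivalent to execmem for that domain.` and mirror a one-line reminder next to the paired calls in pulseaudio.te, so future callers of gnome_manage_gstreamer_orcexec understand what they are opting into.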
>>> @@ -193,6 +193,12 @@ optional_policy(` >>> >>> optional_policy(` >>> gnome_stream_connect_gconf(pulseaudio_t) >>> + >>> + # OIL Runtime Compiler (ORC) optimized code execution >>> + gnome_manage_gstreamer_orcexec(pulseaudio_t) >>> + gnome_mmap_gstreamer_orcexec(pulseaudio_t) >>> + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_ >>> t, file) >>> + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio >>> _t, file) >>> ') >>> >>> optional_policy(` >> >> >> > -- Chris PeBenito