From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 8 Dec 2016 18:36:08 +0100
Subject: [refpolicy] [PATCH 1/2] games: general update and improved pulseaudio integration
In-Reply-To: <1481216996.20182.5.camel@trentalancia.net>
References: <1481216996.20182.5.camel@trentalancia.net>
Message-ID: <6f6a7bd9-45f2-9f77-b8d8-ff2c93301acc@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/08/2016 06:09 PM, Guido Trentalancia via refpolicy wrote:
> Update for the games module and improved integration with pulseaudio.
>
> This patch also introduces a new interface needed by later versions
> of a recently posted window manager (wm) patch.
>

It has been a while since I looked at the pulseaudio policy, but I suspect you only need:

pulseaudio_tmpfs_content(games_tmpfs_t)
pulseaudio_run(games_t, games_roles)

The above should take care of everything except dbus_all_session_bus_client(games_t). It relies heavily on the use of type attributes. Have a close look at the pulseaudio module, and focus on the pulseaudio_client and pulseaudio_tmpfsfile type attributes.

> Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/games.if | 79 +++++++++++++++++++++++++++++++++++++++- > policy/modules/contrib/games.te | 17 ++++++++ > 2 files changed, 95 insertions(+), 1 deletion(-) > > --- refpolicy-git-07122016-orig/policy/modules/contrib/games.if 2016-12-08 16:56:24.204207842 +0100 > +++ refpolicy-git-07122016/policy/modules/contrib/games.if 2016-12-08 17:56:49.233100321 +0100 > @@ -42,7 +42,6 @@ interface(`games_role',` > ######################################## > ## > ## Read and write games data files. > -## games data. > ## > ## > ##
> @@ -58,3 +57,81 @@ interface(`games_rw_data',` > files_search_var_lib($1) > rw_files_pattern($1, games_data_t, games_data_t) > ') > + > +######################################## > +## > +## Read games tmpfs files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`games_read_tmpfs_files',` > + gen_require(` > + type games_tmpfs_t; > + ') > + > + fs_search_tmpfs($1) > + read_files_pattern($1, games_tmpfs_t, games_tmpfs_t) > +') > + > +######################################## > +## > +## Run a game in the game domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`games_domtrans',` > + gen_require(` > + type games_t, games_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, games_exec_t, games_t) > +') > + > +######################################## > +## > +## Send null signals to games > +## processes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`games_signull',` > + gen_require(` > + type games_t; > + ') > + > + allow $1 games_t:process signull; > +') > + > +######################################## > +## > +## Send and receive messages from > +## games over dbus. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`games_dbus_chat',` > + gen_require(` > + type games_t; > + class dbus send_msg; > + ') > + > + allow $1 games_t:dbus send_msg; > + allow games_t $1:dbus send_msg; > +') > --- refpolicy-git-07122016-orig/policy/modules/contrib/games.te 2016-12-08 16:56:24.204207842 +0100 > +++ refpolicy-git-07122016/policy/modules/contrib/games.te 2016-12-08 17:47:13.726232210 +0100 > @@ -95,6 +95,7 @@ optional_policy(` > # Client local policy > # > > +allow games_t self:fifo_file rw_file_perms; > allow games_t self:sem create_sem_perms; > allow games_t self:tcp_socket { accept listen }; 
> > @@ -137,6 +138,7 @@ dev_read_sound(games_t) > dev_read_input(games_t) > dev_read_mouse(games_t) > dev_read_urand(games_t) > +dev_rw_dri(games_t) > dev_write_sound(games_t) > > files_list_var(games_t) > @@ -146,6 +148,9 @@ files_read_etc_files(games_t) > files_read_usr_files(games_t) > files_read_var_files(games_t) > > +fs_dontaudit_getattr_xattr_fs(games_t) > +fs_getattr_tmpfs(games_t) > + > init_dontaudit_rw_utmp(games_t) > > logging_dontaudit_search_logs(games_t) > @@ -166,10 +171,22 @@ tunable_policy(`allow_execmem',` > ') > > optional_policy(` > + dbus_all_session_bus_client(games_t) > + dbus_connect_all_session_bus(games_t) > +') > + > +optional_policy(` > nscd_use(games_t) > ') > > optional_policy(` > + pulseaudio_rw_tmpfs_files(games_t) > + pulseaudio_signull(games_t) > + pulseaudio_stream_connect(games_t) > + pulseaudio_use_fds(games_t) > +') > + > +optional_policy(` > xserver_user_x_domain_template(games, games_t, games_tmpfs_t) > xserver_create_xdm_tmp_sockets(games_t) > xserver_read_xdm_lib_files(games_t)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
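Review bot: the commit message says the patch introduces "a new interface" for the wm patch, but the games.if hunk at @@ -58,3 +57,81 @@ adds four (games_read_tmpfs_files, games_domtrans, games_signull, games_dbus_chat); the message should name which one the wm patch needs and what the other three are for, since interfaces with no caller are dead policy that still has to be maintained. Given that the reply above suggests pulseaudio_tmpfs_content(games_tmpfs_t), also check whether games_read_tmpfs_files is still required or whether the pulseaudio_tmpfsfile attribute already grants that access to the intended callers.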
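Review bot: the `+allow games_t self:fifo_file rw_file_perms;` line in the games.te hunk at @@ -95,6 +95,7 @@ is not mentioned in the commit message; state what needs it (the pulseaudio client path or the dbus client?) so the rule can be tied to a feature rather than left as an unexplained self permission.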
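Review bot: `+dev_rw_dri(games_t)` at @@ -137,6 +138,7 @@ grants read and write access to the DRI device nodes, which is a broader device permission than the surrounding read-only sound/input/mouse/urand lines; the commit message should say which games need direct rendering and why the existing xserver_user_x_domain_template access is not sufficient.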
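Review bot: `+fs_dontaudit_getattr_xattr_fs(games_t)` and `+fs_getattr_tmpfs(games_t)` at @@ -146,6 +148,9 @@ are also unexplained; if they were driven by denials seen while connecting to pulseaudio, say so in the commit message, and note that the tmpfs getattr may become redundant if the pulseaudio_tmpfs_content(games_tmpfs_t) approach from the reply is adopted.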
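Review bot: the pulseaudio optional_policy block at @@ -166,10 +171,22 @@ spells out four client interfaces (pulseaudio_rw_tmpfs_files, pulseaudio_signull, pulseaudio_stream_connect, pulseaudio_use_fds); as the reply above points out, the pulseaudio module works through the pulseaudio_client and pulseaudio_tmpfsfile type attributes, so the suggested pulseaudio_run(games_t, games_roles) plus pulseaudio_tmpfs_content(games_tmpfs_t) should replace this list and keep games in step if the client requirements in pulseaudio.if change. The dbus block is the one part the attributes do not cover; please document in the commit message what in the game domain needs dbus_connect_all_session_bus in addition to dbus_all_session_bus_client.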