From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 18 Dec 2016 17:29:05 -0500
Subject: [refpolicy] [PATCH] xserver: curb on execheap and execmem
 permissions
In-Reply-To: <1481993348.5458.6.camel@trentalancia.net>
References: <1481993348.5458.6.camel@trentalancia.net>
Message-ID: <449b0f9a-77a4-aa50-782a-17a1b3f26725@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/17/16 11:49, Guido Trentalancia via refpolicy wrote:
> The X Display Manager (XDM) does not normally require execheap
> and execmem permissions.
>
> Modify the current xserver module so that execheap and/or
> execmem are enabled only when the global booleans allow_execheap
> and/or allow_execmem are enabled.
>
> This applies only to systems other than RedHat.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.te |    9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/services/xserver.te	2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.te	2016-12-17 17:23:59.955264997 +0100
> @@ -584,7 +584,14 @@ optional_policy(`
>  	unconfined_domtrans(xdm_t)
>
>  	ifndef(`distro_redhat',`
> -		allow xdm_t self:process { execheap execmem };
> +		tunable_policy(`allow_execheap',`
> +			allow xdm_t self:process execheap;
> +		')
> +
> +		# gnome-shell in gdm mode requires execmem
> +		tunable_policy(`allow_execmem',`
> +			allow xdm_t self:process execmem;
> +		')
>  	')
>  ')

I't probably should just be removed from the ifndef, if the rules are 
conditional.

A more important question is if xserver actually still needs these perms.

-- 
Chris PeBenito