From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 18 Dec 2016 23:35:14 +0100
Subject: [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions
In-Reply-To: <449b0f9a-77a4-aa50-782a-17a1b3f26725@ieee.org>
References: <1481993348.5458.6.camel@trentalancia.net> <449b0f9a-77a4-aa50-782a-17a1b3f26725@ieee.org>
Message-ID: <0E24BB16-7EAE-4976-AF20-A8568483A416@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello!

It only needs execmem when gnome-shell runs in gdm mode.

Regards,

Guido

On the 18th of December 2016 23:29:05 CET, Chris PeBenito wrote:
>On 12/17/16 11:49, Guido Trentalancia via refpolicy wrote:
>> The X Display Manager (XDM) does not normally require execheap
>> and execmem permissions.
>>
>> Modify the current xserver module so that execheap and/or
>> execmem are enabled only when the global booleans allow_execheap
>> and/or allow_execmem are enabled.
>>
>> This applies only to systems other than RedHat.
>>
>> Signed-off-by: Guido Trentalancia
>> ---
>> policy/modules/services/xserver.te | 9 ++++++++-
>> 1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> --- a/policy/modules/services/xserver.te 2016-12-07 >13:39:08.670449307 +0100 >> +++ b/policy/modules/services/xserver.te 2016-12-17 >17:23:59.955264997 +0100 >> @@ -584,7 +584,14 @@ optional_policy(` >> unconfined_domtrans(xdm_t) >> >> ifndef(`distro_redhat',` >> - allow xdm_t self:process { execheap execmem }; >> + tunable_policy(`allow_execheap',` >> + allow xdm_t self:process execheap; >> + ') >> + >> + # gnome-shell in gdm mode requires execmem >> + tunable_policy(`allow_execmem',` >> + allow xdm_t self:process execmem; >> + ') >> ') >> ')
>
>It probably should just be removed from the ifndef, if the rules are
>conditional.
>
>A more important question is if xserver actually still needs these
>perms.
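Review bot: the two tunable_policy blocks in the @@ -584,7 +584,14 @@ hunk are still nested inside ifndef(`distro_redhat',` ... '), so on a Red Hat build neither allow_execheap nor allow_execmem has any effect on xdm_t, while the new comment "# gnome-shell in gdm mode requires execmem" describes a requirement that is not distro-specific (gdm running gnome-shell is exactly the Red Hat case). Either hoist both tunable_policy blocks out of the ifndef, as Chris suggests, or keep the ifndef and say in the comment why Red Hat is excluded; and if the ifndef goes, drop the "This applies only to systems other than RedHat." sentence from the commit message. Separately, allow_execheap and allow_execmem are the global booleans, so an administrator who only needs gnome-shell to work under gdm has to enable execmem for every domain gated on allow_execmem; a dedicated xserver tunable (for example a new xdm_execmem boolean declared with gen_tunable in xserver.te and documented in the module) would scope the relaxation to xdm_t alone, which is what the "curb" in the subject is after.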