From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:07:22 +0200 (CEST) Subject: [refpolicy] [PATCH 24/33] pulseaudio: adapt to userdom permissions restrictions Message-ID: <2143572342.164532.1492650442570@pim.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch adapts the pulseaudio module to the userdomain permissions changes in this patchset. It aims to ensure user data confidentiality. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/pulseaudio.te | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- refpolicy-2.20170204-orig/policy/modules/contrib/pulseaudio.te 2017-02-04 19:30:23.000000000 +0100 +++ refpolicy-2.20170204/policy/modules/contrib/pulseaudio.te 2017-04-19 21:58:16.953220101 +0200 @@ -61,10 +61,14 @@ userdom_user_home_dir_filetrans(pulseaud userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth") userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie") +userdom_user_cache_filetrans(pulseaudio_t, pulseaudio_home_t, file) +userdom_user_config_filetrans(pulseaudio_t, pulseaudio_home_t, file) + manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) + userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock") userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") 
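Review bot: The two transitions added in the first hunk, `userdom_user_cache_filetrans(pulseaudio_t, pulseaudio_home_t, file)` and `userdom_user_config_filetrans(pulseaudio_t, pulseaudio_home_t, file)`, cover only the `file` class, so a directory that pulseaudio_t creates under the user cache or config directories would presumably keep the generic user type instead of pulseaudio_home_t. The interface bodies are defined elsewhere in the patchset and are not visible here; if they accept an object name the way `userdom_user_home_dir_filetrans` does on the context lines above, a named `dir` transition for the daemon's own subdirectory would keep its whole tree under the private type. Both rules are unnamed and therefore match every file the domain creates in those directories, so a comment above the pair would help, for example `# label files pulseaudio creates in the user cache/config dirs as pulseaudio_home_t`.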
@@ -85,6 +89,8 @@ manage_files_pattern(pulseaudio_t, pulse manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) +userdom_user_home_dir_filetrans_user_config(pulseaudio_t, dir, ".config") + allow pulseaudio_t pulseaudio_client:process signull; ps_process_pattern(pulseaudio_t, pulseaudio_client) @@ -137,10 +143,8 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) -userdom_read_user_tmpfs_files(pulseaudio_t) -userdom_delete_user_tmpfs_files(pulseaudio_t) -userdom_search_user_home_dirs(pulseaudio_t) -userdom_search_user_home_content(pulseaudio_t) +userdom_manage_user_tmpfs_files(pulseaudio_t) +userdom_manage_user_config(pulseaudio_t) userdom_manage_user_tmp_sockets(pulseaudio_t) @@ -256,6 +260,7 @@ pulseaudio_manage_home(pulseaudio_client pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse") pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") + pulseaudio_signull(pulseaudio_client) pulseaudio_use_fds(pulseaudio_client)
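Review bot: `userdom_user_home_dir_filetrans_user_config(pulseaudio_t, dir, ".config")` is added after the `pulseaudio_var_run_t` rules, away from the other `userdom_user_home_dir_filetrans(...)` lines in the hunk at line 61; placing it beside them would keep all home-directory transitions in one spot for anyone auditing the module. The rule presumably exists so that a `.config` directory created by the daemon gets the user config type, and that intent deserves a one-line comment such as `# pulseaudio may be the first program to create ~/.config`.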
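Review bot: The replacement rules in the hunk at line 137 widen access rather than narrow it: `userdom_manage_user_tmpfs_files(pulseaudio_t)` replaces separate read and delete rules, and `userdom_manage_user_config(pulseaudio_t)` replaces two search-only rules. The interface bodies are not shown here, but by refpolicy naming a `manage` interface grants create, write and unlink on the generic type, which would let a compromised pulseaudio_t alter configuration belonging to other applications and sits oddly with the stated confidentiality goal. Since the first hunk already transitions files the daemon creates to pulseaudio_home_t, check whether a narrower grant is enough, for example keeping `userdom_read_user_tmpfs_files(pulseaudio_t)` and `userdom_delete_user_tmpfs_files(pulseaudio_t)` and allowing only search and directory creation on the config type. If the broader access is really needed, a comment naming the operation that requires it would make the rule auditable.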