2018-10-02 20:02:54

by Luis Ressel

Subject: [refpolicy] [PATCH] xserver: Allow user fonts (and caches) to be mmap()ed.

Applications can optionally map fonts and fontconfig caches into memory.
miscfiles_read_fonts() already grants those perms, but it seems
xserver_use_user_fonts() was forgotten.
---
policy/modules/services/xserver.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 1b25ff5c1..ec944672b 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -506,11 +506,12 @@ interface(`xserver_use_user_fonts',`

# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
- allow $1 user_fonts_t:file read_file_perms;
+ allow $1 user_fonts_t:file { map read_file_perms };

# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+ allow $1 user_fonts_cache_t:file { map read_file_perms };

# Read per user font config
allow $1 user_fonts_config_t:dir list_dir_perms;
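
Review bot: the added `allow $1 user_fonts_cache_t:file { map read_file_perms };` line repeats read access that the `manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)` call just above it already grants, so only `map` is new for the cache type. Suggest `allow $1 user_fonts_cache_t:file map;` so the rule shows exactly which permission is being added on top of the manage pattern.
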
--
2.19.0


2018-10-04 01:59:42

by Chris PeBenito

Subject: [refpolicy] [PATCH] xserver: Allow user fonts (and caches) to be mmap()ed.

On 10/02/2018 04:02 PM, Luis Ressel via refpolicy wrote:
> Applications can optionally map fonts and fontconfig caches into memory.
> miscfiles_read_fonts() already grants those perms, but it seems
> xserver_use_user_fonts() was forgotten.
> ---
> policy/modules/services/xserver.if | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index 1b25ff5c1..ec944672b 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -506,11 +506,12 @@ interface(`xserver_use_user_fonts',`
>
> # Read per user fonts
> allow $1 user_fonts_t:dir list_dir_perms;
> - allow $1 user_fonts_t:file read_file_perms;
> + allow $1 user_fonts_t:file { map read_file_perms };
>
> # Manipulate the global font cache
> manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
> manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
> + allow $1 user_fonts_cache_t:file { map read_file_perms };
>
> # Read per user font config
> allow $1 user_fonts_config_t:dir list_dir_perms;
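
Review bot: the `# Read per user fonts` comment over the changed `user_fonts_t:file` rule now understates it, since the rule grants `map` as well as read. Suggest rewording it to something like `# Read and map per user fonts`, and mentioning the mapping under `# Manipulate the global font cache` too, so callers of xserver_use_user_fonts() can see from the interface body that mmap() access is included.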

Merged.

--
Chris PeBenito