commit:     3101fc57262e91f9e5f57a89493a32197c1ebc81
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Aug 13 15:16:10 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3101fc57

Update the pulseaudio module for usability and ORC support

Update the pulseaudio module so that it is usable (tested with
latest version pulseaudio 9.0).

This patch depends on a recent patch to update the gnome module.

Support for the OIL Runtime Compiler (ORC) optimized code
execution is added to the pulseaudio module by using a few
newly created interfaces and file contexts in the gnome
module.

Supports the execmem permission only through a boolean which
defaults to false.

Thanks to Dominick Grift for the useful suggestions that
permitted to create this new improved version of the patch.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/contrib/pulseaudio.fc |  1 +
 policy/modules/contrib/pulseaudio.if |  1 +
 policy/modules/contrib/pulseaudio.te | 34 ++++++++++++++++++++++++++++++----
 3 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/pulseaudio.fc 
b/policy/modules/contrib/pulseaudio.fc
index e005030..19ade57 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -1,6 +1,7 @@
 HOME_DIR/\.esd_auth    --      
gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.pulse-cookie        --      
gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)?  --      
gen_context(system_u:object_r:pulseaudio_home_t,s0)
 
 /usr/bin/pulseaudio    --      
gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 
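Review bot: The added entry `HOME_DIR/\.config/pulse(/.*)?` carries the `--` file-type specifier, so it matches regular files only, and the `~/.config/pulse` directory itself (plus any subdirectory) is not labelled pulseaudio_home_t by this line even though the regex is written to match it. The neighbouring `HOME_DIR/\.pulse(/.*)?` entry has no specifier and therefore covers the directory as well. Dropping the specifier, i.e. `HOME_DIR/\.config/pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_home_t,s0)`, would keep the two entries consistent and let a relabel put the directory in the private type rather than leaving it under the generic user config label.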

diff --git a/policy/modules/contrib/pulseaudio.if 
b/policy/modules/contrib/pulseaudio.if
index ce863b0..f057680 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -25,6 +25,7 @@ interface(`pulseaudio_role',`
        pulseaudio_run($2, $1)
 
        allow $2 pulseaudio_t:process { ptrace signal_perms };
+       allow $2 pulseaudio_t:fd use;
        ps_process_pattern($2, pulseaudio_t)
 
        allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };

diff --git a/policy/modules/contrib/pulseaudio.te 
b/policy/modules/contrib/pulseaudio.te
index e7511a8..134866e 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -5,6 +5,14 @@ policy_module(pulseaudio, 1.8.3)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow pulseaudio to execute code in
+## writable memory 
+## </p>
+## </desc>
+gen_tunable(pulseaudio_execmem, false)
+
 attribute pulseaudio_client;
 attribute pulseaudio_tmpfsfile;
 
@@ -37,7 +45,8 @@ files_pid_file(pulseaudio_var_run_t)
 #
 
 allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid 
sys_nice sys_resource sys_tty_config };
-allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched 
signal signull };
+allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched 
signal signull };
+
 allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
 allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
 allow pulseaudio_t self:unix_dgram_socket sendto;
@@ -129,9 +138,15 @@ logging_send_syslog_msg(pulseaudio_t)
 miscfiles_read_localization(pulseaudio_t)
 
 userdom_read_user_tmpfs_files(pulseaudio_t)
-
+userdom_delete_user_tmpfs_files(pulseaudio_t)
 userdom_search_user_home_dirs(pulseaudio_t)
-userdom_write_user_tmp_sockets(pulseaudio_t)
+userdom_search_user_home_content(pulseaudio_t)
+
+userdom_manage_user_tmp_sockets(pulseaudio_t)
+
+tunable_policy(`pulseaudio_execmem',`
+       allow pulseaudio_t self:process execmem;
+')
 
 tunable_policy(`use_nfs_home_dirs',`
        fs_manage_nfs_dirs(pulseaudio_t)
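Review bot: `userdom_manage_user_tmp_sockets(pulseaudio_t)` replaces the former write-only interface and, together with the new `userdom_delete_user_tmpfs_files(pulseaudio_t)`, moves pulseaudio_t from using to creating and removing objects of the generic user tmp and tmpfs types, with no comment saying which pulseaudio operation needs it. Judging by the interface names, these grants cover every socket and tmpfs file of those types rather than only pulseaudio's own, which is wider than the daemon's private types (the `pulseaudio_tmpfsfile` attribute is declared above) would suggest. I would add a one-line comment per grant naming the operation that was denied, and, if the objects are pulseaudio's own, prefer a private type with a type transition over manage/delete on the shared type. The `tunable_policy` block for `use_nfs_home_dirs` at the end of the hunk continues outside it.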
@@ -146,7 +161,8 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-       alsa_read_rw_config(pulseaudio_t)
+       alsa_read_config(pulseaudio_t)
+       alsa_read_home_files(pulseaudio_t)
 ')
 
 optional_policy(`
@@ -176,6 +192,15 @@ optional_policy(`
 ')
 
 optional_policy(`
+       gnome_stream_connect_gconf(pulseaudio_t)
+
+       # OIL Runtime Compiler (ORC) optimized code execution
+       allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms 
mmap_file_perms };
+       gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+       gnome_home_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+')
+
+optional_policy(`
        rtkit_scheduled(pulseaudio_t)
 ')
 
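Review bot: The ORC rule `allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };` is unconditional, while the commit message and the `pulseaudio_execmem` tunable (default false) present execution of writable memory as opt-in. manage_file_perms lets the domain create and write these files and mmap_file_perms includes execute, so with the boolean off pulseaudio_t can still write code into a file of this type and map it executable. If that is intended, the comment should say so, e.g. `# ORC code cache needs write+execute; deliberately not gated by pulseaudio_execmem`; otherwise the allow rule could sit in a tunable_policy block on pulseaudio_execmem inside this optional_policy. How gstreamer_orcexec_t is declared lives in the gnome module and is not visible in this patch.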
@@ -186,6 +211,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+       udev_read_pid_files(pulseaudio_t)
        udev_read_state(pulseaudio_t)
        udev_read_db(pulseaudio_t)
 ')
