commit: c41bce39e4cc5a7ae57a5a305ab8e7bb1618fcf7
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 18:42:42 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c41bce39
mpd, pulseaudio: split domtrans and client access
Split `pulseaudio_domtrans()` into two interfaces: one that grants
transition access and the other the `pulseaudio_client` attribute. This
fixes a build error because calls to `pulseaudio_domtrans()` by the role
would associate the client attribute with the user exec domain
attribute.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/apps/pulseaudio.if | 26 ++++++++++++++++++++------
policy/modules/services/mpd.te | 1 +
2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/policy/modules/apps/pulseaudio.if
b/policy/modules/apps/pulseaudio.if
index 5a2c2a83..1796b771 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -59,6 +59,25 @@ template(`pulseaudio_role',`
')
')
+########################################
+## <summary>
+## Connect to pulseaudio and manage
+## pulseaudio config data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_client_domain',`
+ gen_require(`
+ attribute pulseaudio_client;
+ ')
+
+ typeattribute $1 pulseaudio_client;
+')
+
########################################
## <summary>
## Execute a domain transition to run pulseaudio.
@@ -71,12 +90,9 @@ template(`pulseaudio_role',`
#
interface(`pulseaudio_domtrans',`
gen_require(`
- attribute pulseaudio_client;
type pulseaudio_t, pulseaudio_exec_t;
')
- typeattribute $1 pulseaudio_client;
-
corecmd_search_bin($1)
domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
')
@@ -100,12 +116,10 @@ interface(`pulseaudio_domtrans',`
#
interface(`pulseaudio_run',`
gen_require(`
- attribute pulseaudio_client;
attribute_role pulseaudio_roles;
')
- typeattribute $1 pulseaudio_client;
-
+ pulseaudio_client_domain($1)
pulseaudio_domtrans($1)
roleattribute $2 pulseaudio_roles;
')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
index 4a0650df..3ba4a896 100644
--- a/policy/modules/services/mpd.te
+++ b/policy/modules/services/mpd.te
@@ -182,6 +182,7 @@ optional_policy(`
')
optional_policy(`
+ pulseaudio_client_domain(mpd_t)
pulseaudio_domtrans(mpd_t)
')
