From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 77B86139694 for ; Tue, 21 Feb 2017 07:12:17 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id EACA421C168; Tue, 21 Feb 2017 07:12:02 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id AA2C221C168 for ; Tue, 21 Feb 2017 07:12:02 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8129C3413AA for ; Tue, 21 Feb 2017 07:11:54 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 5FC0C4F57 for ; Tue, 21 Feb 2017 07:11:50 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1487660780.6e50d6f81946eeb21cfec280182f0ff875a9e5e8.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/alsa.fc policy/modules/contrib/alsa.if policy/modules/contrib/alsa.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 6e50d6f81946eeb21cfec280182f0ff875a9e5e8 X-VCS-Branch: master Date: Tue, 21 Feb 2017 07:11:50 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 3fb304c7-b7c9-4b53-82a6-9d451560df4d X-Archives-Hash: 44f30ae1a5a818c8ef762bfacefb5025 commit: 6e50d6f81946eeb21cfec280182f0ff875a9e5e8 Author: cgzones googlemail com> AuthorDate: Fri Jan 6 14:56:26 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Tue Feb 21 07:06:20 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e50d6f8 update alsa module policy/modules/contrib/alsa.fc | 31 ++++++++++++++--------------- policy/modules/contrib/alsa.if | 8 -------- policy/modules/contrib/alsa.te | 44 ++++++++++++++---------------------------- 3 files changed, 29 insertions(+), 54 deletions(-) diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc index f26e2392..0f9e5196 100644 --- a/policy/modules/contrib/alsa.fc +++ b/policy/modules/contrib/alsa.fc 
@@ -1,25 +1,22 @@ -HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) +HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) -ifdef(`distro_debian',` -/\.config(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) -') +/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) +/etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0) -/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) -/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0) +/run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0) -# Systemd unit files -/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0) -/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0) -/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0) +/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) +/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) +/usr/lib/systemd/system/[^/]*alsa-restore.* -- gen_context(system_u:object_r:alsa_unit_t,s0) +/usr/lib/systemd/system/[^/]*alsa-state.* -- gen_context(system_u:object_r:alsa_unit_t,s0) +/usr/lib/systemd/system/[^/]*alsa-store.* -- gen_context(system_u:object_r:alsa_unit_t,s0) -/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) +/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) +/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) -/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) +/var/lib/alsa(/.*)? 
gen_context(system_u:object_r:alsa_var_lib_t,s0) -/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_var_lock_t,s0) +/var/lock/asound\.state\.lock -- gen_context(system_u:object_r:alsa_var_lock_t,s0) diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if index 9ffed049..d50f5e33 100644 --- a/policy/modules/contrib/alsa.if +++ b/policy/modules/contrib/alsa.if @@ -135,10 +135,6 @@ interface(`alsa_read_config',` allow $1 alsa_etc_t:dir list_dir_perms; read_files_pattern($1, alsa_etc_t, alsa_etc_t) read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ') ') ######################################## @@ -176,10 +172,6 @@ interface(`alsa_manage_config',` allow $1 alsa_etc_t:dir list_dir_perms; manage_files_pattern($1, alsa_etc_t, alsa_etc_t) read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) - - ifdef(`distro_debian',` - files_search_usr($1) - ') ') ######################################## diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te index f82e39ca..ed579965 100644 --- a/policy/modules/contrib/alsa.te +++ b/policy/modules/contrib/alsa.te @@ -15,6 +15,12 @@ role alsa_roles types alsa_t; type alsa_etc_t alias alsa_etc_rw_t; files_config_file(alsa_etc_t) +type alsa_home_t; +userdom_user_home_content(alsa_home_t) + +type alsa_runtime_t; +files_pid_file(alsa_runtime_t) + type alsa_tmp_t; files_tmp_file(alsa_tmp_t) 
@@ -30,16 +36,14 @@ files_type(alsa_var_lib_t) type alsa_var_lock_t; files_lock_file(alsa_var_lock_t) -type alsa_home_t; -userdom_user_home_content(alsa_home_t) - ######################################## # # Local policy # allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid }; -dontaudit alsa_t self:capability sys_admin; +# kill : kill pulseaudio +dontaudit alsa_t self:capability { kill sys_admin }; allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen }; @@ -52,6 +56,10 @@ read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t) can_exec(alsa_t, alsa_exec_t) +allow alsa_t alsa_runtime_t:dir manage_dir_perms; +allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms; +files_pid_filetrans(alsa_t, alsa_runtime_t, dir) + manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) @@ -71,6 +79,7 @@ kernel_read_system_state(alsa_t) corecmd_exec_bin(alsa_t) dev_getattr_fs(alsa_t) +dev_read_input(alsa_t) dev_read_sound(alsa_t) dev_read_sysfs(alsa_t) dev_read_urand(alsa_t) @@ -79,14 +88,14 @@ dev_write_sound(alsa_t) files_read_usr_files(alsa_t) files_search_var_lib(alsa_t) +fs_getattr_tmpfs(alsa_t) + term_dontaudit_use_console(alsa_t) term_dontaudit_use_generic_ptys(alsa_t) term_dontaudit_use_all_ptys(alsa_t) auth_use_nsswitch(alsa_t) -init_use_fds(alsa_t) - logging_send_syslog_msg(alsa_t) miscfiles_read_localization(alsa_t) 
@@ -95,29 +104,6 @@ userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_user_home_dirs(alsa_t) -ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(alsa_t) - - # Gnome 3.4 bug - dev_associate(alsa_tmpfs_t) - - allow alsa_t self:capability kill; - - manage_lnk_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) - files_root_filetrans(alsa_t, alsa_var_lib_t, dir, ".config") - - fs_list_tmpfs(alsa_t) - - optional_policy(` - dbus_read_lib_files(alsa_t) - ') - - optional_policy(` - pulseaudio_run(alsa_t, system_r) - pulseaudio_tmpfs_content(alsa_tmpfs_t) - ') -') - optional_policy(` hal_use_fds(alsa_t) hal_write_log(alsa_t)
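Review bot: in the alsa.fc hunk, `/etc/asound\.conf` gains a `--` qualifier that the old line did not have, so a symlink at that path would no longer match this entry and would keep its parent directory's label, leaving alsa_read_config callers unable to read it through alsa_etc_t; if restricting the entry to regular files is intended, say so in the commit message, otherwise keep the line without `--`. The new `/run/alsa(/.*)?` entry labels everything below that directory alsa_runtime_t, so alsa.te needs rules for every object class that will be created there, not only directories.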
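Review bot: in the alsa_read_config hunk of alsa.if, `files_search_usr($1)` is removed outright together with the `distro_debian` conditional, yet alsa.fc still labels `/usr/share/alsa(/.*)?` as alsa_etc_t on every distro, so callers of this interface need search permission on /usr to reach that content; unless each caller is known to get it elsewhere, keep `files_search_usr($1)` unconditionally (the same applies to the alsa_manage_config hunk).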
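Review bot: in the alsa.te hunk at `@@ -30,16 +36,14 @@`, the `kill` capability moves from an `allow` (previously inside the Debian block) to a `dontaudit`, so on Debian alsa_t loses an access it had and the resulting denial is silent; if the new comment `# kill : kill pulseaudio` describes behaviour the daemon needs, this should stay an `allow` (or be gated behind a boolean), and if it describes a harmless attempt, the comment should say so explicitly.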
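Review bot: in the alsa.te hunk at `@@ -52,6 +56,10 @@`, alsa_t receives `manage_dir_perms` and `manage_lnk_file_perms` on alsa_runtime_t plus a `dir` transition under the pid directory, but no rule for the `file` class, so any regular file written below /run/alsa will be denied; add `manage_files_pattern(alsa_t, alsa_runtime_t, alsa_runtime_t)` if files are expected there, or a comment stating that only directories and symlinks are created. Nothing in the alsa.if changes exposes the new alsa_runtime_t to other domains, so a read interface for it will be needed before another module can use the runtime directory.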
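Review bot: in the alsa.te hunk at `@@ -71,6 +79,7 @@`, `dev_read_input(alsa_t)` grants read access to input device nodes, a wider footprint than the sound and sysfs accesses around it, and the commit message (`update alsa module`) gives no reason for it; a comment naming the program and the denial that motivated the rule would help later audits of this domain.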
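Review bot: in the alsa.te hunk at `@@ -79,14 +88,14 @@`, `init_use_fds(alsa_t)` is dropped while alsa.fc still labels the alsa-restore, alsa-state and alsa-store units as alsa_unit_t, so alsa_t continues to be started by init and inherits its descriptors; unless the domain's init interface already covers fd use, this will surface as `fd use` denials against init_t, and the removal should at least be mentioned in the commit message.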
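Review bot: in the last alsa.te hunk the whole `distro_debian` block is deleted, including `pulseaudio_run(alsa_t, system_r)`, `pulseaudio_tmpfs_content(alsa_tmpfs_t)`, `dbus_read_lib_files(alsa_t)`, `dev_associate(alsa_tmpfs_t)` and `fs_list_tmpfs(alsa_t)`, with only `kill` (now a dontaudit) and a tmpfs getattr reappearing elsewhere in the patch; the commit message `update alsa module` does not say whether Debian no longer needs these, so either state that or keep the still-required `optional_policy` blocks outside the ifdef. Removing `files_root_filetrans(alsa_t, alsa_var_lib_t, dir, ".config")` is consistent with dropping the `/\.config(/.*)?` entry from alsa.fc.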