From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 4D213138330 for ; Mon, 3 Oct 2016 06:27:03 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1A0C921C0E4; Mon, 3 Oct 2016 06:26:54 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id C45F621C0E4 for ; Mon, 3 Oct 2016 06:26:38 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id E1B08340E1A for ; Mon, 3 Oct 2016 06:26:36 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 7A3CD24B0 for ; Mon, 3 Oct 2016 06:26:34 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1475475213.fa460d674228cdbe2e16cd33b5b5d83c85e72008.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/gnome.fc policy/modules/contrib/gnome.if policy/modules/contrib/gnome.te policy/modules/contrib/pulseaudio.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: fa460d674228cdbe2e16cd33b5b5d83c85e72008 X-VCS-Branch: next Date: Mon, 3 Oct 2016 06:26:34 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 0af44ae2-a7ef-4290-bf25-7e4ac30e155f X-Archives-Hash: db95140762afcaa400cc289be66febd8 Message-ID: <20161003062634.ZtJSndwIfrAbPxhzmwqF3d_rtrvoeXMzdoVB-g6vsC4@z> commit: fa460d674228cdbe2e16cd33b5b5d83c85e72008 Author: Guido Trentalancia via refpolicy oss tresys com> AuthorDate: Mon Sep 19 11:15:44 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Mon Oct 3 06:13:33 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fa460d67 gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution Add a new gstreamer_orcexec_t type and file context to the gnome module in order to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio). Add optional policy to the pulseaudio module to support the ORC optimized code execution. This patch has been anticipated a few weeks ago as part of a larger gnome patch. It has now been split as a smaller patch, as required. 
Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/contrib/gnome.fc | 4 ++ policy/modules/contrib/gnome.if | 98 ++++++++++++++++++++++++++++++++++++ policy/modules/contrib/gnome.te | 3 ++ policy/modules/contrib/pulseaudio.te | 6 +++ 4 files changed, 111 insertions(+)
diff --git a/policy/modules/contrib/gnome.fc b/policy/modules/contrib/gnome.fc
index 31d8c6c..ce12193 100644
--- a/policy/modules/contrib/gnome.fc
+++ b/policy/modules/contrib/gnome.fc
@@ -7,6 +7,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
 HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
 HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+
 /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
 /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
@@ -16,6 +18,8 @@ HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
 /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
 /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
 ifdef(`distro_gentoo',`
 HOME_DIR/\.config/dconf(/.*)? gen_context(system_u:object_r:gnome_xdg_config_home_t,s0)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index cad0e95..190fa16 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
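Review bot: The new `HOME_DIR/orcexec\..*` entry in the first hunk carries no file-type qualifier, while the two `/var/run/user/...` entries added in the second hunk carry `--`, so the home-directory pattern would also label directories, symlinks and other non-regular objects whose name starts with `orcexec.` with an executable file type. Since `gstreamer_orcexec_t` is declared with `application_executable_file()` and the new interfaces only grant the `file` class, `HOME_DIR/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)` would keep the three entries consistent. This looks like an oversight rather than an intentional difference; confirm with the author.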
@@ -610,6 +610,66 @@ interface(`gnome_gconf_home_filetrans',`
 ########################################
 ##
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+##
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+##
 ## Read generic gnome keyring home files.
 ##
 ##
@@ -764,3 +824,41 @@ interface(`gnome_dbus_chat_gconfd',`
 allow $1 gconfd_t:dbus send_msg;
 allow gconfd_t $1:dbus send_msg;
 ')
+
+########################################
+##
+## Manage gstreamer ORC optimized
+## code.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_manage_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file manage_file_perms;
+')
+
+########################################
+##
+## Mmap gstreamer ORC optimized
+## code.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gnome_mmap_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file mmap_file_perms;
+')
diff --git a/policy/modules/contrib/gnome.te b/policy/modules/contrib/gnome.te
index dd6ac04..8c79849 100644
--- a/policy/modules/contrib/gnome.te
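Review bot: The `name` parameter of the two new filetrans interfaces is passed through as `$3`, but the only callers this commit adds (in pulseaudio.te) give just two arguments, so the parameter has to be optional; the XML markup is stripped in this mail, so please confirm the `.if` file really carries `<param name="name" optional="true">` for both interfaces, as the existing userdom filetrans interfaces do. The summaries would also benefit from stating the consequence of omitting the name: an unnamed type transition applies to every object of the given class the caller creates directly in the target directory, not only to ORC's files, whose suffix appears to be variable given the `orcexec\..*` patterns in gnome.fc. A line such as `##	Without a name, every object of the class the domain creates in the directory gets this type.` under each summary would make that explicit.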
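Review bot: `gnome_mmap_gstreamer_orcexec` grants `mmap_file_perms`, which in refpolicy includes `execute`, so a domain that also calls `gnome_manage_gstreamer_orcexec` may write and then execute the very same files; neither summary (`Manage gstreamer ORC optimized code.` / `Mmap gstreamer ORC optimized code.`) says so. Suggest the mmap summary read `##	Mmap (including execute) gstreamer ORC optimized code.` followed by `##	Together with gnome_manage_gstreamer_orcexec this lets the caller run code it generated at runtime.` so that policy authors understand what they grant. This is inherent to how ORC works, so the point is documentation rather than a change to the rules.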
+++ b/policy/modules/contrib/gnome.te
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_home_t)
 type gnome_keyring_tmp_t;
 userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
 ##############################
 #
 # Common local Policy
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 214e9c6..7f30a72 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -193,6 +193,12 @@ optional_policy(`
 optional_policy(`
 gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ gnome_manage_gstreamer_orcexec(pulseaudio_t)
+ gnome_mmap_gstreamer_orcexec(pulseaudio_t)
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
 ')
 optional_policy(`
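Review bot: `gstreamer_orcexec_t` is declared only via `application_executable_file()`, yet the file contexts and filetrans interfaces in this commit place it under user home directories and `/var/run/user/`; without `userdom_user_home_content(gstreamer_orcexec_t)` (as the neighbouring `gnome_keyring_home_t` has) the type does not carry the user home content attribute, so interfaces keyed on that attribute (relabel, backup, cleanup of home content by other domains) would presumably not cover these files. The analogous user runtime content interface, if this tree has one, should be considered for the `/var/run/user` location. A one-line comment above the declaration, e.g. `# runtime-generated code: written and then mapped executable by the same domain`, would also tell future reviewers why an executable type lives in user-writable directories.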
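Review bot: The two filetrans calls carry no name argument, so every regular file `pulseaudio_t` creates directly in the user home directory or the user runtime directory, not just `orcexec.*`, gets `gstreamer_orcexec_t`, a type the same domain may then map executable through the `gnome_mmap_gstreamer_orcexec` call two lines above. If pulseaudio.te already has an unnamed `file` transition from `pulseaudio_t` into either directory outside this hunk, the two rules may conflict at policy build time; please check. The reason no name can be given (ORC's suffix appears variable, judging by the `orcexec\..*` patterns in gnome.fc) deserves a comment next to the calls, e.g. `# ORC file names vary, so the transition cannot be narrowed by name`.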