
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 01 Nov 2012 21:42:24
Message-Id: 1351804720.99ba63620bef6fb39efa3418b51269117dd856a9.SwifT@gentoo
1 commit: 99ba63620bef6fb39efa3418b51269117dd856a9
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Thu Nov 1 21:18:40 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Nov 1 21:18:40 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=99ba6362
7
8 Introduce mplayer read or manage booleans
9
10 Try to restrict mplayer to reading videos from the XDG videos location only, while
11 still offering the upstream behaviour (access to all user content) through booleans.
12
13 Also reshuffle gentoo-specifics into its own distro_gentoo structure.
14
15 ---
16 policy/modules/contrib/mplayer.te | 62 ++++++++++++++++++++++++++++---------
17 1 files changed, 47 insertions(+), 15 deletions(-)
18
19 diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
20 index 579055f..c175411 100644
21 --- a/policy/modules/contrib/mplayer.te
22 +++ b/policy/modules/contrib/mplayer.te
23 @@ -13,6 +13,21 @@ policy_module(mplayer, 2.4.2)
24 ## </desc>
25 gen_tunable(allow_mplayer_execstack, false)
26
27 +## <desc>
28 +## <p>
29 +## Allow mplayer to read user content
30 +## </p>
31 +## </desc>
32 +gen_tunable(mplayer_read_user_content, true)
33 +
34 +## <desc>
35 +## <p>
36 +## Allow mplayer to manage user content
37 +## </p>
38 +## </desc>
39 +gen_tunable(mplayer_manage_user_content, false)
40 +
41 +
42 attribute_role mencoder_roles;
43 attribute_role mplayer_roles;
44
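Review bot: The two tunables declared here are only referenced inside the `ifdef(`distro_gentoo',` block later in this patch, so on a non-Gentoo build both booleans exist but change nothing; either move the `gen_tunable` lines into that block or say in the description that they are Gentoo-only. The `<desc>` text should also state what each boolean actually grants, since "read user content" and "manage user content" undersell the second one: `mplayer_read_user_content` reads user home content files and symlinks, while `mplayer_manage_user_content` manages user home content and user tmp dirs/files, creates home content via filetrans, and writes user tmp sockets. Suggested wording for the second: `## Allow mplayer to create, write and delete generic user home content and user tmp files, and to write user tmp sockets.` The double blank line after the second `gen_tunable` is a style nit.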
45 @@ -166,9 +181,9 @@ dev_read_realtime_clock(mplayer_t)
46 dev_read_sound_mixer(mplayer_t)
47 dev_read_urand(mplayer_t)
48 dev_read_video_dev(mplayer_t)
49 -dev_rwx_zero(mplayer_t)
50 -dev_write_video_dev(mplayer_t)
51 dev_write_sound_mixer(mplayer_t)
52 +dev_write_video_dev(mplayer_t)
53 +dev_rwx_zero(mplayer_t)
54
55 domain_use_interactive_fds(mplayer_t)
56
57 @@ -193,19 +208,40 @@ miscfiles_read_localization(mplayer_t)
58 miscfiles_read_fonts(mplayer_t)
59
60 userdom_use_user_terminals(mplayer_t)
61 -userdom_manage_user_tmp_dirs(mplayer_t)
62 -userdom_manage_user_tmp_files(mplayer_t)
63 -userdom_manage_user_home_content_dirs(mplayer_t)
64 -userdom_manage_user_home_content_files(mplayer_t)
65 -userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
66
67 -ifndef(`enable_mls',`',`
68 +xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
69 +
70 +ifdef(`distro_gentoo',`
71 + alsa_domain(mplayer_t, mplayer_tmpfs_t)
72 +
73 + xdg_manage_videos_home(mplayer_t)
74 +
75 + tunable_policy(`mplayer_read_user_content',`
76 + userdom_read_user_home_content_files(mplayer_t)
77 + userdom_read_user_home_content_symlinks(mplayer_t)
78 + ')
79 +
80 + tunable_policy(`mplayer_manage_user_content',`
81 + userdom_manage_user_tmp_dirs(mplayer_t)
82 + userdom_manage_user_tmp_files(mplayer_t)
83 + userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
84 +
85 + userdom_manage_user_home_content_dirs(mplayer_t)
86 + userdom_manage_user_home_content_files(mplayer_t)
87 +
88 + userdom_write_user_tmp_sockets(mplayer_t)
89 + ')
90 +')
91 +
92 +ifndef(`enable_mls',`
93 fs_list_dos(mplayer_t)
94 fs_read_dos_files(mplayer_t)
95 - fs_read_iso9660_files(mplayer_t)
96 +
97 + fs_search_removable(mplayer_t)
98 fs_read_removable_files(mplayer_t)
99 fs_read_removable_symlinks(mplayer_t)
100 - fs_search_removable(mplayer_t)
101 +
102 + fs_read_iso9660_files(mplayer_t)
103 ')
104
105 tunable_policy(`allow_execmem',`
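Review bot: `xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)` and `alsa_domain(mplayer_t, mplayer_tmpfs_t)` are now called outside any `optional_policy()`, whereas the removed lines had both wrapped; refpolicy's convention is that interfaces of other modules are only called inside `optional_policy(`...`')`, otherwise this module fails to build whenever the xserver or alsa module is not built, so each call should get its wrapper back. Separately, rewriting `ifndef(`enable_mls',`',`` as the two-argument `ifndef(`enable_mls',`` changes which branch carries the fs_* rules: if refpolicy's `ifndef` follows its (name, not-defined, defined) form, the DOS/ISO9660/removable-media reads move from MLS-only to non-MLS-only, which is not mentioned in the commit message and deserves a sentence there if intended. Also, with every userdom_* home and tmp rule now behind `distro_gentoo` and a default-false manage boolean, a non-Gentoo build of this file leaves mplayer_t with no user home or tmp access beyond the nfs/cifs tunables; worth a comment above the `ifdef` stating that this is deliberate. The `tunable_policy(`allow_execmem',` block at the end continues outside the hunk.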
106 @@ -225,6 +261,7 @@ tunable_policy(`use_nfs_home_dirs',`
107 fs_manage_nfs_files(mplayer_t)
108 fs_manage_nfs_symlinks(mplayer_t)
109 ')
110 +
111 tunable_policy(`use_samba_home_dirs',`
112 fs_manage_cifs_dirs(mplayer_t)
113 fs_manage_cifs_files(mplayer_t)
114 @@ -236,7 +273,6 @@ tunable_policy(`allow_mplayer_execstack',`
115 ')
116
117 optional_policy(`
118 - alsa_domain(mplayer_t, mplayer_tmpfs_t)
119 alsa_read_rw_config(mplayer_t)
120 ')
121
122 @@ -245,7 +281,3 @@ optional_policy(`
123 pulseaudio_stream_connect(mplayer_t)
124 pulseaudio_signull(mplayer_t)
125 ')
126 -
127 -optional_policy(`
128 - xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
129 -')