1 |
commit: 31afb6134c5d0dca49042de96801d28601a905d3 |
2 |
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com> |
3 |
AuthorDate: Sat Sep 10 16:26:46 2016 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Oct 3 06:06:32 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31afb613 |
7 |
|
8 |
mozilla: let mozilla play audio |
9 |
|
10 |
Let mozilla play audio: |
11 |
|
12 |
- add new interfaces to the pulseaudio module; |
13 |
- let mozilla read alsa configuration files; |
14 |
- add further permissions to mozilla needed to use |
15 |
pulseaudio to play audio. |
16 |
|
17 |
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net> |
18 |
|
19 |
policy/modules/contrib/mozilla.te | 9 +++++ |
20 |
policy/modules/contrib/pulseaudio.if | 77 ++++++++++++++++++++++++++++++++++++ |
21 |
2 files changed, 86 insertions(+) |
22 |
|
23 |
diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te |
24 |
index cd1aea3..ca45f5c 100644 |
25 |
--- a/policy/modules/contrib/mozilla.te |
26 |
+++ b/policy/modules/contrib/mozilla.te |
27 |
@@ -217,6 +217,11 @@ tunable_policy(`use_samba_home_dirs',` |
28 |
') |
29 |
|
30 |
optional_policy(` |
31 |
+ alsa_read_config(mozilla_t) |
32 |
+ alsa_read_home_files(mozilla_t) |
33 |
+') |
34 |
+ |
35 |
+optional_policy(` |
36 |
apache_read_user_scripts(mozilla_t) |
37 |
apache_read_user_content(mozilla_t) |
38 |
') |
39 |
@@ -269,6 +274,8 @@ optional_policy(` |
40 |
|
41 |
optional_policy(` |
42 |
pulseaudio_run(mozilla_t, mozilla_roles) |
43 |
+ pulseaudio_rw_tmpfs_files(mozilla_t) |
44 |
+ pulseaudio_use_fds(mozilla_t) |
45 |
') |
46 |
|
47 |
optional_policy(` |
48 |
@@ -493,6 +500,8 @@ optional_policy(` |
49 |
|
50 |
optional_policy(` |
51 |
pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) |
52 |
+ pulseaudio_rw_tmpfs_files(mozilla_plugin_t) |
53 |
+ pulseaudio_use_fds(mozilla_plugin_t) |
54 |
') |
55 |
|
56 |
optional_policy(` |
57 |
|
58 |
diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if |
59 |
index f057680..11238f2 100644 |
60 |
--- a/policy/modules/contrib/pulseaudio.if |
61 |
+++ b/policy/modules/contrib/pulseaudio.if |
62 |
@@ -371,3 +371,80 @@ interface(`pulseaudio_client_domain',` |
63 |
pulseaudio_domtrans($1) |
64 |
pulseaudio_tmpfs_content($2) |
65 |
') |
66 |
+ |
67 |
+####################################### |
68 |
+## <summary> |
69 |
+## Read pulseaudio tmpfs files. |
70 |
+## </summary> |
71 |
+## <param name="domain"> |
72 |
+## <summary> |
73 |
+## Domain allowed access. |
74 |
+## </summary> |
75 |
+## </param> |
76 |
+# |
77 |
+interface(`pulseaudio_read_tmpfs_files',` |
78 |
+ gen_require(` |
79 |
+ type pulseaudio_tmpfs_t; |
80 |
+ ') |
81 |
+ |
82 |
+ fs_search_tmpfs($1) |
83 |
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) |
84 |
+') |
85 |
+ |
86 |
+####################################### |
87 |
+## <summary> |
88 |
+## Read and write pulseaudio tmpfs |
89 |
+## files. |
90 |
+## </summary> |
91 |
+## <param name="domain"> |
92 |
+## <summary> |
93 |
+## Domain allowed access. |
94 |
+## </summary> |
95 |
+## </param> |
96 |
+# |
97 |
+interface(`pulseaudio_rw_tmpfs_files',` |
98 |
+ gen_require(` |
99 |
+ type pulseaudio_tmpfs_t; |
100 |
+ ') |
101 |
+ |
102 |
+ fs_search_tmpfs($1) |
103 |
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) |
104 |
+') |
105 |
+ |
106 |
+######################################## |
107 |
+## <summary> |
108 |
+## Use file descriptors for |
109 |
+## pulseaudio. |
110 |
+## </summary> |
111 |
+## <param name="domain"> |
112 |
+## <summary> |
113 |
+## Domain allowed access. |
114 |
+## </summary> |
115 |
+## </param> |
116 |
+# |
117 |
+interface(`pulseaudio_use_fds',` |
118 |
+ gen_require(` |
119 |
+ type pulseaudio_t; |
120 |
+ ') |
121 |
+ |
122 |
+ allow $1 pulseaudio_t:fd use; |
123 |
+') |
124 |
+ |
125 |
+######################################## |
126 |
+## <summary> |
127 |
+## Do not audit attempts to use the |
128 |
+## file descriptors for pulseaudio. |
129 |
+## </summary> |
130 |
+## <param name="domain"> |
131 |
+## <summary> |
132 |
+## Domain allowed access. |
133 |
+## </summary> |
134 |
+## </param> |
135 |
+# |
136 |
+interface(`pulseaudio_dontaudit_use_fds',` |
137 |
+ gen_require(` |
138 |
+ type pulseaudio_t; |
139 |
+ ') |
140 |
+ |
141 |
+ dontaudit $1 pulseaudio_t:fd use; |
142 |
+') |