From mboxrd@z Thu Jan 1 00:00:00 1970 From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 19 Sep 2016 13:15:44 +0200 Subject: [refpolicy] [PATCH v3] gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution In-Reply-To: <1473945982.12561.0.camel@trentalancia.net> References: <1473937414.22997.3.camel@trentalancia.net> <1473945982.12561.0.camel@trentalancia.net> Message-ID: <1474283744.10971.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Add a new gstreamer_orcexec_t type and file context to the gnome module in order to support the OIL Runtime Compiler (ORC) optimized code execution (used for example by pulseaudio). Add optional policy to the pulseaudio module to support the ORC optimized code execution. This patch has been anticipated a few weeks ago as part of a larger gnome patch. It has now been split as a smaller patch, as required. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/gnome.fc | 5 + policy/modules/contrib/gnome.if | 98 +++++++++++++++++++++++++++++++++++ policy/modules/contrib/gnome.te | 3 + policy/modules/contrib/pulseaudio.te | 6 ++ 4 files changed, 112 insertions(+) --- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-08-14 21:28:11.493519589 +0200 +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 2016-09-15 12:45:49.974216884 +0200 @@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0) HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0) + /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0) /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0) @@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0) --- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-08-14 21:28:11.493519589 +0200 +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 2016-09-19 13:03:01.904972915 +0200 @@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',` ######################################## ##

+## Create objects in user home +## directories with the gstreamer +## orcexec type. +##

+## +##

+## Domain allowed access. +##

+## +## +##

+## Class of the object being created. +##

+## +## +##

+## The name of the object being created. +##

+## +# +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +##

+## Create objects in the user +## runtime directories with the +## gstreamer orcexec type. +##

+## +##

+## Domain allowed access. +##

+## +## +##

+## Class of the object being created. +##

+## +## +##

+## The name of the object being created. +##

+## +# +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3) +') + +######################################## +##

## Read generic gnome keyring home files. ##

## @@ -735,3 +795,41 @@ interface(`gnome_stream_connect_all_gkey files_search_tmp($1) stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ') + +######################################## +##

+## Manage gstreamer ORC optimized +## code. +##

+## +##

+## Domain allowed access. +##

+## +# +interface(`gnome_manage_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + allow $1 gstreamer_orcexec_t:file manage_file_perms; +') + +######################################## +##

+## Mmap gstreamer ORC optimized +## code. +##

+## +##

+## Domain allowed access. +##

+## +# +interface(`gnome_mmap_gstreamer_orcexec',` + gen_require(` + type gstreamer_orcexec_t; + ') + + allow $1 gstreamer_orcexec_t:file mmap_file_perms; +') --- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016-08-14 21:28:11.494519604 +0200 +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 2016-09-15 12:51:26.107456172 +0200 @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ type gnome_keyring_tmp_t; userdom_user_tmp_file(gnome_keyring_tmp_t) +type gstreamer_orcexec_t; +application_executable_file(gstreamer_orcexec_t) + ############################## # # Common local Policy --- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te 2016-08-15 23:39:24.063783236 +0200 +++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te 2016-09-19 13:06:10.485531536 +0200 @@ -193,6 +193,12 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(pulseaudio_t) + + # OIL Runtime Compiler (ORC) optimized code execution + gnome_manage_gstreamer_orcexec(pulseaudio_t) + gnome_mmap_gstreamer_orcexec(pulseaudio_t) + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file) + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file) ') optional_policy(`