From mboxrd@z Thu Jan 1 00:00:00 1970
From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 27 Sep 2016 17:01:40 +0200
Subject: [refpolicy] [PATCH v3] gnome: add support for the OIL Runtime Compiler (ORC) optimized code execution
In-Reply-To: <28b4e09b-c69d-bf7d-844a-4a0ad7319bd0@ieee.org>
References: <1473937414.22997.3.camel@trentalancia.net> <1473945982.12561.0.camel@trentalancia.net> <1474283744.10971.1.camel@trentalancia.net> <28b4e09b-c69d-bf7d-844a-4a0ad7319bd0@ieee.org>
Message-ID: <1474988500.2265.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

I have checked the current git tree, but unfortunately I couldn't find
any trace of this patch.

Can you please double-check that it has been applied?

Thanks,

Guido

On Mon, 19/09/2016 at 18.36 -0400, Chris PeBenito wrote:
> On 09/19/16 07:15, Guido Trentalancia via refpolicy wrote:
> >
> > Add a new gstreamer_orcexec_t type and file context to the gnome
> > module in order to support the OIL Runtime Compiler (ORC) optimized
> > code execution (used for example by pulseaudio).
> >
> > Add optional policy to the pulseaudio module to support the ORC
> > optimized code execution.
> >
> > This patch has been anticipated a few weeks ago as part of a
> > larger gnome patch. It has now been split as a smaller patch,
> > as required.
>
> Merged.
> >
> >
> > Signed-off-by: Guido Trentalancia
> > --- > > ?policy/modules/contrib/gnome.fc??????|????5 + > > ?policy/modules/contrib/gnome.if??????|???98 > > +++++++++++++++++++++++++++++++++++ > > ?policy/modules/contrib/gnome.te??????|????3 + > > ?policy/modules/contrib/pulseaudio.te |????6 ++ > > ?4 files changed, 112 insertions(+) > > > > --- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016- > > 08-14 21:28:11.493519589 +0200 > > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 20 > > 16-09-15 12:45:49.974216884 +0200 
> > @@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst > > ?HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:objec > > t_r:gnome_keyring_home_t,s0) > > ?HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object > > _r:gnome_home_t,s0) > > > > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreame > > r_orcexec_t,s0) > > + > > ?/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t, > > s0) > > > > ?/tmp/gconfd-USER/.* -- gen_context(system_u:object_r > > :gconf_tmp_t,s0) > > @@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont > > > > ?/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_ > > u:object_r:gconfd_exec_t,s0) > > ?/usr/libexec/gconfd-2 -- gen_context(system_u:object > > _r:gconfd_exec_t,s0) > > + > > +/var/run/user/[^/]*/orcexec\..* -- gen_context(syste > > m_u:object_r:gstreamer_orcexec_t,s0) > > +/var/run/user/%{USERID}/orcexec\..* -- gen_context(s > > ystem_u:object_r:gstreamer_orcexec_t,s0) > > --- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016- > > 08-14 21:28:11.493519589 +0200 > > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 20 > > 16-09-19 13:03:01.904972915 +0200 
> > @@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',` > > > > ?######################################## > > ?## > > +## Create objects in user home > > +## directories with the gstreamer > > +## orcexec type. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Class of the object being created. > > +## > > +## > > +## > > +## > > +## The name of the object being created. > > +## > > +## > > +# > > +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, > > $2, $3) > > +') > > + > > +######################################## > > +## > > +## Create objects in the user > > +## runtime directories with the > > +## gstreamer orcexec type. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +## > > +## > > +## Class of the object being created. > > +## > > +## > > +## > > +## > > +## The name of the object being created. > > +## > > +## > > +# > > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, > > $2, $3) > > +') > > + > > +######################################## > > +## > > ?## Read generic gnome keyring home files. > > ?## > > ?## 
> > @@ -735,3 +795,41 @@ interface(`gnome_stream_connect_all_gkey > > ? files_search_tmp($1) > > ? stream_connect_pattern($1, gnome_keyring_tmp_t, > > gnome_keyring_tmp_t, gkeyringd_domain) > > ?') > > + > > +######################################## > > +## > > +## Manage gstreamer ORC optimized > > +## code. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`gnome_manage_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + allow $1 gstreamer_orcexec_t:file manage_file_perms; > > +') > > + > > +######################################## > > +## > > +## Mmap gstreamer ORC optimized > > +## code. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`gnome_mmap_gstreamer_orcexec',` > > + gen_require(` > > + type gstreamer_orcexec_t; > > + ') > > + > > + allow $1 gstreamer_orcexec_t:file mmap_file_perms; > > +') > > --- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016- > > 08-14 21:28:11.494519604 +0200 > > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 20 > > 16-09-15 12:51:26.107456172 +0200 > > @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_ > > ?type gnome_keyring_tmp_t; > > ?userdom_user_tmp_file(gnome_keyring_tmp_t) > > > > +type gstreamer_orcexec_t; > > +application_executable_file(gstreamer_orcexec_t) > > + > > ?############################## > > ?# > > ?# Common local Policy > > --- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te > > 2016-08-15 23:39:24.063783236 +0200 > > +++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te > > 2016-09-19 13:06:10.485531536 +0200 
> > @@ -193,6 +193,12 @@ optional_policy(` > > > > ?optional_policy(` > > ? gnome_stream_connect_gconf(pulseaudio_t) > > + > > + # OIL Runtime Compiler (ORC) optimized code execution > > + gnome_manage_gstreamer_orcexec(pulseaudio_t) > > + gnome_mmap_gstreamer_orcexec(pulseaudio_t) > > + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_ > > t, file) > > + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio > > _t, file) > > ?') > > > > ?optional_policy(` > > >
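Review bot: In the first gnome.fc hunk, the new HOME_DIR/orcexec\..* entry has no object-class specifier, while the two /var/run/user entries added further down use "--". As written, the home-directory pattern labels any matching object (directories, symlinks, sockets) as gstreamer_orcexec_t, although the interfaces in this patch only grant permissions on the file class. Adding "--" to the HOME_DIR entry would keep the executable label confined to regular files and make the three entries consistent.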
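Review bot: In the second gnome.fc hunk, /var/run/user/[^/]*/orcexec\..* already matches every per-user directory name, so the following /var/run/user/%{USERID}/orcexec\..* entry looks redundant with it. If both are needed (for example because the %{USERID} form is expanded per user and has to win on specificity), a short comment above the pair would explain why; otherwise one of the two can be dropped.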
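Review bot: In the gnome.if hunk at @@ -735, gnome_manage_gstreamer_orcexec and gnome_mmap_gstreamer_orcexec are meant to be granted together (the pulseaudio.te hunk does exactly that), which gives one domain both write access and mapping access to the same files. That is what a runtime compiler needs, but the summaries only say "Manage" and "Mmap" and do not state that the combination lets the caller create code and then map it. The interface documentation should say so explicitly, so that a reviewer of a later caller sees that assigning both interfaces is a deliberate exception and not a routine file grant.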
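Review bot: In the gnome.te hunk, gstreamer_orcexec_t is declared only with application_executable_file(), yet the file contexts place it in user home and user runtime directories. The neighbouring types in the context lines are registered with userdom_user_home_content() and userdom_user_tmp_file(); without an equivalent declaration for the new type, it is worth checking that user domains can still list, relabel and remove leftover orcexec.* files in their own directories.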
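Review bot: In the pulseaudio.te hunk, both filetrans interfaces are called with only two arguments, "(pulseaudio_t, file)", so the name parameter ($3 in gnome.if) is empty and the transition is not restricted to orcexec.* names. Every regular file pulseaudio_t creates directly in the user home directory or the user runtime directory will therefore get the executable gstreamer_orcexec_t label, not only the ORC code files that the gnome.fc patterns describe. Please confirm that pulseaudio creates no other files directly in those two directories and that no existing type transition for pulseaudio_t on the same directories and class conflicts with these; a comment next to the calls stating why an unnamed transition is used would help.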