* [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions
@ 2016-12-17 16:49 Guido Trentalancia
2016-12-18 22:29 ` Chris PeBenito
0 siblings, 1 reply; 3+ messages in thread
From: Guido Trentalancia @ 2016-12-17 16:49 UTC (permalink / raw)
To: refpolicy
The X Display Manager (XDM) does not normally require execheap
and execmem permissions.
Modify the current xserver module so that execheap and/or
execmem are enabled only when the global booleans allow_execheap
and/or allow_execmem are enabled.
This applies only to systems other than RedHat.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/services/xserver.te | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/policy/modules/services/xserver.te 2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.te 2016-12-17 17:23:59.955264997 +0100
@@ -584,7 +584,14 @@ optional_policy(`
unconfined_domtrans(xdm_t)
ifndef(`distro_redhat',`
- allow xdm_t self:process { execheap execmem };
+ tunable_policy(`allow_execheap',`
+ allow xdm_t self:process execheap;
+ ')
+
+ # gnome-shell in gdm mode requires execmem
+ tunable_policy(`allow_execmem',`
+ allow xdm_t self:process execmem;
+ ')
')
')
^ permalink raw reply [flat|nested] 3+ messages in thread
* [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions
2016-12-17 16:49 [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions Guido Trentalancia
@ 2016-12-18 22:29 ` Chris PeBenito
2016-12-18 22:35 ` Guido Trentalancia
0 siblings, 1 reply; 3+ messages in thread
From: Chris PeBenito @ 2016-12-18 22:29 UTC (permalink / raw)
To: refpolicy
On 12/17/16 11:49, Guido Trentalancia via refpolicy wrote:
> The X Display Manager (XDM) does not normally require execheap
> and execmem permissions.
>
> Modify the current xserver module so that execheap and/or
> execmem are enabled only when the global booleans allow_execheap
> and/or allow_execmem are enabled.
>
> This applies only to systems other than RedHat.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
> policy/modules/services/xserver.te | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/services/xserver.te 2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.te 2016-12-17 17:23:59.955264997 +0100
> @@ -584,7 +584,14 @@ optional_policy(`
> unconfined_domtrans(xdm_t)
>
> ifndef(`distro_redhat',`
> - allow xdm_t self:process { execheap execmem };
> + tunable_policy(`allow_execheap',`
> + allow xdm_t self:process execheap;
> + ')
> +
> + # gnome-shell in gdm mode requires execmem
> + tunable_policy(`allow_execmem',`
> + allow xdm_t self:process execmem;
> + ')
> ')
> ')
I't probably should just be removed from the ifndef, if the rules are
conditional.
A more important question is if xserver actually still needs these perms.
--
Chris PeBenito
^ permalink raw reply [flat|nested] 3+ messages in thread
* [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions
2016-12-18 22:29 ` Chris PeBenito
@ 2016-12-18 22:35 ` Guido Trentalancia
0 siblings, 0 replies; 3+ messages in thread
From: Guido Trentalancia @ 2016-12-18 22:35 UTC (permalink / raw)
To: refpolicy
Hello!
It only needs execmem when gnome-shell runs in gdm mode.
Regards,
Guido
On the 18th of December 2016 23:29:05 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>On 12/17/16 11:49, Guido Trentalancia via refpolicy wrote:
>> The X Display Manager (XDM) does not normally require execheap
>> and execmem permissions.
>>
>> Modify the current xserver module so that execheap and/or
>> execmem are enabled only when the global booleans allow_execheap
>> and/or allow_execmem are enabled.
>>
>> This applies only to systems other than RedHat.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>> policy/modules/services/xserver.te | 9 ++++++++-
>> 1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> --- a/policy/modules/services/xserver.te 2016-12-07
>13:39:08.670449307 +0100
>> +++ b/policy/modules/services/xserver.te 2016-12-17
>17:23:59.955264997 +0100
>> @@ -584,7 +584,14 @@ optional_policy(`
>> unconfined_domtrans(xdm_t)
>>
>> ifndef(`distro_redhat',`
>> - allow xdm_t self:process { execheap execmem };
>> + tunable_policy(`allow_execheap',`
>> + allow xdm_t self:process execheap;
>> + ')
>> +
>> + # gnome-shell in gdm mode requires execmem
>> + tunable_policy(`allow_execmem',`
>> + allow xdm_t self:process execmem;
>> + ')
>> ')
>> ')
>
>I't probably should just be removed from the ifndef, if the rules are
>conditional.
>
>A more important question is if xserver actually still needs these
>perms.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-12-18 22:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-17 16:49 [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions Guido Trentalancia
2016-12-18 22:29 ` Chris PeBenito
2016-12-18 22:35 ` Guido Trentalancia
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.