All of lore.kernel.org
 help / color / mirror / Atom feed
* [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions
@ 2016-12-17 16:49 Guido Trentalancia
  2016-12-18 22:29 ` Chris PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Guido Trentalancia @ 2016-12-17 16:49 UTC (permalink / raw)
  To: refpolicy

The X Display Manager (XDM) does not normally require execheap
and execmem permissions.

Modify the current xserver module so that execheap and/or
execmem are enabled only when the global booleans allow_execheap
and/or allow_execmem are enabled.

This applies only to systems other than RedHat.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/services/xserver.te |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/policy/modules/services/xserver.te	2016-12-07 13:39:08.670449307 +0100
+++ b/policy/modules/services/xserver.te	2016-12-17 17:23:59.955264997 +0100
@@ -584,7 +584,14 @@ optional_policy(`
 	unconfined_domtrans(xdm_t)
 
 	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
+		tunable_policy(`allow_execheap',`
+			allow xdm_t self:process execheap;
+		')
+
+		# gnome-shell in gdm mode requires execmem
+		tunable_policy(`allow_execmem',`
+			allow xdm_t self:process execmem;
+		')
 	')
 ')
 

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions
  2016-12-17 16:49 [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions Guido Trentalancia
@ 2016-12-18 22:29 ` Chris PeBenito
  2016-12-18 22:35   ` Guido Trentalancia
  0 siblings, 1 reply; 3+ messages in thread
From: Chris PeBenito @ 2016-12-18 22:29 UTC (permalink / raw)
  To: refpolicy

On 12/17/16 11:49, Guido Trentalancia via refpolicy wrote:
> The X Display Manager (XDM) does not normally require execheap
> and execmem permissions.
>
> Modify the current xserver module so that execheap and/or
> execmem are enabled only when the global booleans allow_execheap
> and/or allow_execmem are enabled.
>
> This applies only to systems other than RedHat.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/services/xserver.te |    9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/services/xserver.te	2016-12-07 13:39:08.670449307 +0100
> +++ b/policy/modules/services/xserver.te	2016-12-17 17:23:59.955264997 +0100
> @@ -584,7 +584,14 @@ optional_policy(`
>  	unconfined_domtrans(xdm_t)
>
>  	ifndef(`distro_redhat',`
> -		allow xdm_t self:process { execheap execmem };
> +		tunable_policy(`allow_execheap',`
> +			allow xdm_t self:process execheap;
> +		')
> +
> +		# gnome-shell in gdm mode requires execmem
> +		tunable_policy(`allow_execmem',`
> +			allow xdm_t self:process execmem;
> +		')
>  	')
>  ')

I't probably should just be removed from the ifndef, if the rules are 
conditional.

A more important question is if xserver actually still needs these perms.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions
  2016-12-18 22:29 ` Chris PeBenito
@ 2016-12-18 22:35   ` Guido Trentalancia
  0 siblings, 0 replies; 3+ messages in thread
From: Guido Trentalancia @ 2016-12-18 22:35 UTC (permalink / raw)
  To: refpolicy

Hello! 

It only needs execmem when gnome-shell runs in gdm mode. 

Regards, 

Guido 

On the 18th of December 2016 23:29:05 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>On 12/17/16 11:49, Guido Trentalancia via refpolicy wrote:
>> The X Display Manager (XDM) does not normally require execheap
>> and execmem permissions.
>>
>> Modify the current xserver module so that execheap and/or
>> execmem are enabled only when the global booleans allow_execheap
>> and/or allow_execmem are enabled.
>>
>> This applies only to systems other than RedHat.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/services/xserver.te |    9 ++++++++-
>>  1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> --- a/policy/modules/services/xserver.te	2016-12-07
>13:39:08.670449307 +0100
>> +++ b/policy/modules/services/xserver.te	2016-12-17
>17:23:59.955264997 +0100
>> @@ -584,7 +584,14 @@ optional_policy(`
>>  	unconfined_domtrans(xdm_t)
>>
>>  	ifndef(`distro_redhat',`
>> -		allow xdm_t self:process { execheap execmem };
>> +		tunable_policy(`allow_execheap',`
>> +			allow xdm_t self:process execheap;
>> +		')
>> +
>> +		# gnome-shell in gdm mode requires execmem
>> +		tunable_policy(`allow_execmem',`
>> +			allow xdm_t self:process execmem;
>> +		')
>>  	')
>>  ')
>
>I't probably should just be removed from the ifndef, if the rules are 
>conditional.
>
>A more important question is if xserver actually still needs these
>perms.

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-12-18 22:35 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-17 16:49 [refpolicy] [PATCH] xserver: curb on execheap and execmem permissions Guido Trentalancia
2016-12-18 22:29 ` Chris PeBenito
2016-12-18 22:35   ` Guido Trentalancia

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.