commit: 6e50d6f81946eeb21cfec280182f0ff875a9e5e8
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jan 6 14:56:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:06:20 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e50d6f8
update alsa module
policy/modules/contrib/alsa.fc | 31 ++++++++++++++---------------
policy/modules/contrib/alsa.if | 8 --------
policy/modules/contrib/alsa.te | 44 ++++++++++++++----------------------------
3 files changed, 29 insertions(+), 54 deletions(-)
diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index f26e2392..0f9e5196 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -1,25 +1,22 @@
-HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+HOME_DIR/\.asoundrc --
gen_context(system_u:object_r:alsa_home_t,s0)
-ifdef(`distro_debian',`
-/\.config(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
-')
+/etc/alsa(/.*)?
gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf --
gen_context(system_u:object_r:alsa_etc_t,s0)
-/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
-/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)
+/run/alsa(/.*)?
gen_context(system_u:object_r:alsa_runtime_t,s0)
-# Systemd unit files
-/usr/lib/systemd/system/[^/]*alsa-restore.* --
gen_context(system_u:object_r:alsa_unit_t,s0)
-/usr/lib/systemd/system/[^/]*alsa-state.* --
gen_context(system_u:object_r:alsa_unit_t,s0)
-/usr/lib/systemd/system/[^/]*alsa-store.* --
gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/bin/ainit --
gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/bin/alsaunmute --
gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-restore.* --
gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-state.* --
gen_context(system_u:object_r:alsa_unit_t,s0)
+/usr/lib/systemd/system/[^/]*alsa-store.* --
gen_context(system_u:object_r:alsa_unit_t,s0)
-/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/sbin/alsactl --
gen_context(system_u:object_r:alsa_exec_t,s0)
+/usr/sbin/salsa --
gen_context(system_u:object_r:alsa_exec_t,s0)
-/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/usr/share/alsa(/.*)?
gen_context(system_u:object_r:alsa_etc_t,s0)
-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
+/var/lib/alsa(/.*)?
gen_context(system_u:object_r:alsa_var_lib_t,s0)
-/var/lock/asound\.state\.lock --
gen_context(system_u:object_r:alsa_var_lock_t,s0)
+/var/lock/asound\.state\.lock --
gen_context(system_u:object_r:alsa_var_lock_t,s0)
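Review bot: The `/etc/asound\.conf` entry now carries the `--` qualifier, so only a regular file at that path is labelled alsa_etc_t, whereas the removed entry matched any object class at that path, including a symlink. If a site keeps /etc/asound.conf as a link to a file under /etc/alsa or /usr/share/alsa, the link presumably keeps the generic etc label after relabel, and domains using alsa_read_config() would then hit a denial on the link rather than on alsa_etc_t; this narrowing is not mentioned in the commit message and deserves either a sentence there or the qualifier dropped if links are meant to stay covered. The rest of the hunk is reordering plus the new `/run/alsa(/.*)?` entry, which pairs with the alsa_runtime_t rules in alsa.te.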
diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 9ffed049..d50f5e33 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -135,10 +135,6 @@ interface(`alsa_read_config',`
allow $1 alsa_etc_t:dir list_dir_perms;
read_files_pattern($1, alsa_etc_t, alsa_etc_t)
read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
-
- ifdef(`distro_debian',`
- files_search_usr($1)
- ')
')
########################################
@@ -176,10 +172,6 @@ interface(`alsa_manage_config',`
allow $1 alsa_etc_t:dir list_dir_perms;
manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
-
- ifdef(`distro_debian',`
- files_search_usr($1)
- ')
')
########################################
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index f82e39ca..ed579965 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -15,6 +15,12 @@ role alsa_roles types alsa_t;
type alsa_etc_t alias alsa_etc_rw_t;
files_config_file(alsa_etc_t)
+type alsa_home_t;
+userdom_user_home_content(alsa_home_t)
+
+type alsa_runtime_t;
+files_pid_file(alsa_runtime_t)
+
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
@@ -30,16 +36,14 @@ files_type(alsa_var_lib_t)
type alsa_var_lock_t;
files_lock_file(alsa_var_lock_t)
-type alsa_home_t;
-userdom_user_home_content(alsa_home_t)
-
########################################
#
# Local policy
#
allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid
setuid };
-dontaudit alsa_t self:capability sys_admin;
+# kill : kill pulseaudio
+dontaudit alsa_t self:capability { kill sys_admin };
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
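Review bot: The comment `# kill : kill pulseaudio` above the new dontaudit reads like a justification for granting the capability, but the rule silently denies it, and the Debian-only block further down in this file drops its `allow alsa_t self:capability kill;` in the same commit, so Debian loses the permission here without any audit record of the attempt. The comment should say which of the two is intended, e.g. `# kill: alsactl tries to signal pulseaudio; not required, so the attempt is denied quietly`. If the signal really is needed for the Debian restore flow, an allow under the distro_debian conditional is the right form rather than a global dontaudit, since a dontaudit hides exactly the denial that would tell you it was needed.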
@@ -52,6 +56,10 @@ read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
can_exec(alsa_t, alsa_exec_t)
+allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
+files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
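Review bot: alsa_t gains dir and lnk_file management on alsa_runtime_t and a dir transition under /run, but no file-class rule, while the matching alsa.fc entry `/run/alsa(/.*)?` labels everything below that directory. Any regular file alsactl creates there would inherit alsa_runtime_t and every file-class access on it would be denied; if the directory is meant to hold only symlinks, say so next to these rules, e.g. `# /run/alsa holds only the directory and symlinks; no file rules by design`, so the next reader does not add manage_files_pattern reflexively, and if files are written there the rule is missing. Style-wise the pair could be written as `manage_dirs_pattern(alsa_t, alsa_runtime_t, alsa_runtime_t)` and `manage_lnk_files_pattern(alsa_t, alsa_runtime_t, alsa_runtime_t)`, matching the alsa_tmp_t block directly below. Whether alsa_t is entered via an init interface that affects this is outside the hunk.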
@@ -71,6 +79,7 @@ kernel_read_system_state(alsa_t)
corecmd_exec_bin(alsa_t)
dev_getattr_fs(alsa_t)
+dev_read_input(alsa_t)
dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
dev_read_urand(alsa_t)
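Review bot: `dev_read_input(alsa_t)` grants read access to every input event device, which covers keyboards and mice as well as any sound-related input nodes, and the hunk gives no reason for a grant that is much wider than the dev_read_sound/dev_write_sound lines around it. Add a why-comment naming the feature that needs it, e.g. `# dev_read_input: <reason, e.g. which alsactl feature reads /dev/input event nodes>` (reason to be filled in by the author), so the scope is reviewable and can be narrowed later if a more specific device type exists. If the need only arises on one distribution, the rule belongs under that distro conditional rather than in the common policy.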
@@ -79,14 +88,14 @@ dev_write_sound(alsa_t)
files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
+fs_getattr_tmpfs(alsa_t)
+
term_dontaudit_use_console(alsa_t)
term_dontaudit_use_generic_ptys(alsa_t)
term_dontaudit_use_all_ptys(alsa_t)
auth_use_nsswitch(alsa_t)
-init_use_fds(alsa_t)
-
logging_send_syslog_msg(alsa_t)
miscfiles_read_localization(alsa_t)
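Review bot: Dropping `init_use_fds(alsa_t)` is only safe if alsa_t is entered from init through an interface that already grants use of init's descriptors, as init_daemon_domain normally does; the domain-entry rule is outside this hunk, so that cannot be confirmed from here. alsactl is launched by the alsa-state/alsa-restore units labelled alsa_unit_t in alsa.fc and inherits init's stdio descriptors, so if the entry is a plain domain transition the removal will surface as init_t fd use denials and the line should come back. A one-line comment on why `fs_getattr_tmpfs(alsa_t)` is needed (presumably a statfs on the tmpfs backing alsa_tmpfs_t, to be confirmed) would also help the next reader.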
@@ -95,29 +104,6 @@ userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
-ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(alsa_t)
-
- # Gnome 3.4 bug
- dev_associate(alsa_tmpfs_t)
-
- allow alsa_t self:capability kill;
-
- manage_lnk_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
- files_root_filetrans(alsa_t, alsa_var_lib_t, dir, ".config")
-
- fs_list_tmpfs(alsa_t)
-
- optional_policy(`
- dbus_read_lib_files(alsa_t)
- ')
-
- optional_policy(`
- pulseaudio_run(alsa_t, system_r)
- pulseaudio_tmpfs_content(alsa_tmpfs_t)
- ')
-')
-
optional_policy(`
hal_use_fds(alsa_t)
hal_write_log(alsa_t)