commit: 31afb6134c5d0dca49042de96801d28601a905d3 Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com> AuthorDate: Sat Sep 10 16:26:46 2016 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Mon Oct 3 06:06:32 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31afb613
mozilla: let mozilla play audio Let mozilla play audio: - add new interfaces to the pulseaudio module; - let mozilla read alsa configuration files; - add further permissions to mozilla needed to use pulseaudio to play audio. Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net> policy/modules/contrib/mozilla.te | 9 +++++ policy/modules/contrib/pulseaudio.if | 77 ++++++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+) diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te index cd1aea3..ca45f5c 100644 --- a/policy/modules/contrib/mozilla.te +++ b/policy/modules/contrib/mozilla.te @@ -217,6 +217,11 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + alsa_read_config(mozilla_t) + alsa_read_home_files(mozilla_t) +') + +optional_policy(` apache_read_user_scripts(mozilla_t) apache_read_user_content(mozilla_t) ') @@ -269,6 +274,8 @@ optional_policy(` optional_policy(` pulseaudio_run(mozilla_t, mozilla_roles) + pulseaudio_rw_tmpfs_files(mozilla_t) + pulseaudio_use_fds(mozilla_t) ') optional_policy(` @@ -493,6 +500,8 @@ optional_policy(` optional_policy(` pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) + pulseaudio_rw_tmpfs_files(mozilla_plugin_t) + pulseaudio_use_fds(mozilla_plugin_t) ') optional_policy(` diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if index f057680..11238f2 100644 --- a/policy/modules/contrib/pulseaudio.if +++ b/policy/modules/contrib/pulseaudio.if 
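Review bot: In policy/modules/contrib/mozilla.te, the hunk at -269 adds `pulseaudio_rw_tmpfs_files(mozilla_t)` and the hunk at -493 adds the same call for `mozilla_plugin_t`, so both browser domains gain write as well as read access to files labelled `pulseaudio_tmpfs_t` (presumably the sound server's shared-memory segments). The commit description does not say which denials made write access necessary, and the same commit introduces a read-only `pulseaudio_read_tmpfs_files` that nothing calls. If the logged AVC denials were only for read and open, `pulseaudio_read_tmpfs_files(mozilla_plugin_t)` (and likewise for `mozilla_t`) would keep the domains that process untrusted web content at least privilege. Otherwise, a one-line comment above each call recording why write is needed would help later audits.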
@@ -371,3 +371,80 @@ interface(`pulseaudio_client_domain',`
 pulseaudio_domtrans($1)
 pulseaudio_tmpfs_content($2)
 ')
+
+#######################################
+## <summary>
+## Read pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_read_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+## <summary>
+## Read and write pulseaudio tmpfs
+## files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Use file descriptors for
+## pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
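Review bot: The parameter summary of `pulseaudio_dontaudit_use_fds` says "Domain allowed access.", but its body is a `dontaudit` rule that grants nothing and only suppresses the audit record. The usual refpolicy wording for such an interface is `## Domain to not audit.`; with the current text, someone reading the generated interface documentation could mistake it for a grant. Separately, `pulseaudio_read_tmpfs_files` and `pulseaudio_dontaudit_use_fds` have no caller in this commit, so it is worth checking that each is exercised by at least one policy build before relying on it.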