From 0a78bb05ebe4faeae6bc76f4d5a3a003bdc94cd0 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Sun, 8 Aug 2021 12:16:19 -0400 Subject: [PATCH] pulseaudio, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge --- policy/modules/apps/pulseaudio.if | 39 +++++++++++++++++++++-------- policy/modules/roles/staff.te | 2 +- policy/modules/roles/unprivuser.te | 2 +- policy/modules/system/userdomain.if | 2 +- 4 files changed, 32 insertions(+), 13 deletions(-) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if index 4fe32c93c..ea109ee96 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -4,29 +4,41 @@ ## ## Role access for pulseaudio. ## -## +## ## -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## ## User domain for the role. ## ## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## # -interface(`pulseaudio_role',` +template(`pulseaudio_role',` gen_require(` attribute pulseaudio_tmpfsfile; type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; type pulseaudio_tmp_t; ') - pulseaudio_run($2, $1) + pulseaudio_run($2, $4) + pulseaudio_domtrans($3) - allow $2 pulseaudio_t:process { ptrace signal_perms }; - allow $2 pulseaudio_t:fd use; - ps_process_pattern($2, pulseaudio_t) + allow $3 pulseaudio_t:process { ptrace signal_perms }; + allow $3 pulseaudio_t:fd use; + ps_process_pattern($3, pulseaudio_t) allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; 
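Review bot: In `pulseaudio_role` (policy/modules/apps/pulseaudio.if), `allow $3 pulseaudio_t:process { ptrace signal_perms };` now grants ptrace on pulseaudio_t to every type carrying the exec-domain attribute, where the old rule granted it only to the user domain `$2`. Which types carry `$1_application_exec_domain` is not visible in this patch, so the widening may be larger than intended. The same applies to `allow pulseaudio_t $3:unix_stream_socket connectto;` and `allow pulseaudio_t $3:process signull;` in the next hunk. If the exec domains only need to transition and signal, I would keep ptrace on the user domain: `allow $2 pulseaudio_t:process ptrace;` and `allow $3 pulseaudio_t:process signal_perms;`. The template body continues past this hunk.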
@@ -39,8 +51,12 @@ interface(`pulseaudio_role',`
 allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
 allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
- allow pulseaudio_t $2:unix_stream_socket connectto;
- allow pulseaudio_t $2:process signull;
+ allow pulseaudio_t $3:unix_stream_socket connectto;
+ allow pulseaudio_t $3:process signull;
+
+ optional_policy(`
+ systemd_user_app_status($1, pulseaudio_t)
+ ')
 ')
 ########################################
@@ -84,9 +100,12 @@ interface(`pulseaudio_domtrans',`
 #
 interface(`pulseaudio_run',`
 gen_require(`
+ attribute pulseaudio_client;
 attribute_role pulseaudio_roles;
 ')
+ typeattribute $1 pulseaudio_client;
+
 pulseaudio_domtrans($1)
 roleattribute $2 pulseaudio_roles;
 ')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 3dbd82c2f..84ee2ae3d 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -151,7 +151,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- pulseaudio_role(staff_r, staff_t)
+ pulseaudio_role(staff, staff_t, staff_application_exec_domain, staff_r)
 ')
 optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index c11f7faeb..b7cec5976 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -123,7 +123,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- pulseaudio_role(user_r, user_t)
+ pulseaudio_role(user, user_t, user_application_exec_domain, user_r)
 ')
 optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 456c54163..6e6d21429 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1146,7 +1146,7 @@ template(`userdom_restricted_xwindows_user_template',`
 ')
 optional_policy(`
- pulseaudio_role($1_r, $1_t)
+ pulseaudio_role($1, $1_t, $1_application_exec_domain, $1_r)
 ')
 optional_policy(`
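Review bot: In `pulseaudio_run` (the `@@ -84,9 +100,12 @@` hunk of policy/modules/apps/pulseaudio.if), the added `typeattribute $1 pulseaudio_client;` makes every domain passed to this interface a pulseaudio client, not only the callers updated in this patch. The rules attached to `pulseaudio_client` are outside this diff, so each existing `pulseaudio_run` caller silently picks up whatever access that attribute carries. The interface's doc header starts above the hunk and is not updated. I would add a line to its summary such as `##	and associate the domain with the pulseaudio client attribute.`, or move the `typeattribute` into `pulseaudio_role` if only role callers need it.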