Separate sound specific items frmo general entropyd

Introduce a tunable called "entropyd_use_audio". This boolean triggers the privileges that are specific for audio support (both device access as well as the alsa-specific ones). The idea to use a boolean is to support other entropy management applications/daemons which use different sources (like haveged using the HAVEGE algorithm). Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-07-20 20:59:34 +02:00 · 2011-07-20 20:59:34 +02:00 · 34aea93484
parent 95995f5048
commit 34aea93484
1 changed files with 18 additions and 7 deletions
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0)
 # Declarations
 #

+## <desc>
+## <p>
+##   Allow the use of the audio devices as the source for the entropy feeds
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
 type entropyd_t;
 type entropyd_exec_t;
 init_daemon_domain(entropyd_t, entropyd_exec_t)
@ -33,11 +40,6 @@ dev_read_urand(entropyd_t)
 dev_write_urand(entropyd_t)
 dev_read_rand(entropyd_t)
 dev_write_rand(entropyd_t)
-dev_read_sound(entropyd_t)
-# set sound card parameters such as
-# sample format, number of channels
-# and sample rate.
-dev_write_sound(entropyd_t)

 files_read_etc_files(entropyd_t)
 files_read_usr_files(entropyd_t)
@ -54,9 +56,18 @@ miscfiles_read_localization(entropyd_t)
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
 userdom_dontaudit_search_user_home_dirs(entropyd_t)

+tunable_policy(`entropyd_use_audio',`
+	dev_read_sound(entropyd_t)
+	# set sound card parameters such as sample format, number of channels
+	# and sample rate.
+	dev_write_sound(entropyd_t)
+')
+
 optional_policy(`
-	alsa_read_lib(entropyd_t)
-	alsa_read_rw_config(entropyd_t)
+	tunable_policy(`entropyd_use_audio',`
+		alsa_read_lib(entropyd_t)
+		alsa_read_rw_config(entropyd_t)
+	')
 ')

 optional_policy(`