From 34aea93484210506ca25ec8649eac4c1916532dd Mon Sep 17 00:00:00 2001 From: Sven Vermeulen Date: Wed, 20 Jul 2011 20:59:34 +0200 Subject: [PATCH] Separate sound specific items frmo general entropyd Introduce a tunable called "entropyd_use_audio". This boolean triggers the privileges that are specific for audio support (both device access as well as the alsa-specific ones). The idea to use a boolean is to support other entropy management applications/daemons which use different sources (like haveged using the HAVEGE algorithm). Signed-off-by: Sven Vermeulen --- policy/modules/services/audioentropy.te | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te index 2b348c7eb..7ece78d47 100644 --- a/policy/modules/services/audioentropy.te +++ b/policy/modules/services/audioentropy.te @@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0) # Declarations # +## +##

+## Allow the use of the audio devices as the source for the entropy feeds +##

+## +gen_tunable(entropyd_use_audio, false) + type entropyd_t; type entropyd_exec_t; init_daemon_domain(entropyd_t, entropyd_exec_t) @@ -33,11 +40,6 @@ dev_read_urand(entropyd_t) dev_write_urand(entropyd_t) dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) -dev_read_sound(entropyd_t) -# set sound card parameters such as -# sample format, number of channels -# and sample rate. -dev_write_sound(entropyd_t) files_read_etc_files(entropyd_t) files_read_usr_files(entropyd_t) @@ -54,9 +56,18 @@ miscfiles_read_localization(entropyd_t) userdom_dontaudit_use_unpriv_user_fds(entropyd_t) userdom_dontaudit_search_user_home_dirs(entropyd_t) +tunable_policy(`entropyd_use_audio',` + dev_read_sound(entropyd_t) + # set sound card parameters such as sample format, number of channels + # and sample rate. + dev_write_sound(entropyd_t) +') + optional_policy(` - alsa_read_lib(entropyd_t) - alsa_read_rw_config(entropyd_t) + tunable_policy(`entropyd_use_audio',` + alsa_read_lib(entropyd_t) + alsa_read_rw_config(entropyd_t) + ') ') optional_policy(`