From e3dc006c410465182a23dcea9f19c65756db3367 Mon Sep 17 00:00:00 2001 From: Guido Trentalancia Date: Fri, 24 Jan 2020 22:31:24 -0800 Subject: [PATCH 1/2] Add an interface to allow watch permission on generic device directories. Signed-off-by: Guido Trentalancia -- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 7f97cb26c..89beb51bb 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -108,6 +108,24 @@ interface(`dev_getattr_fs',` allow $1 device_t:filesystem getattr; ') +######################################## +## +## Watch the directories in /dev. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_watch_dev_dirs',` + gen_require(` + type device_t; + ') + + allow $1 device_t:dir watch; +') + ######################################## ## ## Mount a filesystem on /dev From eaaaa89208d5ca15a57fa0871e6e3c54c68be74b Mon Sep 17 00:00:00 2001 From: Guido Trentalancia Date: Fri, 24 Jan 2020 22:32:37 -0800 Subject: [PATCH 2/2] Allow pulseaudio to watch generic device directories. Signed-off-by: Guido Trentalancia -- policy/modules/apps/pulseaudio.te | 1 + 1 file changed, 1 insertion(+) --- policy/modules/apps/pulseaudio.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 9f9f4ef58..bf0089b8e 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -121,6 +121,7 @@ corenet_tcp_bind_soundd_port(pulseaudio_t) corenet_sendrecv_sap_server_packets(pulseaudio_t) corenet_udp_bind_sap_port(pulseaudio_t) +dev_watch_dev_dirs(pulseaudio_t) dev_read_sound(pulseaudio_t) dev_write_sound(pulseaudio_t) dev_read_sysfs(pulseaudio_t)
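Review bot: The summary of the new interface, `## Watch the directories in /dev.`, promises more than the rule grants: only directories labeled device_t get `watch`, and `watch` alone does not cover inotify read-type events (IN_ACCESS and IN_CLOSE_NOWRITE require `watch_reads`), so a caller registering for those would still be denied. I would reword the summary to `## Watch generic (device_t) directories in /dev (does not include watch_reads).` so the limitation is visible at the call site. The name `dev_watch_dev_dirs` also departs from the commit subject's own wording, "generic device directories"; if the other device_t:dir interfaces in this file are named `dev_*_generic_dirs`, `dev_watch_generic_dirs` would match — the rest of devices.if is outside the hunk, so confirm before renaming.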
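Review bot: The added `dev_watch_dev_dirs(pulseaudio_t)` grants inotify watches on every device_t-labeled directory, and neither the line nor the commit message records which PulseAudio code path or AVC denial motivates it. PulseAudio's module-udev-detect appears to place an inotify watch on /dev/snd (IN_ATTRIB|IN_CLOSE_WRITE) to notice when a card is released, and the /dev/snd directory itself is presumably labeled device_t rather than sound_device_t — if that is the trigger, a why-comment such as `# module-udev-detect: inotify watch on the /dev/snd directory` above the line would stop the next reviewer from widening or dropping it. Since the grant reaches all generic device directories rather than just /dev/snd, it is wider than the apparent need; a dedicated type for the /dev/snd directory would be the narrower fix but is beyond this hunk.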