The pulseaudio daemon and client do not normally need to use

the network for most computer systems that need to play and
record audio.

So, network access by pulseaudio should normally be restricted.

This patch restricts all network access by using tunable policy
and a new boolean to control it.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/pulseaudio.te |   47 ++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 17 deletions(-)
This commit is contained in:
Guido Trentalancia 2023-04-05 16:06:19 +02:00
parent 8e8f5e3ca3
commit 8f7064490d

View File

@ -13,6 +13,14 @@ policy_module(pulseaudio)
## </desc>
gen_tunable(pulseaudio_execmem, false)
## <desc>
## <p>
## Determine whether pulseaudio
## can use the network.
## </p>
## </desc>
gen_tunable(pulseaudio_can_network, false)
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
@ -54,7 +62,6 @@ allow pulseaudio_t self:process { getcap getsched setcap setrlimit setsched sign
allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
allow pulseaudio_t self:unix_dgram_socket sendto;
allow pulseaudio_t self:tcp_socket { accept listen };
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
@ -107,21 +114,6 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
corenet_all_recvfrom_netlabel(pulseaudio_t)
corenet_tcp_sendrecv_generic_if(pulseaudio_t)
corenet_udp_sendrecv_generic_if(pulseaudio_t)
corenet_tcp_sendrecv_generic_node(pulseaudio_t)
corenet_udp_sendrecv_generic_node(pulseaudio_t)
corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
corenet_sendrecv_soundd_server_packets(pulseaudio_t)
corenet_tcp_bind_soundd_port(pulseaudio_t)
corenet_sendrecv_sap_server_packets(pulseaudio_t)
corenet_udp_bind_sap_port(pulseaudio_t)
dev_watch_dev_dirs(pulseaudio_t)
dev_read_sound(pulseaudio_t)
dev_write_sound(pulseaudio_t)
@ -161,6 +153,25 @@ tunable_policy(`pulseaudio_execmem',`
allow pulseaudio_t self:process execmem;
')
tunable_policy(`pulseaudio_can_network',`
allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
corenet_all_recvfrom_netlabel(pulseaudio_t)
corenet_tcp_sendrecv_generic_if(pulseaudio_t)
corenet_udp_sendrecv_generic_if(pulseaudio_t)
corenet_tcp_sendrecv_generic_node(pulseaudio_t)
corenet_udp_sendrecv_generic_node(pulseaudio_t)
corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
corenet_sendrecv_soundd_server_packets(pulseaudio_t)
corenet_tcp_bind_soundd_port(pulseaudio_t)
corenet_sendrecv_sap_server_packets(pulseaudio_t)
corenet_udp_bind_sap_port(pulseaudio_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(pulseaudio_t)
fs_manage_nfs_files(pulseaudio_t)
@ -258,13 +269,6 @@ xdg_config_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse")
fs_getattr_tmpfs(pulseaudio_client)
corenet_all_recvfrom_netlabel(pulseaudio_client)
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
corenet_sendrecv_pulseaudio_client_packets(pulseaudio_client)
corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
pulseaudio_stream_connect(pulseaudio_client)
pulseaudio_manage_home(pulseaudio_client)
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
@ -277,6 +281,15 @@ userdom_read_user_tmpfs_files(pulseaudio_client)
userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
# userdom_delete_user_tmpfs_files(pulseaudio_client)
tunable_policy(`pulseaudio_can_network',`
corenet_all_recvfrom_netlabel(pulseaudio_client)
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
corenet_sendrecv_pulseaudio_client_packets(pulseaudio_client)
corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
')
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(pulseaudio_client)
fs_manage_nfs_dirs(pulseaudio_client)