Separate the tunable permissions to write xserver

tmpfs files from the tunable permissions to write X server shared memory. Indeed some applications such as vlc (media player) only require the former, so this change opts for a stricter, yet more customizable policy. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/services/xserver.if | 7 +++++++ policy/modules/services/xserver.te | 8 ++++++++ 2 files changed, 15 insertions(+)
2023-09-03 17:33:15 +02:00 · 2023-09-03 17:33:15 +02:00 · ad1f2d2ae3
commit ad1f2d2ae3
parent f3f761c4a8
2 changed files with 15 additions and 0 deletions
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@ -125,8 +125,12 @@ template(`xserver_restricted_role',`
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
+	')
+
+	tunable_policy(`allow_write_xserver_tmpfs',`
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
+
 	tunable_policy(`xserver_allow_dri',`
 		dev_rw_dri($2)
 	')
@ -482,6 +486,9 @@ template(`xserver_user_x_domain_template',`
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
+	')
+
+	tunable_policy(`allow_write_xserver_tmpfs',`
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
 	')
 ')
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@ -33,6 +33,14 @@ gen_require(`
 ## </desc>
 gen_tunable(allow_write_xshm, false)

+## <desc>
+## <p>
+## Allows clients to write to the X server tmpfs
+## files.
+## </p>
+## </desc>
+gen_tunable(allow_write_xserver_tmpfs, false)
+
 ## <desc>
 ## <p>
 ## Allow xdm logins as sysadm