Separate the tunable permissions to write xserver

tmpfs files from the tunable permissions to write
X server shared memory.

Indeed some applications such as vlc (media player)
only require the former, so this change opts for a
stricter, yet more customizable policy.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.if |    7 +++++++
 policy/modules/services/xserver.te |    8 ++++++++
 2 files changed, 15 insertions(+)
This commit is contained in:
Guido Trentalancia 2023-09-03 17:33:15 +02:00
parent f3f761c4a8
commit ad1f2d2ae3
2 changed files with 15 additions and 0 deletions


@ -125,8 +125,12 @@ template(`xserver_restricted_role',`
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
')
tunable_policy(`allow_write_xserver_tmpfs',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
tunable_policy(`xserver_allow_dri',`
dev_rw_dri($2)
')
@ -482,6 +486,9 @@ template(`xserver_user_x_domain_template',`
# Client write xserver shm
tunable_policy(`allow_write_xshm',`
allow $2 xserver_t:shm rw_shm_perms;
')
tunable_policy(`allow_write_xserver_tmpfs',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
')
')
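Review bot: The comment `# Client write xserver shm` that precedes the `allow_write_xshm` block now visually covers the new `allow_write_xserver_tmpfs` block as well, in both `xserver_restricted_role` and `xserver_user_x_domain_template`; give the new block its own comment, `# Client write xserver tmpfs files`, so a reader does not take the two tunables for one. The new tunable's `<desc>` in xserver.te says only that it allows writing the tmpfs files; it would help policy authors to add a sentence that this boolean is the narrower alternative to `allow_write_xshm` for clients that need the tmpfs files but not the X server shm segments, which is the whole point of the split stated in the commit message. Neither hunk deletes a line, so if the same `xserver_tmpfs_t:file rw_file_perms` rule is still granted elsewhere under `allow_write_xshm` outside these hunks, the stricter policy the message promises is not fully achieved — worth confirming in the rest of the templates. Both templates begin before their hunks.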


@ -33,6 +33,14 @@ gen_require(`
## </desc>
gen_tunable(allow_write_xshm, false)
## <desc>
## <p>
## Allows clients to write to the X server tmpfs
## files.
## </p>
## </desc>
gen_tunable(allow_write_xserver_tmpfs, false)
## <desc>
## <p>
## Allow xdm logins as sysadm