From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/3] Introduce alsa domains
Date: Fri, 4 Apr 2014 16:22:45 -0400
Message-ID: <533F1495.3050305@tresys.com>
In-Reply-To: <1396188552-16007-2-git-send-email-sven.vermeulen@siphos.be>

On 03/30/2014 10:09 AM, Sven Vermeulen wrote:
> Some plugins in the ALSA ecosystem (including the default dmix/pcm
> plugins) use SysV IPC resources to collaborate access to the sound
> subsystem between ALSA-enabled applications.
> 
> These applications thus require access to the ALSA semaphore created by
> the first application that uses access to the sound subsystem as well as
> the shared memory. If they don't, then sound is not available for the
> subsequent applications, like with mplayer:
> 
> alsa-lib: pcm_dmix.c:989:(snd_pcm_dmix_open) unable to create IPC semaphore
> 
> As this means that all ALSA enabled domains need access to the
> semaphores of all other ALSA enabled domains, starting to sum up all
> these domains is not manageable. As a result, an attribute called
> "alsadomain" is created which is assigned to all domains that use ALSA.
> Then, we grant the following:
> 
>   allow alsadomain alsadomain:sem create_sem_perms;
>   allow alsadomain alsadomain:shm rw_shm_perms;
> 
> The second 'failure' one would get is access to the Linux shared memory.
> This is not all covered only by the shm class, but also through tmpfs,
> as can be seen in the following denial:
> 
>   type=AVC msg=audit(1396182569.016:1763): avc:  denied  { write } for
>   pid=1047 comm="mplayer"
>   path=2F535953563030353661346435202864656C6574656429 dev="tmpfs"
>   ino=1867789 scontext=staff_u:staff_r:mplayer_t
>   tcontext=staff_u:object_r:mozilla_plugin_tmpfs_t tclass=file
> 
> In the above denial, we notice that mplayer failed to write to shared
> memory created by the mozilla_plugin_t domain (and thus labeled as
> mozilla_plugin_tmpfs_t). This is shared memory, as can be decomposed
> from the path:
> 
>   python -c 'import base64;
>   print(base64.b16decode("2F535953563030353661346435202864656C6574656429"));'
> 
>   b'/SYSV0056a4d5 (deleted)'
> 
> That means we also need to grant ALSA domains read/write access to the
> tmpfs types of the ALSA domains. For this, we create an attribute called
> "alsatmpfsfile" which is assigned to the tmpfs_t types of those ALSA
> domains, with:
> 
>   allow alsadomain alsatmpfsfile:file rw_file_perms;
> 
> With this in place, we now create an interface called "alsa_domain" that
> assigns the attributes to the ALSA enabled applications, such as this:
> 
> alsa_domain(mplayer_t, mplayer_tmpfs_t)

This is a frightening access.  Are you sure there isn't some tool we can (ab)use to run on boot so that the correct IPC objects are created, e.g. with an alsa_t type?


> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  alsa.if       | 25 +++++++++++++++++++++++++
>  alsa.te       | 17 +++++++++++++++++
>  mozilla.te    |  3 +--
>  mplayer.te    |  2 +-
>  pulseaudio.te |  2 +-
>  5 files changed, 45 insertions(+), 4 deletions(-)
> 
> diff --git a/alsa.if b/alsa.if
> index ca8d8cf..ef7eb3d 100644
> --- a/alsa.if
> +++ b/alsa.if
> @@ -2,6 +2,31 @@
>  
>  ########################################
>  ## <summary>
> +##	Mark the selected domain as an ALSA-capable domain
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain that links with ALSA
> +##	</summary>
> +## </param>
> +## <param name="tmpfstype">
> +##	<summary>
> +##	Tmpfs type used for shared memory of the given domain
> +##	</summary>
> +## </param>
> +#
> +interface(`alsa_domain',`
> +	gen_require(`
> +		attribute alsadomain;
> +		attribute alsatmpfsfile;
> +	')
> +
> +	typeattribute $1 alsadomain;
> +	typeattribute $2 alsatmpfsfile;
> +')
> +
> +########################################
> +## <summary>
>  ##	Role access for alsa.
>  ## </summary>
>  ## <param name="role">
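Review bot: the interface <summary> "Mark the selected domain as an ALSA-capable domain" says nothing about what membership grants; since the alsadomain attribute carries the sem/shm/tmpfs allow rules and the alsa_read_rw_config/alsa_read_home_files calls added in alsa.te, the summary should state that $1 gets read/write IPC and tmpfs access to every other alsadomain type and that $2 becomes readable and writable by all of them, so a caller in another module can judge the exposure without opening alsa.te.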
> diff --git a/alsa.te b/alsa.te
> index 814b426..4fd8018 100644
> --- a/alsa.te
> +++ b/alsa.te
> @@ -5,12 +5,16 @@ policy_module(alsa, 1.13.0)
>  # Declarations
>  #
>  
> +attribute alsadomain;
> +attribute alsatmpfsfile;
> +
>  attribute_role alsa_roles;
>  
>  type alsa_t;
>  type alsa_exec_t;
>  init_system_domain(alsa_t, alsa_exec_t)
>  role alsa_roles types alsa_t;
> +typeattribute alsa_t alsadomain;
>  
>  type alsa_etc_rw_t;
>  files_config_file(alsa_etc_rw_t)
> @@ -20,6 +24,7 @@ files_tmp_file(alsa_tmp_t)
>  
>  type alsa_tmpfs_t;
>  files_tmpfs_file(alsa_tmpfs_t)
> +typeattribute alsa_tmpfs_t alsatmpfsfile;
>  
>  type alsa_var_lib_t;
>  files_type(alsa_var_lib_t)
> @@ -29,6 +34,18 @@ userdom_user_home_content(alsa_home_t)
>  
>  ########################################
>  #
> +# alsadomain policy
> +#
> +
> +allow alsadomain alsadomain:sem create_sem_perms;
> +allow alsadomain alsadomain:shm rw_shm_perms;
> +allow alsadomain alsatmpfsfile:file rw_file_perms;
> +
> +alsa_read_rw_config(alsadomain)
> +alsa_read_home_files(alsadomain)
> +
> +########################################
> +#
>  # Local policy
>  #
>  
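Review bot: with the attribute on both sides, `allow alsadomain alsadomain:sem create_sem_perms;` and the two rules below it make every member a full peer of every other: alsa_t, mozilla_plugin_t, mplayer_t and pulseaudio_t can each create and write the others' semaphores, shm segments and tmpfs files, which is much more than attaching to the one semaphore and segment the first ALSA user created as the commit message describes. Say so in a comment above the rules, and consider whether the tmpfs rule can be narrowed to the SysV shm files (a dedicated type) instead of each domain's entire *_tmpfs_t. Note also that alsa_read_rw_config(alsadomain) and alsa_read_home_files(alsadomain) now reach every member, which widens mplayer_t and pulseaudio_t beyond the single alsa_read_rw_config they had before.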
> diff --git a/mozilla.te b/mozilla.te
> index 11ac8e4..63f0875 100644
> --- a/mozilla.te
> +++ b/mozilla.te
> @@ -518,8 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
>  ')
>  
>  optional_policy(`
> -	alsa_read_rw_config(mozilla_plugin_t)
> -	alsa_read_home_files(mozilla_plugin_t)
> +	alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)
>  ')
>  
>  optional_policy(`
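Review bot: `alsa_domain(mozilla_plugin_t, mozilla_plugin_tmpfs_t)` also attaches mozilla_plugin_tmpfs_t to alsatmpfsfile, so alsa_t, mplayer_t and pulseaudio_t get rw_file_perms on all of the plugin's tmpfs files, not only the SysV segment behind the quoted denial; that exposure should be called out in the commit message or avoided with a narrower type for the shm files.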
> diff --git a/mplayer.te b/mplayer.te
> index 0f03cd9..6300573 100644
> --- a/mplayer.te
> +++ b/mplayer.te
> @@ -250,7 +250,7 @@ tunable_policy(`allow_mplayer_execstack',`
>  ')
>  
>  optional_policy(`
> -	alsa_read_rw_config(mplayer_t)
> +	alsa_domain(mplayer_t, mplayer_tmpfs_t)
>  ')
>  
>  optional_policy(`
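Review bot: mplayer_t previously had only alsa_read_rw_config; through the alsadomain attribute it now also receives alsa_read_home_files plus the sem/shm/tmpfs rules, which the one-line substitution hides. Either mention the added home-file read in the commit message or keep `alsa_read_home_files(mplayer_t)` as an explicit call here so the diff shows the new access.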
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 4665af2..5a8f356 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -144,7 +144,7 @@ tunable_policy(`use_samba_home_dirs',`
>  ')
>  
>  optional_policy(`
> -	alsa_read_rw_config(pulseaudio_t)
> +	alsa_domain(pulseaudio_t, pulseaudio_tmpfs_t)
>  ')
>  
>  optional_policy(`
> 
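Review bot: same silent widening as in mplayer.te: pulseaudio_t only had alsa_read_rw_config and now gains alsa_read_home_files and the peer IPC rules via the attribute. The commit message should list that change for each converted domain.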


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
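Added example, not part of Sven's patch or of refpolicy: a small Python parser for the AVC denial quoted in the commit message, doing the hex decode of the audit path field and pulling out the source/target types and the SysV shm key, the kind of triage one does before deciding which domains need alsa_domain(). The sample line is constructed from the denial above; the field names sysv_shm_key, scontext_type and tcontext_type are my own.

```python
import re

# Constructed sample: the AVC denial quoted in the commit message above,
# reassembled onto one line the way auditd records it.
SAMPLE_AVC = (
    "type=AVC msg=audit(1396182569.016:1763): avc:  denied  { write } for "
    'pid=1047 comm="mplayer" '
    'path=2F535953563030353661346435202864656C6574656429 dev="tmpfs" '
    "ino=1867789 scontext=staff_u:staff_r:mplayer_t "
    "tcontext=staff_u:object_r:mozilla_plugin_tmpfs_t tclass=file"
)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")
_SYSV_RE = re.compile(r"^/SYSV([0-9a-fA-F]{8})")
# Audit hex-encodes these string fields (unquoted) when they contain spaces
# or other special characters, as path= does in the sample.
_STRING_FIELDS = {"path", "comm", "name", "exe", "cwd"}

def decode_audit_string(value: str) -> str:
    """Strip audit quoting, or hex-decode an unquoted string field."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value

def parse_avc(line: str) -> dict:
    """Split an AVC record into fields; decode path, perms, types, SysV key."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        fields[key] = decode_audit_string(value) if key in _STRING_FIELDS else value
    match = _PERMS_RE.search(line)
    fields["perms"] = match.group(1).split() if match else []
    for ctx in ("scontext", "tcontext"):
        parts = fields.get(ctx, "").split(":")
        fields[ctx + "_type"] = parts[2] if len(parts) >= 3 else None
    match = _SYSV_RE.match(fields.get("path", ""))
    fields["sysv_shm_key"] = int(match.group(1), 16) if match else None
    return fields

def describe(fields: dict) -> str:
    """One-line summary of what was denied, naming the SysV key if any."""
    what = f"{fields['scontext_type']} -> {fields['tcontext_type']}:{fields['tclass']}"
    what += " {" + " ".join(fields["perms"]) + "}"
    if fields["sysv_shm_key"] is not None:
        what += f" on SysV shm key 0x{fields['sysv_shm_key']:08x}"
    return what
```

Running `describe(parse_avc(SAMPLE_AVC))` yields the mplayer_t to mozilla_plugin_tmpfs_t write with key 0x0056a4d5, i.e. the segment the commit message decodes by hand.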
