Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/mplayer.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/mplayer.te')
-rw-r--r--policy/modules/contrib/mplayer.te311
1 files changed, 311 insertions, 0 deletions
diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
new file mode 100644
index 000000000..0cdea57ae
--- /dev/null
+++ b/policy/modules/contrib/mplayer.te
@@ -0,0 +1,311 @@
+policy_module(mplayer, 2.4.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow mplayer executable stack
+## </p>
+## </desc>
+gen_tunable(allow_mplayer_execstack, false)
+
+type mencoder_t;
+type mencoder_exec_t;
+typealias mencoder_t alias { user_mencoder_t staff_mencoder_t sysadm_mencoder_t };
+typealias mencoder_t alias { auditadm_mencoder_t secadm_mencoder_t };
+userdom_user_application_domain(mencoder_t, mencoder_exec_t)
+
+type mplayer_t;
+type mplayer_exec_t;
+typealias mplayer_t alias { user_mplayer_t staff_mplayer_t sysadm_mplayer_t };
+typealias mplayer_t alias { auditadm_mplayer_t secadm_mplayer_t };
+userdom_user_application_domain(mplayer_t, mplayer_exec_t)
+
+type mplayer_etc_t;
+files_config_file(mplayer_etc_t)
+
+type mplayer_home_t;
+typealias mplayer_home_t alias { user_mplayer_home_t staff_mplayer_home_t sysadm_mplayer_home_t };
+typealias mplayer_home_t alias { auditadm_mplayer_home_t secadm_mplayer_home_t };
+userdom_user_home_content(mplayer_home_t)
+
+type mplayer_tmpfs_t;
+typealias mplayer_tmpfs_t alias { user_mplayer_tmpfs_t staff_mplayer_tmpfs_t sysadm_mplayer_tmpfs_t };
+typealias mplayer_tmpfs_t alias { auditadm_mplayer_tmpfs_t secadm_mplayer_tmpfs_t };
+userdom_user_tmpfs_file(mplayer_tmpfs_t)
+
+########################################
+#
+# mencoder local policy
+#
+
+manage_dirs_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mencoder_t, mplayer_home_t, mplayer_home_t)
+
+# Read global config
+allow mencoder_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mencoder_t, mplayer_etc_t, mplayer_etc_t)
+
+# Read /proc files and directories
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mencoder_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mencoder_t)
+
+# Required for win32 binary loader
+dev_rwx_zero(mencoder_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mencoder_t)
+
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mencoder_t)
+files_read_usr_symlinks(mencoder_t)
+
+fs_search_auto_mountpoints(mencoder_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mencoder_t)
+
+miscfiles_read_localization(mencoder_t)
+
+userdom_use_user_terminals(mencoder_t)
+# Handle removable media, /tmp, and /home
+userdom_list_user_tmp(mencoder_t)
+userdom_read_user_tmp_files(mencoder_t)
+userdom_read_user_tmp_symlinks(mencoder_t)
+userdom_read_user_home_content_files(mencoder_t)
+userdom_read_user_home_content_symlinks(mencoder_t)
+
+# Read content to encode
+ifndef(`enable_mls',`
+ fs_search_removable(mencoder_t)
+ fs_read_removable_files(mencoder_t)
+ fs_read_removable_symlinks(mencoder_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mencoder_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mencoder_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mencoder_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mencoder_t)
+ fs_manage_nfs_files(mencoder_t)
+ fs_manage_nfs_symlinks(mencoder_t)
+
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mencoder_t)
+ fs_manage_cifs_files(mencoder_t)
+ fs_manage_cifs_symlinks(mencoder_t)
+
+')
+
+# Read content to encode
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_nfs_files(mencoder_t)
+ fs_read_nfs_symlinks(mencoder_t)
+
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_nfs_files(mencoder_t)
+ fs_dontaudit_list_nfs(mencoder_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mencoder_t)
+ files_list_home(mencoder_t)
+ fs_read_cifs_files(mencoder_t)
+ fs_read_cifs_symlinks(mencoder_t)
+',`
+ files_dontaudit_list_home(mencoder_t)
+ fs_dontaudit_list_auto_mountpoints(mencoder_t)
+ fs_dontaudit_read_cifs_files(mencoder_t)
+ fs_dontaudit_list_cifs(mencoder_t)
+')
+
+########################################
+#
+# mplayer local policy
+#
+
+allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:fifo_file rw_fifo_file_perms;
+allow mplayer_t self:sem create_sem_perms;
+allow mplayer_t self:netlink_route_socket create_netlink_socket_perms;
+allow mplayer_t self:tcp_socket create_socket_perms;
+allow mplayer_t self:unix_dgram_socket sendto;
+
+manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
+
+manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_fifo_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+manage_sock_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
+fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Read global config
+allow mplayer_t mplayer_etc_t:dir list_dir_perms;
+read_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+read_lnk_files_pattern(mplayer_t, mplayer_etc_t, mplayer_etc_t)
+
+kernel_dontaudit_list_unlabeled(mplayer_t)
+kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
+kernel_dontaudit_read_unlabeled_files(mplayer_t)
+# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
+kernel_read_system_state(mplayer_t)
+# Sysctl on kernel version
+kernel_read_kernel_sysctls(mplayer_t)
+
+corenet_all_recvfrom_netlabel(mplayer_t)
+corenet_all_recvfrom_unlabeled(mplayer_t)
+corenet_tcp_sendrecv_generic_if(mplayer_t)
+corenet_tcp_sendrecv_generic_node(mplayer_t)
+corenet_tcp_bind_generic_node(mplayer_t)
+corenet_tcp_connect_pulseaudio_port(mplayer_t)
+corenet_sendrecv_pulseaudio_client_packets(mplayer_t)
+
+# Run bash/sed (??)
+corecmd_exec_bin(mplayer_t)
+corecmd_exec_shell(mplayer_t)
+
+dev_read_rand(mplayer_t)
+dev_read_urand(mplayer_t)
+# Required for win32 binary loader
+dev_rwx_zero(mplayer_t)
+# Access to DVD/CD/V4L
+dev_read_video_dev(mplayer_t)
+dev_write_video_dev(mplayer_t)
+# Audio, alsa.conf
+dev_read_sound_mixer(mplayer_t)
+dev_write_sound_mixer(mplayer_t)
+# RTC clock
+dev_read_realtime_clock(mplayer_t)
+
+domain_use_interactive_fds(mplayer_t)
+
+# Access to DVD/CD/V4L
+storage_raw_read_removable_device(mplayer_t)
+
+files_read_etc_files(mplayer_t)
+files_dontaudit_list_non_security(mplayer_t)
+files_dontaudit_getattr_non_security_files(mplayer_t)
+files_read_non_security_files(mplayer_t)
+# Unfortunately the ancient file dialog starts in /
+files_list_home(mplayer_t)
+# Read /etc/mtab
+files_read_etc_runtime_files(mplayer_t)
+# Read data in /usr/share (fonts, icons..)
+files_read_usr_files(mplayer_t)
+files_read_usr_symlinks(mplayer_t)
+
+fs_dontaudit_getattr_all_fs(mplayer_t)
+fs_search_auto_mountpoints(mplayer_t)
+fs_list_inotifyfs(mplayer_t)
+
+miscfiles_read_localization(mplayer_t)
+miscfiles_read_fonts(mplayer_t)
+
+userdom_use_user_terminals(mplayer_t)
+# Read media files
+userdom_list_user_tmp(mplayer_t)
+userdom_read_user_tmp_files(mplayer_t)
+userdom_read_user_tmp_symlinks(mplayer_t)
+userdom_read_user_home_content_files(mplayer_t)
+userdom_read_user_home_content_symlinks(mplayer_t)
+userdom_write_user_tmp_sockets(mplayer_t)
+
+xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+
+# Read songs
+ifdef(`enable_mls',`',`
+ fs_search_removable(mplayer_t)
+ fs_read_removable_files(mplayer_t)
+ fs_read_removable_symlinks(mplayer_t)
+')
+
+tunable_policy(`allow_execmem',`
+ allow mplayer_t self:process execmem;
+')
+
+tunable_policy(`allow_execmod',`
+ dev_execmod_zero(mplayer_t)
+')
+
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t self:process { execmem execstack };
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(mplayer_t)
+ fs_manage_nfs_files(mplayer_t)
+ fs_manage_nfs_symlinks(mplayer_t)
+')
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(mplayer_t)
+ fs_manage_cifs_files(mplayer_t)
+ fs_manage_cifs_symlinks(mplayer_t)
+')
+
+# Legacy domain issues
+tunable_policy(`allow_mplayer_execstack',`
+ allow mplayer_t mplayer_tmpfs_t:file execute;
+')
+
+# Read songs
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_nfs_files(mplayer_t)
+ fs_read_nfs_symlinks(mplayer_t)
+
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_nfs_files(mplayer_t)
+ fs_dontaudit_list_nfs(mplayer_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_list_auto_mountpoints(mplayer_t)
+ files_list_home(mplayer_t)
+ fs_read_cifs_files(mplayer_t)
+ fs_read_cifs_symlinks(mplayer_t)
+',`
+ files_dontaudit_list_home(mplayer_t)
+ fs_dontaudit_list_auto_mountpoints(mplayer_t)
+ fs_dontaudit_read_cifs_files(mplayer_t)
+ fs_dontaudit_list_cifs(mplayer_t)
+')
+
+optional_policy(`
+ alsa_read_rw_config(mplayer_t)
+')
+
+optional_policy(`
+ nscd_socket_use(mplayer_t)
+')
+
+optional_policy(`
+ pulseaudio_exec(mplayer_t)
+ pulseaudio_stream_connect(mplayer_t)
+')