sound within sandboxed firefox

Dominick Grift dominick.grift at gmail.com
Tue Dec 10 14:37:00 UTC 2013


On Tue, 2013-12-10 at 08:56 -0500, Daniel J Walsh wrote:

> Could you see if you are getting AVCs?
> 
> ausearch -m avc -ts recent
> 

firefox runs pulseaudio, but since there is a role_transition from
unconfined_r to system_r via pulseaudio_exec_t specified, the following
related AVC denials/SELINUX_ERRs occur:

> type=AVC msg=audit(1386626727.085:4005): avc:  denied  { transition } for  pid=3064 comm="firefox" path="/usr/bin/pulseaudio" dev="dm-0" ino=2109429 scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process
> type=SELINUX_ERR msg=audit(1386626727.085:4005): security_compute_sid:  invalid context unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 for scontext=unconfined_u:unconfined_r:sandbox_web_client_t:s0:c255,c377 tcontext=system_u:object_r:pulseaudio_exec_t:s0 tclass=process

If you allow the above with:

> domain_system_change_exemption(sandbox_web_client_t)
> allow sandbox_web_client_t self:process transition;
> role system_r types sandbox_web_client_t;

Things still fail. Mainly due to:

> type=AVC msg=audit(1386626727.097:4007): avc:  denied  { setcap } for  pid=3064 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tclass=process

If you allow the above with:

> allow sandbox_web_client_t self:process setcap;

Then things start to work slowly. But this will expose the usual
pulseaudio related events, for example:

> type=AVC msg=audit(1386626727.119:4010): avc:  denied  { signull } for  pid=3068 comm="pulseaudio" scontext=unconfined_u:system_r:sandbox_web_client_t:s0:c255,c377 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tclass=process

Which you can allow with:

> application_signull(sandbox_web_client_t)

In refpolicy we added a pulseaudio_client type attribute that allows pulseaudio_clients to send null signals to each other, amongst other things. This enables us to narrow the null signals down a bit.
However I have not yet created an interface that associates the caller with this type attribute. Instead it is only associated to pulseaudio_t.

Finally one needs to deal with the pulseaudio ipc:

> type=AVC msg=audit(1386630028.070:4182): avc:  denied  { read } for  pid=933 comm="plugin-containe" name="pulse-shm-714554573" dev="tmpfs" ino=56617860 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:sandbox_web_client_tmpfs_t:s0 tclass=file

In refpolicy we deal with this by associating the pulseaudio_tmpfsfile type attribute to pulseaudio tmpfs related file types. There is an interface in refpolicy that can be used for this:

> ########################################
> ## <summary>
> ##	Make the specified tmpfs file type
> ##	pulseaudio tmpfs content.
> ## </summary>
> ## <param name="file_type">
> ##	<summary>
> ##	File type to make pulseaudio tmpfs content.
> ##	</summary>
> ## </param>
> #
> interface(`pulseaudio_tmpfs_content',`
> 	gen_require(`
> 		attribute pulseaudio_tmpfsfile;
> 	')
> 
> 	typeattribute $1 pulseaudio_tmpfsfile;
> ')

That will allow all pulseaudio_clients to read, delete, etc. all pulseaudio_tmpfsfile types.


I do not know why you decided to add a role transition from unconfined_r to system_r via pulseaudio_t. I suspect it may have to do with the fact that pulseaudio can also be configured as a system service and that this
caused you to add the role transition, since otherwise you would get into conflict with the init_run_daemon(unconfined_t).

In refpolicy we currently do not support pulseaudio as a system service, but if we do then we will probably create a system_pulseaudio_t and a session_pulseaudio_t so that we avoid conflicts with roles and such.
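The rules discussed in the message above, collected into one loadable policy module. This is an added example, not code from the original message and not part of refpolicy or the Fedora sandbox policy. It assumes a policy build where the types sandbox_web_client_t and sandbox_web_client_tmpfs_t exist and where the interfaces named in the message (domain_system_change_exemption, application_signull, pulseaudio_tmpfs_content) are available; the module name sandbox_pulseaudio is made up. Each rule is tied to the AVC or SELINUX_ERR it silences, with the caveat the message attaches to it.

```selinux
# sandbox_pulseaudio.te (hypothetical module name)
# Added example: lets pulseaudio started by sandboxed firefox run inside
# sandbox_web_client_t. Every rule below corresponds to a denial quoted in
# the thread; the comments record what each grant gives up.
policy_module(sandbox_pulseaudio, 0.1)

########################################
#
# Declarations
#

gen_require(`
	type sandbox_web_client_t;
	type sandbox_web_client_tmpfs_t;
	role system_r;
')

########################################
#
# Local policy
#

# 1. SELINUX_ERR security_compute_sid / AVC { transition }:
#    the role_transition on pulseaudio_exec_t moves the process from
#    unconfined_r to system_r while the domain stays sandbox_web_client_t,
#    a context the base policy does not authorize. Exempt the domain from
#    the system_r change check, let it transition to itself, and make the
#    resulting role/type pair valid.
domain_system_change_exemption(sandbox_web_client_t)
allow sandbox_web_client_t self:process transition;
role system_r types sandbox_web_client_t;

# 2. AVC { setcap } comm="pulseaudio": pulseaudio adjusts its own
#    capability set at start-up. Caveat: this is granted to the whole
#    sandbox domain, not only to the pulseaudio binary inside it.
allow sandbox_web_client_t self:process setcap;

# 3. AVC { signull } towards mozilla_plugin_t: pulseaudio probes its
#    peers with null signals. application_signull() covers every
#    application domain; a pulseaudio_client attribute (refpolicy) would
#    be narrower, but the message notes no interface exposes it yet.
application_signull(sandbox_web_client_t)

# 4. AVC { read } on pulse-shm-* in tmpfs by plugin-container:
#    the shared-memory segments live in the sandbox's tmpfs type. Marking
#    that type pulseaudio tmpfs content lets all pulseaudio_clients read
#    (and delete) them, as the message warns.
pulseaudio_tmpfs_content(sandbox_web_client_tmpfs_t)
```

Build and load it with the usual policy devel Makefile, e.g. `make -f /usr/share/selinux/devel/Makefile sandbox_pulseaudio.pp` followed by `semodule -i sandbox_pulseaudio.pp`, then re-run `ausearch -m avc -ts recent` while playing sound to confirm that only the four denial classes above have gone away and nothing broader has been granted. The interfaces assumed here may be absent or differently named in a given distribution's policy; if the build fails in gen_require, that is the place to check first.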
