policy/modules/apps/pulseaudio.if

   1 ## <summary>Pulseaudio network sound server.</summary>
   2
   3 ########################################
   4 ## <summary>
   5 ##      Role access for pulseaudio
   6 ## </summary>
   7 ## <param name="role">
   8 ##      <summary>
   9 ##      Role allowed access
  10 ##      </summary>
  11 ## </param>
  12 ## <param name="domain">
  13 ##      <summary>
  14 ##      User domain for the role
  15 ##      </summary>
  16 ## </param>
  17 #
  18 interface(`pulseaudio_role',`
  19         gen_require(`
  20                 type pulseaudio_t, pulseaudio_exec_t;
  21                 class dbus { acquire_svc send_msg };
  22         ')
  23
  24         role $1 types pulseaudio_t;
  25
  26         # Transition from the user domain to the derived domain.
  27         domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
  28
  29         ps_process_pattern($2, pulseaudio_t)
  30
  31         allow pulseaudio_t $2:process { signal signull };
  32         allow $2 pulseaudio_t:process { signal signull sigkill };
  33         ps_process_pattern(pulseaudio_t, $2)
  34
  35         allow pulseaudio_t $2:unix_stream_socket connectto;
  36         allow $2 pulseaudio_t:unix_stream_socket connectto;
  37
  38         allow $2 pulseaudio_t:dbus send_msg;
  39         allow pulseaudio_t $2:dbus { acquire_svc send_msg };
  40 ')
  41
  42 ########################################
  43 ## <summary>
  44 ##      Execute a domain transition to run pulseaudio.
  45 ## </summary>
  46 ## <param name="domain">
  47 ## <summary>
  48 ##      Domain allowed to transition.
  49 ## </summary>
  50 ## </param>
  51 #
  52 interface(`pulseaudio_domtrans',`
  53         gen_require(`
  54                 type pulseaudio_t, pulseaudio_exec_t;
  55         ')
  56
  57         domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
  58 ')
  59
  60 ########################################
  61 ## <summary>
  62 ##      Execute pulseaudio in the pulseaudio domain, and
  63 ##      allow the specified role the pulseaudio domain.
  64 ## </summary>
  65 ## <param name="domain">
  66 ##      <summary>
  67 ##      Domain allowed to transition.
  68 ##      </summary>
  69 ## </param>
  70 ## <param name="role">
  71 ##      <summary>
  72 ##      Role allowed access.
  73 ##      </summary>
  74 ## </param>
  75 #
  76 interface(`pulseaudio_run',`
  77         gen_require(`
  78                 type pulseaudio_t;
  79         ')
  80
  81         pulseaudio_domtrans($1)
  82         role $2 types pulseaudio_t;
  83 ')
  84
  85 ########################################
  86 ## <summary>
  87 ##      Execute a pulseaudio in the current domain.
  88 ## </summary>
  89 ## <param name="domain">
  90 ## <summary>
  91 ##      Domain allowed access.
  92 ## </summary>
  93 ## </param>
  94 #
  95 interface(`pulseaudio_exec',`
  96         gen_require(`
  97                 type pulseaudio_exec_t;
  98         ')
  99
 100         can_exec($1, pulseaudio_exec_t)
 101 ')
 102
 103 ########################################
 104 ## <summary>
 105 ##      Do not audit to execute a pulseaudio.
 106 ## </summary>
 107 ## <param name="domain">
 108 ## <summary>
 109 ##      Domain to not audit.
 110 ## </summary>
 111 ## </param>
 112 #
 113 interface(`pulseaudio_dontaudit_exec',`
 114         gen_require(`
 115                 type pulseaudio_exec_t;
 116         ')
 117
 118         dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
 119 ')
 120
 121 ########################################
 122 ## <summary>
 123 ##      Send signull signal to pulseaudio
 124 ##      processes.
 125 ## </summary>
 126 ## <param name="domain">
 127 ##      <summary>
 128 ##      Domain allowed access.
 129 ##      </summary>
 130 ## </param>
 131 #
 132 interface(`pulseaudio_signull',`
 133         gen_require(`
 134                 type pulseaudio_t;
 135         ')
 136
 137         allow $1 pulseaudio_t:process signull;
 138 ')
 139
 140 #####################################
 141 ## <summary>
 142 ##      Connect to pulseaudio over a unix domain
 143 ##      stream socket.
 144 ## </summary>
 145 ## <param name="domain">
 146 ##      <summary>
 147 ##      Domain allowed access.
 148 ##      </summary>
 149 ## </param>
 150 #
 151 interface(`pulseaudio_stream_connect',`
 152         gen_require(`
 153                 type pulseaudio_t, pulseaudio_var_run_t;
 154         ')
 155
 156         files_search_pids($1)
 157         allow $1 pulseaudio_t:process signull;
 158         allow pulseaudio_t $1:process signull;
 159         stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
 160 ')
 161
 162 ########################################
 163 ## <summary>
 164 ##      Send and receive messages from
 165 ##      pulseaudio over dbus.
 166 ## </summary>
 167 ## <param name="domain">
 168 ##      <summary>
 169 ##      Domain allowed access.
 170 ##      </summary>
 171 ## </param>
 172 #
 173 interface(`pulseaudio_dbus_chat',`
 174         gen_require(`
 175                 type pulseaudio_t;
 176                 class dbus send_msg;
 177         ')
 178
 179         allow $1 pulseaudio_t:dbus send_msg;
 180         allow pulseaudio_t $1:dbus send_msg;
 181 ')
 182
 183 ########################################
 184 ## <summary>
 185 ##      Set the attributes of the pulseaudio homedir.
 186 ## </summary>
 187 ## <param name="user_domain">
 188 ##      <summary>
 189 ##      Domain allowed access.
 190 ##      </summary>
 191 ## </param>
 192 #
 193 interface(`pulseaudio_setattr_home_dir',`
 194         gen_require(`
 195                 type pulseaudio_home_t;
 196         ')
 197
 198         allow $1 pulseaudio_home_t:dir setattr;
 199 ')
 200
 201 ########################################
 202 ## <summary>
 203 ##      Read pulseaudio homedir files.
 204 ## </summary>
 205 ## <param name="user_domain">
 206 ##      <summary>
 207 ##      Domain allowed access.
 208 ##      </summary>
 209 ## </param>
 210 #
 211 interface(`pulseaudio_read_home_files',`
 212         gen_require(`
 213                 type pulseaudio_home_t;
 214         ')
 215
 216         userdom_search_user_home_dirs($1)
 217         read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 218         read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 219 ')
 220
 221 ########################################
 222 ## <summary>
 223 ##      Read and write Pulse Audio files.
 224 ## </summary>
 225 ## <param name="user_domain">
 226 ##      <summary>
 227 ##      Domain allowed access.
 228 ##      </summary>
 229 ## </param>
 230 #
 231 interface(`pulseaudio_rw_home_files',`
 232         gen_require(`
 233                 type pulseaudio_home_t;
 234         ')
 235
 236         rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 237         read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 238         userdom_search_user_home_dirs($1)
 239 ')
 240
 241 ########################################
 242 ## <summary>
 243 ##      Create, read, write, and delete pulseaudio
 244 ##      home directory files.
 245 ## </summary>
 246 ## <param name="user_domain">
 247 ##      <summary>
 248 ##      Domain allowed access.
 249 ##      </summary>
 250 ## </param>
 251 #
 252 interface(`pulseaudio_manage_home_files',`
 253         gen_require(`
 254                 type pulseaudio_home_t;
 255         ')
 256
 257         userdom_search_user_home_dirs($1)
 258         manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 259         read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 260 ')