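#
# Macros for mplayer
#
# Author: Ivan Gyurdiev
#
# mplayer_domains(user) declares domains for mplayer, gmplayer,
# and mencoder
#
# Conventions used below:
#   $1 is the role prefix (e.g. user, staff); $1_t is the calling
#   user domain and $1_r the role that must be allowed to enter the
#   new domains.
#   $2 (mplayer_common only) is the program suffix, giving the
#   confined domain $1_$2_t.
# The booleans allow_execmem, allow_execmod and allow_mplayer_execstack
# gate the rules that weaken memory protections; they are declared
# elsewhere and are expected to default to off.

#####################################################
# mplayer_common(role_prefix, mplayer_domain)       #
#####################################################
define(`mplayer_common',`

# Read global config
r_dir_file($1_$2_t, mplayer_etc_t)

# Allow the user domain to signal/ps.
can_ps($1_t, $1_$2_t)
allow $1_t $1_$2_t:process signal_perms;

# Read data in /usr/share (fonts, icons..)
r_dir_file($1_$2_t, usr_t)

# Read /proc files and directories
# Necessary for /proc/meminfo, /proc/cpuinfo, etc..
allow $1_$2_t proc_t:dir search;
allow $1_$2_t proc_t:file { getattr read };

# Sysctl on kernel version
read_sysctl($1_$2_t)

# Shared libs, locale, terminal access
# (can_ps for this pair is already granted above; it used to be
# repeated here, which only produced a duplicate rule)
uses_shlib($1_$2_t)
read_locale($1_$2_t)
access_terminal($1_$2_t, $1)

# Required for win32 binary loader
# NOTE(review): execute on zero_device_t is unconditional, while the
# execmem/execmod rules below are boolean-gated. Executable anonymous
# memory removes the W^X guarantee for this domain, so keep the
# booleans off unless the win32 codec loader is actually in use.
allow $1_$2_t zero_device_t:chr_file { read write execute };
if (allow_execmem) {
allow $1_$2_t self:process execmem;
}
if (allow_execmod) {
allow $1_$2_t zero_device_t:chr_file execmod;
}
allow $1_$2_t texrel_shlib_t:file execmod;

# Access to DVD/CD/V4L
allow $1_$2_t device_t:dir r_dir_perms;
allow $1_$2_t device_t:lnk_file { getattr read };
allow $1_$2_t removable_device_t:blk_file { getattr read };
allow $1_$2_t v4l_device_t:chr_file { getattr read };

# Legacy domain issues
# Only reached when allow_mplayer_execstack is on: executable stack
# plus execute on libraries, locale data and the sound device.
if (allow_mplayer_execstack) {
legacy_domain($1_$2)
allow $1_$2_t lib_t:file execute;
allow $1_$2_t locale_t:file execute;
allow $1_$2_t sound_device_t:chr_file execute;
}
') dnl end mplayer_common

###################################
# mplayer_domain(role_prefix)     #
###################################
define(`mplayer_domain',`

type $1_mplayer_t, domain, nscd_client_domain;

# Type transition
domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
role $1_r types $1_mplayer_t;

# Home access, X access
home_domain($1, mplayer)
x_client_domain($1_mplayer, $1)

# Mplayer common stuff
mplayer_common($1, mplayer)

# Fork
allow $1_mplayer_t self:process { fork signal_perms getsched };
allow $1_mplayer_t self:fifo_file rw_file_perms;

# Audio, alsa.conf
allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
allow $1_mplayer_t etc_t:file { getattr read };
# No trailing semicolon: the macro already terminates its own rules,
# matching the other r_dir_file invocations in this file.
r_dir_file($1_mplayer_t, alsa_etc_rw_t)

# RTC clock
allow $1_mplayer_t clock_device_t:chr_file { ioctl read };

# Legacy domain issues
if (allow_mplayer_execstack) {
allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
}

#======gmplayer gui==========#

# File dialogs
# Silence the noise from the file browser walking the tree rather
# than granting it read access everywhere.
dontaudit_getattr($1_mplayer_t)
dontaudit_read_dir($1_mplayer_t)
dontaudit_search_dir($1_mplayer_t)

# Unfortunately the ancient file dialog starts in /
allow $1_mplayer_t home_root_t:dir read;

# Read /etc/mtab
allow $1_mplayer_t etc_runtime_t:file { read getattr };

# Run bash/sed (??)
# NOTE(review): can_exec on shell_exec_t and bin_t widens the
# confinement boundary of $1_mplayer_t considerably for a media
# player; the (??) above shows the need was never confirmed. Verify
# against audit logs that the GUI really spawns these before keeping
# the two can_exec rules.
allow $1_mplayer_t bin_t:dir search;
allow $1_mplayer_t bin_t:lnk_file read;
can_exec($1_mplayer_t, bin_t)
can_exec($1_mplayer_t, shell_exec_t)

#============================#

# Read songs
read_content($1_mplayer_t, $1)

') dnl end mplayer_domain

###################################
# mencoder_domain(role_prefix)    #
###################################
define(`mencoder_domain',`

# NOTE(review): unlike $1_mplayer_t this type is not an
# nscd_client_domain; presumably mencoder does no name lookups,
# confirm before relying on that.
type $1_mencoder_t, domain;

# Type transition
domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
role $1_r types $1_mencoder_t;

# Access mplayer home domain
home_domain_access($1_mencoder_t, $1, mplayer)

# Mplayer common stuff
mplayer_common($1, mencoder)

# Read content to encode
read_content($1_mencoder_t, $1)

# Save encoded files
# This is the only write access mencoder gets to user content.
write_trusted($1_mencoder_t, $1)

') dnl end mencoder_domain

#############################
# mplayer_domains(role)     #
#############################
# Convenience wrapper: declares both the player and the encoder
# domain for one role prefix.
define(`mplayer_domains', `
mplayer_domain($1)
mencoder_domain($1)
') dnl end mplayer_domains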