commit: bac1f46765f49a73cdfb5a482f45f3a83487ee06
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 17:23:35 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:55:45 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bac1f467
Add sysfs_types attribute.
Collect all types used to label sysfs entries.
policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
policy/modules/kernel/devices.te | 5 +++--
policy/modules/system/init.te | 1 +
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a052db5..591b932 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4130,6 +4130,26 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
+## Relabel from/to all sysfs types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+ gen_require(`
+ attribute sysfs_types;
+ ')
+
+ allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
+ allow $1 sysfs_types:file relabel_file_perms;
+ allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Read and write the TPM device.
## </summary>
## <param name="domain">
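Review bot: The interface header on the new `dev_relabel_all_sysfs` says only "Relabel from/to all sysfs types", which understates how broad the grant is: `relabel_dir_perms`, `relabel_file_perms` and `relabel_lnk_file_perms` each cover both relabelfrom and relabelto, so the caller can change the label of every object whose type carries `sysfs_types`, including types that other modules add to the attribute later. I would extend the summary to state this, e.g. `## Relabel from/to all sysfs types (every type carrying the sysfs_types attribute, including types added by other modules). Intended for init-like domains that relabel /sys at boot.`. A `<desc>` block noting that `list_dir_perms` is included so the caller can also enumerate the directories it relabels would make the dir rule's intent explicit.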
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e5bcfcd..9274a82 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -9,6 +9,7 @@ attribute device_node;
attribute memory_raw_read;
attribute memory_raw_write;
attribute devices_unconfined_type;
+attribute sysfs_types;
#
# device_t is the type of /dev.
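Review bot: The new `attribute sysfs_types;` declaration has no comment stating what the attribute is meant to collect, so nothing in the file tells a module author that a new sysfs-labelled type must carry it; the commit message carries that contract, but it will not be visible in the policy source. I would add above the declaration `# All types used to label entries in sysfs; any type passed to dev_associate_sysfs() should carry this attribute so relabel interfaces built on it stay complete.`. The later hunks in this file only add the attribute to cpu_online_t and sysfs_t; if other modules also associate types with sysfs via dev_associate_sysfs(), those types presumably need the same change, which is not covered here.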
@@ -62,7 +63,7 @@ dev_node(cpu_device_t)
#
# /sys/devices/system/cpu/online device
#
-type cpu_online_t;
+type cpu_online_t, sysfs_types;
files_type(cpu_online_t)
dev_associate_sysfs(cpu_online_t)
@@ -229,7 +230,7 @@ dev_node(sound_device_t)
#
# sysfs_t is the type for the /sys pseudofs
#
-type sysfs_t;
+type sysfs_t, sysfs_types;
files_mountpoint(sysfs_t)
fs_xattr_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 79400f2..8c9cffa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -224,6 +224,7 @@ ifdef(`init_systemd',`
dev_create_generic_dirs(init_t)
dev_manage_input_dev(init_t)
dev_relabel_all_dev_nodes(init_t)
+ dev_relabel_all_sysfs(init_t)
dev_read_urand(init_t)
dev_write_kmsg(init_t)
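Review bot: The added `dev_relabel_all_sysfs(init_t)` gives init_t relabelfrom and relabelto over every type on the `sysfs_types` attribute, but nothing on the line records why init needs this, and the surrounding `ifdef(`init_systemd'` block begins and ends outside the hunk, so the reader has only the conditional for context. A short comment such as `# systemd relabels /sys during early boot` (to be confirmed against the systemd behaviour that motivated the change) would document the reason the grant is scoped to the systemd case. Since the attribute grows as other modules add types to it, the comment could also note that the grant widens automatically.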