commit:     7d05690ceeb7213d6854fa1b4f5599f7c76b335a
Author:     Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Apr 28 10:02:04 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 04:50:47 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d05690c

Add hwloc-dump-hwdata SELinux policy

The Portable Hardware Locality (hwloc) software package
provides a portable abstraction (across OS, versions, architectures, ...)
of the hierarchical topology of modern architectures,
including NUMA memory nodes, sockets, shared caches,
cores and simultaneous multithreading.
It also gathers various system attributes such as cache and memory information
as well as the locality of I/O devices such as network interfaces,
InfiniBand HCAs or GPUs.

New hwloc utility (hwloc-dump-hwdata) reads firmware entries and generates
intermediate files to be used later by hwloc utils.

This cannot be done when MLS is in enforcing mode because SELinux blocks
access to var_run_t for user_t.

The policy does the following:
- adds hwloc_dhwd_exec_t type for hwloc-dump-hwdata executable
- adds hwloc_dhwd_t system domain with entry point in
hwloc_dhwd_exec_t
- allows hwloc_dhwd_exec_t to be run as application
- allows hwloc_dhwd_t access sysfs
- allows hwloc_dhwd_t to create dir and file in /var/run
- makes transition for hwloc-dump-hwdata output file from var_run_t to
var_t.

The data is derived from proprietary SMBIOS entries containing MCDRAM memory
side cache configuration : cache size, associativity, inclusiveness and
line size.

V3:
Add hwloc_admin()
Remove hwloc_manage_runtime()
Add hwloc_dhwd_unit_t
Rename run, domtrans and exec interfaces

Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>

 policy/modules/contrib/hwloc.fc |   5 ++
 policy/modules/contrib/hwloc.if | 106 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/hwloc.te |  31 ++++++++++++
 3 files changed, 142 insertions(+)

diff --git a/policy/modules/contrib/hwloc.fc b/policy/modules/contrib/hwloc.fc
new file mode 100644
index 0000000..d0c5a15
--- /dev/null
+++ b/policy/modules/contrib/hwloc.fc
@@ -0,0 +1,5 @@
+/usr/sbin/hwloc-dump-hwdata    --      
gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
+
+/usr/lib/systemd/system/hwloc-dump-hwdata.*    --      
gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
+
+/var/run/hwloc(/.*)?   gen_context(system_u:object_r:hwloc_var_run_t,s0)

diff --git a/policy/modules/contrib/hwloc.if b/policy/modules/contrib/hwloc.if
new file mode 100644
index 0000000..c2349ec
--- /dev/null
+++ b/policy/modules/contrib/hwloc.if
@@ -0,0 +1,106 @@
+## <summary>Dump topology and locality information from hardware 
tables.</summary>
+
+########################################
+## <summary>
+##     Execute hwloc dhwd in the hwloc dhwd domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`hwloc_domtrans_dhwd',`
+       gen_require(`
+               type hwloc_dhwd_t, hwloc_dhwd_exec_t;
+       ')
+
+       domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
+')
+
+########################################
+## <summary>
+##     Execute hwloc dhwd in the hwloc dhwd domain, and
+##     allow the specified role the hwloc dhwd domain,
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_run_dhwd',`
+       gen_require(`
+               attribute_role hwloc_dhwd_roles;
+       ')
+
+       hwloc_domtrans_dhwd($1)
+       roleattribute $2 hwloc_dhwd_roles;
+')
+
+########################################
+## <summary>
+##     Execute hwloc dhwd in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`hwloc_exec_dhwd',`
+       gen_require(`
+               type hwloc_dhwd_exec_t;
+       ')
+
+       can_exec($1, hwloc_dhwd_exec_t)
+')
+
+########################################
+## <summary>
+##     Read hwloc runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`hwloc_read_runtime_files',`
+       gen_require(`
+               type hwloc_var_run_t;
+       ')
+
+       files_search_pids($1)
+       read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
+')
+
+########################################
+## <summary>
+##     All of the rules required to
+##     administrate an hwloc environment.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`hwloc_admin',`
+       gen_require(`
+               type hwloc_dhwd_t, hwloc_var_run_t;
+       ')
+
+       allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
+       ps_process_pattern($1, hwloc_dhwd_t)
+
+       admin_pattern($1, hwloc_var_run_t)
+       files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
+')
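Review bot: `hwloc_admin` (the last interface in this hunk) grants ptrace/signal on `hwloc_dhwd_t` and full management of `hwloc_var_run_t`, but nothing in the module exposes the `hwloc_dhwd_unit_t` type that hwloc.te declares, so an admin domain using this interface still cannot start or stop the service; the `<rolecap/>` tag on an interface with no role parameter also looks inconsistent with the other refpolicy admin interfaces. I would add a second `<param name="role">` block documented as the role allowed access, extend the require to `type hwloc_dhwd_t, hwloc_var_run_t, hwloc_dhwd_unit_t;`, and call `init_startstop_service($1, $2, hwloc_dhwd_t, hwloc_dhwd_unit_t)` after the `ps_process_pattern` line. The interface is new in this commit, so the signature change has no existing callers to break.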

diff --git a/policy/modules/contrib/hwloc.te b/policy/modules/contrib/hwloc.te
new file mode 100644
index 0000000..afe13cc
--- /dev/null
+++ b/policy/modules/contrib/hwloc.te
@@ -0,0 +1,31 @@
+policy_module(hwloc, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role hwloc_dhwd_roles;
+roleattribute system_r hwloc_dhwd_roles;
+
+type hwloc_dhwd_t;
+type hwloc_dhwd_exec_t;
+init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
+role hwloc_dhwd_roles types hwloc_dhwd_t;
+
+type hwloc_var_run_t;
+files_pid_file(hwloc_var_run_t)
+
+type hwloc_dhwd_unit_t;
+init_unit_file(hwloc_dhwd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
+allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
+files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
+
+dev_read_sysfs(hwloc_dhwd_t)
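Review bot: The `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)` rule in the local policy section has no name argument, so every directory `hwloc_dhwd_t` creates directly under /var/run is labelled `hwloc_var_run_t`, whereas the admin interface in hwloc.if and the file context `/var/run/hwloc(/.*)?` both scope this to a directory named "hwloc"; making it `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir, "hwloc")` keeps the transition as narrow as the rest of the module. As a point of style, the two raw `allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;` / `:file manage_file_perms;` rules would conventionally be written with `manage_dirs_pattern(hwloc_dhwd_t, hwloc_var_run_t, hwloc_var_run_t)` and `manage_files_pattern(hwloc_dhwd_t, hwloc_var_run_t, hwloc_var_run_t)`, which grant the same access. The commit description says output files transition to var_t, but the policy here and the file contexts use `hwloc_var_run_t`; the description should probably be corrected to match.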
