commit: 4751bfa9ef38a4d38494cadea1fa83a69881d5fa
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sat Oct 7 02:56:52 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 20 21:28:39 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4751bfa9
Changes to eg25manager and modemmanager needed for firmware upload on
pinephonepro
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/eg25manager.te | 11 ++++++++++-
policy/modules/services/modemmanager.te | 18 ++++++++++++++++--
2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/eg25manager.te
b/policy/modules/services/eg25manager.te
index 92fd3e4f8..f305a9a01 100644
--- a/policy/modules/services/eg25manager.te
+++ b/policy/modules/services/eg25manager.te
@@ -57,8 +57,10 @@ files_read_usr_files(eg25manager_t)
logging_send_syslog_msg(eg25manager_t)
miscfiles_read_generic_certs(eg25manager_t)
+miscfiles_read_localization(eg25manager_t)
-modemmanager_dbus_chat(eg25manager_t)
+# will not upload to pinephone modem without this
+selinux_get_fs_mount(eg25manager_t)
sysnet_read_config(eg25manager_t)
@@ -66,3 +68,10 @@ systemd_dbus_chat_logind(eg25manager_t)
systemd_read_resolved_runtime(eg25manager_t)
systemd_use_logind_fds(eg25manager_t)
systemd_write_inherited_logind_inhibit_pipes(eg25manager_t)
+
+term_use_unallocated_ttys(eg25manager_t)
+
+optional_policy(`
+ modemmanager_dbus_chat(eg25manager_t)
+')
+
diff --git a/policy/modules/services/modemmanager.te
b/policy/modules/services/modemmanager.te
index 5801baedd..b94117bff 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -15,16 +15,30 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
#
allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal setpgid };
allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket { connectto
create_stream_socket_perms };
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow modemmanager_t self:netlink_route_socket { create getattr getopt
nlmsg_write read write };
+allow modemmanager_t self:qipcrtr_socket { create getattr getopt read write };
+
+# ModemManager calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC)
+allow modemmanager_t self:process execmem;
kernel_read_system_state(modemmanager_t)
+kernel_request_load_module(modemmanager_t)
+
+# for qmi/pass_through
+dev_create_sysfs_files(modemmanager_t)
+dev_getattr_sysfs(modemmanager_t)
dev_read_sysfs(modemmanager_t)
+dev_write_sysfs(modemmanager_t)
dev_rw_modem(modemmanager_t)
+# for /usr/libexec/qmi-proxy
+corecmd_exec_bin(modemmanager_t)
+
files_read_etc_files(modemmanager_t)
term_use_generic_ptys(modemmanager_t)
