commit:     891859b30d8ed3a32c815c1fa2648cbe4109d899
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Mar 25 20:30:06 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr  8 15:25:15 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=891859b3

Support /sys/devices/system/cpu/online

In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so
we need to grant most domains read access to this file. As we don't want
them to have read access on sysfs_t by default, create a new type
(cpu_online_t) and assign it to the file, and grant domains read access
to the file.

This does require systems to relabel the file on every boot, which distributions already do in their boot scripts, because entries under /sys do not retain their security context across reboots.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 31 ++++++++++++++++---------------
 policy/modules/kernel/devices.te |  7 +++++++
 policy/modules/kernel/domain.te  |  3 ++-
 4 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 5bf5ef2..053cfa7 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -199,6 +199,7 @@ ifdef(`distro_debian',`
 /lib/udev/devices/zero -c      gen_context(system_u:object_r:zero_device_t,s0)
 
 /sys(/.*)?                     gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online --      
gen_context(system_u:object_r:cpu_online_t,s0)
 
 ifdef(`distro_redhat',`
 # originally from named.fc
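Review bot: The new `/sys/devices/system/cpu/online --` entry only takes effect once something runs restorecon over /sys, so any domain started before the boot-time relabel still sees the file as sysfs_t and gets an AVC denial on it; the relabel step needs to be ordered before the first confined services start, and whatever runs it needs relabelfrom on sysfs_t. glibc's get_nprocs presumably falls back to /proc/stat when the sysfs read fails, so the denial is noise rather than a failure, but it will appear in audit logs on every boot until the relabel runs — confirm against the glibc version in use. The entry is more specific than the `/sys(/.*)?` line above it, so precedence is fine; note the mail wrapping here split it across two lines, and it must remain a single line in the file.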

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 41eb2ca..56dd021 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4929,48 +4929,49 @@ interface(`dev_create_zero_dev',`
 
 ########################################
 ## <summary>
-##     Unconfined access to devices.
+##     Read cpu online hardware state information
 ## </summary>
+## <desc>
+##     <p>
+##     Allow the specified domain to read /sys/devices/system/cpu/online
+##     </p>
+## </desc>
 ## <param name="domain">
 ##     <summary>
 ##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`dev_unconfined',`
+interface(`dev_read_cpu_online',`
        gen_require(`
-               attribute devices_unconfined_type;
+               type cpu_online_t;
        ')
 
-       typeattribute $1 devices_unconfined_type;
+       dev_search_sysfs($1)
+       read_files_pattern($1, cpu_online_t, cpu_online_t)
 ')
 
-# We cannot use ifdef distro_gentoo for interfaces
 
 ########################################
 ## <summary>
-##     Read cpu online hardware state information.
+##     Unconfined access to devices.
 ## </summary>
-## <desc>
-##     <p>
-##     Allow the specified domain to read /sys/devices/system/cpu/online file.
-##     </p>
-## </desc>
 ## <param name="domain">
 ##     <summary>
 ##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`dev_read_cpu_online',`
+interface(`dev_unconfined',`
        gen_require(`
-               type cpu_online_t;
+               attribute devices_unconfined_type;
        ')
 
-       dev_search_sysfs($1)
-       read_files_pattern($1, cpu_online_t, cpu_online_t)
+       typeattribute $1 devices_unconfined_type;
 ')
 
+# We cannot use ifdef distro_gentoo for interfaces
+
 ########################################
 ## <summary>
 ##     Relabel cpu online hardware state information.
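Review bot: The comment `# We cannot use ifdef distro_gentoo for interfaces` now sits on its own between dev_unconfined and dev_relabel_cpu_online with nothing saying what it applies to; from the layout it appears to mark the Gentoo-specific interfaces that follow, which cannot be wrapped in an ifdef(distro_gentoo) block because interface() definitions have to be unconditionally visible to the build — if so, say that: `# Gentoo-specific interfaces follow. They cannot be wrapped in ifdef(distro_gentoo) because interface() definitions must always be defined.`. The <desc> of the relocated dev_read_cpu_online should also warn callers that the file only carries cpu_online_t after a relabel of /sys (it is sysfs_t at boot), so the access this interface grants is not effective until then. Minor: the new summary lines dropped the trailing period the original text had, which is inconsistent with the neighbouring interfaces.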

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 14c178e..948b064 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -60,6 +60,13 @@ type cpu_device_t;
 dev_node(cpu_device_t)
 
 #
+# /sys/devices/system/cpu/online device
+#
+type cpu_online_t;
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
+
+#
 # Type for /dev/crash
 #
 type crash_device_t;
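Review bot: The header comment `# /sys/devices/system/cpu/online device` describes a sysfs file, not a device node; `# /sys/devices/system/cpu/online sysfs file (read by glibc get_nprocs)` would be accurate and record why the type exists. Since the file reverts to sysfs_t on every boot, a genfscon entry beside the type — `genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)` — would let the kernel apply cpu_online_t at mount time without relying on a restorecon pass, on kernels whose sysfs supports path-based genfscon; if the targeted kernels are too old for that, the restorecon dependency is worth noting in the comment here as well. The files_type plus dev_associate_sysfs pairing is the right declaration for a labeled sysfs file.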

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index ea5cdee..4af7dbd 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,4 +1,4 @@
-policy_module(domain, 1.11.0)
+policy_module(domain, 1.11.1)
 
 ########################################
 #
@@ -98,6 +98,7 @@ allow domain self:process { fork sigchld };
 
 # glibc get_nprocs requires read access to /sys/devices/system/cpu/online
 dev_read_cpu_online(domain)
+
 # Use trusted objects in /dev
 dev_rw_null(domain)
 dev_rw_zero(domain)
