commit:     da28221423dba9c102a06afb6c7eac7cd2d0117a
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:31:46 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:44 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da282214

bootloader: allow systemd-boot to manage EFI binaries

systemd-boot's bootctl utility is used to install and update its EFI
binaries in the EFI partition. If it is mounted with boot_t, bootctl
needs to be able to manage boot_t files.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/bootloader.te |  4 ++++
 policy/modules/kernel/files.if     | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 294ce7e0c..81748a5f3 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -225,6 +225,10 @@ ifdef(`init_systemd',`
        fs_getattr_cgroup(bootloader_t)
        init_read_state(bootloader_t)
        init_rw_inherited_stream_socket(bootloader_t)
+
+       # for systemd-boot-update to manage EFI binaries
+       domain_obj_id_change_exemption(bootloader_t)
+       files_mmap_read_boot_files(bootloader_t)
 ')
 
 optional_policy(`
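Review bot: The added comment covers the mmap grant but gives no reason for `domain_obj_id_change_exemption(bootloader_t)`, which is a constraint exemption (it frees the domain from the rule that objects it creates or relabels carry its own SELinux user identity) and is broader than the file access described in the commit message, so it deserves its own justification on the line. Presumably bootctl writes EFI binaries into boot_t with an identity other than bootloader_t's; a comment such as `# bootctl creates EFI binaries whose object identity differs from bootloader_t's (identity-change constraint)` would let a later reviewer judge whether the exemption is still needed. The commit message also says bootctl must manage boot_t files, yet this hunk grants only map and read, so the manage permission is presumably granted elsewhere in bootloader.te and is worth naming in the comment. The enclosing `ifdef(`init_systemd'` block begins outside the hunk.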

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e0337d044..b9c451321 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2590,6 +2590,25 @@ interface(`files_read_boot_files',`
        read_files_pattern($1, boot_t, boot_t)
 ')
 
+########################################
+## <summary>
+##     Read and memory map files in the /boot directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_mmap_read_boot_files',`
+       gen_require(`
+               type boot_t;
+       ')
+
+       mmap_read_files_pattern($1, boot_t, boot_t)
+')
+
 ########################################
 ## <summary>
 ##     Create, read, write, and delete files
