* [refpolicy] [PATCH 1/3] Separate sound-specific items from general entropyd_t definitions
2011-07-20 17:33 [refpolicy] [PATCH/RFC v2] Haveged support in (audio)entropyd Sven Vermeulen
@ 2011-07-20 17:35 ` Sven Vermeulen
2011-07-20 17:43 ` [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged support Sven Vermeulen
2011-07-20 17:43 ` [refpolicy] [PATCH 3/3] Add file context rules for haveged Sven Vermeulen
2 siblings, 0 replies; 4+ messages in thread
From: Sven Vermeulen @ 2011-07-20 17:35 UTC (permalink / raw)
To: refpolicy
Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific to audio support (both device access as well
as the alsa-specific ones).
The idea behind using a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.te | 26 ++++++++++++++++++--------
1 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 2b348c7..08c1d8c 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow the use of the audio devices as the source for the entropy feeds
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
type entropyd_t;
type entropyd_exec_t;
init_daemon_domain(entropyd_t, entropyd_exec_t)
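Review bot: gen_tunable(entropyd_use_audio, false) defaults the boolean to off, so existing audio-entropyd installations lose their sound device access on upgrade until an administrator enables entropyd_use_audio; the commit message should call out this behaviour change and the <desc> text should name the domain it applies to, e.g. "Allow entropyd to use audio devices as the source for its entropy feeds", so the generated documentation tells users which daemon the boolean affects.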
@@ -33,11 +40,6 @@ dev_read_urand(entropyd_t)
dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
-dev_read_sound(entropyd_t)
-# set sound card parameters such as
-# sample format, number of channels
-# and sample rate.
-dev_write_sound(entropyd_t)
files_read_etc_files(entropyd_t)
files_read_usr_files(entropyd_t)
@@ -54,9 +56,17 @@ miscfiles_read_localization(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
-optional_policy(`
- alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+tunable_policy(`entropyd_use_audio',`
+
+ dev_read_sound(entropyd_t)
+ # set sound card parameters such as sample format, number of channels
+ # and sample rate.
+ dev_write_sound(entropyd_t)
+
+ optional_policy(`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+ ')
')
optional_policy(`
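Review bot: optional_policy() cannot be nested inside tunable_policy(): tunable_policy expands to a conditional (if) block in the kernel policy language, and conditional blocks may only contain access vector and type transition rules, not optional blocks, so this hunk will fail when the policy is compiled. Keep dev_read_sound/dev_write_sound in their own tunable_policy block and invert the nesting for the alsa interfaces, i.e. optional_policy(` tunable_policy(`entropyd_use_audio',` alsa_read_lib(entropyd_t) alsa_read_rw_config(entropyd_t) ') '), which is the pattern refpolicy uses elsewhere. While at it, drop the blank lines directly after the opening tunable_policy(`entropyd_use_audio',` and before its closing '), which refpolicy style does not use.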
--
1.7.3.4
* [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged support
From: Sven Vermeulen @ 2011-07-20 17:43 UTC (permalink / raw)
To: refpolicy
Haveged by itself requires a few additional privileges (creating a unix socket
and write access to some /proc/sys/kernel files, like
/proc/sys/kernel/random/write_wakeup_threshold).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 08c1d8c..b224ebf 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -27,11 +27,12 @@ files_pid_file(entropyd_var_run_t)
allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
dontaudit entropyd_t self:capability sys_tty_config;
allow entropyd_t self:process signal_perms;
+allow entropyd_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
-kernel_read_kernel_sysctls(entropyd_t)
+kernel_rw_kernel_sysctl(entropyd_t)
kernel_list_proc(entropyd_t)
kernel_read_proc_symlinks(entropyd_t)
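Review bot: the replacement interface is the singular kernel_rw_kernel_sysctl while the removed one is the plural kernel_read_kernel_sysctls; please confirm the new name matches the interface actually defined in kernel.if, since a misspelled interface name only surfaces as a build failure. Note also that the commit message motivates the change with a single file (/proc/sys/kernel/random/write_wakeup_threshold) but the interface grants write access to every file carrying the kernel sysctl type; if refpolicy has no finer-grained type for the random/ subtree that is unavoidable, but the widened scope should be stated in the commit message so the extra write access to unrelated kernel sysctls is a conscious decision. A short comment above allow entropyd_t self:unix_dgram_socket create_socket_perms; saying what haveged uses the socket for would help future readers.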
--
1.7.3.4
* [refpolicy] [PATCH 3/3] Add file context rules for haveged
From: Sven Vermeulen @ 2011-07-20 17:43 UTC (permalink / raw)
To: refpolicy
Add file context rules for haveged within the audioentropyd module.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/audioentropy.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
index 001235e..d2d8ce3 100644
--- a/policy/modules/services/audioentropy.fc
+++ b/policy/modules/services/audioentropy.fc
@@ -2,5 +2,7 @@
# /usr
#
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)
/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
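Review bot: labelling /usr/sbin/haveged as entropyd_exec_t puts both daemons in the single entropyd_t domain, so each inherits the privileges added for the other: audio-entropyd gains the sysctl write access and socket permissions from PATCH 2, and haveged gains sound device and alsa access whenever entropyd_use_audio is enabled. That is a reasonable trade-off for two small daemons that never run side by side, but it is a deliberate choice and the commit message should say so, otherwise a reader will expect a separate haveged_t domain. Please also confirm that /var/run/haveged\.pid is where the daemon writes its pid file by default, since the context rule is only useful if the path matches.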
--
1.7.3.4