* [refpolicy] [PATCH] Declare a virtio device node type
@ 2012-09-12  9:27 Dominick Grift
  2012-10-03 14:04 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2012-09-12  9:27 UTC (permalink / raw)
  To: refpolicy


Label virtio character device nodes accordingly

Create term_use_virtio_console() for vdagent

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 7d45d15..0ea25b6 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -19,6 +19,7 @@
 /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/vport[0-9]p[0-9]+	-c	gen_context(system_u:object_r:virtio_device_t,s0)
 /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
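Review bot: the new pattern `/dev/vport[0-9]p[0-9]+` allows only a single digit before the `p`, so a tenth virtio-serial device (`/dev/vport10p1`) would not match this entry and would keep the generic `/dev` label; `/dev/vport[0-9]+p[0-9]+` covers the same nodes without that ceiling. The `-c` flag and the alphabetical placement between the `ttySG` and `xvc` entries follow the surrounding lines.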
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 01dd2f1..bfaff9f 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1493,3 +1493,22 @@
 	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
 	term_dontaudit_use_all_ttys($1)
 ')
+
+########################################
+## <summary>
+##	Read from and write to virtio console.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_virtio_console',`
+	gen_require(`
+		type virtio_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 virtio_device_t:chr_file rw_chr_file_perms;
+')
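Review bot: the `<summary>` says "virtio console", but the rule grants `rw_chr_file_perms` on every node labelled `virtio_device_t`, which per the terminal.fc hunk is every `/dev/vport*p*` port, not only the one port a guest agent such as vdagent talks over; either state in the summary that this covers all virtio serial ports, or name the interface after the type (for example `term_use_virtio_devs`) so callers do not assume a narrower grant than they get. Pairing the allow rule with `dev_list_all_dev_nodes($1)` matches how the other `term_use_*` interfaces in this file give callers the `/dev` search access they need to reach the node.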
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 9d64659..bc57297 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -56,3 +56,6 @@
 #
 type usbtty_device_t, serial_device;
 dev_node(usbtty_device_t)
+
+type virtio_device_t, serial_device;
+dev_node(virtio_device_t)
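Review bot: `virtio_device_t` is declared with the `serial_device` attribute like `usbtty_device_t` just above it, so every rule written against that attribute now also covers the virtio ports; given the open question of whether these nodes are purely console devices, add a comment above the declaration saying what the type labels (the `#` comment block that precedes `usbtty_device_t` is the pattern in this file) and confirm that the attribute membership is intended rather than inherited from the template.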


* [refpolicy] [PATCH] Declare a virtio device node type
  2012-09-12  9:27 [refpolicy] [PATCH] Declare a virtio device node type Dominick Grift
@ 2012-10-03 14:04 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2012-10-03 14:04 UTC (permalink / raw)
  To: refpolicy

On 09/12/12 05:27, Dominick Grift wrote:
> 
> Label virtio character device nodes accordingly
> 
> Create term_use_virtio_console() for vdagent
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
> index 7d45d15..0ea25b6 100644
> --- a/policy/modules/kernel/terminal.fc
> +++ b/policy/modules/kernel/terminal.fc
> @@ -19,6 +19,7 @@
>  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
>  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
>  /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
> +/dev/vport[0-9]p[0-9]+	-c	gen_context(system_u:object_r:virtio_device_t,s0)
>  /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
>  
>  /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
> diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
> index 01dd2f1..bfaff9f 100644
> --- a/policy/modules/kernel/terminal.if
> +++ b/policy/modules/kernel/terminal.if
> @@ -1493,3 +1493,22 @@
>  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
>  	term_dontaudit_use_all_ttys($1)
>  ')
> +
> +########################################
> +## <summary>
> +##	Read from and write to virtio console.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`term_use_virtio_console',`
> +	gen_require(`
> +		type virtio_device_t;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 virtio_device_t:chr_file rw_chr_file_perms;
> +')

Is this really only a console/serial device? The bits that I can find seem to imply it's more than just a console, but I'm not sure.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

