* [refpolicy] [PATCH v1 0/2] Support cachefiles
@ 2012-09-23 15:15 Dominick Grift
  2012-09-23 15:15 ` [refpolicy] [PATCH v1 1/2] Declare a cachfiles device node type Dominick Grift
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Dominick Grift @ 2012-09-23 15:15 UTC (permalink / raw)
  To: refpolicy

These are needed by cachefilesd

Dominick Grift (2):
  Declare a cachfiles device node type
  Implement files_create_all_files_as() for cachefilesd

 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 19 +++++++++++++++++++
 policy/modules/kernel/devices.te |  3 +++
 policy/modules/kernel/files.if   | 18 ++++++++++++++++++
 4 files changed, 41 insertions(+)

-- 
1.7.11.4

* [refpolicy] [PATCH v1 1/2] Declare a cachfiles device node type
  2012-09-23 15:15 [refpolicy] [PATCH v1 0/2] Support cachefiles Dominick Grift
@ 2012-09-23 15:15 ` Dominick Grift
  2012-09-23 15:15 ` [refpolicy] [PATCH v1 2/2] Implement files_create_all_files_as() for cachefilesd Dominick Grift
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2012-09-23 15:15 UTC (permalink / raw)
  To: refpolicy

Used by kernel to communicate with user space (cachefilesd)
Label the character file accordingly

Create a dev_rw_cachefiles_dev() for cachefilesd

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 19 +++++++++++++++++++
 policy/modules/kernel/devices.te |  3 +++
 3 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 5214c08..ddbfa12 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -17,6 +17,7 @@
 /dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/btrfs-control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/cachefiles	-c	gen_context(system_u:object_r:cachefiles_dev_t,s0)
 /dev/controlD64		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/crash		-c	gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
 /dev/dahdi/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
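Review bot: the new type on the added `/dev/cachefiles` line is named `cachefiles_dev_t`, while every neighbouring entry in this hunk uses the `_device_t` suffix (`autofs_device_t`, `sound_device_t`, `crash_device_t`). Consider `cachefiles_device_t` so the label reads consistently with the entries around it; the same name would then need to change in devices.if and devices.te.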
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index d820975..7b585be 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1560,6 +1560,25 @@ interface(`dev_relabel_autofs_dev',`
 
 ########################################
 ## <summary>
+##	Read and write cachefiles character
+##	device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_cachefiles',`
+	gen_require(`
+		type device_t, cachefiles_dev_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, cachefiles_dev_t)
+')
+
+########################################
+## <summary>
 ##	Read and write the PCMCIA card manager device.
 ## </summary>
 ## <param name="domain">
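Review bot: the interface is declared as `dev_rw_cachefiles`, but the commit message says it creates `dev_rw_cachefiles_dev()`, and the preceding interface in this file is `dev_relabel_autofs_dev`. Pick one name and make the commit message and the declaration agree, so that callers writing the cachefilesd policy reference an interface that exists.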
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 108b68b..52519e3 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -43,6 +43,9 @@ type cardmgr_dev_t;
 dev_node(cardmgr_dev_t)
 files_tmp_file(cardmgr_dev_t)
 
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
 #
 # clock_device_t is the type of
 # /dev/rtc.
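Review bot: the `cachefiles_dev_t` declaration is inserted after `cardmgr_dev_t`, although it sorts before it, and it carries no comment saying which node it labels. If this block is kept in alphabetical order, move it above `cardmgr_dev_t`, and add a short comment in the style of the `clock_device_t` one below, for example that it is the type of /dev/cachefiles.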
-- 
1.7.11.4

* [refpolicy] [PATCH v1 2/2] Implement files_create_all_files_as() for cachefilesd
  2012-09-23 15:15 [refpolicy] [PATCH v1 0/2] Support cachefiles Dominick Grift
  2012-09-23 15:15 ` [refpolicy] [PATCH v1 1/2] Declare a cachfiles device node type Dominick Grift
@ 2012-09-23 15:15 ` Dominick Grift
  2012-10-04 12:25 ` [refpolicy] [PATCH v1 0/2] Support cachefiles Christopher J. PeBenito
  2012-10-04 12:42 ` Sven Vermeulen
  3 siblings, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2012-09-23 15:15 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/kernel/files.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e1e814d..d1e42ac 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1182,6 +1182,24 @@ interface(`files_list_all',`
 
 ########################################
 ## <summary>
+##	Create all files as is.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_create_all_files_as',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 file_type:kernel_service create_files_as;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to search the
 ##	contents of any directories on extended
 ##	attribute filesystems.
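Review bot: the summary "Create all files as is." does not say what `files_create_all_files_as` permits, and the commit message has no body to explain it. The rule `allow $1 file_type:kernel_service create_files_as;` applies to the whole `file_type` attribute, so the summary should state that the caller gets `create_files_as` for every file type, and the commit message should say why cachefilesd needs all file types rather than only the type of its cache directory.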
-- 
1.7.11.4

* [refpolicy] [PATCH v1 0/2] Support cachefiles
  2012-09-23 15:15 [refpolicy] [PATCH v1 0/2] Support cachefiles Dominick Grift
  2012-09-23 15:15 ` [refpolicy] [PATCH v1 1/2] Declare a cachfiles device node type Dominick Grift
  2012-09-23 15:15 ` [refpolicy] [PATCH v1 2/2] Implement files_create_all_files_as() for cachefilesd Dominick Grift
@ 2012-10-04 12:25 ` Christopher J. PeBenito
  2012-10-04 12:42 ` Sven Vermeulen
  3 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2012-10-04 12:25 UTC (permalink / raw)
  To: refpolicy

On 09/23/12 11:15, Dominick Grift wrote:
> These are needed by cachefilesd
> 
> Dominick Grift (2):
>   Declare a cachfiles device node type
>   Implement files_create_all_files_as() for cachefilesd
> 
>  policy/modules/kernel/devices.fc |  1 +
>  policy/modules/kernel/devices.if | 19 +++++++++++++++++++
>  policy/modules/kernel/devices.te |  3 +++
>  policy/modules/kernel/files.if   | 18 ++++++++++++++++++
>  4 files changed, 41 insertions(+)
 
This set is merged, though I renamed the type to cachefiles_device_t.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH v1 0/2] Support cachefiles
  2012-09-23 15:15 [refpolicy] [PATCH v1 0/2] Support cachefiles Dominick Grift
                   ` (2 preceding siblings ...)
  2012-10-04 12:25 ` [refpolicy] [PATCH v1 0/2] Support cachefiles Christopher J. PeBenito
@ 2012-10-04 12:42 ` Sven Vermeulen
  2012-10-04 14:16   ` Dominick Grift
  3 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2012-10-04 12:42 UTC (permalink / raw)
  To: refpolicy

What is the kernel_service class and create_file_as permission for?
On Sep 23, 2012 5:16 PM, "Dominick Grift" <dominick.grift@gmail.com> wrote:

> These are needed by cachefilesd
>
> Dominick Grift (2):
>   Declare a cachfiles device node type
>   Implement files_create_all_files_as() for cachefilesd
>
>  policy/modules/kernel/devices.fc |  1 +
>  policy/modules/kernel/devices.if | 19 +++++++++++++++++++
>  policy/modules/kernel/devices.te |  3 +++
>  policy/modules/kernel/files.if   | 18 ++++++++++++++++++
>  4 files changed, 41 insertions(+)
>
> --
> 1.7.11.4
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
* [refpolicy] [PATCH v1 0/2] Support cachefiles
  2012-10-04 12:42 ` Sven Vermeulen
@ 2012-10-04 14:16   ` Dominick Grift
  0 siblings, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2012-10-04 14:16 UTC (permalink / raw)
  To: refpolicy



On Thu, 2012-10-04 at 14:42 +0200, Sven Vermeulen wrote:
> What is the kernel_service class and create_file_as permission for?

http://www.mail-archive.com/linux-security-module@vger.kernel.org/msg02892.html
