From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/7] Support /sys/devices/system/cpu/online
Date: Mon, 26 Aug 2013 08:49:30 -0400
Message-ID: <521B4EDA.3090902@tresys.com>
In-Reply-To: <1376765506-28924-3-git-send-email-sven.vermeulen@siphos.be>
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need
> to grant most domains read access to this file. As we don't want them to have
> read access on sysfs_t by default, create a new type (cpu_online_t) and assign
> it to the file, and grant domains read access to the file.
>
> This does require systems to relabel the file upon every boot, something
> distributions do in their bootup scripts, as /sys devices don't keep their
> context.
Adding permissions to all domains shouldn't be taken lightly, so I'll have to do some additional research.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
> policy/modules/kernel/devices.te | 7 +++++++
> policy/modules/kernel/domain.te | 2 ++
> 4 files changed, 35 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index b31c054..d6ebfcd 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -199,6 +199,7 @@ ifdef(`distro_debian',`
> /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
>
> /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
> +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
>
> ifdef(`distro_redhat',`
> # originally from named.fc
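Review bot: the new file context entry for /sys/devices/system/cpu/online only takes effect after something relabels /sys, because sysfs is labelled by the kernel at mount time rather than from file_contexts; the commit message relies on distribution boot scripts to run that relabel, but nothing in the policy records the dependency. Add a comment above the new line saying the label is only applied by a restorecon over /sys at boot, and consider whether a genfscon entry for the sysfs path in devices.te would remove the dependency on boot scripts altogether; on a system that never relabels /sys the file stays sysfs_t and the new rule in domain.te grants nothing useful.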
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 76f285e..49f0acb 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -4836,6 +4836,31 @@ interface(`dev_create_zero_dev',`
>
> ########################################
> ## <summary>
> +## Read cpu online hardware state information
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read /sys/devices/system/cpu/online
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_read_cpu_online',`
> + gen_require(`
> + type cpu_online_t;
> + ')
> +
> + allow $1 cpu_online_t:file read_file_perms;
> +
> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Unconfined access to devices.
> ## </summary>
> ## <param name="domain">
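Review bot: the new interface lands between dev_create_zero_dev and dev_unconfined, i.e. after the zero-device interfaces rather than next to the existing cpu_device_t interfaces; devices.if groups interfaces by device, so move dev_read_cpu_online into the cpu section. The body itself is fine: read_file_perms on cpu_online_t plus dev_search_sysfs($1) covers the directory walk through /sys/devices/system/cpu, which stays sysfs_t.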
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 0b1a871..0d7790c 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -60,6 +60,13 @@ type cpu_device_t;
> dev_node(cpu_device_t)
>
> #
> +# /sys/devices/system/cpu/online device
> +#
> +type cpu_online_t;
> +files_type(cpu_online_t)
> +dev_associate_sysfs(cpu_online_t)
> +
> +#
> # Type for /dev/crash
> #
> type crash_device_t;
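Review bot: the block comment calls /sys/devices/system/cpu/online a device, but the type is for a sysfs file rather than a device node (contrast cpu_device_t just above, declared with dev_node); reword it along the lines of `# /sys/devices/system/cpu/online sysfs file` so readers do not look for a /dev entry. Declaring it with files_type and dev_associate_sysfs is the right pair: associate lets the type exist on the sysfs filesystem, and files_type puts it under file_type, so domains with broad read-all-files access reach it without the new interface, which is worth keeping in mind when weighing how widely dev_read_cpu_online is granted.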
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index cf04cb5..ea5cdee 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain)
> # create child processes in the domain
> allow domain self:process { fork sigchld };
>
> +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
> +dev_read_cpu_online(domain)
> # Use trusted objects in /dev
> dev_rw_null(domain)
> dev_rw_zero(domain)
>
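Review bot: the inserted lines run straight into the `# Use trusted objects in /dev` comment block with no separating blank line, so the comment for dev_rw_null now reads as a continuation of the get_nprocs note; add a blank line after `dev_read_cpu_online(domain)`. More importantly, this grants the read to the `domain` attribute, which is every process type in the policy; if glibc falls back gracefully when the read of /sys/devices/system/cpu/online is denied, a dontaudit on cpu_online_t would silence the noise without widening every domain, and if it does not, the commit message should say so, since that is the justification a blanket grant on domain needs.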
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com