From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 3/5] Support /sys/devices/system/cpu/online
Date: Fri, 4 Apr 2014 16:09:47 -0400
Message-ID: <533F118B.1060601@tresys.com>
In-Reply-To: <1395779408-29213-4-git-send-email-sven.vermeulen@siphos.be>
On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so
> we need to grant most domains read access to this file. As we don't want
> them to have read access on sysfs_t by default, create a new type
> (cpu_online_t) and assign it to the file, and grant domains read access
> to the file.
>
> This does require systems to relabel the file upon every boot, something
> distributions do in their bootup scripts, as /sys devices don't keep
> their context.
Merged.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
> policy/modules/kernel/devices.te | 7 +++++++
> policy/modules/kernel/domain.te | 3 +++
> 4 files changed, 36 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index b31c054..d6ebfcd 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -199,6 +199,7 @@ ifdef(`distro_debian',`
> /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
>
> /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
> +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
>
> ifdef(`distro_redhat',`
> # originally from named.fc
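Review bot: The new `/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)` entry only takes effect after a relabel, since sysfs does not persist contexts and the kernel mounts it as sysfs_t; a distribution that does not run restorecon over /sys at boot will still see the file as sysfs_t and the new type grants nothing. Worth a short comment next to the entry (or in devices.te) saying the path must be relabeled on every boot, so the dependency stated in the commit message survives in the policy source.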
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 1884413..c2d0f08 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -4854,6 +4854,31 @@ interface(`dev_create_zero_dev',`
>
> ########################################
> ## <summary>
> +## Read cpu online hardware state information
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read /sys/devices/system/cpu/online
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_read_cpu_online',`
> + gen_require(`
> + type cpu_online_t;
> + ')
> +
> + allow $1 cpu_online_t:file read_file_perms;
> +
> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Unconfined access to devices.
> ## </summary>
> ## <param name="domain">
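Review bot: Placement is the main style point here: `dev_read_cpu_online` is inserted after `dev_create_zero_dev`, at the end of the device-ordered section, whereas devices.if keeps interfaces grouped by device name, so this one belongs with the other cpu interfaces. On the body, note that `dev_search_sysfs($1)` makes the interface grant search on sysfs_t directories in addition to `cpu_online_t:file read_file_perms`; that is required to reach the file, but the <desc> should mention it so callers know they are getting more than a single-file read.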
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 520f4ee..d34807f 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -60,6 +60,13 @@ type cpu_device_t;
> dev_node(cpu_device_t)
>
> #
> +# /sys/devices/system/cpu/online device
> +#
> +type cpu_online_t;
> +files_type(cpu_online_t)
> +dev_associate_sysfs(cpu_online_t)
> +
> +#
> # Type for /dev/crash
> #
> type crash_device_t;
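Review bot: The comment `# /sys/devices/system/cpu/online device` is misleading next to blocks like `# Type for /dev/crash`: this is a sysfs attribute file, not a device node, which is also why the declaration correctly uses `files_type(cpu_online_t)` plus `dev_associate_sysfs(cpu_online_t)` rather than `dev_node()`. Suggest rewording to something like `# Type for /sys/devices/system/cpu/online (sysfs file)` so the distinction from the dev_node types around it is explicit.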
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index cf04cb5..3a55334 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -96,6 +96,9 @@ kernel_dontaudit_link_key(domain)
> # create child processes in the domain
> allow domain self:process { fork sigchld };
>
> +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
> +dev_read_cpu_online(domain)
> +
> # Use trusted objects in /dev
> dev_rw_null(domain)
> dev_rw_zero(domain)
>
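Review bot: `dev_read_cpu_online(domain)` grants every domain not just read on cpu_online_t but, through the `dev_search_sysfs($1)` call inside the interface, search on sysfs_t directories as well; since the commit message says the point is to avoid giving domains sysfs_t access by default, the message should state that directory search is still granted globally. A smaller point: the new lines sit under the "create child processes in the domain" block, whereas they logically belong beside the `# Use trusted objects in /dev` grants that follow, so moving them below that comment keeps the section grouping intact.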
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com