* [refpolicy] [PATCH v3] New policy for tboot utilities
@ 2016-03-07 15:33 Luis Ressel
  2016-03-08 13:53 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Luis Ressel @ 2016-03-07 15:33 UTC (permalink / raw)
  To: refpolicy

tboot is an OSS project for using the features of Intel TXT. Some of its
included utilities (might) need special permissions. For now, there's
only a policy for txt-stat (it needs access to /dev/mem).
---
 tboot.fc |  1 +
 tboot.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 tboot.te | 24 ++++++++++++++++++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 tboot.fc
 create mode 100644 tboot.if
 create mode 100644 tboot.te

diff --git a/tboot.fc b/tboot.fc
new file mode 100644
index 0000000..437e1d5
--- /dev/null
+++ b/tboot.fc
@@ -0,0 +1 @@
+/usr/sbin/txt-stat		--	gen_context(system_u:object_r:txtstat_exec_t,s0)
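Review bot: the single file context matches only the literal path /usr/sbin/txt-stat, so a txt-stat binary installed at any other location keeps its default label and never enters txtstat_t through the transition defined in tboot.if. If other install paths are expected, add one entry per path. Since the commit message says further tboot utilities may need permissions later, a short comment in this file noting that txt-stat is the only labelled tool so far would also help.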
diff --git a/tboot.if b/tboot.if
new file mode 100644
index 0000000..0ffe6d8
--- /dev/null
+++ b/tboot.if
@@ -0,0 +1,46 @@
+## <summary>Utilities for the tboot TXT module.</summary>
+
+########################################
+## <summary>
+##	Execute txt-stat in the txtstat domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tboot_domtrans_txtstat',`
+	gen_require(`
+		type txtstat_t, txtstat_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, txtstat_exec_t, txtstat_t)
+')
+
+########################################
+## <summary>
+##	Execute txt-stat in the txtstat domain, and
+##	allow the specified role the txtstat domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the txtstat domain.
+##	</summary>
+## </param>
+#
+interface(`tboot_run_txtstat',`
+	gen_require(`
+		type txtstat_t;
+		attribute_role txtstat_roles;
+	')
+
+	tboot_domtrans_txtstat($1)
+	roleattribute $2 txtstat_roles;
+')
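Review bot: in tboot_run_txtstat the gen_require block lists "type txtstat_t;" but the interface body never references txtstat_t. It uses only txtstat_roles and the call to tboot_domtrans_txtstat, which carries its own require for the types. Dropping the unused type from this require keeps the interface's stated dependencies down to what it actually uses.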
diff --git a/tboot.te b/tboot.te
new file mode 100644
index 0000000..4961a36
--- /dev/null
+++ b/tboot.te
@@ -0,0 +1,24 @@
+policy_module(tboot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role txtstat_roles;
+roleattribute system_r txtstat_roles;
+
+type txtstat_t;
+type txtstat_exec_t;
+application_domain(txtstat_t, txtstat_exec_t)
+role txtstat_roles types txtstat_t;
+
+########################################
+#
+# Local policy
+#
+
+dev_read_raw_memory(txtstat_t)
+
+domain_use_interactive_fds(txtstat_t)
+userdom_use_user_terminals(txtstat_t)
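Review bot: dev_read_raw_memory(txtstat_t) under "Local policy" is the one sensitive grant in this module and it carries no comment. The reason for it (txt-stat needs access to /dev/mem) is recorded only in the commit message. Put that reason in a comment directly above the line so a later audit of raw-memory readers does not depend on the mail archive. Separately, the declarations add system_r to txtstat_roles, yet none of the three files calls tboot_run_txtstat or tboot_domtrans_txtstat, so it is worth stating which domains are expected to start txt-stat.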
-- 
2.7.2


* [refpolicy] [PATCH v3] New policy for tboot utilities
  2016-03-07 15:33 [refpolicy] [PATCH v3] New policy for tboot utilities Luis Ressel
@ 2016-03-08 13:53 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2016-03-08 13:53 UTC (permalink / raw)
  To: refpolicy

On 3/7/2016 10:33 AM, Luis Ressel wrote:
> tboot is an OSS project for using the features of Intel TXT. Some of its
> included utilities (might) need special permissions. For now, there's
> only a policy for txt-stat (it needs access to /dev/mem).

Merged.



> ---
>  tboot.fc |  1 +
>  tboot.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
>  tboot.te | 24 ++++++++++++++++++++++++
>  3 files changed, 71 insertions(+)
>  create mode 100644 tboot.fc
>  create mode 100644 tboot.if
>  create mode 100644 tboot.te
> 
> diff --git a/tboot.fc b/tboot.fc
> new file mode 100644
> index 0000000..437e1d5
> --- /dev/null
> +++ b/tboot.fc
> @@ -0,0 +1 @@
> +/usr/sbin/txt-stat		--	gen_context(system_u:object_r:txtstat_exec_t,s0)
> diff --git a/tboot.if b/tboot.if
> new file mode 100644
> index 0000000..0ffe6d8
> --- /dev/null
> +++ b/tboot.if
> @@ -0,0 +1,46 @@
> +## <summary>Utilities for the tboot TXT module.</summary>
> +
> +########################################
> +## <summary>
> +##	Execute txt-stat in the txtstat domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`tboot_domtrans_txtstat',`
> +	gen_require(`
> +		type txtstat_t, txtstat_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, txtstat_exec_t, txtstat_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute txt-stat in the txtstat domain, and
> +##	allow the specified role the txtstat domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	The role to be allowed the txtstat domain.
> +##	</summary>
> +## </param>
> +#
> +interface(`tboot_run_txtstat',`
> +	gen_require(`
> +		type txtstat_t;
> +		attribute_role txtstat_roles;
> +	')
> +
> +	tboot_domtrans_txtstat($1)
> +	roleattribute $2 txtstat_roles;
> +')
> diff --git a/tboot.te b/tboot.te
> new file mode 100644
> index 0000000..4961a36
> --- /dev/null
> +++ b/tboot.te
> @@ -0,0 +1,24 @@
> +policy_module(tboot, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role txtstat_roles;
> +roleattribute system_r txtstat_roles;
> +
> +type txtstat_t;
> +type txtstat_exec_t;
> +application_domain(txtstat_t, txtstat_exec_t)
> +role txtstat_roles types txtstat_t;
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +dev_read_raw_memory(txtstat_t)
> +
> +domain_use_interactive_fds(txtstat_t)
> +userdom_use_user_terminals(txtstat_t)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
