Subject: Re: [PATCH] Module for tpm2-abrmd
To: "Sugar, David", "selinux-refpolicy@vger.kernel.org"
References: <20190725144316.10409-1-dsugar@tresys.com>
From: Chris PeBenito
Message-ID: <4438bc8f-0322-bd10-eab7-5556ecf49278@ieee.org>
Date: Mon, 29 Jul 2019 20:49:20 -0400
In-Reply-To: <20190725144316.10409-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 7/25/19 10:43 AM, Sugar, David wrote:
> Signed-off-by: Dave Sugar > --- > policy/modules/services/tpm2_abrmd.fc | 3 ++ > policy/modules/services/tpm2_abrmd.if | 58 +++++++++++++++++++++++++++ > policy/modules/services/tpm2_abrmd.te | 29 ++++++++++++++ > 3 files changed, 90 insertions(+) > create mode 100644 policy/modules/services/tpm2_abrmd.fc > create mode 100644 policy/modules/services/tpm2_abrmd.if > create mode 100644 policy/modules/services/tpm2_abrmd.te I think my only question is about the module name. Why not tpm2? I'm not well versed on the Linux TPM stack, but aren't there other components that potentially could need policy, like tss or totp? > diff --git a/policy/modules/services/tpm2_abrmd.fc b/policy/modules/services/tpm2_abrmd.fc > new file mode 100644 > index 00000000..4ccf2f25 > --- /dev/null > +++ b/policy/modules/services/tpm2_abrmd.fc > @@ -0,0 +1,3 @@ > +/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0) > + > +/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service -- gen_context(system_u:object_r:tpm2_abrmd_unit_t,s0) > diff --git a/policy/modules/services/tpm2_abrmd.if b/policy/modules/services/tpm2_abrmd.if > new file mode 100644 > index 00000000..dabb4a65 > --- /dev/null > +++ b/policy/modules/services/tpm2_abrmd.if 
> @@ -0,0 +1,58 @@ > +## TPM2 Access Broker and Resource Management daemon. > + > +######################################## > +## > +## Allow specified domain to enable/disable tpm2-abrmd unit > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`tpm2_abrmd_enabledisable',` > + gen_require(` > + type tpm2_abrmd_unit_t; > + class service { enable disable }; > + ') > + > + allow $1 tpm2_abrmd_unit_t:service { enable disable }; > +') > + > +######################################## > +## > +## Allow specified domain to start/stop tpm2-abrmd unit > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`tpm2_abrmd_startstop',` > + gen_require(` > + type tpm2_abrmd_unit_t; > + class service { start stop }; > + ') > + > + allow $1 tpm2_abrmd_unit_t:service { start stop }; > +') > + > +######################################## > +## > +## Allow specified domain to get status of tpm2-abrmd unit > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`tpm2_abrmd_status',` > + gen_require(` > + type tpm2_abrmd_unit_t; > + class service status; > + ') > + > + allow $1 tpm2_abrmd_unit_t:service status; > +') > diff --git a/policy/modules/services/tpm2_abrmd.te b/policy/modules/services/tpm2_abrmd.te > new file mode 100644 > index 00000000..8a8ba5f0 > --- /dev/null > +++ b/policy/modules/services/tpm2_abrmd.te 
> @@ -0,0 +1,29 @@ > +policy_module(tpm2_abrmd, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type tpm2_abrmd_t; > +type tpm2_abrmd_exec_t; > +init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t) > + > +type tpm2_abrmd_unit_t; > +init_unit_file(tpm2_abrmd_unit_t) > + > +######################################## > +# > +# Local policy > +# > + > +allow tpm2_abrmd_t self:process signal; > +allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms; > + > +dev_rw_tpm(tpm2_abrmd_t) > + > +kernel_read_crypto_sysctls(tpm2_abrmd_t) > +kernel_read_system_state(tpm2_abrmd_t) > + > +dbus_system_bus_client(tpm2_abrmd_t) > +dbus_connect_system_bus(tpm2_abrmd_t) > -- Chris PeBenito
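Review bot: the tpm2_abrmd.fc hunk labels only the executable (/usr/sbin/tpm2-abrmd) and the systemd unit; no runtime state (pid file, socket, or runtime directory) gets a type, and the .te side requests no file interfaces either, so anything the daemon writes under /run or /var would land in a generic type and be denied. Before merging, run the daemon in permissive mode and check the audit log for file-class denials; if it does create runtime objects, add a dedicated file type with matching entries here and a file transition rule in the .te.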
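Review bot: the tpm2_abrmd.if hunk exposes only unit control (enable/disable, start/stop, status) and gives client domains no way to reach the daemon, even though the .te makes it a D-Bus system bus client and a resource manager only exists to be talked to. Consider a `tpm2_abrmd_dbus_chat` interface (gen_require the daemon type and `class dbus send_msg;`, then allow send_msg in both directions between $1 and tpm2_abrmd_t) so TSS client domains can be granted access without ad-hoc rules, plus an `_admin` interface bundling the three unit interfaces for administrative roles. Minor: the documentation blocks show bare `##` lines where the `<summary>` and `<param name="domain">` XML belongs; confirm the tags are present in the committed file, since the interface documentation generator depends on them.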
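Review bot: in the tpm2_abrmd.te hunk, `dbus_system_bus_client(tpm2_abrmd_t)` and `dbus_connect_system_bus(tpm2_abrmd_t)` are called unconditionally; interfaces from the dbus module are wrapped in `optional_policy(\`` ... `')` in this tree so the module still builds when dbus is absent. The local policy also carries none of the base calls most daemons here need (for example `files_read_etc_files` and `miscfiles_read_localization`), and the self rules stop at `process signal` and `unix_stream_socket create_socket_perms`, which suggests the rule set came from a single audit run; a second permissive-mode pass covering daemon start, a client session over D-Bus and shutdown would show whether anything is missing before the policy is enforced.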