Subject: Re: [PATCH] Module for tpm2-abrmd
To: "Sugar, David", "selinux-refpolicy@vger.kernel.org"
References: <20190725144316.10409-1-dsugar@tresys.com> <4438bc8f-0322-bd10-eab7-5556ecf49278@ieee.org> <9b4106cc-010b-806b-f046-f8938fa31be3@tresys.com>
From: Chris PeBenito
Message-ID: <1957a621-eac9-fdcf-0b6d-9bced8d244b1@ieee.org>
Date: Wed, 31 Jul 2019 20:01:53 -0400
In-Reply-To: <9b4106cc-010b-806b-f046-f8938fa31be3@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 7/29/19 9:48 PM, Sugar, David wrote:
>
>
> On 7/29/19 8:49 PM, Chris PeBenito wrote:
>> On 7/25/19 10:43 AM, Sugar, David wrote:
>>> Signed-off-by: Dave Sugar
>>> ---
>>>   policy/modules/services/tpm2_abrmd.fc |  3 ++
>>>   policy/modules/services/tpm2_abrmd.if | 58 +++++++++++++++++++++++++++
>>>   policy/modules/services/tpm2_abrmd.te | 29 ++++++++++++++
>>>   3 files changed, 90 insertions(+)
>>>   create mode 100644 policy/modules/services/tpm2_abrmd.fc
>>>   create mode 100644 policy/modules/services/tpm2_abrmd.if
>>>   create mode 100644 policy/modules/services/tpm2_abrmd.te
>>
>> I think my only question is about the module name. Why not tpm2? I'm not well versed on the Linux TPM stack, but aren't there other components that potentially could need policy, like tss or totp?
>>
>>
> I used this name because the only SELinux policy needed was for the daemon 'tpm2-abrmd'. The processes that interact with the daemon to actually use the tpm are using the default bin_t label and don't seem to need any additional permissions. In my case I'm using /bin/tpm2_* and /bin/clevis.
>
> I see a tss package but it is only adding libraries. I don't see a package for totp. I'm working on RHEL7.6 so there could be additional binaries on other distributions that will need labeling.
>
> I'm happy to go either way here. I don't have a strong feeling if other tpm2 related stuff should get grouped into a single module or if they should be separate.
>
> I'm pretty sure anything using a tpm2 will need to use abrmd to access the TPM. I just don't have enough insight to know if those other binaries will need labeling and policy.
>
> If the decision is made to use tpm2.{fc,if,te} would any of the policy change? I feel like the fc and te files are still correct. Interface names might be changed slightly, but also might be OK as is.

I think we should go with just tpm.*. Renaming modules is painful for backwards compat. The interface names would change, e.g. tpm2_enabledisable_abrmd, otherwise it seems ok.

> Dave
> >> >>> diff --git a/policy/modules/services/tpm2_abrmd.fc >>> b/policy/modules/services/tpm2_abrmd.fc >>> new file mode 100644 >>> index 00000000..4ccf2f25 >>> --- /dev/null >>> +++ b/policy/modules/services/tpm2_abrmd.fc >>> @@ -0,0 +1,3 @@ >>> +/usr/sbin/tpm2-abrmd                                -- >>> gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0) >>> + >>> +/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service    -- >>> gen_context(system_u:object_r:tpm2_abrmd_unit_t,s0) >>> diff --git a/policy/modules/services/tpm2_abrmd.if >>> b/policy/modules/services/tpm2_abrmd.if >>> new file mode 100644 >>> index 00000000..dabb4a65 >>> --- /dev/null >>> +++ b/policy/modules/services/tpm2_abrmd.if 
>>> @@ -0,0 +1,58 @@ >>> +## TPM2 Access Broker and Resource Management daemon. >>> + >>> +######################################## >>> +## >>> +##    Allow specified domain to enable/disable tpm2-abrmd unit >>> +## >>> +## >>> +##    >>> +##    Domain allowed access. >>> +##    >>> +## >>> +# >>> +interface(`tpm2_abrmd_enabledisable',` >>> +    gen_require(` >>> +        type tpm2_abrmd_unit_t; >>> +        class service { enable disable }; >>> +    ') >>> + >>> +    allow $1 tpm2_abrmd_unit_t:service { enable disable }; >>> +') >>> + >>> +######################################## >>> +## >>> +##    Allow specified domain to start/stop tpm2-abrmd unit >>> +## >>> +## >>> +##    >>> +##    Domain allowed access. >>> +##    >>> +## >>> +# >>> +interface(`tpm2_abrmd_startstop',` >>> +    gen_require(` >>> +        type tpm2_abrmd_unit_t; >>> +        class service { start stop }; >>> +    ') >>> + >>> +    allow $1 tpm2_abrmd_unit_t:service { start stop }; >>> +') >>> + >>> +######################################## >>> +## >>> +##    Allow specified domain to get status of tpm2-abrmd unit >>> +## >>> +## >>> +##    >>> +##    Domain allowed access. >>> +##    >>> +## >>> +# >>> +interface(`tpm2_abrmd_status',` >>> +    gen_require(` >>> +        type tpm2_abrmd_unit_t; >>> +        class service status; >>> +    ') >>> + >>> +    allow $1 tpm2_abrmd_unit_t:service status; >>> +') >>> diff --git a/policy/modules/services/tpm2_abrmd.te >>> b/policy/modules/services/tpm2_abrmd.te >>> new file mode 100644 >>> index 00000000..8a8ba5f0 >>> --- /dev/null >>> +++ b/policy/modules/services/tpm2_abrmd.te 
>>> @@ -0,0 +1,29 @@ >>> +policy_module(tpm2_abrmd, 1.0.0) >>> + >>> +######################################## >>> +# >>> +# Declarations >>> +# >>> + >>> +type tpm2_abrmd_t; >>> +type tpm2_abrmd_exec_t; >>> +init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t) >>> + >>> +type tpm2_abrmd_unit_t; >>> +init_unit_file(tpm2_abrmd_unit_t) >>> + >>> +######################################## >>> +# >>> +# Local policy >>> +# >>> + >>> +allow tpm2_abrmd_t self:process signal; >>> +allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms; >>> + >>> +dev_rw_tpm(tpm2_abrmd_t) >>> + >>> +kernel_read_crypto_sysctls(tpm2_abrmd_t) >>> +kernel_read_system_state(tpm2_abrmd_t) >>> + >>> +dbus_system_bus_client(tpm2_abrmd_t) >>> +dbus_connect_system_bus(tpm2_abrmd_t) >>> >> >> -- Chris PeBenito
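Review bot: in the tpm2_abrmd.fc hunk, both contexts are tied to the module name (tpm2_abrmd_exec_t, tpm2_abrmd_unit_t), so the rename to tpm.* proposed in the reply above means these two lines have to be updated together with the type declarations in the .te file, e.g. `gen_context(system_u:object_r:tpm_abrmd_exec_t,s0)`; otherwise the patterns look right, and `[^/]*tpm2-abrmd\.service` deliberately also catches distro-prefixed unit names.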
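Review bot: the tpm2_abrmd.if hunk has no interface for client domains to talk to the daemon, even though the discussion above says the tpm2_* tools and clevis reach the TPM through tpm2-abrmd and the .te hunk makes the daemon a D-Bus client that owns a bus name; that works today only because those clients run in unconfined domains. A confined client needs `dbus send_msg` in both directions, so add something like `tpm2_abrmd_dbus_chat(domain)` containing `allow $1 tpm2_abrmd_t:dbus send_msg;` and `allow tpm2_abrmd_t $1:dbus send_msg;`. The three unit interfaces also grant only service permissions; refpolicy normally pairs these with `allow $1 tpm2_abrmd_unit_t:file read_file_perms;` (as init_startstop_service does), and a single `_admin` interface built on init_startstop_service would be the conventional shape here.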
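Review bot: in the tpm2_abrmd.te hunk, `dbus_system_bus_client(tpm2_abrmd_t)` and `dbus_connect_system_bus(tpm2_abrmd_t)` must be wrapped in `optional_policy(` ... `)`, since dbus is a separate module in refpolicy and the module will fail to build where it is not loaded; refpolicy ordering also puts the two kernel_* calls before dev_rw_tpm. Worth checking in permissive mode whether the daemon's log output needs `logging_send_syslog_msg(tpm2_abrmd_t)`, since nothing in the local policy covers syslog.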