From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH v2] Module for tpm2
Date: Mon, 5 Aug 2019 19:13:02 +0000
Message-ID: <20190805191253.17089-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Module for tpm2

v2 - updated to rename module and interface names, different dbus interface

Signed-off-by: Dave Sugar
---
 policy/modules/services/tpm2.fc |  3 ++
 policy/modules/services/tpm2.if | 58 +++++++++++++++++++++++++++++++++
 policy/modules/services/tpm2.te | 30 +++++++++++++++++
 3 files changed, 91 insertions(+)
 create mode 100644 policy/modules/services/tpm2.fc
 create mode 100644 policy/modules/services/tpm2.if
 create mode 100644 policy/modules/services/tpm2.te

diff --git a/policy/modules/services/tpm2.fc b/policy/modules/services/tpm2= .fc new file mode 100644 index 00000000..4ccf2f25 --- /dev/null +++ b/policy/modules/services/tpm2.fc 
@@ -0,0 +1,3 @@ +/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_ex= ec_t,s0) + +/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service -- gen_context(system_u:o= bject_r:tpm2_abrmd_unit_t,s0) diff --git a/policy/modules/services/tpm2.if b/policy/modules/services/tpm2= .if new file mode 100644 index 00000000..55133e4a --- /dev/null +++ b/policy/modules/services/tpm2.if @@ -0,0 +1,58 @@ +## Trusted Platform Module 2.0 + +######################################## +## +## Allow specified domain to enable/disable tpm2-abrmd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`tpm2_enabledisable_abrmd',` + gen_require(` + type tpm2_abrmd_unit_t; + class service { enable disable }; + ') + + allow $1 tpm2_abrmd_unit_t:service { enable disable }; +') + +######################################## +## +## Allow specified domain to start/stop tpm2-abrmd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`tpm2_startstop_abrmd',` + gen_require(` + type tpm2_abrmd_unit_t; + class service { start stop }; + ') + + allow $1 tpm2_abrmd_unit_t:service { start stop }; +') + +######################################## +## +## Allow specified domain to get status of tpm2-abrmd unit +## +## +## +## Domain allowed access. +## +## +# +interface(`tpm2_status_abrmd',` + gen_require(` + type tpm2_abrmd_unit_t; + class service status; + ') + + allow $1 tpm2_abrmd_unit_t:service status; +') diff --git a/policy/modules/services/tpm2.te b/policy/modules/services/tpm2= .te new file mode 100644 index 00000000..aa607771 --- /dev/null +++ b/policy/modules/services/tpm2.te 
@@ -0,0 +1,30 @@ +policy_module(tpm2, 1.0.0) + +######################################## +# +# Declarations +# + +type tpm2_abrmd_t; +type tpm2_abrmd_exec_t; +init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t) + +type tpm2_abrmd_unit_t; +init_unit_file(tpm2_abrmd_unit_t) + +######################################## +# +# Local policy +# + +allow tpm2_abrmd_t self:process signal; +allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms; + +dev_rw_tpm(tpm2_abrmd_t) + +kernel_read_crypto_sysctls(tpm2_abrmd_t) +kernel_read_system_state(tpm2_abrmd_t) + +optional_policy(` + dbus_system_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t) +') --=20 2.21.0
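Review bot: the executable entry in tpm2.fc labels only `/usr/sbin/tpm2-abrmd`; if a distribution installs the daemon under `/usr/bin` instead, the binary stays unlabelled and init will not transition it into tpm2_abrmd_t, so consider adding a matching `/usr/bin/tpm2-abrmd -- gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)` entry alongside it. The unit-file pattern `[^/]*tpm2-abrmd\.service` is fine as written.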
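Review bot: tpm2.if covers only unit-file management (enable/disable, start/stop, status) and exposes nothing for domains that actually talk to the resource manager; since tpm2.te puts tpm2_abrmd_t on the system bus via dbus_system_domain, a client interface such as `tpm2_dbus_chat_abrmd` (gen_require `type tpm2_abrmd_t; class dbus send_msg;`, then `allow $1 tpm2_abrmd_t:dbus send_msg;` and `allow tpm2_abrmd_t $1:dbus send_msg;`) is needed before any other domain in the policy can use the daemon. A `tpm2_admin` interface that bundles the three unit interfaces would also match the layout of the other service modules.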
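Review bot: the local policy in tpm2.te grants no logging or localization access; if the daemon reports errors through syslog or the journal it will be denied without `logging_send_syslog_msg(tpm2_abrmd_t)`, and `miscfiles_read_localization(tpm2_abrmd_t)` is the usual companion for a daemon domain. The `optional_policy` block around `dbus_system_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)` is the change the commit message describes only as "different dbus interface"; a one-line comment saying why the v1 interface was replaced would help future readers of the module.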