To: selinux-refpolicy@vger.kernel.org
From: Topi Miettinen
Subject: Access to raw memory: remove or make boolean?
Message-ID: <11011d01-844e-c526-a85f-92a7fc985d16@gmail.com>
Date: Mon, 24 Feb 2020 17:11:46 +0200

Hi,

I made PR 192 (https://github.com/SELinuxProject/refpolicy/pull/192) for introducing a new boolean to disable access to raw memory devices (/dev/mem, /dev/kmem, /dev/mergemem, /dev/oldmem, /dev/port), because on modern systems direct access shouldn't be needed anymore. Chris PeBenito asked me to propose to this list whether, instead of a boolean, the access should be removed unconditionally if it's no longer needed.

I think a boolean could be useful for those systems where this is still needed but which still use the latest reference policy.

-Topi Miettinen