Date: Sat, 5 Aug 2023 11:42:59 +1000
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] policy for firmware update daemon fwupd
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This adds policy for the firmware update daemon, which updates the system BIOS as well as connected devices such as Thunderbolt docks. I think it's ready to merge.

Signed-off-by: Russell Coker

Index: refpolicy-2.20230629/policy/modules/system/fwupd.fc =================================================================== --- /dev/null +++ refpolicy-2.20230629/policy/modules/system/fwupd.fc @@ -0,0 +1,5 @@ +/usr/bin/fwupdmgr -- gen_context(system_u:object_r:fwupd_exec_t,s0) +/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) +/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0) +/var/cache/fwupd(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0) +/etc/fwupd(/.*)? gen_context(system_u:object_r:fwupd_conf_t,s0) Index: refpolicy-2.20230629/policy/modules/system/fwupd.if =================================================================== --- /dev/null +++ refpolicy-2.20230629/policy/modules/system/fwupd.if
@@ -0,0 +1,29 @@ +## Policy for firmwate update daemon and utility. + +######################################## +## +## Execute fwupd in the user role +## the kmod domain, and use the caller's terminal. +## Has a sigchld backchannel. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`fwupd_run',` + gen_require(` + attribute_role fwupd_roles; + type fwupd_exec_t, fwupd_t; + ') + + domtrans_pattern($1, fwupd_exec_t, fwupd_t) + roleattribute $2 fwupd_roles; +') Index: refpolicy-2.20230629/policy/modules/system/fwupd.te =================================================================== --- /dev/null +++ refpolicy-2.20230629/policy/modules/system/fwupd.te 
@@ -0,0 +1,153 @@ +policy_module(fwupd) + + +attribute_role fwupd_roles; +type fwupd_t; +type fwupd_exec_t; +init_daemon_domain(fwupd_t, fwupd_exec_t) +role fwupd_roles types fwupd_t; + +type fwupd_var_lib_t; +files_type(fwupd_var_lib_t) + +type fwupd_cache_t; +files_type(fwupd_cache_t) + +type fwupd_conf_t; +files_type(fwupd_conf_t) + +type fwupd_tmpfs_t; +files_tmpfs_file(fwupd_tmpfs_t) + +type fwupd_runtime_t; +files_runtime_file(fwupd_runtime_t) + +# sys_admin is for "FuPluginUefiCapsule skipping device that failed coldplug: failed to read fw_class" +allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_rawio sys_admin }; + +allow fwupd_t self:process { signal getsched setsched }; +allow fwupd_t self:fifo_file { getattr read write }; +allow fwupd_t self:fd use; + +allow fwupd_t self:netlink_kobject_uevent_socket { create getattr setopt bind read }; +sysnet_dns_name_resolve(fwupd_t) +corenet_tcp_connect_generic_port(fwupd_t) +corenet_tcp_connect_http_port(fwupd_t) + +allow fwupd_t fwupd_conf_t:dir { watch list_dir_perms }; +allow fwupd_t fwupd_conf_t:file read_file_perms; + +allow fwupd_t fwupd_var_lib_t:dir { watch manage_dir_perms }; +allow fwupd_t fwupd_var_lib_t:file { manage_file_perms }; + +allow fwupd_t fwupd_cache_t:dir { watch manage_dir_perms }; +allow fwupd_t fwupd_cache_t:file { map manage_file_perms }; + +auth_write_pam_motd_files(fwupd_t) + +fs_tmpfs_filetrans(fwupd_t, fwupd_tmpfs_t, { file }) +allow fwupd_t fwupd_tmpfs_t:file manage_file_perms; + +allow fwupd_t fwupd_runtime_t:file manage_file_perms; + +kernel_read_kernel_sysctls(fwupd_t) +# for /proc/filesystems etc +kernel_read_system_state(fwupd_t) +kernel_read_vm_overcommit_sysctl(fwupd_t) + +dev_getattr_sysfs(fwupd_t) +dev_read_urand(fwupd_t) +dev_read_sysfs(fwupd_t) +dev_rw_cpu_microcode(fwupd_t) +dev_rw_mei_device(fwupd_t) +dev_rw_tpm(fwupd_t) +dev_rw_xserver_misc(fwupd_t) +dev_rx_raw_memory(fwupd_t) + +corecmd_exec_bin(fwupd_t) +corecmd_list_bin(fwupd_t) 
+corecmd_watch_bin_dirs(fwupd_t) + +dbus_system_bus_client(fwupd_t) +dbus_connect_system_bus(fwupd_t) + +files_map_usr_files(fwupd_t) +files_read_etc_files(fwupd_t) +files_read_etc_symlinks(fwupd_t) +files_read_usr_files(fwupd_t) +files_search_var_lib(fwupd_t) +files_search_boot(fwupd_t) +files_watch_etc_dirs(fwupd_t) +files_watch_usr_dirs(fwupd_t) + +fs_manage_efivarfs_files(fwupd_t) +fs_getattr_dos_fs(fwupd_t) +fs_getattr_efivarfs(fwupd_t) + +fs_manage_dos_dirs(fwupd_t) +fs_manage_dos_files(fwupd_t) +fs_mmap_read_dos_files(fwupd_t) + +init_get_generic_units_status(fwupd_t) +init_get_system_status(fwupd_t) + +# for cgroup file of init_t process +init_read_state(fwupd_t) + +miscfiles_read_generic_certs(fwupd_t) +miscfiles_read_localization(fwupd_t) + +mount_read_runtime_files(fwupd_t) + +selinux_get_enforce_mode(fwupd_t) +selinux_get_fs_mount(fwupd_t) +seutil_search_default_contexts(fwupd_t) + +storage_raw_read_fixed_disk(fwupd_t) + +sysnet_read_config(fwupd_t) + +udev_read_runtime_files(fwupd_t) +userdom_use_user_ptys(fwupd_t) +userdom_use_user_ttys(fwupd_t) +# for dconf +userdom_map_user_tmp_files(fwupd_t) +userdom_rw_user_tmp_files(fwupd_t) +userdom_search_user_runtime_root(fwupd_t) +userdom_search_user_runtime(fwupd_t) + +optional_policy(` + bluetooth_dbus_chat(fwupd_t) +') + +optional_policy(` + devicekit_dbus_chat_disk(fwupd_t) + devicekit_dbus_chat_power(fwupd_t) +') + +optional_policy(` + gpg_exec(fwupd_t) +') + +optional_policy(` + init_dbus_chat(fwupd_t) +') + +optional_policy(` + networkmanager_read_runtime_files(fwupd_t) +') + +optional_policy(` + policykit_dbus_chat(fwupd_t) +') + +optional_policy(` + systemd_dbus_chat_logind(fwupd_t) + systemd_use_logind_fds(fwupd_t) + systemd_write_inherited_logind_inhibit_pipes(fwupd_t) +') + +optional_policy(` + unconfined_dbus_send(fwupd_t) +') + Index: refpolicy-2.20230629/policy/modules/roles/sysadm.te =================================================================== --- 
refpolicy-2.20230629.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20230629/policy/modules/roles/sysadm.te @@ -448,6 +448,10 @@ optional_policy(` ') optional_policy(` + fwupd_run(sysadm_t, sysadm_r) +') + +optional_policy(` gatekeeper_admin(sysadm_t, sysadm_r) ') Index: refpolicy-2.20230629/policy/modules/system/unconfined.te =================================================================== --- refpolicy-2.20230629.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20230629/policy/modules/system/unconfined.te @@ -107,6 +107,10 @@ optional_policy(` ') optional_policy(` + fwupd_run(unconfined_t, unconfined_r) +') + +optional_policy(` hadoop_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r) ') Index: refpolicy-2.20230629/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20230629.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20230629/policy/modules/kernel/devices.if @@ -2826,6 +2826,24 @@ interface(`dev_delete_lvm_control_dev',` ######################################## ## +## Read and write the Intel mei control device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_mei_device',` + gen_require(` + type device_t, mei_device_t; + ') + + rw_chr_files_pattern($1, device_t, mei_device_t) +') + +######################################## +## ## dontaudit getattr raw memory devices (e.g. /dev/mem). ## ##
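Review bot: in the fwupd.fc hunk, /usr/bin/fwupdmgr and /usr/libexec/fwupd/fwupd share the single entrypoint type fwupd_exec_t, so the command-line utility lands in the same fwupd_t domain as the daemon, and the fwupd_run() calls added to sysadm.te and unconfined.te hand sysadm_t and unconfined_t a transition into it. That domain carries sys_rawio, dev_rx_raw_memory(), storage_raw_read_fixed_disk() and fs_manage_efivarfs_files(); unless the utility itself needs raw device access rather than a D-Bus conversation with the daemon, give it its own fwupdmgr_exec_t/fwupdmgr_t with dbus chat to fwupd_t, or state in the commit message why the two must share a domain.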
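Review bot: in the fwupd.if hunk, the module summary reads "Policy for firmwate update daemon and utility" ("firmware"), and the fwupd_run() description "Execute fwupd in the user role the kmod domain, and use the caller's terminal" is left over from the kmod interface it was copied from; it should say "Execute fwupd in the fwupd domain". The sigchld backchannel sentence matches what domtrans_pattern() grants, so that part can stay.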
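Review bot: in the fwupd.te hunk, fwupd_runtime_t is declared with files_runtime_file() and given file manage_file_perms, but nothing ever assigns that type: there is no files_runtime_filetrans(fwupd_t, fwupd_runtime_t, ...) in this file and no /run or /var/run entry in fwupd.fc, so either add both (plus dir permissions, since a runtime directory is the usual case) or drop the type. Two smaller points in the same hunk: corenet_tcp_connect_generic_port(fwupd_t) allows connecting to any generic port on top of the http_port rule; if it exists for a proxy or a non-standard metadata mirror, put a comment above it like the one above the capability rule, otherwise drop it. And dev_rx_raw_memory(fwupd_t) grants execute as well as read on raw memory devices; if the daemon only reads /dev/mem, dev_read_raw_memory() is the narrower interface. Style: `allow fwupd_t fwupd_var_lib_t:file { manage_file_perms };` does not need the braces around a single permission set.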
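Review bot: in the devices.if hunk, dev_rw_mei_device() requires mei_device_t, but this patch neither declares that type in devices.te nor labels /dev/mei* in devices.fc; if mei_device_t is not already in the tree, the gen_require() will fail at build time, so add the type declaration and file context in the same patch. Also make the summary descriptive: "Intel Management Engine Interface (mei) device" rather than "Intel mei control device".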