Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Sat, 5 Aug 2023 11:42:59 +1000
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] policy for firmware update daemon fwupd
Message-ID: <ZM2pI5k5DlTJ/1X6@xev.coker.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk

This adds policy for the firmware update daemon, it updates system BIOS as
well as connected devices such as Thunderbolt docks.  I think it's ready to
merge.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20230629/policy/modules/system/fwupd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20230629/policy/modules/system/fwupd.fc
@@ -0,0 +1,5 @@
+/usr/bin/fwupdmgr	--	gen_context(system_u:object_r:fwupd_exec_t,s0)
+/usr/libexec/fwupd/fwupd --	gen_context(system_u:object_r:fwupd_exec_t,s0)
+/var/lib/fwupd(/.*)?		gen_context(system_u:object_r:fwupd_var_lib_t,s0)
+/var/cache/fwupd(/.*)?		gen_context(system_u:object_r:fwupd_cache_t,s0)
+/etc/fwupd(/.*)?		gen_context(system_u:object_r:fwupd_conf_t,s0)
Index: refpolicy-2.20230629/policy/modules/system/fwupd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20230629/policy/modules/system/fwupd.if
@@ -0,0 +1,29 @@
+## <summary>Policy for firmwate update daemon and utility.</summary>
+
+########################################
+## <summary>
+##      Execute fwupd in the user role
+##      the kmod domain, and use the caller's terminal.
+##      Has a sigchld backchannel.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fwupd_run',`
+	gen_require(`
+		attribute_role fwupd_roles;
+		type fwupd_exec_t, fwupd_t;
+	')
+
+	domtrans_pattern($1, fwupd_exec_t, fwupd_t)
+	roleattribute $2 fwupd_roles;
+')
Index: refpolicy-2.20230629/policy/modules/system/fwupd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20230629/policy/modules/system/fwupd.te
@@ -0,0 +1,153 @@
+policy_module(fwupd)
+
+
+attribute_role fwupd_roles;
+type fwupd_t;
+type fwupd_exec_t;
+init_daemon_domain(fwupd_t, fwupd_exec_t)
+role fwupd_roles types fwupd_t;
+
+type fwupd_var_lib_t;
+files_type(fwupd_var_lib_t)
+
+type fwupd_cache_t;
+files_type(fwupd_cache_t)
+
+type fwupd_conf_t;
+files_type(fwupd_conf_t)
+
+type fwupd_tmpfs_t;
+files_tmpfs_file(fwupd_tmpfs_t)
+
+type fwupd_runtime_t;
+files_runtime_file(fwupd_runtime_t)
+
+# sys_admin is for "FuPluginUefiCapsule  skipping device that failed coldplug: failed to read fw_class"
+allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_rawio sys_admin };
+
+allow fwupd_t self:process { signal getsched setsched };
+allow fwupd_t self:fifo_file { getattr read write };
+allow fwupd_t self:fd use;
+
+allow fwupd_t self:netlink_kobject_uevent_socket { create getattr setopt bind read };
+sysnet_dns_name_resolve(fwupd_t)
+corenet_tcp_connect_generic_port(fwupd_t)
+corenet_tcp_connect_http_port(fwupd_t)
+
+allow fwupd_t fwupd_conf_t:dir { watch list_dir_perms };
+allow fwupd_t fwupd_conf_t:file read_file_perms;
+
+allow fwupd_t fwupd_var_lib_t:dir { watch manage_dir_perms };
+allow fwupd_t fwupd_var_lib_t:file { manage_file_perms };
+
+allow fwupd_t fwupd_cache_t:dir { watch manage_dir_perms };
+allow fwupd_t fwupd_cache_t:file { map manage_file_perms };
+
+auth_write_pam_motd_files(fwupd_t)
+
+fs_tmpfs_filetrans(fwupd_t, fwupd_tmpfs_t, { file })
+allow fwupd_t fwupd_tmpfs_t:file manage_file_perms;
+
+allow fwupd_t fwupd_runtime_t:file manage_file_perms;
+
+kernel_read_kernel_sysctls(fwupd_t)
+# for /proc/filesystems etc
+kernel_read_system_state(fwupd_t)
+kernel_read_vm_overcommit_sysctl(fwupd_t)
+
+dev_getattr_sysfs(fwupd_t)
+dev_read_urand(fwupd_t)
+dev_read_sysfs(fwupd_t)
+dev_rw_cpu_microcode(fwupd_t)
+dev_rw_mei_device(fwupd_t)
+dev_rw_tpm(fwupd_t)
+dev_rw_xserver_misc(fwupd_t)
+dev_rx_raw_memory(fwupd_t)
+
+corecmd_exec_bin(fwupd_t)
+corecmd_list_bin(fwupd_t)
+corecmd_watch_bin_dirs(fwupd_t)
+
+dbus_system_bus_client(fwupd_t)
+dbus_connect_system_bus(fwupd_t)
+
+files_map_usr_files(fwupd_t)
+files_read_etc_files(fwupd_t)
+files_read_etc_symlinks(fwupd_t)
+files_read_usr_files(fwupd_t)
+files_search_var_lib(fwupd_t)
+files_search_boot(fwupd_t)
+files_watch_etc_dirs(fwupd_t)
+files_watch_usr_dirs(fwupd_t)
+
+fs_manage_efivarfs_files(fwupd_t)
+fs_getattr_dos_fs(fwupd_t)
+fs_getattr_efivarfs(fwupd_t)
+
+fs_manage_dos_dirs(fwupd_t)
+fs_manage_dos_files(fwupd_t)
+fs_mmap_read_dos_files(fwupd_t)
+
+init_get_generic_units_status(fwupd_t)
+init_get_system_status(fwupd_t)
+
+# for cgroup file of init_t process
+init_read_state(fwupd_t)
+
+miscfiles_read_generic_certs(fwupd_t)
+miscfiles_read_localization(fwupd_t)
+
+mount_read_runtime_files(fwupd_t)
+
+selinux_get_enforce_mode(fwupd_t)
+selinux_get_fs_mount(fwupd_t)
+seutil_search_default_contexts(fwupd_t)
+
+storage_raw_read_fixed_disk(fwupd_t)
+
+sysnet_read_config(fwupd_t)
+
+udev_read_runtime_files(fwupd_t)
+userdom_use_user_ptys(fwupd_t)
+userdom_use_user_ttys(fwupd_t)
+# for dconf
+userdom_map_user_tmp_files(fwupd_t)
+userdom_rw_user_tmp_files(fwupd_t)
+userdom_search_user_runtime_root(fwupd_t)
+userdom_search_user_runtime(fwupd_t)
+
+optional_policy(`
+	bluetooth_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+	devicekit_dbus_chat_disk(fwupd_t)
+	devicekit_dbus_chat_power(fwupd_t)
+')
+
+optional_policy(`
+	gpg_exec(fwupd_t)
+')
+
+optional_policy(`
+	init_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+	networkmanager_read_runtime_files(fwupd_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+	systemd_dbus_chat_logind(fwupd_t)
+	systemd_use_logind_fds(fwupd_t)
+	systemd_write_inherited_logind_inhibit_pipes(fwupd_t)
+')
+
+optional_policy(`
+	unconfined_dbus_send(fwupd_t)
+')
+
Index: refpolicy-2.20230629/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20230629.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20230629/policy/modules/roles/sysadm.te
@@ -448,6 +448,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fwupd_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	gatekeeper_admin(sysadm_t, sysadm_r)
 ')
 
Index: refpolicy-2.20230629/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20230629.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20230629/policy/modules/system/unconfined.te
@@ -107,6 +107,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fwupd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
 	hadoop_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')
 
Index: refpolicy-2.20230629/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20230629.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20230629/policy/modules/kernel/devices.if
@@ -2826,6 +2826,24 @@ interface(`dev_delete_lvm_control_dev',`
 
 ########################################
 ## <summary>
+##	Read and write the Intel mei control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_mei_device',`
+	gen_require(`
+		type device_t, mei_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, mei_device_t)
+')
+
+########################################
+## <summary>
 ##	dontaudit getattr raw memory devices (e.g. /dev/mem).
 ## </summary>
 ## <param name="domain">