2023-08-05 03:07:51

by Russell Coker

[permalink] [raw]
Subject: [PATCH] policy for firmware update daemon fwupd

This adds policy for the firmware update daemon, it updates system BIOS as
well as connected devices such as Thunderbolt docks. I think it's ready to
merge.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20230629/policy/modules/system/fwupd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20230629/policy/modules/system/fwupd.fc
@@ -0,0 +1,5 @@
+/usr/bin/fwupdmgr -- gen_context(system_u:object_r:fwupd_exec_t,s0)
+/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
+/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0)
+/var/cache/fwupd(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
+/etc/fwupd(/.*)? gen_context(system_u:object_r:fwupd_conf_t,s0)
Index: refpolicy-2.20230629/policy/modules/system/fwupd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20230629/policy/modules/system/fwupd.if
@@ -0,0 +1,29 @@
+## <summary>Policy for firmwate update daemon and utility.</summary>
+
+########################################
+## <summary>
+## Execute fwupd in the user role
+## the kmod domain, and use the caller's terminal.
+## Has a sigchld backchannel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fwupd_run',`
+ gen_require(`
+ attribute_role fwupd_roles;
+ type fwupd_exec_t, fwupd_t;
+ ')
+
+ domtrans_pattern($1, fwupd_exec_t, fwupd_t)
+ roleattribute $2 fwupd_roles;
+')
Index: refpolicy-2.20230629/policy/modules/system/fwupd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20230629/policy/modules/system/fwupd.te
@@ -0,0 +1,153 @@
+policy_module(fwupd)
+
+
+attribute_role fwupd_roles;
+type fwupd_t;
+type fwupd_exec_t;
+init_daemon_domain(fwupd_t, fwupd_exec_t)
+role fwupd_roles types fwupd_t;
+
+type fwupd_var_lib_t;
+files_type(fwupd_var_lib_t)
+
+type fwupd_cache_t;
+files_type(fwupd_cache_t)
+
+type fwupd_conf_t;
+files_type(fwupd_conf_t)
+
+type fwupd_tmpfs_t;
+files_tmpfs_file(fwupd_tmpfs_t)
+
+type fwupd_runtime_t;
+files_runtime_file(fwupd_runtime_t)
+
+# sys_admin is for "FuPluginUefiCapsule skipping device that failed coldplug: failed to read fw_class"
+allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_rawio sys_admin };
+
+allow fwupd_t self:process { signal getsched setsched };
+allow fwupd_t self:fifo_file { getattr read write };
+allow fwupd_t self:fd use;
+
+allow fwupd_t self:netlink_kobject_uevent_socket { create getattr setopt bind read };
+sysnet_dns_name_resolve(fwupd_t)
+corenet_tcp_connect_generic_port(fwupd_t)
+corenet_tcp_connect_http_port(fwupd_t)
+
+allow fwupd_t fwupd_conf_t:dir { watch list_dir_perms };
+allow fwupd_t fwupd_conf_t:file read_file_perms;
+
+allow fwupd_t fwupd_var_lib_t:dir { watch manage_dir_perms };
+allow fwupd_t fwupd_var_lib_t:file { manage_file_perms };
+
+allow fwupd_t fwupd_cache_t:dir { watch manage_dir_perms };
+allow fwupd_t fwupd_cache_t:file { map manage_file_perms };
+
+auth_write_pam_motd_files(fwupd_t)
+
+fs_tmpfs_filetrans(fwupd_t, fwupd_tmpfs_t, { file })
+allow fwupd_t fwupd_tmpfs_t:file manage_file_perms;
+
+allow fwupd_t fwupd_runtime_t:file manage_file_perms;
+
+kernel_read_kernel_sysctls(fwupd_t)
+# for /proc/filesystems etc
+kernel_read_system_state(fwupd_t)
+kernel_read_vm_overcommit_sysctl(fwupd_t)
+
+dev_getattr_sysfs(fwupd_t)
+dev_read_urand(fwupd_t)
+dev_read_sysfs(fwupd_t)
+dev_rw_cpu_microcode(fwupd_t)
+dev_rw_mei_device(fwupd_t)
+dev_rw_tpm(fwupd_t)
+dev_rw_xserver_misc(fwupd_t)
+dev_rx_raw_memory(fwupd_t)
+
+corecmd_exec_bin(fwupd_t)
+corecmd_list_bin(fwupd_t)
+corecmd_watch_bin_dirs(fwupd_t)
+
+dbus_system_bus_client(fwupd_t)
+dbus_connect_system_bus(fwupd_t)
+
+files_map_usr_files(fwupd_t)
+files_read_etc_files(fwupd_t)
+files_read_etc_symlinks(fwupd_t)
+files_read_usr_files(fwupd_t)
+files_search_var_lib(fwupd_t)
+files_search_boot(fwupd_t)
+files_watch_etc_dirs(fwupd_t)
+files_watch_usr_dirs(fwupd_t)
+
+fs_manage_efivarfs_files(fwupd_t)
+fs_getattr_dos_fs(fwupd_t)
+fs_getattr_efivarfs(fwupd_t)
+
+fs_manage_dos_dirs(fwupd_t)
+fs_manage_dos_files(fwupd_t)
+fs_mmap_read_dos_files(fwupd_t)
+
+init_get_generic_units_status(fwupd_t)
+init_get_system_status(fwupd_t)
+
+# for cgroup file of init_t process
+init_read_state(fwupd_t)
+
+miscfiles_read_generic_certs(fwupd_t)
+miscfiles_read_localization(fwupd_t)
+
+mount_read_runtime_files(fwupd_t)
+
+selinux_get_enforce_mode(fwupd_t)
+selinux_get_fs_mount(fwupd_t)
+seutil_search_default_contexts(fwupd_t)
+
+storage_raw_read_fixed_disk(fwupd_t)
+
+sysnet_read_config(fwupd_t)
+
+udev_read_runtime_files(fwupd_t)
+userdom_use_user_ptys(fwupd_t)
+userdom_use_user_ttys(fwupd_t)
+# for dconf
+userdom_map_user_tmp_files(fwupd_t)
+userdom_rw_user_tmp_files(fwupd_t)
+userdom_search_user_runtime_root(fwupd_t)
+userdom_search_user_runtime(fwupd_t)
+
+optional_policy(`
+ bluetooth_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_disk(fwupd_t)
+ devicekit_dbus_chat_power(fwupd_t)
+')
+
+optional_policy(`
+ gpg_exec(fwupd_t)
+')
+
+optional_policy(`
+ init_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+ networkmanager_read_runtime_files(fwupd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(fwupd_t)
+ systemd_use_logind_fds(fwupd_t)
+ systemd_write_inherited_logind_inhibit_pipes(fwupd_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(fwupd_t)
+')
+
Index: refpolicy-2.20230629/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20230629.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20230629/policy/modules/roles/sysadm.te
@@ -448,6 +448,10 @@ optional_policy(`
')

optional_policy(`
+ fwupd_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
gatekeeper_admin(sysadm_t, sysadm_r)
')

Index: refpolicy-2.20230629/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20230629.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20230629/policy/modules/system/unconfined.te
@@ -107,6 +107,10 @@ optional_policy(`
')

optional_policy(`
+ fwupd_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
hadoop_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
')

Index: refpolicy-2.20230629/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20230629.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20230629/policy/modules/kernel/devices.if
@@ -2826,6 +2826,24 @@ interface(`dev_delete_lvm_control_dev',`

########################################
## <summary>
+## Read and write the Intel mei control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_mei_device',`
+ gen_require(`
+ type device_t, mei_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, mei_device_t)
+')
+
+########################################
+## <summary>
## dontaudit getattr raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">