2016-03-05 22:53:44

by Mira Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] New policy for tboot utilities

tboot is an OSS project for using the features of Intel TXT. Some of its
included utilities (might) need special permissions. For now, there's
only a policy for txt-stat (it needs access to /dev/mem).
---
tboot.fc | 1 +
tboot.if | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
tboot.te | 24 ++++++++++++++++++++++
3 files changed, 97 insertions(+)
create mode 100644 tboot.fc
create mode 100644 tboot.if
create mode 100644 tboot.te

diff --git a/tboot.fc b/tboot.fc
new file mode 100644
index 0000000..437e1d5
--- /dev/null
+++ b/tboot.fc
@@ -0,0 +1 @@
+/usr/sbin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
diff --git a/tboot.if b/tboot.if
new file mode 100644
index 0000000..a593dc3
--- /dev/null
+++ b/tboot.if
@@ -0,0 +1,72 @@
+## <summary>Utilities for the tboot TXT module.</summary>
+
+########################################
+## <summary>
+## Execute txt-stat in the txtstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tboot_domtrans_txtstat',`
+ gen_require(`
+ type txtstat_t, txtstat_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, txtstat_exec_t, txtstat_t)
+')
+
+########################################
+## <summary>
+## Execute txt-stat in the txtstat domain, and
+## allow the specified role the txtstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the txtstat domain.
+## </summary>
+## </param>
+#
+interface(`tboot_run_txtstat',`
+ gen_require(`
+ type txtstat_t;
+ attribute_role txtstat_roles;
+ ')
+
+ tboot_domtrans_txtstat($1)
+ roleattribute $2 txtstat_roles;
+')
+
+########################################
+## <summary>
+## Role access for txt-stat
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`tboot_txtstat_role',`
+ gen_require(`
+ type txtstat_t;
+ ')
+
+ tboot_run_txtstat($2, $1)
+
+ ps_process_pattern($2, txtstat_t)
+ allow $2 txtstat_t:process { signull signal sigkill };
+')
diff --git a/tboot.te b/tboot.te
new file mode 100644
index 0000000..4961a36
--- /dev/null
+++ b/tboot.te
@@ -0,0 +1,24 @@
+policy_module(tboot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role txtstat_roles;
+roleattribute system_r txtstat_roles;
+
+type txtstat_t;
+type txtstat_exec_t;
+application_domain(txtstat_t, txtstat_exec_t)
+role txtstat_roles types txtstat_t;
+
+########################################
+#
+# Local policy
+#
+
+dev_read_raw_memory(txtstat_t)
+
+domain_use_interactive_fds(txtstat_t)
+userdom_use_user_terminals(txtstat_t)
--
2.7.2


2016-03-07 15:13:29

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] New policy for tboot utilities

On 3/5/2016 5:53 PM, Luis Ressel wrote:
> tboot is an OSS project for using the features of Intel TXT. Some of its
> included utilities (might) need special permissions. For now, there's
> only a policy for txt-stat (it needs access to /dev/mem).


> +########################################
> +## <summary>
> +## Role access for txt-stat
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## User domain for the role
> +## </summary>
> +## </param>
> +#
> +interface(`tboot_txtstat_role',`
> + gen_require(`
> + type txtstat_t;
> + ')
> +
> + tboot_run_txtstat($2, $1)
> +
> + ps_process_pattern($2, txtstat_t)
> + allow $2 txtstat_t:process { signull signal sigkill };
> +')

Are all of the utilities simple command line tools (the ones that may
need domains in the future)? If so, this interface doesn't seem
necessary. The role interfaces are usually for complicated apps that
have their own derived types e.g. for home directory content.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2016-03-07 15:18:38

by Mira Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] New policy for tboot utilities

On Mon, 7 Mar 2016 10:13:29 -0500
"Christopher J. PeBenito" <[email protected]> wrote:

> Are all of the utilities simple command line tools (the ones that may
> need domains in the future)? If so, this interface doesn't seem
> necessary. The role interfaces are usually for complicated apps that
> have their own derived types e.g. for home directory content.
>

Yes, all of them are simple CLI tools. The ps_process_pattern() isn't
really needed either, root has those permissions anyway. I'll send an
updated patch.

--
Regards,
Luis Ressel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160307/30c40c91/attachment.bin