From: domg472@gmail.com (Dominick Grift) Date: Mon, 24 Jan 2011 15:01:51 +0100 Subject: [refpolicy] [PATCH/RFC 9/19]: patch set to update the git reference policy In-Reply-To: <1295829854.3862.68.camel@tesla.lan> References: <1295829854.3862.68.camel@tesla.lan> Message-ID: <4D3D864F.3040402@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/24/2011 01:44 AM, Guido Trentalancia wrote: > diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if > --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.if 2011-01-23 23:13:48.169284451 +0100 > +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.if 2011-01-23 23:30:29.918756977 +0100 
> @@ -240,3 +240,22 @@ interface(`devicekit_admin',` > admin_pattern($1, devicekit_var_run_t) > files_search_pids($1) > ') > + > +######################################## > +## > +## DeviceKit power getattr on APM > +## bios character device node files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`devicekit_getattr_apm_bios_files_power',` > + gen_require(` > + type apm_bios_t; > + ') > + > + getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t) > +')

This interface name is wrong. It should be prefixed by the module name that defined it (which is not devicekit). You should also allow access to the location of the apm_bios_t chr_files. This interface may provide access to get attribute of apm_bios_t chr_files, but it does not do any good if the caller cannot traverse its parent(s).

> diff -pruN refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te > --- refpolicy-git-18012011-update-work/policy/modules/services/devicekit.te 2011-01-23 23:13:48.170284646 +0100 > +++ refpolicy-git-18012011-devicekit/policy/modules/services/devicekit.te 2011-01-23 23:31:31.456301488 +0100 > @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t) > dev_read_urand(devicekit_t) > > files_read_etc_files(devicekit_t) > +files_read_etc_runtime_files(devicekit_t) > > miscfiles_read_localization(devicekit_t) > > @@ -188,7 +189,7 @@ optional_policy(` > # > > allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; > -allow devicekit_power_t self:process getsched; > +allow devicekit_power_t self:process { getsched signal }; > allow devicekit_power_t self:fifo_file rw_fifo_file_perms; > allow devicekit_power_t self:unix_dgram_socket create_socket_perms; > allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; 
> @@ -197,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d > manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) > files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) > > +kernel_search_fs_sysctl(devicekit_power_t) > +kernel_rw_vm_sysctls(devicekit_power_t) > kernel_read_network_state(devicekit_power_t) > kernel_read_system_state(devicekit_power_t) > kernel_rw_hotplug_sysctls(devicekit_power_t) > kernel_rw_kernel_sysctl(devicekit_power_t) > kernel_search_debugfs(devicekit_power_t) > kernel_write_proc_files(devicekit_power_t) > +kernel_setsched(devicekit_power_t) > > corecmd_exec_bin(devicekit_power_t) > corecmd_exec_shell(devicekit_power_t) > @@ -219,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t) > > files_read_kernel_img(devicekit_power_t) > files_read_etc_files(devicekit_power_t) > +files_rw_etc_runtime_files(devicekit_power_t) > files_read_usr_files(devicekit_power_t) > > fs_list_inotifyfs(devicekit_power_t) > +fs_remount_xattr_fs(devicekit_power_t) > > term_use_all_terms(devicekit_power_t) > > @@ -234,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power > > userdom_read_all_users_state(devicekit_power_t) > > +devicekit_getattr_apm_bios_files_power(devicekit_power_t) > + > +mount_exec_getattr(devicekit_power_t)

This interface name doesn't make sense to me.

> +mount_exec(devicekit_power_t) > + > optional_policy(` > bootloader_domtrans(devicekit_power_t) > ') 
> @@ -280,6 +291,10 @@ optional_policy(` > ') > > optional_policy(` > + storage_raw_read_fixed_disk(devicekit_power_t) > +') > + > +optional_policy(` > udev_read_db(devicekit_power_t) > ') > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk09hk8ACgkQMlxVo39jgT8ivACfebUqxIup1uLhdPBqnPMyIyk1 5RoAoIzgwDxb0BY+3TzwigGJ1W0e3a++ =qdkU -----END PGP SIGNATURE-----
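
Review bot: in the devicekit.if hunk (@@ -240,3 +240,22), the call getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t) passes apm_bios_t as both the directory type and the file type, so the search permission the pattern grants lands on directories labelled apm_bios_t and not on the directory that actually contains the device node. Pass the type of the containing directory as the second argument, and define the interface in the module that declares apm_bios_t so that devicekit does not need a gen_require on a type it does not own.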
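
Review bot: in the devicekit.te hunk at @@ -197,12 +198,15, the three added kernel_* calls carry no comment or denial to justify them, and kernel_setsched(devicekit_power_t) in particular lets the domain change scheduling parameters of processes in the kernel domain. Please state in the patch description which operation needs each of kernel_search_fs_sysctl, kernel_rw_vm_sysctls and kernel_setsched, and place the new lines in the same order as the surrounding block (read, rw, search, write) instead of above kernel_read_network_state.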
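
Review bot: in the devicekit.te hunk at @@ -234,6 +240,11, mount_exec(devicekit_power_t) runs mount inside devicekit_power_t with no domain transition, so every permission mount needs has to be granted to the power daemon itself; fs_remount_xattr_fs and files_rw_etc_runtime_files in the preceding hunk look like consequences of that choice. Consider mount_domtrans(devicekit_power_t) so the remount privileges stay in the mount domain, or explain why in-domain execution is required. If mount_exec stays, the separate mount_exec_getattr call is redundant, because execute access on the file already includes getattr.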
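
Review bot: in the devicekit.te hunk at @@ -280,6 +291,10, storage_raw_read_fixed_disk(devicekit_power_t) gives the domain raw read access to fixed disk devices, which exposes file contents without any per-file type check, and nothing in the patch says what needs it. Please name the operation that triggers the denial and check whether a narrower interface (for example getattr on the block device) is enough. The optional_policy wrapper is also unnecessary here, since storage is a kernel-layer module that is always part of the base policy.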