From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Feb 2011 09:16:08 -0500
Subject: [refpolicy] [PATCH 8/34]: patch to allow the devicekit module
to work with dbus
In-Reply-To: <1297836358.3205.44.camel@tesla.lan>
References: <1297836358.3205.44.camel@tesla.lan>
Message-ID: <4D6516A8.9010503@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 02/16/11 01:05, Guido Trentalancia wrote:
> This patch adds two new interfaces (kernel_search_fs_sysctl in the
> kernel module and mount_getattr_executable_file in the mount module).
> It then allows dbus chat between dbus and devicekit and between xdm
> and devicekit. It also adds the permissions needed to run devicekit.
>
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/kernel/kernel.if refpolicy-git-15022011-new-modified/policy/modules/kernel/kernel.if
> --- refpolicy-git-15022011-new-before-modification/policy/modules/kernel/kernel.if 2011-01-24 00:32:54.978503593 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/kernel/kernel.if 2011-02-15 22:58:46.166838136 +0100
> @@ -1893,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
>
> ########################################
> ##
> +## Allow caller to search filesystem sysctls.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`kernel_search_fs_sysctl',`
> + gen_require(`
> + type proc_t, sysctl_t, sysctl_fs_t;
> + ')
> +
> + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
> +')
> +
> +########################################
> +##
> ## Read filesystem sysctls.
> ##
> ##
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/services/dbus.te refpolicy-git-15022011-new-modified/policy/modules/services/dbus.te
> --- refpolicy-git-15022011-new-before-modification/policy/modules/services/dbus.te 2011-02-15 22:53:52.507511721 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/services/dbus.te 2011-02-15 22:58:46.169838637 +0100
> @@ -145,6 +145,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_dbus_chat_disk(system_dbusd_t)
> + devicekit_dbus_chat_power(system_dbusd_t)
> +')
> +
> +optional_policy(`
> policykit_dbus_chat(system_dbusd_t)
> policykit_domtrans_auth(system_dbusd_t)
> policykit_search_lib(system_dbusd_t)
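Review bot: The two new devicekit_dbus_chat_*(system_dbusd_t) lines look redundant for the bus daemon itself. In refpolicy, dbus_system_bus_client() (which dbus_system_domain() pulls in) already grants send_msg between system_dbusd_t and the client domain in both directions, so if devicekit_disk_t and devicekit_power_t are declared as system bus domains in devicekit.te these rules add nothing. That side of the policy is not in this patch, so this is inferred from the module's usual structure; if the lines were added to silence a denial, please quote the AVC message so the missing piece can be identified.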
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/services/devicekit.te refpolicy-git-15022011-new-modified/policy/modules/services/devicekit.te
> --- refpolicy-git-15022011-new-before-modification/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/services/devicekit.te 2011-02-15 23:04:04.993242115 +0100
> @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
> dev_read_urand(devicekit_t)
>
> files_read_etc_files(devicekit_t)
> +files_read_etc_runtime_files(devicekit_t)
>
> miscfiles_read_localization(devicekit_t)
>
> @@ -113,6 +114,7 @@ files_read_etc_files(devicekit_disk_t)
> files_read_etc_runtime_files(devicekit_disk_t)
> files_read_usr_files(devicekit_disk_t)
>
> +fs_getattr_xattr_fs(devicekit_disk_t)
> fs_list_inotifyfs(devicekit_disk_t)
> fs_manage_fusefs_dirs(devicekit_disk_t)
> fs_mount_all_fs(devicekit_disk_t)
> @@ -184,7 +186,7 @@ optional_policy(`
> #
>
> allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
> -allow devicekit_power_t self:process getsched;
> +allow devicekit_power_t self:process { getsched signal };
> allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
> allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
> allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
> @@ -197,7 +199,10 @@ kernel_read_network_state(devicekit_powe
> kernel_read_system_state(devicekit_power_t)
> kernel_rw_hotplug_sysctls(devicekit_power_t)
> kernel_rw_kernel_sysctl(devicekit_power_t)
> +kernel_rw_vm_sysctls(devicekit_power_t)
Any indication as to why this is necessary?
> kernel_search_debugfs(devicekit_power_t)
> +kernel_search_fs_sysctl(devicekit_power_t)
> +kernel_setsched(devicekit_power_t)
> kernel_write_proc_files(devicekit_power_t)
>
> corecmd_exec_bin(devicekit_power_t)
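Review bot: `kernel_setsched(devicekit_power_t)` grants setsched on kernel_t processes, i.e. changing the scheduling class or priority of kernel threads, which is an unusual need for a power daemon. If the denial behind it was upowerd adjusting its own scheduling, the narrower rule is `allow devicekit_power_t self:process setsched;`, which belongs next to the `self:process { getsched signal }` rule changed in the @@ -184 hunk. Please attach the AVC messages for this line and for `kernel_search_fs_sysctl(devicekit_power_t)` so each new grant can be tied to a concrete access rather than inferred.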
> @@ -207,6 +212,7 @@ consoletype_exec(devicekit_power_t)
>
> domain_read_all_domains_state(devicekit_power_t)
>
> +dev_getattr_apm_bios_dev(devicekit_power_t)
> dev_read_input(devicekit_power_t)
> dev_rw_generic_usb_dev(devicekit_power_t)
> dev_rw_generic_chr_files(devicekit_power_t)
> @@ -216,8 +222,11 @@ dev_rw_sysfs(devicekit_power_t)
> files_read_kernel_img(devicekit_power_t)
> files_read_etc_files(devicekit_power_t)
> files_read_usr_files(devicekit_power_t)
> +files_rw_etc_runtime_files(devicekit_power_t)
Which files are being written?
> +fs_getattr_xattr_fs(devicekit_power_t)
> fs_list_inotifyfs(devicekit_power_t)
> +fs_remount_xattr_fs(devicekit_power_t)
Remounting filesystems? Sounds suspect.
> term_use_all_terms(devicekit_power_t)
>
> @@ -230,6 +239,9 @@ sysnet_domtrans_ifconfig(devicekit_power
>
> userdom_read_all_users_state(devicekit_power_t)
>
> +mount_exec(devicekit_power_t)
> +mount_getattr_executable_file(devicekit_power_t)
This getattr rule is a subset of the exec rule.
> +
> optional_policy(`
> bootloader_domtrans(devicekit_power_t)
> ')
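Review bot: `mount_exec(devicekit_power_t)` runs /bin/mount inside devicekit_power_t rather than transitioning to mount_t, so every permission mount needs ends up granted to the power daemon itself, which is presumably why `fs_remount_xattr_fs(devicekit_power_t)` appears in the @@ -216 hunk. The usual refpolicy form is a domain transition, `mount_domtrans(devicekit_power_t)`, placed inside an `optional_policy` block as other modules do for mount, which keeps the remount rights confined to mount_t. Note also that the two new lines sit outside any optional_policy block even though mount is not a required module. If a transition is not possible here (for instance because the daemon needs mount's output), please say so in the commit message.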
> @@ -276,6 +288,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + storage_raw_read_fixed_disk(devicekit_power_t)
> +')
> +
> +optional_policy(`
> udev_read_db(devicekit_power_t)
> ')
>
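Review bot: `storage_raw_read_fixed_disk(devicekit_power_t)` grants read on fixed_disk_device_t block devices, i.e. the raw contents of every attached disk regardless of filesystem permissions, which is a large grant for a power-management daemon and needs a justification in the commit message. If the underlying denial was only a getattr (for example resolving a swap partition before hibernate), `storage_getattr_fixed_disk_dev(devicekit_power_t)` is the narrower rule. Separately, storage is a kernel-layer module that is always present, so the optional_policy wrapper is unnecessary; the fs_* calls earlier in this file are made unwrapped for the same reason.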
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/services/xserver.te refpolicy-git-15022011-new-modified/policy/modules/services/xserver.te
> --- refpolicy-git-15022011-new-before-modification/policy/modules/services/xserver.te 2011-02-15 22:53:52.509512048 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/services/xserver.te 2011-02-15 22:58:46.172839117 +0100
> @@ -520,6 +520,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_dbus_chat_disk(xdm_t)
> + devicekit_dbus_chat_power(xdm_t)
> +')
> +
> +optional_policy(`
> # Talk to the console mouse server.
> gpm_stream_connect(xdm_t)
> gpm_setattr_gpmctl(xdm_t)
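Review bot: `devicekit_dbus_chat_disk(xdm_t)` lets the display manager send any udisks method call over the bus (mount, unmount, eject and so on), which is broader than a login manager normally needs. The power half is expected for a display manager's suspend/shutdown menu, but the disk half should be backed by a concrete denial; if none was observed, drop the first line and keep only `devicekit_dbus_chat_power(xdm_t)`. Whether xdm_t actually talks to udisks is not visible from this patch, so please state it in the commit message either way.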
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.if refpolicy-git-15022011-new-modified/policy/modules/system/mount.if
> --- refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.if 2011-01-08 19:07:21.358759676 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/system/mount.if 2011-02-15 22:58:46.177839927 +0100
> @@ -51,6 +51,26 @@ interface(`mount_run',`
>
> ########################################
> ##
> +## Get the attributes of mount
> +## executable files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mount_getattr_executable_file',`
> + gen_require(`
> + type mount_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + allow $1 mount_exec_t:file getattr_file_perms;
> +')
> +
> +########################################
> +##
> ## Execute mount in the caller domain.
> ##
> ##
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com