From: guido@trentalancia.com (Guido Trentalancia)
Date: Fri, 24 Aug 2012 16:02:34 +0200
Subject: [refpolicy] [PATCH 1/2]: cpucontrol module updates (stricter policy
 for CPU microcode updates)
Message-ID: <5037897A.5050305@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

cpucontrol module updates:
- introduce the file contexts according to the standard location
   of the most common application named microcode_ctl
   (http://www.urbanmyth.org/microcode);
- add file contexts for CPUs from two different vendors, taking
   into consideration specific customization of the location
   for one distribution;
- add file contexts and declarations for the init script;
- introduce the ability to update the CPU microcode as
   tunable policy, as apparently such operation might
   modify the original licensing conditions (under some or
   all circumstances: "personal, non-commercial use only");
- create a new device type specifically for the CPU microcode
   updating functionality and modify the cpucontrol module so
   that such distinct new type is used for the microcode
   updating operation, thus leaving an open door for further
   modifications that distinguish different CPU-related
   applications/utilities to create further isolation;
- modify the interface definitions so that the CPU microcode
   update utility can only write and not read (unneeded) the
   corresponding above mentioned device type.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
  policy/modules/contrib/cpucontrol.fc |   18 +++++++++-
  policy/modules/contrib/cpucontrol.te |   16 ++++++++-
  policy/modules/kernel/devices.fc     |    3 +
  policy/modules/kernel/devices.if     |   62 
+++++++++++++++++++++++++++++++----
  policy/modules/kernel/devices.te     |    8 +++-
  5 files changed, 96 insertions(+), 11 deletions(-)

diff -pruN refpolicy-08082012/policy/modules/contrib/cpucontrol.fc 
refpolicy-08082012-microcode/policy/modules/contrib/cpucontrol.fc
--- refpolicy-08082012/policy/modules/contrib/cpucontrol.fc	2011-09-09 
18:29:23.563610858 +0200
+++ refpolicy-08082012-microcode/policy/modules/contrib/cpucontrol.fc 
2012-08-09 01:13:59.615119168 +0200
@@ -1,7 +1,23 @@
+/etc/microcode\.dat	--	gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/etc/microcode_amd\.bin	-- 
gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/etc/firmware/microcode\.dat	-- 
gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/etc/firmware/microcode_amd.bin	-- 
gen_context(system_u:object_r:cpucontrol_conf_t,s0)

-/etc/firmware/.*	--	gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/etc/rc\.d/init\.d/microcode	-- 
gen_context(system_u:object_r:cpucontrol_initrc_exec_t,s0)

+ifdef(`distro_redhat',`
+/lib/firmware/intel-ucode(/.*)? 
gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/lib/firmware/amd-ucode(/.*)? 
gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/lib/firmware/microcode\.dat	-- 
gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+/lib/firmware/microcode_amd\.bat	-- 
gen_context(system_u:object_r:cpucontrol_conf_t,s0)
+')
+
+/usr/sbin/microcode_ctl	-- 
gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+/usr/local/sbin/microcode_ctl	-- 
gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+
+ifdef(`distro_redhat',`
  /sbin/microcode_ctl	--	gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+')

  /usr/sbin/cpufreqd	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
  /usr/sbin/cpuspeed	--	gen_context(system_u:object_r:cpuspeed_exec_t,s0)
diff -pruN refpolicy-08082012/policy/modules/contrib/cpucontrol.te 
refpolicy-08082012-microcode/policy/modules/contrib/cpucontrol.te
--- refpolicy-08082012/policy/modules/contrib/cpucontrol.te	2011-09-09 
18:29:23.563610858 +0200
+++ refpolicy-08082012-microcode/policy/modules/contrib/cpucontrol.te 
2012-08-09 00:23:07.079532236 +0200
@@ -5,10 +5,21 @@ policy_module(cpucontrol, 1.3.0)
  # Declarations
  #

+## <desc>
+## <p>
+## Allow cpucontrol to upload new microcode
+## to the CPU.
+## </p>
+## </desc>
+gen_tunable(cpucontrol_can_upload_cpu_microcode, false)
+
  type cpucontrol_t;
  type cpucontrol_exec_t;
  init_system_domain(cpucontrol_t, cpucontrol_exec_t)

+type cpucontrol_initrc_exec_t;
+init_script_file(cpucontrol_initrc_exec_t)
+
  type cpucontrol_conf_t;
  files_type(cpucontrol_conf_t)

@@ -37,7 +48,6 @@ kernel_read_proc_symlinks(cpucontrol_t)
  kernel_read_kernel_sysctls(cpucontrol_t)

  dev_read_sysfs(cpucontrol_t)
-dev_rw_cpu_microcode(cpucontrol_t)

  fs_search_auto_mountpoints(cpucontrol_t)

@@ -54,6 +64,10 @@ logging_send_syslog_msg(cpucontrol_t)

  userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)

+tunable_policy(`cpucontrol_can_upload_cpu_microcode',`
+	dev_write_cpu_microcode(cpucontrol_t)
+')
+
  optional_policy(`
  	nscd_socket_use(cpucontrol_t)
  ')
diff -pruN refpolicy-08082012/policy/modules/kernel/devices.fc 
refpolicy-08082012-microcode/policy/modules/kernel/devices.fc
--- refpolicy-08082012/policy/modules/kernel/devices.fc	2011-12-13 
12:26:37.664737865 +0100
+++ refpolicy-08082012-microcode/policy/modules/kernel/devices.fc 
2012-08-08 16:09:47.217636016 +0200
@@ -63,7 +63,7 @@
  /dev/mergemem		-c 
gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-/dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/microcode		-c	gen_context(system_u:object_r:cpu_microcode_device_t,s0)
  /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/misc/dlm.*		-c	gen_context(system_u:object_r:dlm_control_device_t,s0)
  /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -137,6 +137,7 @@ ifdef(`distro_suse', `

  /dev/cpu_dma_latency	-c 
gen_context(system_u:object_r:netcontrol_device_t,s0)
  /dev/cpu.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/cpu/microcode	-c 
gen_context(system_u:object_r:cpu_microcode_device_t,s0)
  /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)

  /dev/biometric/sensor.*	-c 
gen_context(system_u:object_r:event_device_t,s0)
diff -pruN refpolicy-08082012/policy/modules/kernel/devices.if 
refpolicy-08082012-microcode/policy/modules/kernel/devices.if
--- refpolicy-08082012/policy/modules/kernel/devices.if	2012-05-29 
21:13:09.426703690 +0200
+++ refpolicy-08082012-microcode/policy/modules/kernel/devices.if 
2012-08-09 01:09:21.472605055 +0200
@@ -1664,7 +1664,7 @@ interface(`dev_filetrans_cardmgr',`
  ########################################
  ## <summary>
  ##	Get the attributes of the CPU
-##	microcode and id interfaces.
+##	id interfaces.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -1682,8 +1682,27 @@ interface(`dev_getattr_cpu_dev',`

  ########################################
  ## <summary>
+##	Get the attributes of the CPU
+##	microcode interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_cpu_microcode_dev',`
+	gen_require(`
+		type device_t, cpu_microcode_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, cpu_microcode_device_t)
+')
+
+########################################
+## <summary>
  ##	Set the attributes of the CPU
-##	microcode and id interfaces.
+##	id interfaces.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -1701,6 +1720,25 @@ interface(`dev_setattr_cpu_dev',`

  ########################################
  ## <summary>
+##	Set the attributes of the CPU
+##	id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_cpu_microcode_dev',`
+	gen_require(`
+		type device_t, cpu_microcode_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, cpu_microcode_device_t)
+')
+
+########################################
+## <summary>
  ##	Read the CPU identity.
  ## </summary>
  ## <param name="domain">
@@ -1719,21 +1757,31 @@ interface(`dev_read_cpuid',`

  ########################################
  ## <summary>
-##	Read and write the the CPU microcode device. This
-##	is required to load CPU microcode.
+##	Write the CPU microcode device. This
+##	is required to upload the CPU microcode.
  ## </summary>
+## <desc>
+##      <p>
+##	Write the CPU microcode device.
+##	This interface can be used to upload the
+##	CPU microcode.
+##      </p>
+##      <p>
+##	There might be license modifications.
+##	</p>
+## </desc>
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
-interface(`dev_rw_cpu_microcode',`
+interface(`dev_write_cpu_microcode',`
  	gen_require(`
-		type device_t, cpu_device_t;
+		type device_t, cpu_microcode_device_t;
  	')

-	rw_chr_files_pattern($1, device_t, cpu_device_t)
+	write_chr_files_pattern($1, device_t, cpu_microcode_device_t)
  ')

  ########################################
diff -pruN refpolicy-08082012/policy/modules/kernel/devices.te 
refpolicy-08082012-microcode/policy/modules/kernel/devices.te
--- refpolicy-08082012/policy/modules/kernel/devices.te	2012-05-29 
21:13:09.427703699 +0200
+++ refpolicy-08082012-microcode/policy/modules/kernel/devices.te 
2012-08-09 00:20:34.721158261 +0200
@@ -51,12 +51,18 @@ type clock_device_t;
  dev_node(clock_device_t)

  #
-# cpu control devices /dev/cpu/0/*
+# cpu control devices /dev/cpu/?/*
  #
  type cpu_device_t;
  dev_node(cpu_device_t)

  #
+# cpu microcode device /dev/cpu/microcode
+#
+type cpu_microcode_device_t;
+dev_node(cpu_microcode_device_t)
+
+#
  # Type for /dev/crash
  #
  type crash_device_t;