From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 17 Aug 2013 20:51:41 +0200
Subject: [refpolicy] [PATCH 2/7] Support /sys/devices/system/cpu/online
In-Reply-To: <1376765506-28924-1-git-send-email-sven.vermeulen@siphos.be>
References: <1376765506-28924-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1376765506-28924-3-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need to grant most domains read access to this file. As we don't want them to have read access on sysfs_t by default, create a new type (cpu_online_t) and assign it to the file, and grant domains read access to the file. This does require systems to relabel the file upon every boot, something distributions do in their bootup scripts, as /sys devices don't keep their context.

Signed-off-by: Sven Vermeulen
---
 policy/modules/kernel/devices.fc | 1 +
 policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
 policy/modules/kernel/devices.te | 7 +++++++
 policy/modules/kernel/domain.te | 2 ++
 4 files changed, 35 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index b31c054..d6ebfcd 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -199,6 +199,7 @@ ifdef(`distro_debian',`
 /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
 /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
 ifdef(`distro_redhat',`
 # originally from named.fc
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..49f0acb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4836,6 +4836,31 @@ interface(`dev_create_zero_dev',`
 ########################################
 ##
+## Read cpu online hardware state information
+##
+##
+##
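Review bot: The new file-context line for `/sys/devices/system/cpu/online` has no effect until something relabels the file after sysfs is mounted, and devices.fc itself does not say so; a reader of this file alone cannot tell that the entry depends on a boot-time restorecon. Until that relabel runs the file keeps `sysfs_t`, so the read grant in the domain.te hunk is inert and, if the default `/sys(/.*)?` entry applies, every domain calling get_nprocs would presumably log an AVC denial on `sysfs_t` rather than fail outright. A one-line comment above the entry, e.g. `# sysfs does not keep contexts; boot scripts must relabel this file`, would carry that dependency into the file.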

+## Allow the specified domain to read /sys/devices/system/cpu/online
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_cpu_online',`
+ gen_require(`
+ type cpu_online_t;
+ ')
+
+ allow $1 cpu_online_t:file read_file_perms;
+
+ dev_search_sysfs($1)
+')
+
+########################################
+##
 ## Unconfined access to devices.
 ##
 ##
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 0b1a871..0d7790c 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -60,6 +60,13 @@ type cpu_device_t;
 dev_node(cpu_device_t)
 #
+# /sys/devices/system/cpu/online device
+#
+type cpu_online_t;
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
+
+#
 # Type for /dev/crash
 #
 type crash_device_t;
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..ea5cdee 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain)
 # create child processes in the domain
 allow domain self:process { fork sigchld };
+# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
+dev_read_cpu_online(domain)
 # Use trusted objects in /dev
 dev_rw_null(domain)
 dev_rw_zero(domain)
--
1.8.1.5
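Review bot: `dev_read_cpu_online` grants more than read on one file: its `dev_search_sysfs($1)` call, going by that interface's name, gives the caller search on `sysfs_t` directories as well, yet the interface summary only mentions the file. Since the domain.te hunk applies this interface to every domain, that wider grant deserves a sentence in the summary, e.g. `## Read /sys/devices/system/cpu/online; also grants search on sysfs_t directories so the path can be reached.` Stylistically, the body could be the one-liner `read_files_pattern($1, sysfs_t, cpu_online_t)` in place of the allow-plus-search pair, if that is the form devices.if already uses for sysfs files. The interface is placed between dev_create_zero_dev and the unconfined-access interface rather than near the other cpu-related interfaces, which is presumably where readers would look for it.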
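Review bot: The block comment `# /sys/devices/system/cpu/online device` calls the new type a device, but the lines beneath it declare a plain file type (`files_type(cpu_online_t)` with `dev_associate_sysfs`, not `dev_node`), so the comment should name what it labels, e.g. `# Type for the sysfs attribute file /sys/devices/system/cpu/online (read by glibc get_nprocs)`. It would also help to state here that the label is applied by a boot-time relabel rather than by the kernel, which the commit message explains but the policy source does not.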
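Review bot: The hunk shows no blank line between `dev_read_cpu_online(domain)` and the following `# Use trusted objects in /dev` comment, so the two added lines run straight into the next paragraph; a blank line after the call would keep the one-paragraph-per-topic layout the surrounding context uses. The comment could also record the tradeoff the commit message makes, e.g. `# glibc get_nprocs requires read access to /sys/devices/system/cpu/online; a dedicated type keeps domains off sysfs_t`, so the rationale survives in the source.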