From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 26 Aug 2013 08:49:30 -0400
Subject: [refpolicy] [PATCH 2/7] Support /sys/devices/system/cpu/online
In-Reply-To: <1376765506-28924-3-git-send-email-sven.vermeulen@siphos.be>
References: <1376765506-28924-1-git-send-email-sven.vermeulen@siphos.be> <1376765506-28924-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <521B4EDA.3090902@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need
> to grant most domains read access to this file. As we don't want them to have
> read access on sysfs_t by default, create a new type (cpu_online_t) and assign
> it to the file, and grant domains read access to the file.
>
> This does require systems to relabel the file upon every boot, something
> distributions do in their bootup scripts, as /sys devices don't keep their
> context.

Adding permissions to all domains shouldn't be taken lightly, so I'll have to do some additional research.

> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
> policy/modules/kernel/devices.te | 7 +++++++
> policy/modules/kernel/domain.te | 2 ++
> 4 files changed, 35 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > index b31c054..d6ebfcd 100644 > --- a/policy/modules/kernel/devices.fc > +++ b/policy/modules/kernel/devices.fc > @@ -199,6 +199,7 @@ ifdef(`distro_debian',` > /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) > > /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) > +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0) > > ifdef(`distro_redhat',` > # originally from named.fc 
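Review bot: the new `--` entry for /sys/devices/system/cpu/online only takes effect once something relabels /sys after boot, as the commit message itself notes; until that relabel runs the file still carries sysfs_t, and a domain that holds only the cpu_online_t read rule is still denied, so the relabel dependency should be stated in a comment next to the entry so that distributions without such a boot-time step know why get_nprocs still fails for them.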
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > index 76f285e..49f0acb 100644 > --- a/policy/modules/kernel/devices.if > +++ b/policy/modules/kernel/devices.if > @@ -4836,6 +4836,31 @@ interface(`dev_create_zero_dev',` > > ######################################## > ## > +## Read cpu online hardware state information > +## > +## > +##

> +## Allow the specified domain to read /sys/devices/system/cpu/online > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_read_cpu_online',` > + gen_require(` > + type cpu_online_t; > + ') > + > + allow $1 cpu_online_t:file read_file_perms; > + > + dev_search_sysfs($1) > +') > + > +######################################## > +## > ## Unconfined access to devices. > ## > ## > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > index 0b1a871..0d7790c 100644 > --- a/policy/modules/kernel/devices.te > +++ b/policy/modules/kernel/devices.te > @@ -60,6 +60,13 @@ type cpu_device_t; > dev_node(cpu_device_t) > > # > +# /sys/devices/system/cpu/online device > +# > +type cpu_online_t; > +files_type(cpu_online_t) > +dev_associate_sysfs(cpu_online_t) > + > +# > # Type for /dev/crash > # > type crash_device_t; > diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te > index cf04cb5..ea5cdee 100644 > --- a/policy/modules/kernel/domain.te > +++ b/policy/modules/kernel/domain.te > @@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain) > # create child processes in the domain > allow domain self:process { fork sigchld }; > > +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online > +dev_read_cpu_online(domain) > # Use trusted objects in /dev > dev_rw_null(domain) > dev_rw_zero(domain) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
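Review bot: in `dev_read_cpu_online`, the `dev_search_sysfs($1)` call grants directory search on sysfs_t, so when the interface is applied to the domain attribute every domain gains traversal of /sys in addition to reading the one file; that is needed to reach the file, but the interface summary only mentions reading the file, so the description should say that sysfs directory search is granted as well so callers know the full effect.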
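Review bot: `cpu_online_t` is declared with `files_type` and `dev_associate_sysfs` but no genfscon statement, so its label exists only through the file context entry plus a boot-time relabel; adding `genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)` next to the type declaration would let the kernel assign the label itself and remove the dependency on distribution boot scripts. Minor: the comment calls the path a "device", but it is a sysfs attribute file with no `dev_node()`, so "file" would be the accurate word.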
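Review bot: the new comment and `dev_read_cpu_online(domain)` are placed directly before `# Use trusted objects in /dev` with no blank line between the two blocks, which breaks the file's grouping; add a blank line after the call. More substantively, `domain` covers every process type, including those that never call get_nprocs, which matches the reservation raised in the reply above; a narrower attribute, or at least a rationale in the comment for why all domains need the grant, would make the change easier to review.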