From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 25 Mar 2014 21:30:06 +0100
Subject: [refpolicy] [PATCH 3/5] Support /sys/devices/system/cpu/online
In-Reply-To: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be>
References: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1395779408-29213-4-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need to grant most domains read access to this file. As we don't want them to have read access on sysfs_t by default, create a new type (cpu_online_t) and assign it to the file, and grant domains read access to the file. This does require systems to relabel the file upon every boot, something distributions do in their bootup scripts, as /sys devices don't keep their context.

Signed-off-by: Sven Vermeulen
---
 policy/modules/kernel/devices.fc | 1 +
 policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
 policy/modules/kernel/devices.te | 7 +++++++
 policy/modules/kernel/domain.te | 3 +++
 4 files changed, 36 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index b31c054..d6ebfcd 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -199,6 +199,7 @@ ifdef(`distro_debian',`
 /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
 
 /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
 
 ifdef(`distro_redhat',`
 # originally from named.fc
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 1884413..c2d0f08 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4854,6 +4854,31 @@ interface(`dev_create_zero_dev',`
 ########################################
 ##
+##	Read cpu online hardware state information
+##
+##
+##
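Review bot: The new `/sys/devices/system/cpu/online` entry is inert until something runs restorecon over it after boot, because sysfs takes its labels from the genfscon rule and does not keep per-file contexts across mounts, as the commit message itself notes; nothing in the fc file records that dependency, so a later reader will assume the label is applied like any other path. A comment above the entry would keep this visible, e.g. `# sysfs does not persist file contexts: this entry is only applied by a boot-time restorecon`. Until that relabel has run the file is still sysfs_t and any grant on cpu_online_t has no effect.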

+##	Allow the specified domain to read /sys/devices/system/cpu/online
+##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`dev_read_cpu_online',` + gen_require(` + type cpu_online_t; + ') + + allow $1 cpu_online_t:file read_file_perms; + + dev_search_sysfs($1) +') + +######################################## +## ## Unconfined access to devices. ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 520f4ee..d34807f 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -60,6 +60,13 @@ type cpu_device_t; dev_node(cpu_device_t) # +# /sys/devices/system/cpu/online device +# +type cpu_online_t; +files_type(cpu_online_t) +dev_associate_sysfs(cpu_online_t) + +# # Type for /dev/crash # type crash_device_t; diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index cf04cb5..3a55334 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -96,6 +96,9 @@ kernel_dontaudit_link_key(domain) # create child processes in the domain allow domain self:process { fork sigchld }; +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online +dev_read_cpu_online(domain) + # Use trusted objects in /dev dev_rw_null(domain) dev_rw_zero(domain) -- 1.8.3.2