From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 4 Apr 2014 16:09:47 -0400 Subject: [refpolicy] [PATCH 3/5] Support /sys/devices/system/cpu/online In-Reply-To: <1395779408-29213-4-git-send-email-sven.vermeulen@siphos.be> References: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be> <1395779408-29213-4-git-send-email-sven.vermeulen@siphos.be> Message-ID: <533F118B.1060601@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/25/2014 04:30 PM, Sven Vermeulen wrote: > In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so > we need to grant most domains read access to this file. As we don't want > them to have read access on sysfs_t by default, create a new type > (cpu_online_t) and assign it to the file, and grant domains read access > to the file. > > This does require systems to relabel the file upon every boot, something > distributions do in their bootup scripts, as /sys devices don't keep > their context. Merged. > Signed-off-by: Sven Vermeulen > --- > policy/modules/kernel/devices.fc | 1 + > policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++ > policy/modules/kernel/devices.te | 7 +++++++ > policy/modules/kernel/domain.te | 3 +++ > 4 files changed, 36 insertions(+) > > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > index b31c054..d6ebfcd 100644 > --- a/policy/modules/kernel/devices.fc > +++ b/policy/modules/kernel/devices.fc > @@ -199,6 +199,7 @@ ifdef(`distro_debian',` > /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) > > /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) > +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0) > > ifdef(`distro_redhat',` > # originally from named.fc > diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > index 1884413..c2d0f08 100644 > --- a/policy/modules/kernel/devices.if > +++ b/policy/modules/kernel/devices.if 
> @@ -4854,6 +4854,31 @@ interface(`dev_create_zero_dev',` > > ######################################## > ## > +## Read cpu online hardware state information > +## > +## > +##

> +## Allow the specified domain to read /sys/devices/system/cpu/online > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_read_cpu_online',` > + gen_require(` > + type cpu_online_t; > + ') > + > + allow $1 cpu_online_t:file read_file_perms; > + > + dev_search_sysfs($1) > +') > + > +######################################## > +## > ## Unconfined access to devices. > ## > ## > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > index 520f4ee..d34807f 100644 > --- a/policy/modules/kernel/devices.te > +++ b/policy/modules/kernel/devices.te > @@ -60,6 +60,13 @@ type cpu_device_t; > dev_node(cpu_device_t) > > # > +# /sys/devices/system/cpu/online device > +# > +type cpu_online_t; > +files_type(cpu_online_t) > +dev_associate_sysfs(cpu_online_t) > + > +# > # Type for /dev/crash > # > type crash_device_t; > diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te > index cf04cb5..3a55334 100644 > --- a/policy/modules/kernel/domain.te > +++ b/policy/modules/kernel/domain.te > @@ -96,6 +96,9 @@ kernel_dontaudit_link_key(domain) > # create child processes in the domain > allow domain self:process { fork sigchld }; > > +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online > +dev_read_cpu_online(domain) > + > # Use trusted objects in /dev > dev_rw_null(domain) > dev_rw_zero(domain) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
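Review bot: confirm the new devices.fc entry sits outside the `ifdef(`distro_debian',` block. The hunk header names that ifdef as the enclosing context and no closing `')` is visible between `/lib/udev/devices/zero` and `/sys(/.*)?` in the shown context, while `cpu_online_t` is relied on unconditionally by `dev_read_cpu_online(domain)` in domain.te; if the entry were Debian-only, other distributions would never label the file and every domain's `get_nprocs` would keep being denied on `sysfs_t`. The `--` file-type qualifier is right for a regular sysfs file, and as the commit message says, the label only takes effect after a restorecon of /sys at boot, since sysfs does not persist labels.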
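Review bot: the interface description in devices.if should state the relabel prerequisite. `allow $1 cpu_online_t:file read_file_perms;` only helps once /sys/devices/system/cpu/online actually carries `cpu_online_t`; on a system whose boot scripts do not relabel /sys the file stays `sysfs_t` and callers still get an AVC denial on `sysfs_t`. Suggest extending the description, e.g. "The file must be relabeled after each boot because sysfs does not keep contexts." The `dev_search_sysfs($1)` call is required here, since the parent directories under /sys/devices remain `sysfs_t` and must be traversable to reach the file.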
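Review bot: the block comment `# /sys/devices/system/cpu/online device` in devices.te is misleading; this type labels a regular sysfs file (the .fc entry uses `--`), not a device node, and unlike `cpu_device_t` just above it (declared with `dev_node`) it is declared with `files_type` and `dev_associate_sysfs`. Suggest `# /sys/devices/system/cpu/online file` so the comment matches how the type is declared and used.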
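Review bot: the commit message should mention the directory-search side effect of the domain.te hunk. `dev_read_cpu_online(domain)` calls `dev_search_sysfs($1)`, so this grants every domain search permission on `sysfs_t` directories in addition to read on the one `cpu_online_t` file. The message frames the change as avoiding `sysfs_t` read access by default, which remains true for files, but a policy-wide search grant on all sysfs directories is worth stating explicitly so reviewers and distributions know what `domain` now gets.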