From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 5 Mar 2016 22:09:35 +0100
Subject: [refpolicy] [PATCH] New policy for tboot utilities
In-Reply-To: <1457208522-8926-1-git-send-email-aranea@aixah.de>
References: <1457208522-8926-1-git-send-email-aranea@aixah.de>
Message-ID: <56DB4B0F.5090501@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/05/2016 09:08 PM, Luis Ressel wrote:
> tboot is an OSS project for using the features of Intel TXT. Some
> of its included utilities (might) need special permissions. For
> now, there's only a policy for txt-stat (it needs access to
> /dev/mem).

Did you use sepolgen for this? Some comments inline

> --- tboot.fc | 1 + tboot.if | 46 > ++++++++++++++++++++++++++++++++++++++++++++++ tboot.te | 20 > ++++++++++++++++++++ 3 files changed, 67 insertions(+) create mode > 100644 tboot.fc create mode 100644 tboot.if create mode 100644 > tboot.te > > diff --git a/tboot.fc b/tboot.fc new file mode 100644 index > 0000000..5fdd3ad --- /dev/null +++ b/tboot.fc @@ -0,0 +1 @@ > +/usr/sbin/txt-stat -- > gen_context(system_u:object_r:txtstat_exec_t,s0) diff --git > a/tboot.if b/tboot.if new file mode 100644 index 0000000..8fce0f2 > --- /dev/null +++ b/tboot.if 
@@ -0,0 +1,46 @@ +## Policy > for tboot utilities. Please provide a summary. We already know its policy for tboot utilities . Example: "Performs a verified launch using Intel TXT" > + +######################################## +## +## > Execute txt-stat in the txtstat domain. +## +## name="domain"> +## +## Domain allowed to transition. +## > +## +# +interface(`tboot_domtrans_txtstat',` + > gen_require(` + type txtstat_t, txtstat_exec_t; + ') + + > corecmd_search_bin($1) + domtrans_pattern($1, txtstat_exec_t, > txtstat_t) +') + +######################################## +## > +## Execute txt-stat in the txtstat domain, and +## allow > the specified role the txtstat domain. +## +## name="domain"> +## +## Domain allowed to transition. +## > +## +## +## +## > Role allowed access. +## +## +## +# > +interface(`tboot_run_txtstat',` + gen_require(` + type > txtstat_t; + ') + + tboot_domtrans_txtstat($1) + role $2 types > txtstat_t; +') Let's instead use role attributes > diff --git a/tboot.te b/tboot.te new file mode 100644 index > 0000000..96ed061 --- /dev/null +++ b/tboot.te 
@@ -0,0 +1,20 @@ > +policy_module(tboot, 1.0.0) + > +######################################## +# +# Declarations +# + > +type txtstat_t; +type txtstat_exec_t; > +application_domain(txtstat_t, txtstat_exec_t) + > +######################################## +# +# Local policy +# + > +dev_read_raw_memory(txtstat_t) + > +domain_use_interactive_fds(txtstat_t) > +userdom_use_user_terminals(txtstat_t) >

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
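Review bot: in the tboot.if hunk, `tboot_run_txtstat` still binds the role directly with `role $2 types txtstat_t;`, which is the form the inline comment asks to drop; the refpolicy convention for `*_run_*` interfaces is to require a role attribute and attach the caller's role to it, i.e. `gen_require(` attribute_role txtstat_roles; ')` followed by `roleattribute $2 txtstat_roles;`, with the `role txtstat_roles types txtstat_t;` statement living in tboot.te. That also removes the need for `type txtstat_t;` in this interface's gen_require, since the interface no longer names the type itself.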
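Review bot: the tboot.te hunk declares no role attribute, so the role-attribute change requested for tboot.if has nothing to hang on; add `attribute_role txtstat_roles;` under Declarations and `role txtstat_roles types txtstat_t;` under Local policy. Separately, `dev_read_raw_memory(txtstat_t)` is the only access given for the /dev/mem use the commit message describes; since the kernel gates opening /dev/mem on CAP_SYS_RAWIO, verify in a permissive run that txt-stat does not also leave a `self:capability sys_rawio` denial, and add that allow only if the interface does not already supply it.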