From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 8 Mar 2016 08:53:29 -0500
Subject: [refpolicy] [PATCH v3] New policy for tboot utilities
In-Reply-To: <1457364782-17908-1-git-send-email-aranea@aixah.de>
References: <1457364782-17908-1-git-send-email-aranea@aixah.de>
Message-ID: <56DED959.1080703@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 3/7/2016 10:33 AM, Luis Ressel wrote:
> tboot is an OSS project for using the features of Intel TXT. Some of its
> included utilities (might) need special permissions. For now, there's
> only a policy for txt-stat (it needs access to /dev/mem).
Merged.
> ---
> tboot.fc | 1 +
> tboot.if | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> tboot.te | 24 ++++++++++++++++++++++++
> 3 files changed, 71 insertions(+)
> create mode 100644 tboot.fc
> create mode 100644 tboot.if
> create mode 100644 tboot.te
>
> diff --git a/tboot.fc b/tboot.fc
> new file mode 100644
> index 0000000..437e1d5
> --- /dev/null
> +++ b/tboot.fc
> @@ -0,0 +1 @@
> +/usr/sbin/txt-stat -- gen_context(system_u:object_r:txtstat_exec_t,s0)
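Review bot: The single file context entry in tboot.fc only matches /usr/sbin/txt-stat, so a txt-stat binary installed under any other path would not be labelled txtstat_exec_t and the domain transition defined in tboot.if would never apply to it. If any supported distribution installs the utility elsewhere, add a matching entry for that path with the same gen_context(system_u:object_r:txtstat_exec_t,s0).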
> diff --git a/tboot.if b/tboot.if
> new file mode 100644
> index 0000000..0ffe6d8
> --- /dev/null
> +++ b/tboot.if
> @@ -0,0 +1,46 @@
> +## Utilities for the tboot TXT module.
> +
> +########################################
> +##
> +## Execute txt-stat in the txtstat domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`tboot_domtrans_txtstat',`
> + gen_require(`
> + type txtstat_t, txtstat_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, txtstat_exec_t, txtstat_t)
> +')
> +
> +########################################
> +##
> +## Execute txt-stat in the txtstat domain, and
> +## allow the specified role the txtstat domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## The role to be allowed the txtstat domain.
> +##
> +##
> +#
> +interface(`tboot_run_txtstat',`
> + gen_require(`
> + type txtstat_t;
> + attribute_role txtstat_roles;
> + ')
> +
> + tboot_domtrans_txtstat($1)
> + roleattribute $2 txtstat_roles;
> +')
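Review bot: In tboot_run_txtstat the gen_require block declares `type txtstat_t;`, but the interface body never references txtstat_t directly; it only calls tboot_domtrans_txtstat($1) and uses txtstat_roles in the roleattribute statement. Dropping the unused type leaves the require block as just `attribute_role txtstat_roles;` and avoids a dependency the interface does not need.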
> diff --git a/tboot.te b/tboot.te
> new file mode 100644
> index 0000000..4961a36
> --- /dev/null
> +++ b/tboot.te
> @@ -0,0 +1,24 @@
> +policy_module(tboot, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +attribute_role txtstat_roles;
> +roleattribute system_r txtstat_roles;
> +
> +type txtstat_t;
> +type txtstat_exec_t;
> +application_domain(txtstat_t, txtstat_exec_t)
> +role txtstat_roles types txtstat_t;
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +dev_read_raw_memory(txtstat_t)
> +
> +domain_use_interactive_fds(txtstat_t)
> +userdom_use_user_terminals(txtstat_t)
>
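Review bot: `dev_read_raw_memory(txtstat_t)` in the local policy section has no comment, and it is the most sensitive permission this module grants. A one-line comment above it stating that txt-stat needs access to /dev/mem, as the commit message says, would record that the grant is intentional and make it easier to audit which domains can read raw memory.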
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com