From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 10 Jul 2018 20:08:50 -0400
Subject: [refpolicy] [PATCH 4/5] Allow map xserver_misc_device_t for nvidia driver
In-Reply-To: <20180710150318.49873-4-jason@perfinion.com>
References: <20180710150318.49873-1-jason@perfinion.com> <20180710150318.49873-4-jason@perfinion.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 07/10/2018 11:03 AM, Jason Zaman wrote:
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> policy/modules/services/xserver.if | 1 +
> policy/modules/services/xserver.te | 1 +
> policy/modules/system/init.te | 1 +
> 4 files changed, 21 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index be1a1d4b..6bbea59e 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -5079,6 +5079,24 @@ interface(`dev_rw_xserver_misc',`
> rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
> ')
>
> +########################################
> +##
> +## Map X server miscellaneous devices.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dev_map_xserver_misc',`
> + gen_require(`
> + type xserver_misc_device_t;
> + ')
> +
> + allow $1 xserver_misc_device_t:chr_file map;
> +')
> +
> ########################################
> ##
> ## Read and write to the zero device (/dev/zero).
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index c1dbf0bf..1b25ff5c 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -82,6 +82,7 @@ interface(`xserver_restricted_role',`
> allow $2 xserver_tmp_t:file { getattr read };
>
> dev_rw_xserver_misc($2)
> + dev_map_xserver_misc($2)
> dev_rw_power_management($2)
> dev_read_input($2)
> dev_read_misc($2)
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 3b39bdd9..83e00c01 100644
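Review bot: The summary on the new `dev_map_xserver_misc` interface says only "Map X server miscellaneous devices", which leaves out the point a caller needs: `map` on `xserver_misc_device_t:chr_file` is checked in addition to, not instead of, the read/write permissions that the mapping's protection flags require, so this interface is only useful next to `dev_rw_xserver_misc()`. Every call site in this series does pair the two, which supports that reading. I would extend the summary to `Map X server miscellaneous devices. Callers also need dev_rw_xserver_misc() for the read/write access the mapping itself requires.` The `allow $1 xserver_misc_device_t:chr_file map;` body looks like the plain single-permission shape presumably used by the other map interfaces in this file, so no change there; the hunk opens on the tail of `dev_rw_xserver_misc`, whose definition begins outside it.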
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -749,6 +749,7 @@ dev_read_raw_memory(xserver_t)
> dev_wx_raw_memory(xserver_t)
> # for other device nodes such as the NVidia binary-only driver
> dev_rw_xserver_misc(xserver_t)
> +dev_map_xserver_misc(xserver_t)
> # read events - the synaptics touchpad driver reads raw events
> dev_rw_input_dev(xserver_t)
> dev_rwx_zero(xserver_t)
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index a72b31d0..f9320285 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -635,6 +635,7 @@ dev_delete_generic_symlinks(initrc_t)
> dev_getattr_all_blk_files(initrc_t)
> dev_getattr_all_chr_files(initrc_t)
> dev_rw_xserver_misc(initrc_t)
> +dev_map_xserver_misc(initrc_t)
>
> domain_kill_all_domains(initrc_t)
> domain_signal_all_domains(initrc_t)
Merged.
--
Chris PeBenito
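Review bot: The new `dev_map_xserver_misc(initrc_t)` line in init.te carries no comment saying which init script needs to mmap the X server miscellaneous device nodes, whereas the matching xserver.te line lands under the existing "for other device nodes such as the NVidia binary-only driver" comment. `initrc_t` is the shared init-script domain, so a device permission granted here is available to every script that runs in it, and an unexplained rule is hard to audit or retire later. I would add a line above it such as `# nvidia binary-only driver setup scripts mmap their device nodes`, naming the actual script if the denial that prompted this is known, since only the patch subject ties the change to the nvidia driver. The surrounding initrc_t rule block starts and ends outside the hunk.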