2011-07-20 18:58:45

by sven.vermeulen

Subject: [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd

This patch set segregates the obvious audio-related privileges within
entropyd_t (in the audioentropyd module) through the use of a SELinux
boolean "entropyd_use_audio", enhances the entropyd_t with the privileges
needed by haveged, and adds the proper file contexts for haveged support.

Comments always appreciated. This obsoletes the previous patch set titled
"[PATCH/RFC v3] Haveget support in (audio)entropyd".

Changes since v2:
- Use optional_policy ( tunable_policy ( ... ) ) format. The other way
around isn't supported

Changes since v3:
- dev_* calls do not need to be made optional, they are part of base modules


2011-07-20 18:59:34

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/3] Separate sound specific items from general entropyd

Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific for audio support (both device access as well
as the alsa-specific ones).

The idea to use a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/audioentropy.te | 25 ++++++++++++++++++-------
1 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 2b348c7..7ece78d 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -5,6 +5,13 @@ policy_module(audioentropy, 1.6.0)
# Declarations
#

+## <desc>
+## <p>
+## Allow the use of the audio devices as the source for the entropy feeds
+## </p>
+## </desc>
+gen_tunable(entropyd_use_audio, false)
+
type entropyd_t;
type entropyd_exec_t;
init_daemon_domain(entropyd_t, entropyd_exec_t)
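
Review bot: The default in gen_tunable(entropyd_use_audio, false) means that, after an upgrade, the sound-device access this module's own daemon (audio-entropyd, going by the module name audioentropy) previously had unconditionally is switched off. Either default the boolean to true or state in the <desc> text that audio-entropyd users must enable it. The description could also name the daemon it applies to, since the same domain is about to cover non-audio entropy sources.
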
@@ -33,11 +40,6 @@ dev_read_urand(entropyd_t)
dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
-dev_read_sound(entropyd_t)
-# set sound card parameters such as
-# sample format, number of channels
-# and sample rate.
-dev_write_sound(entropyd_t)

files_read_etc_files(entropyd_t)
files_read_usr_files(entropyd_t)
@@ -54,9 +56,18 @@ miscfiles_read_localization(entropyd_t)
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)

+tunable_policy(`entropyd_use_audio',`
+ dev_read_sound(entropyd_t)
+ # set sound card parameters such as sample format, number of channels
+ # and sample rate.
+ dev_write_sound(entropyd_t)
+')
+
optional_policy(`
- alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ tunable_policy(`entropyd_use_audio',`
+ alsa_read_lib(entropyd_t)
+ alsa_read_rw_config(entropyd_t)
+ ')
')

optional_policy(`
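
Review bot: The nesting order in the alsa block, tunable_policy inside optional_policy, deserves a one-line comment in the policy file, because the cover letter says the reverse order isn't supported and nothing in the .te records that; a later cleanup could easily flip it. Keeping the dev_read_sound and dev_write_sound calls in their own tunable_policy block outside optional_policy matches the v4 changelog and looks right.
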
--
1.7.3.4

2011-07-20 19:00:08

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/3] Update entropyd_t with privileges needed for haveged

Haveged by itself requires a few additional privileges (create a unix socket
and write access to some proc/sys/kernel files (like
/proc/sys/kernel/random/write_wakeup_threshold)).


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/audioentropy.te | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 7ece78d..67f546d 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -27,11 +27,12 @@ files_pid_file(entropyd_var_run_t)
allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
dontaudit entropyd_t self:capability sys_tty_config;
allow entropyd_t self:process signal_perms;
+allow entropyd_t self:unix_dgram_socket create_socket_perms;

manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)

-kernel_read_kernel_sysctls(entropyd_t)
+kernel_rw_kernel_sysctl(entropyd_t)
kernel_list_proc(entropyd_t)
kernel_read_proc_symlinks(entropyd_t)

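Review bot: The switch from kernel_read_kernel_sysctls to kernel_rw_kernel_sysctl, together with the new unix_dgram_socket rule, widens entropyd_t for every daemon in the domain, although the commit message says only haveged needs them. Patch 1/3 already gates the audio-only rules behind entropyd_use_audio, so consider gating the haveged-only rules in a similar way, or at least add a comment naming haveged and /proc/sys/kernel/random/write_wakeup_threshold as the reason for write access, given that the domain also holds sys_admin.
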
--
1.7.3.4

2011-07-20 19:00:42

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/3] Add file context rules for haveged

Add file context rules for haveged within the audioentropyd module.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/audioentropy.fc | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
index 001235e..d2d8ce3 100644
--- a/policy/modules/services/audioentropy.fc
+++ b/policy/modules/services/audioentropy.fc
@@ -2,5 +2,7 @@
# /usr
#
/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0)
+/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0)

/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
+/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0)
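
Review bot: Labelling /usr/sbin/haveged as entropyd_exec_t and its pid file as entropyd_var_run_t puts both daemons in one domain with one pid-file type, so each can manage the other's pid file; if that sharing is intended, say so in the commit message. The two /var/run entries also sit under the "# /usr" header, so a "# /var" section comment would keep the file readable now that it covers two daemons.
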
--
1.7.3.4

2011-07-22 12:43:27

by cpebenito

Subject: [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd

On 07/20/11 14:58, Sven Vermeulen wrote:
> This patch set segregates the obvious audio-related privileges within
> entropyd_t (in the audioentropyd module) through the use of a SELinux
> boolean "entropyd_use_audio", enhances the entropyd_t with the privileges
> needed by haveged, and adds the proper file contexts for haveged support.
>
> Comments always appreciated. This obsoletes the previous patch set titled
> "[PATCH/RFC v3] Haveget support in (audio)entropyd".
>
> Changes since v2:
> - Use optional_policy ( tunable_policy ( ... ) ) format. The other way
> around isn't supported
>
> Changes since v3:
> - dev_* calls do not need to be made optional, they are part of base modules

Merged. I need to do one of these two things:

1. rename the module to entropyd. Causes an annoying upgrade problem
for distros. Otherwise this is trivial since it has no interface
compatibility to worry about.

2. set the default of entropyd_use_audio to true since this is the
audioentropy module.

How do you feel about #1? Dan, you too.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-07-22 13:52:38

by Daniel Walsh

Subject: [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd

On 07/22/2011 08:43 AM, Christopher J. PeBenito wrote:
> On 07/20/11 14:58, Sven Vermeulen wrote:
>> This patch set segregates the obvious audio-related privileges
>> within entropyd_t (in the audioentropyd module) through the use of
>> a SELinux boolean "entropyd_use_audio", enhances the entropyd_t
>> with the privileges needed by haveged, and adds the proper file
>> contexts for haveged support.
>>
>> Comments always appreciated. This obsoletes the previous patch set
>> titled "[PATCH/RFC v3] Haveget support in (audio)entropyd".
>>
>> Changes since v2: - Use optional_policy ( tunable_policy ( ... ) )
>> format. The other way around isn't supported
>>
>> Changes since v3: - dev_* calls do not need to be made optional,
>> they are part of base modules
>
> Merged. I need to do one of these two things:
>
> 1. rename the module to entropyd. Causes an annoying upgrade
> problem for distros. Otherwise this is trivial since it has no
> interface compatibility to worry about.
>
> 2. set the default of entropyd_use_audio to true since this is the
> audioentropy module.
>
> How do you feel about #1? Dan, you too.
>
Fine with me. We can remove the old and add the new to the dist for the
name.


2011-07-22 15:04:34

by sven.vermeulen

Subject: [refpolicy] [PATCH/RFC v4] Haveget support in (audio)entropyd

On Fri, Jul 22, 2011 at 08:43:27AM -0400, Christopher J. PeBenito wrote:
> Merged. I need to do one of these two things:
>
> 1. rename the module to entropyd. Causes an annoying upgrade problem
> for distros. Otherwise this is trivial since it has no interface
> compatibility to worry about.
>
> 2. set the default of entropyd_use_audio to true since this is the
> audioentropy module.
>
> How do you feel about #1? Dan, you too.

#1 is fine here. I'd rather see rememberable names than historic ones ;-)

Wkr,
Sven Vermeulen