From 7b76207e378e85194470434fd47921710136a919 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 5 Mar 2009 15:36:41 +0000
Subject: [PATCH] trunk: devices patch from dan.
---
 policy/modules/kernel/devices.fc | 43 ++-
 policy/modules/kernel/devices.if | 448 ++++++++++++++++++++++++++++++-
 policy/modules/kernel/devices.te | 33 ++-
 3 files changed, 515 insertions(+), 9 deletions(-)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index d55a50c6..5ec99e97 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -3,6 +3,8 @@
 /dev/.* gen_context(system_u:object_r:device_t,s0)
 /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
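Review bot: The new `/dev/[0-9].* -c` entry labels every character device whose name starts with a digit as usb_device_t, which is far broader than the numbered usbfs-style nodes it presumably targets; any domain granted usb_device_t access through the generic USB interfaces in devices.if then reaches whatever digit-named node some driver creates. If the intent is the numbered USB bus directories, a tighter pattern such as `/dev/[0-9]+/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)` would avoid that; at minimum add a comment above the line naming the devices it is meant to catch. I cannot see from this hunk which nodes motivated the entry, so please confirm the intended set before tightening.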
@@ -12,44 +14,65 @@
 /dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
 /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full -c gen_context(system_u:object_r:null_device_t,s0)
 /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
 /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
+/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
 /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
 /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
 /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
 /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
 /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -69,17 +92,18 @@
 /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
-/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
 /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
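Review bot: `/dev/msr.*` is given cpu_device_t, the same type as the `/dev/microcode` context line in this hunk, so every domain that is allowed to read or write cpu_device_t for cpuid or microcode purposes also gets the raw MSR interface; writable MSRs amount to kernel-level control of the processor and readable ones expose hardware state, a much stronger privilege than reading cpuid. Consider a dedicated type for the MSR nodes, or at least a comment next to the entry, `# raw MSR access; shares cpu_device_t with cpuid/microcode, grant with care`, so authors handing out cpu_device_t know what is included. I cannot tell from the diff which callers currently receive cpu_device_t, so this is a design caveat rather than a confirmed over-grant.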
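Review bot: `/dev/ub[a-c] -c` looks wrong if these are the disks of the ub USB block driver (/dev/uba, /dev/ubb, ...): those are block nodes, so a `-c` entry never matches them and they fall back to device_t, and block device labels belong with the storage module rather than usb_device_t anyway; please confirm what the entry is meant to hit. Separately, collapsing `/dev/usbmon[0-9]+`, `/dev/usbdev.*` and `/dev/usb[0-9]+` into `/dev/usb.+` makes this catch-all also match `/dev/usblp.*`, the SUSE `/dev/usbscanner` and the `/dev/usb/...` entries later in the file, which keep their printer/scanner labels only because fc_sort places more specific regexes after it and the last match wins. That is the convention the file already relies on, but a comment such as `# catch-all; more specific usb entries below override via fc_sort ordering` would stop a future /dev/usb addition from being silently absorbed into usb_device_t.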
@@ -91,14 +115,20 @@ ifdef(`distro_suse', `
 /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
+/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)
+
 /dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0)
 /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/m.* -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -106,10 +136,15 @@ ifdef(`distro_suse', `
 /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
 /dev/pts(/.*)? <>
 /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
+
 /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f0f70891..c3dbd7de 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
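Review bot: `/dev/bometric/sensor.*` looks like a typo for `/dev/biometric/sensor.*`; as written the entry never matches, so a biometric sensor node stays at the generic device_t label and domains granted event_device_t access get AVC denials instead of the intended access. Please confirm the path against the driver that creates it (the diff has no other occurrence) and correct the entry to `/dev/biometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)`. In the same hunk `/dev/cpu_dma_latency` is labeled netcontrol_device_t although it is the CPU PM-QoS node rather than a network one; if that grouping is deliberate, a comment such as `# PM QoS request node, grouped with network_latency/throughput` would keep the next reader from "fixing" it. Note that the new `/dev/cpu.*` also matches `/dev/cpu_dma_latency` and `/dev/cpu/mtrr`, so those labels depend on fc_sort ordering the literal entries after the wildcard.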
@@ -65,7 +65,7 @@ interface(`dev_relabel_all_dev_nodes',` relabelfrom_dirs_pattern($1, device_t, device_node) relabelfrom_files_pattern($1, device_t, device_node) - relabelfrom_lnk_files_pattern($1, device_t, device_node) + relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) relabelfrom_fifo_files_pattern($1, device_t, device_node) relabelfrom_sock_files_pattern($1, device_t, device_node) relabel_blk_files_pattern($1,device_t,{ device_t device_node }) @@ -182,6 +182,24 @@ interface(`dev_delete_generic_dirs',` delete_dirs_pattern($1, device_t, device_t) ') +######################################## +## +## Manage of directories in /dev. +## +## +## +## Domain allowed to relabel. +## +## +# +interface(`dev_manage_generic_dirs',` + gen_require(` + type device_t; + ') + + manage_dirs_pattern($1, device_t, device_t) +') + ######################################## ## ## Allow full relabeling (to and from) of directories in /dev. @@ -663,9 +681,10 @@ interface(`dev_getattr_all_blk_files',` interface(`dev_dontaudit_getattr_all_blk_files',` gen_require(` attribute device_node; + type device_t; ') - dontaudit $1 device_node:blk_file getattr; + dontaudit $1 { device_t device_node }:blk_file getattr; ') ######################################## @@ -700,9 +719,10 @@ interface(`dev_getattr_all_chr_files',` interface(`dev_dontaudit_getattr_all_chr_files',` gen_require(` attribute device_node; + type device_t; ') - dontaudit $1 device_node:chr_file getattr; + dontaudit $1 { device_t device_node }:chr_file getattr; ') ######################################## 
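Review bot: The parameter description of the new `dev_manage_generic_dirs` reads `Domain allowed to relabel.`, copied from the relabel interfaces around it, while the body grants `manage_dirs_pattern($1, device_t, device_t)` (create, delete, rename and write of device_t directories) and no relabel permission at all. Change it to `Domain allowed access.` and the summary to `Create, read, write, and delete directories in /dev.` so a policy author does not misjudge what is being handed out. Because manage on device_t directories lets a domain reshape the /dev namespace, it is also worth saying in the summary that the interface is meant for device managers such as udev, if that is the intent.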
@@ -1059,6 +1079,98 @@ interface(`dev_rw_apm_bios',` rw_chr_files_pattern($1, device_t, apm_bios_t) ') +######################################## +## +## Get the attributes of the autofs device node. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_autofs_dev',` + gen_require(` + type device_t, autofs_device_t; + ') + + getattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## +## Do not audit attempts to get the attributes of +## the autofs device node. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_getattr_autofs_dev',` + gen_require(` + type autofs_device_t; + ') + + dontaudit $1 autofs_device_t:chr_file getattr; +') + +######################################## +## +## Set the attributes of the autofs device node. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_autofs_dev',` + gen_require(` + type device_t, autofs_device_t; + ') + + setattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## +## Do not audit attempts to set the attributes of +## the autofs device node. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_setattr_autofs_dev',` + gen_require(` + type autofs_device_t; + ') + + dontaudit $1 autofs_device_t:chr_file setattr; +') + +######################################## +## +## Read and write the autofs device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_autofs',` + gen_require(` + type device_t, autofs_device_t; + ') + + rw_chr_files_pattern($1, device_t, autofs_device_t) +') + ######################################## ## ## Read and write the PCMCIA card manager device. 
@@ -1157,6 +1269,25 @@ interface(`dev_getattr_cpu_dev',` getattr_chr_files_pattern($1, device_t, cpu_device_t) ') +######################################## +## +## Set the attributes of the CPU +## microcode and id interfaces. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_cpu_dev',` + gen_require(` + type device_t, cpu_device_t; + ') + + setattr_chr_files_pattern($1, device_t, cpu_device_t) +') + ######################################## ## ## Read the CPU identity. @@ -1281,7 +1412,7 @@ interface(`dev_dontaudit_rw_dri',` type dri_device_t; ') - dontaudit $1 dri_device_t:chr_file { getattr read write ioctl }; + dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; ') ######################################## 
@@ -1504,6 +1635,96 @@ interface(`dev_rw_framebuffer',` rw_chr_files_pattern($1, device_t, framebuf_device_t) ') +######################################## +## +## Read the kernel messages +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_kmsg',` + gen_require(` + type device_t, kmsg_device_t; + ') + + read_chr_files_pattern($1, device_t, kmsg_device_t) +') + +######################################## +## +## Get the attributes of the kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_kvm_dev',` + gen_require(` + type device_t, kvm_device_t; + ') + + getattr_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## +## Set the attributes of the kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_kvm_dev',` + gen_require(` + type device_t, kvm_device_t; + ') + + setattr_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## +## Read the kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_kvm',` + gen_require(` + type device_t, kvm_device_t; + ') + + read_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## +## Read and write to kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_kvm',` + gen_require(` + type device_t, kvm_device_t; + ') + + rw_chr_files_pattern($1, device_t, kvm_device_t) +') + ######################################## ## ## Read the lvm comtrol device. 
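Review bot: `dev_read_kvm` is summarised as `Read the kvm devices.`, but read_chr_files_pattern expands to read_chr_file_perms, which elsewhere in refpolicy includes `ioctl` (obj_perm_sets.spt is not part of this diff, so confirm); since the KVM API is driven entirely through ioctl on /dev/kvm, a domain given this interface can already create and run virtual machines, not merely inspect the node. Either document that, e.g. `## Read and ioctl the kvm devices (sufficient to drive the KVM API).`, or, if a genuinely passive grant is wanted, keep only `dev_getattr_kvm_dev` and drop `dev_read_kvm`. The same remark applies to `dev_read_kmsg` in this hunk only insofar as ioctl on kmsg_device_t is harmless, so the kvm case is the one worth clarifying.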
@@ -1955,6 +2176,96 @@ interface(`dev_rw_mtrr',` rw_chr_files_pattern($1, device_t, mtrr_device_t) ') +######################################## +## +## Get the attributes of the network control device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_netcontrol_dev',` + gen_require(` + type device_t, netcontrol_device_t; + ') + + getattr_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## +## Read the network control identity. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_netcontrol',` + gen_require(` + type device_t, netcontrol_device_t; + ') + + read_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## +## Read and write the the network control device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_netcontrol',` + gen_require(` + type device_t, netcontrol_device_t; + ') + + rw_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## +## Get the attributes of the null device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_null_dev',` + gen_require(` + type device_t, null_device_t; + ') + + getattr_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## +## Set the attributes of the null device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_null_dev',` + gen_require(` + type device_t, null_device_t; + ') + + setattr_chr_files_pattern($1, device_t, null_device_t) +') + ######################################## ## ## Read and write to the null device (/dev/null). 
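Review bot: The summaries of the new netcontrol interfaces were copied from the CPU block and not adjusted: `Read the network control identity.` on `dev_read_netcontrol` does not describe the interface, and `dev_rw_netcontrol` has the doubled article in `Read and write the the network control device.`. Suggested wording: `Read the network control devices.` and `Read and write the network control devices.`, ideally with a sentence that these are the PM QoS request nodes devices.fc labels netcontrol_device_t (/dev/network_latency, /dev/network_throughput and /dev/cpu_dma_latency). As I understand the kernel interface, a writer holding one of these nodes open pins a system-wide latency or throughput constraint, which is a reason to grant the rw variant sparingly and worth stating in the doc.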
@@ -2101,6 +2412,98 @@ interface(`dev_rw_printer',` rw_chr_files_pattern($1, device_t, printer_device_t) ') +######################################## +## +## Read printk devices (e.g., /dev/kmsg /dev/mcelog) +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_printk',` + gen_require(` + type device_t, printk_device_t; + ') + + read_chr_files_pattern($1, device_t, printk_device_t) +') + +######################################## +## +## Get the attributes of the QEMU +## microcode and id interfaces. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_qemu_dev',` + gen_require(` + type device_t, qemu_device_t; + ') + + getattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## +## Set the attributes of the QEMU +## microcode and id interfaces. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_qemu_dev',` + gen_require(` + type device_t, qemu_device_t; + ') + + setattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## +## Read the QEMU device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + + read_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## +## Read and write the the QEMU device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + + rw_chr_files_pattern($1, device_t, qemu_device_t) +') + ######################################## ## ## Read from random number generator 
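Review bot: `dev_read_printk` requires `type printk_device_t`, but devices.te in this patch declares only autofs, ipmi, kvm, netcontrol and qemu device types, and devices.fc labels `/dev/kmsg` and `/dev/mcelog` as kmsg_device_t, so unless printk_device_t is declared somewhere not visible here any caller of this interface fails to link on an undefined type, and even if it is declared the interface cannot reach the two nodes its summary names. The hunk at +1635 already adds `dev_read_kmsg` for exactly those nodes, so the cleanest fix is to drop `dev_read_printk`, or turn it into a deprecated wrapper: `refpolicywarn(`$0($*) has been deprecated, use dev_read_kmsg() instead.')` followed by `dev_read_kmsg($1)` in place of the read_chr_files_pattern line. The summaries `Get the attributes of the QEMU microcode and id interfaces.` and `Set the attributes of the QEMU microcode and id interfaces.` are also copy-paste from the CPU block and should read `Get/Set the attributes of the QEMU device (/dev/kqemu).`.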
@@ -2139,6 +2542,25 @@ interface(`dev_dontaudit_read_rand',` dontaudit $1 random_device_t:chr_file { getattr read }; ') +######################################## +## +## Do not audit attempts to append to random +## number generator devices (e.g., /dev/random) +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_dontaudit_append_rand',` + gen_require(` + type random_device_t; + ') + + dontaudit $1 random_device_t:chr_file append_chr_file_perms; +') + ######################################## ## ## Write to the random device (e.g., /dev/random). This adds @@ -2765,6 +3187,24 @@ interface(`dev_setattr_generic_usb_dev',` setattr_chr_files_pattern($1, device_t, usb_device_t) ') +######################################## +## +## Read generic the USB devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_generic_usb_dev',` + gen_require(` + type usb_device_t; + ') + + read_chr_files_pattern($1, device_t, usb_device_t) +') + ######################################## ## ## Read and write generic the USB devices. diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 0de9187a..893c4a8d 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,5 +1,5 @@ -policy_module(devices, 1.7.0) +policy_module(devices, 1.7.1) ######################################## # @@ -32,6 +32,12 @@ dev_node(agp_device_t) type apm_bios_t; dev_node(apm_bios_t) +# +# Type for /dev/autofs +# +type autofs_device_t; +dev_node(autofs_device_t) + type cardmgr_dev_t; dev_node(cardmgr_dev_t) files_tmp_file(cardmgr_dev_t) @@ -65,12 +71,25 @@ dev_node(event_device_t) type framebuf_device_t; dev_node(framebuf_device_t) +# +# Type for /dev/ipmi/0 +# +type ipmi_device_t; +dev_node(ipmi_device_t) + # # Type for /dev/kmsg # type kmsg_device_t; dev_node(kmsg_device_t) +# +# kvm_device_t is the type of +# /dev/kvm +# +type kvm_device_t; +dev_node(kvm_device_t) + # # Type for /dev/mapper/control # 
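Review bot: `dev_dontaudit_append_rand` describes its parameter as `Domain allowed access.` although the interface grants nothing and only suppresses audit; the sibling `dev_dontaudit_read_rand` shown as context uses `Domain to not audit.`, so use the same wording here. A short note in the summary on why this is a dontaudit rather than an allow (stray writes to /dev/random are usually harmless noise from libraries and not something the domain needs) would help the next reader decide between the two when they see the denial.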
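Review bot: `dev_read_generic_usb_dev` only requires `type usb_device_t;` but its body `read_chr_files_pattern($1, device_t, usb_device_t)` also references device_t as the directory type, so a caller module that does not already pull device_t in through another interface fails to build on an undeclared type; the adjacent `dev_setattr_generic_usb_dev` context and every other interface added in this patch require `type device_t, usb_device_t;`. Change the gen_require to `type device_t, usb_device_t;` and fix the summary `Read generic the USB devices.` to `Read the generic USB devices.`. Be aware this interface inherits the breadth of the new `/dev/usb.+` and `/dev/[0-9].*` labels in devices.fc, so it is less "generic" than its name suggests.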
@@ -103,6 +122,12 @@ type mtrr_device_t; dev_node(mtrr_device_t) genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0) +# +# network control devices +# +type netcontrol_device_t; +dev_node(netcontrol_device_t) + # # null_device_t is the type of /dev/null. # @@ -127,6 +152,12 @@ type printer_device_t; dev_node(printer_device_t) mls_file_write_within_range(printer_device_t) +# +# qemu control devices +# +type qemu_device_t; +dev_node(qemu_device_t) + # # random_device_t is the type of /dev/random #
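Review bot: The comment `# network control devices` over netcontrol_device_t undersells what devices.fc attaches to the type: `/dev/network_latency`, `/dev/network_throughput` and also `/dev/cpu_dma_latency`, which is not a network node. Suggest `# PM QoS request nodes: /dev/cpu_dma_latency, /dev/network_latency, /dev/network_throughput` in the style of the `# Type for /dev/kmsg` comments elsewhere in the file, so anyone granting dev_rw_netcontrol sees the full scope of the type. The type itself is fine as a plain dev_node at s0; if the latency constraints are considered a system-wide resource, whether it deserves an MLS write restriction like printer_device_t above is a separate question the patch does not address.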