fix up mtrr interfaces. missing the file class on a few interfaces, and read and write cannot be split.

2006-08-01 14:43:10 +00:00 · 2006-08-01 14:43:10 +00:00 · 85476e94d8
commit 85476e94d8
parent 4b3b46d7ef
3 changed files with 46 additions and 23 deletions
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -1684,7 +1684,8 @@ interface(`dev_rw_mouse',`

 ########################################
 ## <summary>
-##	Get the attributes of the mtrr device.
+##	Get the attributes of the memory type range
+##	registers (MTRR) device.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -1698,15 +1699,27 @@ interface(`dev_getattr_mtrr_dev',`
 	')

 	allow $1 device_t:dir r_dir_perms;
-
-	# proc entry is a file.  added for nmbd_t
 	allow $1 mtrr_device_t:{ file chr_file } getattr;
 ')

 ########################################
 ## <summary>
-##	Read the mtrr device.
+##	Read the memory type range
+##	registers (MTRR).  (Deprecated)
 ## </summary>
+## <desc>
+##	<p>
+##	Read the memory type range
+##	registers (MTRR).  This interface has
+##	been deprecated, dev_rw_mtrr() should be
+##	used instead.
+##	</p>
+##	<p>
+##	The MTRR device ioctls can be used for
+##	reading and writing; thus, read access to the
+##	device cannot be separated from write access.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@ -1714,18 +1727,28 @@ interface(`dev_getattr_mtrr_dev',`
 ## </param>
 #
 interface(`dev_read_mtrr',`
-	gen_require(`
-		type device_t, mtrr_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mtrr_device_t:chr_file r_file_perms;
+	refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+	dev_rw_mtrr($1)
 ')

 ########################################
 ## <summary>
-##	Write the mtrr device.
+##	Write the memory type range
+##	registers (MTRR).  (Deprecated)
 ## </summary>
+## <desc>
+##	<p>
+##	Write the memory type range
+##	registers (MTRR).  This interface has
+##	been deprecated, dev_rw_mtrr() should be
+##	used instead.
+##	</p>
+##	<p>
+##	The MTRR device ioctls can be used for
+##	reading and writing; thus, write access to the
+##	device cannot be separated from read access.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@ -1733,17 +1756,13 @@ interface(`dev_read_mtrr',`
 ## </param>
 #
 interface(`dev_write_mtrr',`
-	gen_require(`
-		type device_t, mtrr_device_t;
-	')
-
-	allow $1 device_t:dir r_dir_perms;
-	allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+	refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+	dev_rw_mtrr($1)
 ')

 ########################################
 ## <summary>
-##	Read and write the mtrr device.
+##	Read and write the memory type range registers (MTRR).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -1752,8 +1771,12 @@ interface(`dev_write_mtrr',`
 ## </param>
 #
 interface(`dev_rw_mtrr',`
-	dev_read_mtrr($1)
-	dev_write_mtrr($1)
+	gen_require(`
+		type device_t, mtrr_device_t;
+	')
+
+	allow $1 device_t:dir r_dir_perms;
+	allow $1 mtrr_device_t:{ file chr_file } rw_file_perms;
 ')

 ########################################
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@

-policy_module(devices,1.1.15)
+policy_module(devices,1.1.16)

 ########################################
 #
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@ -1,5 +1,5 @@

-policy_module(modutils,1.1.2)
+policy_module(modutils,1.1.3)

 gen_require(`
 	bool secure_mode_insmod;
@ -70,7 +70,7 @@ files_write_kernel_modules(insmod_t)

 dev_search_sysfs(insmod_t)
 dev_search_usbfs(insmod_t)
-dev_write_mtrr(insmod_t)
+dev_rw_mtrr(insmod_t)
 dev_read_urand(insmod_t)
 dev_rw_agp(insmod_t)
 dev_read_sound(insmod_t)