From 85476e94d88fdb9e5aa0c8c095666f9a941d4451 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 1 Aug 2006 14:43:10 +0000
Subject: [PATCH] fix up mtrr interfaces. missing the file class on a few interfaces, and read and write cannot be split.
---
 policy/modules/kernel/devices.if | 63 +++++++++++++++++++++----------
 policy/modules/kernel/devices.te | 2 +-
 policy/modules/system/modutils.te | 4 +-
 3 files changed, 46 insertions(+), 23 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 5449c4df..d7d4504f 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1684,7 +1684,8 @@ interface(`dev_rw_mouse',`
 ########################################
 ##
-## Get the attributes of the mtrr device.
+## Get the attributes of the memory type range
+## registers (MTRR) device.
 ##
 ##
 ##
@@ -1698,15 +1699,27 @@ interface(`dev_getattr_mtrr_dev',`
 ')
 allow $1 device_t:dir r_dir_perms;
-
- # proc entry is a file. added for nmbd_t
 allow $1 mtrr_device_t:{ file chr_file } getattr;
 ')
 ########################################
 ##
-## Read the mtrr device.
+## Read the memory type range
+## registers (MTRR). (Deprecated)
 ##
+##
+##

+## Read the memory type range
+## registers (MTRR). This interface has
+## been deprecated, dev_rw_mtrr() should be
+## used instead.
+##

+##

+## The MTRR device ioctls can be used for
+## reading and writing; thus, read access to the
+## device cannot be separated from write access.
+##

+##
##
 ##
 ## Domain allowed access.
@@ -1714,18 +1727,28 @@ interface(`dev_getattr_mtrr_dev',`
 ##
 #
 interface(`dev_read_mtrr',`
- gen_require(`
- type device_t, mtrr_device_t;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:chr_file r_file_perms;
+ refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+ dev_rw_mtrr($1)
 ')
 ########################################
 ##
-## Write the mtrr device.
+## Write the memory type range
+## registers (MTRR). (Deprecated)
 ##
+##
+##
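Review bot: Removing the `# proc entry is a file. added for nmbd_t` comment leaves nothing in dev_getattr_mtrr_dev explaining why `file` is granted next to `chr_file` on mtrr_device_t; the only remaining justification is the commit subject, which readers of devices.if will not see. Suggest keeping a short why-comment above the allow, e.g. `# the mtrr proc entry is a regular file, so the file class is needed alongside chr_file`, and dropping only the stale nmbd_t reference if that was the intent. The same `{ file chr_file }` pair is introduced unexplained in dev_rw_mtrr later in this patch, so one comment in each place would keep the two interfaces self-describing. The dev_read_mtrr body this hunk starts documenting continues in the next hunk.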

+## Write the memory type range
+## registers (MTRR). This interface has
+## been deprecated, dev_rw_mtrr() should be
+## used instead.
+##

+##

+## The MTRR device ioctls can be used for
+## reading and writing; thus, write access to the
+## device cannot be separated from read access.
+##

+##
##
 ##
 ## Domain allowed access.
@@ -1733,17 +1756,13 @@ interface(`dev_read_mtrr',`
 ##
 #
 interface(`dev_write_mtrr',`
- gen_require(`
- type device_t, mtrr_device_t;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+ refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
+ dev_rw_mtrr($1)
 ')
 ########################################
 ##
-## Read and write the mtrr device.
+## Read and write the memory type range registers (MTRR).
 ##
 ##
 ##
@@ -1752,8 +1771,12 @@ interface(`dev_write_mtrr',`
 ##
 #
 interface(`dev_rw_mtrr',`
- dev_read_mtrr($1)
- dev_write_mtrr($1)
+ gen_require(`
+ type device_t, mtrr_device_t;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 mtrr_device_t:{ file chr_file } rw_file_perms;
 ')
 ########################################
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 6c06c8cd..9d209458 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.15)
+policy_module(devices,1.1.16)
 ########################################
 #
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 9ac0adf2..f50a4028 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils,1.1.2)
+policy_module(modutils,1.1.3)
 gen_require(`
 bool secure_mode_insmod;
@@ -70,7 +70,7 @@ files_write_kernel_modules(insmod_t)
 dev_search_sysfs(insmod_t)
 dev_search_usbfs(insmod_t)
-dev_write_mtrr(insmod_t)
+dev_rw_mtrr(insmod_t)
 dev_read_urand(insmod_t)
 dev_rw_agp(insmod_t)
 dev_read_sound(insmod_t)
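Review bot: The rationale for collapsing read and write into one interface is documented only on the two deprecated shims, while dev_rw_mtrr, now the sole interface that actually grants the access, keeps a one-line summary `Read and write the memory type range registers (MTRR).` with no `<desc>`; a reader landing on it sees no reason why there is no read-only variant. Suggest adding a `<desc>` paragraph here stating that the MTRR device ioctls can both read and modify the registers, so read and write access cannot be split and this is the only interface offered. The new `allow $1 mtrr_device_t:{ file chr_file } rw_file_perms;` also deserves a why-comment for the `file` class, e.g. `# the mtrr proc entry is a regular file; the device node is a chr_file` (this pairing is presumably why mtrr_device_t is applied to both, but confirm against the file contexts). With that in place the deprecated dev_read_mtrr and dev_write_mtrr docs could simply point at dev_rw_mtrr's description instead of repeating the ioctl note twice.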