add cpucontrol

2005-09-20 18:15:35 +00:00 · 2005-09-20 18:15:35 +00:00 · 9210553ecb
parent 9dfe4e2b2b
commit 9210553ecb
7 changed files with 179 additions and 1 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -4,6 +4,7 @@
  can_portmap() to sysnetwork.
 - Fix base module compile issues.
 - Added policies:
+	cpucontrol
 	ktalk
 	portmap
 	postgresql
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@ -881,6 +881,24 @@ interface(`dev_dontaudit_rw_cardmgr',`
 	dontaudit $1 cardmgr_dev_t:chr_file { read write };
 ')

+########################################
+## <summary>
+##	Get the attributes of the CPU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_cpu',`
+	gen_require(`
+		type device_t, cpu_device_t;
+	')
+
+	allow $1 device_t:dir search;
+	allow $1 cpu_device_t:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read the CPU identity.
--- a/refpolicy/policy/modules/services/cpucontrol.fc
+++ b/refpolicy/policy/modules/services/cpucontrol.fc
@ -0,0 +1,7 @@
+
+/etc/firmware/.*	--	context_template(system_u:object_r:cpucontrol_conf_t,s0)
+
+/sbin/microcode_ctl	--	context_template(system_u:object_r:cpucontrol_exec_t,s0)
+
+/usr/sbin/cpuspeed	--	context_template(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/powernowd	--	context_template(system_u:object_r:cpuspeed_exec_t,s0)
--- a/refpolicy/policy/modules/services/cpucontrol.if
+++ b/refpolicy/policy/modules/services/cpucontrol.if
@ -0,0 +1,15 @@
+## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
+
+########################################
+## <summary>
+##	CPUcontrol stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	N/A
+## </param>
+#
+interface(`cpucontrol_stub',`
+	gen_require(`
+		type cpucontrol_t;
+	')
+')
--- a/refpolicy/policy/modules/services/cpucontrol.te
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@ -0,0 +1,132 @@
+
+policy_module(cpucontrol,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpucontrol_t;
+type cpucontrol_exec_t;
+init_daemon_domain(cpucontrol_t,cpucontrol_exec_t)
+
+type cpucontrol_conf_t;
+files_type(cpucontrol_conf_t)
+
+type cpuspeed_t;
+type cpuspeed_exec_t;
+init_daemon_domain(cpuspeed_t,cpuspeed_exec_t)
+
+########################################
+#
+# CPU microcode loader local policy
+#
+
+allow cpucontrol_t self:capability sys_rawio;
+dontaudit cpucontrol_t self:capability sys_tty_config;
+allow cpucontrol_t self:process signal_perms;
+
+allow cpucontrol_t cpucontrol_conf_t:dir r_dir_perms;
+allow cpucontrol_t cpucontrol_conf_t:file r_file_perms;
+allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
+
+kernel_list_proc(cpucontrol_t)
+kernel_read_proc_symlinks(cpucontrol_t)
+kernel_read_kernel_sysctl(cpucontrol_t)
+
+dev_read_sysfs(cpucontrol_t)
+dev_rw_cpu_microcode(cpucontrol_t)
+
+fs_search_auto_mountpoints(cpucontrol_t)
+
+term_dontaudit_use_console(cpucontrol_t)
+
+domain_use_wide_inherit_fd(cpucontrol_t)
+
+files_list_usr(cpucontrol_t)
+
+init_use_fd(cpucontrol_t)
+init_use_script_pty(cpucontrol_t)
+
+libs_use_ld_so(cpucontrol_t)
+libs_use_shared_libs(cpucontrol_t)
+
+logging_send_syslog_msg(cpucontrol_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cpucontrol_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(cpucontrol_t)
+	term_dontaudit_use_generic_pty(cpucontrol_t)
+	files_dontaudit_read_root_file(cpucontrol_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(cpucontrol_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(cpucontrol_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(cpucontrol_t)
+')
+') dnl end TODO
+
+########################################
+#
+# CPU frequency scaling daemons
+#
+
+dontaudit cpuspeed_t self:capability sys_tty_config;
+allow cpuspeed_t self:process { signal_perms setsched };
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(cpuspeed_t)
+kernel_read_kernel_sysctl(cpuspeed_t)
+
+dev_rw_sysfs(cpuspeed_t)
+
+fs_search_auto_mountpoints(cpuspeed_t)
+
+term_dontaudit_use_console(cpuspeed_t)
+
+domain_use_wide_inherit_fd(cpuspeed_t)
+
+files_read_etc_files(cpuspeed_t)
+files_read_etc_runtime_files(cpuspeed_t)
+files_list_usr(cpuspeed_t)
+
+init_use_fd(cpuspeed_t)
+init_use_script_pty(cpuspeed_t)
+
+libs_use_ld_so(cpuspeed_t)
+libs_use_shared_libs(cpuspeed_t)
+
+logging_send_syslog_msg(cpuspeed_t)
+
+miscfiles_read_localization(cpuspeed_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cpuspeed_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(cpuspeed_t)
+	term_dontaudit_use_generic_pty(cpuspeed_t)
+	files_dontaudit_read_root_file(cpuspeed_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(cpuspeed_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(cpuspeed_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(cpuspeed_t)
+')
+') dnl end TODO
--- a/refpolicy/policy/modules/services/ntp.if
+++ b/refpolicy/policy/modules/services/ntp.if
@ -9,7 +9,7 @@
 ## </param>
 #
 interface(`ntp_stub',`
-	gen_require(`ntp.te',`
+	gen_require(`
 		type ntpd_t;
 	')
 ')
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@ -414,6 +414,11 @@ optional_policy(`bind.te',`

 ')

+optional_policy(`cpucontrol.te',`
+	cpucontrol_stub()
+	dev_getattr_cpu(initrc_t)
+')
+
 optional_policy(`gpm.te',`
 	gpm_setattr_gpmctl(initrc_t)
 ')