selinux-refpolicy/policy/modules/services/tpm2.te

policy_module(tpm2, 1.1.2)

########################################
#
# Declarations
#

type tpm2_abrmd_t;
type tpm2_abrmd_exec_t;
init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)

type tpm2_abrmd_unit_t;
init_unit_file(tpm2_abrmd_unit_t)

type tpm2_t;
type tpm2_exec_t;
application_domain(tpm2_t, tpm2_exec_t)

########################################
#
# tpm2-abrmd local policy
#

allow tpm2_abrmd_t self:process signal;
allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms;
allow tpm2_abrmd_t self:fifo_file { read write };

dev_rw_tpm(tpm2_abrmd_t)

kernel_read_crypto_sysctls(tpm2_abrmd_t)
kernel_read_system_state(tpm2_abrmd_t)

optional_policy(`
	dbus_system_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
')


###########################################
# tpm2_* local policy
#

allow tpm2_t self:unix_stream_socket create_socket_perms;
allow tpm2_t self:capability dac_override;

dev_rw_tpm(tpm2_t)

files_read_etc_files(tpm2_t)

kernel_read_crypto_sysctls(tpm2_t)
kernel_read_system_state(tpm2_t)

miscfiles_read_generic_certs(tpm2_t)

selinux_getattr_fs(tpm2_t)
selinux_search_fs(tpm2_t)

tpm2_dbus_chat_abrmd(tpm2_t)
tpm2_rw_abrmd_pipes(tpm2_t)

optional_policy(`
	dbus_system_bus_client(tpm2_t)
')
various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2020-05-14 14:32:30 +00:00			`policy_module(tpm2, 1.1.2)`
Module for tpm2 Module for tpm2 v2 - updated to rename module and interface names, different dbus interface Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-08-05 19:13:02 +00:00
			`########################################`
			`#`
			`# Declarations`
			`#`

			`type tpm2_abrmd_t;`
			`type tpm2_abrmd_exec_t;`
			`init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)`

			`type tpm2_abrmd_unit_t;`
			`init_unit_file(tpm2_abrmd_unit_t)`

Setup domain for tpm2_* binaries The various /bin/tpm2_* binaries use dbus to communicate with tpm2-abrmd and also can directly access /dev/tpmrm0. This seems like a way to help limit access to the TPM by running the tpm_* binaries in their own domain. I setup this domain because I have a process that needs to use tpm2_hmac to encode something, but didn't want that domain to have direct access to the TPM. I did some basic testing to verify that the other tpm2_* binaries have basically the same access needs. But it wasn't through testing of all the tpm2_* binaries. Signed-off-by: Dave Sugar <dsugar@tresys.com> 2020-03-29 00:21:33 +00:00			`type tpm2_t;`
			`type tpm2_exec_t;`
			`application_domain(tpm2_t, tpm2_exec_t)`

Module for tpm2 Module for tpm2 v2 - updated to rename module and interface names, different dbus interface Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-08-05 19:13:02 +00:00			`########################################`
			`#`
Setup domain for tpm2_* binaries The various /bin/tpm2_* binaries use dbus to communicate with tpm2-abrmd and also can directly access /dev/tpmrm0. This seems like a way to help limit access to the TPM by running the tpm_* binaries in their own domain. I setup this domain because I have a process that needs to use tpm2_hmac to encode something, but didn't want that domain to have direct access to the TPM. I did some basic testing to verify that the other tpm2_* binaries have basically the same access needs. But it wasn't through testing of all the tpm2_* binaries. Signed-off-by: Dave Sugar <dsugar@tresys.com> 2020-03-29 00:21:33 +00:00			`# tpm2-abrmd local policy`
Module for tpm2 Module for tpm2 v2 - updated to rename module and interface names, different dbus interface Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-08-05 19:13:02 +00:00			`#`

			`allow tpm2_abrmd_t self:process signal;`
			`allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms;`
Setup domain for tpm2_* binaries The various /bin/tpm2_* binaries use dbus to communicate with tpm2-abrmd and also can directly access /dev/tpmrm0. This seems like a way to help limit access to the TPM by running the tpm_* binaries in their own domain. I setup this domain because I have a process that needs to use tpm2_hmac to encode something, but didn't want that domain to have direct access to the TPM. I did some basic testing to verify that the other tpm2_* binaries have basically the same access needs. But it wasn't through testing of all the tpm2_* binaries. Signed-off-by: Dave Sugar <dsugar@tresys.com> 2020-03-29 00:21:33 +00:00			`allow tpm2_abrmd_t self:fifo_file { read write };`
Module for tpm2 Module for tpm2 v2 - updated to rename module and interface names, different dbus interface Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-08-05 19:13:02 +00:00
			`dev_rw_tpm(tpm2_abrmd_t)`

			`kernel_read_crypto_sysctls(tpm2_abrmd_t)`
			`kernel_read_system_state(tpm2_abrmd_t)`

			optional_policy(`
			`dbus_system_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)`
			`')`
Setup domain for tpm2_* binaries The various /bin/tpm2_* binaries use dbus to communicate with tpm2-abrmd and also can directly access /dev/tpmrm0. This seems like a way to help limit access to the TPM by running the tpm_* binaries in their own domain. I setup this domain because I have a process that needs to use tpm2_hmac to encode something, but didn't want that domain to have direct access to the TPM. I did some basic testing to verify that the other tpm2_* binaries have basically the same access needs. But it wasn't through testing of all the tpm2_* binaries. Signed-off-by: Dave Sugar <dsugar@tresys.com> 2020-03-29 00:21:33 +00:00

			`###########################################`
			`# tpm2_* local policy`
			`#`

			`allow tpm2_t self:unix_stream_socket create_socket_perms;`
			`allow tpm2_t self:capability dac_override;`

			`dev_rw_tpm(tpm2_t)`

			`files_read_etc_files(tpm2_t)`

			`kernel_read_crypto_sysctls(tpm2_t)`
			`kernel_read_system_state(tpm2_t)`

			`miscfiles_read_generic_certs(tpm2_t)`

			`selinux_getattr_fs(tpm2_t)`
			`selinux_search_fs(tpm2_t)`

			`tpm2_dbus_chat_abrmd(tpm2_t)`
			`tpm2_rw_abrmd_pipes(tpm2_t)`

			optional_policy(`
			`dbus_system_bus_client(tpm2_t)`
			`')`