From 1a13a5410b60ccbd5630eb63649e765bae1e3fe1 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 19 Apr 2020 11:40:59 +0200
Subject: [PATCH] devices: label /dev/sysdig0

`sysdig` is a tool that enables introspecting the system, debugging it,
etc. It uses a driver that creates `/dev/sysdig0`. Define a specific
label in order to be able to allow using it.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 19 +++++++++++++++++++
 policy/modules/kernel/devices.te |  6 ++++++
 3 files changed, 26 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index e736b9566..0242cb5e5 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -113,6 +113,7 @@
 /dev/snapshot		-c	gen_context(system_u:object_r:acpi_bios_t,s0)
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/sysdig[0-9]	-c	gen_context(system_u:object_r:sysdig_device_t,s0)
 /dev/tee[0-9]		-c	gen_context(system_u:object_r:tee_device_t,s0)
 /dev/teepriv[0-9]	-c	gen_context(system_u:object_r:tee_priv_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 792ffa2ef..055d6c74f 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4176,6 +4176,25 @@ interface(`dev_manage_smartcard',`
 	manage_chr_files_pattern($1, device_t, smartcard_device_t)
 ')
 
+########################################
+## <summary>
+##	Read, write and map the sysdig device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_sysdig',`
+	gen_require(`
+		type device_t, sysdig_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, sysdig_device_t)
+	allow $1 sysdig_device_t:chr_file map;
+')
+
 ########################################
 ## <summary>
 ##	Mount a filesystem on sysfs.
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8b3c20279..539c0c4a6 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -255,6 +255,12 @@ dev_node(smartcard_device_t)
 type sound_device_t;
 dev_node(sound_device_t)
 
+#
+# Type for sysdig device
+#
+type sysdig_device_t;
+dev_node(sysdig_device_t)
+
 #
 # sysfs_t is the type for the /sys pseudofs
 #