Support /sys/devices/system/cpu/online

In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need to grant most domains read access to this file. As we don't want them to have read access on sysfs_t by default, create a new type (cpu_online_t) and assign it to the file, and grant domains read access to the file. This does require systems to relabel the file upon every boot, something distributions do in their bootup scripts, as /sys devices don't keep their context. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-03-25 21:30:06 +01:00 · 2014-03-25 21:30:06 +01:00 · 22ef609197
parent 6e0000b725
commit 22ef609197
4 changed files with 36 additions and 0 deletions
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@ -199,6 +199,7 @@ ifdef(`distro_debian',`
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)

 /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online	--	gen_context(system_u:object_r:cpu_online_t,s0)

 ifdef(`distro_redhat',`
 # originally from named.fc
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -4852,6 +4852,31 @@ interface(`dev_create_zero_dev',`
 	create_chr_files_pattern($1, device_t, zero_device_t)
 ')

+########################################
+## <summary>
+##	Read cpu online hardware state information
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read /sys/devices/system/cpu/online
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_cpu_online',`
+	gen_require(`
+		type cpu_online_t;
+	')
+
+	allow $1 cpu_online_t:file read_file_perms;
+
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to devices.
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -59,6 +59,13 @@ dev_node(clock_device_t)
 type cpu_device_t;
 dev_node(cpu_device_t)

+#
+# /sys/devices/system/cpu/online device
+#
+type cpu_online_t;
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
+
 #
 # Type for /dev/crash
 #
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@ -96,6 +96,9 @@ kernel_dontaudit_link_key(domain)
 # create child processes in the domain
 allow domain self:process { fork sigchld };

+# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
+dev_read_cpu_online(domain)
+
 # Use trusted objects in /dev
 dev_rw_null(domain)
 dev_rw_zero(domain)