Merge pull request #43 from pebenito/various-device-labels

policy/modules/kernel/devices.fc

@@ -34,6 +34,7 @@
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/gfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gpiochip[0-9]	-c	gen_context(system_u:object_r:gpiochip_device_t,s0)
 /dev/graphics		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/gtrsc.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hfmodem		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -63,6 +64,7 @@
 /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/mei		-c	gen_context(system_u:object_r:mei_device_t,s0)
 /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/memory_bandwidth	-c	gen_context(system_u:object_r:pmqos_device_t,s0)
 /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -75,8 +77,8 @@
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/net/vhost		-c	gen_context(system_u:object_r:vhost_device_t,s0)
-/dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
-/dev/network_throughput	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_latency	-c	gen_context(system_u:object_r:pmqos_device_t,s0)
+/dev/network_throughput	-c	gen_context(system_u:object_r:pmqos_device_t,s0)
 /dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
@@ -108,6 +110,7 @@
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
+/dev/tpmrm[0-9]*	-c	gen_context(system_u:object_r:tpm_device_t,s0)
 /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/uio[0-9]+		-c	gen_context(system_u:object_r:userio_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
@@ -140,7 +143,7 @@ ifdef(`distro_suse', `
 /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
 
-/dev/cpu_dma_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/cpu_dma_latency	-c	gen_context(system_u:object_r:pmqos_device_t,s0)
 /dev/cpu.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
 

policy/modules/kernel/devices.if

@@ -3116,7 +3116,7 @@ interface(`dev_rw_mtrr',`
 
 ########################################
 ## <summary>
-##	Get the attributes of the network control device
+##	Get the attributes of the network control device  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3125,16 +3125,13 @@ interface(`dev_rw_mtrr',`
 ## </param>
 #
 interface(`dev_getattr_netcontrol_dev',`
-	gen_require(`
-		type device_t, netcontrol_device_t;
-	')
-
-	getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
+	refpolicywarn(`$0() has been deprecated, use dev_getattr_pmqos_dev() instead.')
+	dev_getattr_pmqos_dev($1)
 ')
 
 ########################################
 ## <summary>
-##	Read the network control identity.
+##	Read the network control identity.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3143,16 +3140,13 @@ interface(`dev_getattr_netcontrol_dev',`
 ## </param>
 #
 interface(`dev_read_netcontrol',`
-	gen_require(`
-		type device_t, netcontrol_device_t;
-	')
-
-	read_chr_files_pattern($1, device_t, netcontrol_device_t)
+	refpolicywarn(`$0() has been deprecated, use dev_read_pmqos() instead.')
+	dev_read_pmqos($1)
 ')
 
 ########################################
 ## <summary>
-##	Read and write the the network control device.
+##	Read and write the the network control device.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3161,11 +3155,8 @@ interface(`dev_read_netcontrol',`
 ## </param>
 #
 interface(`dev_rw_netcontrol',`
-	gen_require(`
-		type device_t, netcontrol_device_t;
-	')
-
-	rw_chr_files_pattern($1, device_t, netcontrol_device_t)
+	refpolicywarn(`$0() has been deprecated, use dev_rw_pmqos() instead.')
+	dev_rw_pmqos($1)
 ')
 
 ########################################
@@ -3388,6 +3379,60 @@ interface(`dev_rw_printer',`
 	rw_chr_files_pattern($1, device_t, printer_device_t)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of PM QoS devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_pmqos_dev',`
+	gen_require(`
+		type device_t, pmqos_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, pmqos_device_t)
+')
+
+########################################
+## <summary>
+##	Read the PM QoS devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_pmqos',`
+	gen_require(`
+		type device_t, pmqos_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, pmqos_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the the PM QoS devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_pmqos',`
+	gen_require(`
+		type device_t, pmqos_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, pmqos_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)

policy/modules/kernel/devices.te

@@ -100,6 +100,12 @@ dev_node(event_device_t)
 type framebuf_device_t;
 dev_node(framebuf_device_t)
 
+#
+# Type for GPIO chip /dev/gpiochip*
+#
+type gpiochip_device_t;
+dev_node(gpiochip_device_t)
+
 #
 # Type for /dev/ipmi/0
 #
@@ -175,12 +181,6 @@ type mtrr_device_t;
 dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
 
-#
-# network control devices
-#
-type netcontrol_device_t;
-dev_node(netcontrol_device_t)
-
 #
 # null_device_t is the type of /dev/null.
 #
@@ -201,6 +201,13 @@ dev_node(nvram_device_t)
 type power_device_t;
 dev_node(power_device_t)
 
+#
+# PM QoS Interface, /dev/cpu_dma_latency, network_latency,
+# network_throughput, and memory_bandwidth
+#
+type pmqos_device_t alias netcontrol_device_t;
+dev_node(pmqos_device_t)
+
 type printer_device_t;
 dev_node(printer_device_t)
 mls_file_write_within_range(printer_device_t)

policy/modules/kernel/storage.fc

@@ -30,6 +30,7 @@
 /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mmcblk.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

policy/modules/services/devicekit.te

@@ -261,7 +261,7 @@ dev_read_input(devicekit_power_t)
 dev_read_urand(devicekit_power_t)
 dev_rw_generic_usb_dev(devicekit_power_t)
 dev_rw_generic_chr_files(devicekit_power_t)
-dev_rw_netcontrol(devicekit_power_t)
+dev_rw_pmqos(devicekit_power_t)
 dev_rw_sysfs(devicekit_power_t)
 dev_read_rand(devicekit_power_t)
 dev_getattr_all_blk_files(devicekit_power_t)

policy/modules/services/tuned.te

@@ -65,7 +65,7 @@ dev_getattr_all_blk_files(tuned_t)
 dev_getattr_all_chr_files(tuned_t)
 dev_read_urand(tuned_t)
 dev_rw_sysfs(tuned_t)
-dev_rw_netcontrol(tuned_t)
+dev_rw_pmqos(tuned_t)
 
 files_read_usr_files(tuned_t)
 files_dontaudit_search_home(tuned_t)