From 77161ca8b7a809c6c9f8e6f4f38e86960a762ea3 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 5 Apr 2019 10:15:57 -0400
Subject: [PATCH 1/4] storage: Label /dev/mmcblk* character nodes.
An example is mmcblk0rpmb, which is for the replay protected memory block subsystem.
Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/storage.fc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index c7e3ac0d3..926327bd8 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -30,6 +30,7 @@
 /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mmcblk.* -c gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
From b1a312152c492ec8255ff844c4b46c66e5b44581 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 12 Apr 2019 10:37:10 -0400
Subject: [PATCH 2/4] devices: Label /dev/tpmrm[0-9].
Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/devices.fc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 5ec14acfd..f09e5a20c 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
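Review bot: The added `-c` entry gives the RPMB node named in the commit message (mmcblk0rpmb) the same removable_device_t label as generic removable media, so every domain already allowed to read or write removable devices also gains access to the replay-protected memory block. RPMB is commonly used by firmware and trusted applications as tamper-evident storage, which is a different trust level from a removable card, and the `.*` pattern will also cover any other character nodes that appear under /dev/mmcblk* later. If sharing the label is deliberate, a comment on the new line such as `# also matches mmcblk*rpmb (replay protected memory block); intentionally shares removable_device_t` would record the decision; otherwise a dedicated type would let policy grant RPMB access separately from removable media.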
@@ -108,6 +108,7 @@
 /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+/dev/tpmrm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
 /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
 /dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
 /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
From 3b0d0ea3305a30bd550ca685aed6eb23ac2b5cce Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 10 Apr 2019 14:01:39 -0400
Subject: [PATCH 3/4] devices: Add type for GPIO chips, /dev/gpiochip[0-9]
Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/devices.fc | 1 +
 policy/modules/kernel/devices.te | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index f09e5a20c..01518500d 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -34,6 +34,7 @@
 /dev/full -c gen_context(system_u:object_r:null_device_t,s0)
 /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
 /dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gpiochip[0-9] -c gen_context(system_u:object_r:gpiochip_device_t,s0)
 /dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 027c5239f..302048e96 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -100,6 +100,12 @@ dev_node(event_device_t)
 type framebuf_device_t;
 dev_node(framebuf_device_t)
+#
+# Type for GPIO chip /dev/gpiochip*
+#
+type gpiochip_device_t;
+dev_node(gpiochip_device_t)
+
 #
 # Type for /dev/ipmi/0
 #
From 4bca3dade2b4b8d2abb5591e534ff25734ffbe72 Mon Sep 17 00:00:00 2001
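Review bot: The new `/dev/tpmrm[0-9]*` line reuses tpm_device_t, so policy cannot distinguish the kernel's TPM resource-manager interface from the raw `/dev/tpm[0-9]*` device on the line above; any domain granted one is granted both. That matches the existing convention in this file, but the two nodes are typically meant for different sets of clients, so it is worth recording the choice, e.g. `# /dev/tpmrm* is the in-kernel TPM resource manager; shares tpm_device_t with the raw device`. A separate type could be introduced later without changing the label here.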
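Review bot: `/dev/gpiochip[0-9]` matches only single-digit chips, so `/dev/gpiochip10` and above would not receive gpiochip_device_t and would fall back to whatever generic /dev entry applies; boards with many GPIO controllers are precisely where this type matters. The neighbouring `/dev/uio[0-9]+` entry in this file uses `+`, so `/dev/gpiochip[0-9]+ -c gen_context(system_u:object_r:gpiochip_device_t,s0)` would be both consistent and complete. The commit subject quotes the same single-digit pattern and would want the same adjustment.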
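Review bot: gpiochip_device_t is declared with no accompanying interfaces in devices.if (the diffstat lists only devices.fc and devices.te), so under refpolicy's convention that other modules do not reference device types directly, no domain can be granted access to /dev/gpiochip* except through the broad all-device-node interfaces that the dev_node() attribute already covers. If read/write interfaces are planned as a follow-up, saying so in the header keeps the gap visible, e.g. `# Type for GPIO chip /dev/gpiochip* (access interfaces to follow)`; otherwise the new type only restricts what the generic label allowed without giving policy authors a way to grant it.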
From: Chris PeBenito
Date: Fri, 5 Apr 2019 10:12:01 -0400
Subject: [PATCH 4/4] devices: Change netcontrol devices to pmqos.
Devices with the netcontrol_device_t type are actually PM QoS devices. Rename the type and add labeling for /dev/memory_bandwidth.
Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/devices.fc | 7 +--
 policy/modules/kernel/devices.if | 81 +++++++++++++++++++++-------
 policy/modules/kernel/devices.te | 13 ++---
 policy/modules/services/devicekit.te | 2 +-
 policy/modules/services/tuned.te | 2 +-
 5 files changed, 76 insertions(+), 29 deletions(-)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 01518500d..3b9be43f9 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -64,6 +64,7 @@
 /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/memory_bandwidth -c gen_context(system_u:object_r:pmqos_device_t,s0)
 /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
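Review bot: Labeling /dev/memory_bandwidth as pmqos_device_t silently widens every existing caller of the old netcontrol interfaces (devicekit_power_t and tuned_t in this series, plus any external policy using the now-deprecated wrappers) to a node they previously had no access to, while the commit message presents it purely as a labeling addition. The rename itself is access-neutral; this one line is the permission change, so it deserves a sentence in the message or a check that those callers actually need the new node. A comment on the line, `# new node: grants access to all pmqos_device_t callers`, would help the next reader spot the same thing.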
@@ -76,8 +77,8 @@
 /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
-/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
-/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_latency -c gen_context(system_u:object_r:pmqos_device_t,s0)
+/dev/network_throughput -c gen_context(system_u:object_r:pmqos_device_t,s0)
 /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
 /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
@@ -142,7 +143,7 @@ ifdef(`distro_suse', `
 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/cpu_dma_latency -c gen_context(system_u:object_r:pmqos_device_t,s0)
 /dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 78a95ce81..f5e5fb31f 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3098,7 +3098,7 @@ interface(`dev_rw_mtrr',`
 ########################################
 ##
-## Get the attributes of the network control device
+## Get the attributes of the network control device (Deprecated)
 ##
 ##
 ##
@@ -3107,16 +3107,13 @@ interface(`dev_rw_mtrr',`
 ##
 #
 interface(`dev_getattr_netcontrol_dev',`
- gen_require(`
- type device_t, netcontrol_device_t;
- ')
-
- getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
+ refpolicywarn(`$0() has been deprecated, use dev_getattr_pmqos_dev() instead.')
+ dev_getattr_pmqos_dev($1)
 ')
 ########################################
 ##
-## Read the network control identity.
+## Read the network control identity. (Deprecated)
 ##
 ##
 ##
@@ -3125,16 +3122,13 @@ interface(`dev_getattr_netcontrol_dev',`
 ##
 #
 interface(`dev_read_netcontrol',`
- gen_require(`
- type device_t, netcontrol_device_t;
- ')
-
- read_chr_files_pattern($1, device_t, netcontrol_device_t)
+ refpolicywarn(`$0() has been deprecated, use dev_read_pmqos() instead.')
+ dev_read_pmqos($1)
 ')
 ########################################
 ##
-## Read and write the the network control device.
+## Read and write the the network control device. (Deprecated)
 ##
 ##
 ##
@@ -3143,11 +3137,8 @@ interface(`dev_read_netcontrol',`
 ##
 #
 interface(`dev_rw_netcontrol',`
- gen_require(`
- type device_t, netcontrol_device_t;
- ')
-
- rw_chr_files_pattern($1, device_t, netcontrol_device_t)
+ refpolicywarn(`$0() has been deprecated, use dev_rw_pmqos() instead.')
+ dev_rw_pmqos($1)
 ')
 ########################################
@@ -3370,6 +3361,60 @@ interface(`dev_rw_printer',`
 rw_chr_files_pattern($1, device_t, printer_device_t)
 ')
+########################################
+##
+## Get the attributes of PM QoS devices
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_pmqos_dev',`
+ gen_require(`
+ type device_t, pmqos_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, pmqos_device_t)
+')
+
+########################################
+##
+## Read the PM QoS devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_pmqos',`
+ gen_require(`
+ type device_t, pmqos_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, pmqos_device_t)
+')
+
+########################################
+##
+## Read and write the the PM QoS devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_pmqos',`
+ gen_require(`
+ type device_t, pmqos_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, pmqos_device_t)
+')
+
 ########################################
 ##
 ## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 302048e96..60d968c24 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -181,12 +181,6 @@ type mtrr_device_t;
 dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
-#
-# network control devices
-#
-type netcontrol_device_t;
-dev_node(netcontrol_device_t)
-
 #
 # null_device_t is the type of /dev/null.
 #
@@ -207,6 +201,13 @@ dev_node(nvram_device_t)
 type power_device_t;
 dev_node(power_device_t)
+#
+# PM QoS Interface, /dev/cpu_dma_latency, network_latency,
+# network_throughput, and memory_bandwidth
+#
+type pmqos_device_t alias netcontrol_device_t;
+dev_node(pmqos_device_t)
+
 type printer_device_t;
 dev_node(printer_device_t)
 mls_file_write_within_range(printer_device_t)
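Review bot: The summary of the new dev_rw_pmqos interface carries over the doubled word from the interface it replaces: `## Read and write the the PM QoS devices.` should read `## Read and write the PM QoS devices.`. Since all three interfaces key on the single pmqos_device_t type, a domain that needs only one node (for example cpu_dma_latency) is granted every PM QoS node, including the newly labeled memory_bandwidth; that matches the old netcontrol granularity, but a line in each summary such as `## Covers /dev/cpu_dma_latency, network_latency, network_throughput and memory_bandwidth.` would let policy authors see the scope without opening devices.fc.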
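Review bot: `type pmqos_device_t alias netcontrol_device_t;` is what keeps external policy that still names netcontrol_device_t building and keeps on-disk contexts using the old name resolvable, but nothing in the new header comment says so, and a later cleanup could drop the alias as dead. Suggest adding `# netcontrol_device_t alias kept for compatibility with policy still using the old name.` to the comment block; the deprecated wrappers in devices.if no longer reference the old type themselves, so the alias exists solely for out-of-tree consumers.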
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 3059ebcf3..7b0226e0d 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -261,7 +261,7 @@ dev_read_input(devicekit_power_t)
 dev_read_urand(devicekit_power_t)
 dev_rw_generic_usb_dev(devicekit_power_t)
 dev_rw_generic_chr_files(devicekit_power_t)
-dev_rw_netcontrol(devicekit_power_t)
+dev_rw_pmqos(devicekit_power_t)
 dev_rw_sysfs(devicekit_power_t)
 dev_read_rand(devicekit_power_t)
 dev_getattr_all_blk_files(devicekit_power_t)
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
index f853dff3b..349a757bc 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -65,7 +65,7 @@ dev_getattr_all_blk_files(tuned_t)
 dev_getattr_all_chr_files(tuned_t)
 dev_read_urand(tuned_t)
 dev_rw_sysfs(tuned_t)
-dev_rw_netcontrol(tuned_t)
+dev_rw_pmqos(tuned_t)
 files_read_usr_files(tuned_t)
 files_dontaudit_search_home(tuned_t)