From 61738f11ec23f14a1b58522b4859a0f83a6571a6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 3 May 2010 09:01:46 -0400 Subject: [PATCH] Devicekit patch from Dan Walsh. --- policy/modules/services/devicekit.fc | 8 +- policy/modules/services/devicekit.if | 4 +- policy/modules/services/devicekit.te | 109 +++++++++++++++++++++------ 3 files changed, 96 insertions(+), 25 deletions(-) diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc index 73a06f7e5..418a5a043 100644 --- a/policy/modules/services/devicekit.fc +++ b/policy/modules/services/devicekit.fc @@ -1,8 +1,14 @@ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) +/usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) +/usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) +/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) +/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) -/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) +/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if index 5be015a7c..f706b994f 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if 
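Review bot: The new `/var/lib/upower(/.*)?` and `/var/lib/udisks(/.*)?` entries both map to `devicekit_var_lib_t`, and the `/var/run/udisks` and `/var/run/upower` entries both map to `devicekit_var_run_t`, so the disk and power daemons share their state and runtime types. The devicekit.te part of this patch shows both `devicekit_disk_t` and `devicekit_power_t` with manage access to `devicekit_var_lib_t`, so either daemon can rewrite the other's state files. If that is not intended, a separate type per daemon would keep the two domains isolated. If it is intended, record it above these entries, e.g. `# udisks and upower deliberately share the devicekit state types`.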
@@ -139,7 +139,7 @@ interface(`devicekit_read_pid_files',` ######################################## ## -## All of the rules required to administrate +## All of the rules required to administrate ## an devicekit environment ## ## @@ -162,7 +162,7 @@ interface(`devicekit_read_pid_files',` interface(`devicekit_admin',` gen_require(` type devicekit_t, devicekit_disk_t, devicekit_power_t; - type devicekit_var_run_t; + type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index 5d673bc7e..0d5e1a943 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -1,4 +1,4 @@ -policy_module(devicekit, 1.0.0) +policy_module(devicekit, 1.0.1) ######################################## # @@ -37,6 +37,8 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir }) +kernel_read_system_state(devicekit_t) + dev_read_sysfs(devicekit_t) dev_read_urand(devicekit_t) @@ -60,8 +62,10 @@ optional_policy(` # DeviceKit disk local policy # -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) 
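Review bot: In `devicekit_admin`, the `gen_require` block now pulls in `devicekit_var_lib_t` and `devicekit_tmp_t`, but no rule in this hunk uses them. The diffstat lists four changed lines for devicekit.if, and the two visible hunks already account for them. The interface body continues outside the hunk, so confirm that it already contains admin rules for those two types. A required type with no matching rule makes the interface depend on that type without granting the admin role anything.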
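Review bot: The rewritten `allow devicekit_disk_t self:capability` line adds `setuid`, `setgid`, `net_admin` and `sys_admin` without recording which operation needs each one, and `sys_admin` in particular covers a wide range of privileged kernel operations. A comment above the rule would make later tightening possible, for example `# sys_admin: <operation>; setuid setgid: <helper that switches ids>; net_admin: <netlink use>`, with the placeholders filled in from the denials that motivated the change. The same applies to the `devicekit_power_t` capability line in the `@@ -129,19 +146,48 @@` hunk, which adds `net_admin` and `sys_admin`. If the `net_admin` request turns out to be incidental rather than required, a `dontaudit` rule would be the narrower answer.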
@@ -71,29 +75,60 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) +manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) +manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t) +files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { file dir }) + +kernel_getattr_message_if(devicekit_disk_t) +kernel_read_fs_sysctls(devicekit_disk_t) +kernel_read_network_state(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) +kernel_read_system_state(devicekit_disk_t) +kernel_request_load_module(devicekit_disk_t) kernel_setsched(devicekit_disk_t) corecmd_exec_bin(devicekit_disk_t) +corecmd_exec_shell(devicekit_disk_t) +corecmd_getattr_all_executables(devicekit_disk_t) dev_rw_sysfs(devicekit_disk_t) dev_read_urand(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) +dev_manage_generic_files(devicekit_disk_t) +dev_getattr_all_chr_files(devicekit_disk_t) +dev_getattr_mtrr_dev(devicekit_disk_t) +domain_getattr_all_pipes(devicekit_disk_t) +domain_getattr_all_sockets(devicekit_disk_t) +domain_getattr_all_stream_sockets(devicekit_disk_t) +domain_read_all_domains_state(devicekit_disk_t) + +files_dontaudit_read_all_symlinks(devicekit_disk_t) +files_getattr_all_sockets(devicekit_disk_t) +files_getattr_all_mountpoints(devicekit_disk_t) +files_getattr_all_files(devicekit_disk_t) +files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) files_read_usr_files(devicekit_disk_t) +fs_list_inotifyfs(devicekit_disk_t) +fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) fs_unmount_all_fs(devicekit_disk_t) -fs_manage_fusefs_dirs(devicekit_disk_t) +fs_search_all(devicekit_disk_t) + 
+mls_file_read_all_levels(devicekit_disk_t) +mls_file_write_to_clearance(devicekit_disk_t) storage_raw_read_fixed_disk(devicekit_disk_t) storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) +term_use_all_terms(devicekit_disk_t) + auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) @@ -101,24 +136,6 @@ miscfiles_read_localization(devicekit_disk_t) userdom_read_all_users_state(devicekit_disk_t) userdom_search_user_home_dirs(devicekit_disk_t) -optional_policy(` - fstools_domtrans(devicekit_disk_t) -') - -optional_policy(` - lvm_domtrans(devicekit_disk_t) -') - -optional_policy(` - policykit_domtrans_auth(devicekit_disk_t) - policykit_read_lib(devicekit_disk_t) - policykit_read_reload(devicekit_disk_t) -') - -optional_policy(` - mount_domtrans(devicekit_disk_t) -') - optional_policy(` dbus_system_bus_client(devicekit_disk_t) 
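Review bot: `mls_file_read_all_levels(devicekit_disk_t)` and `mls_file_write_to_clearance(devicekit_disk_t)` lift the MLS file-read constraint for the disk daemon and widen its write range. The same hunk also lets it run a shell (`corecmd_exec_shell`) and request kernel modules (`kernel_request_load_module`). On an MLS system this effectively makes the domain a trusted subject, so the two lines should carry a comment stating what needs the override, along the lines of `# MLS: reads files at every level and writes up to clearance; needed for <operation>`. The hunk also adds several domain-wide grants (`files_getattr_all_files`, `domain_read_all_domains_state`, `term_use_all_terms`, `dev_manage_generic_files`) that would benefit from the same one-line justification.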
@@ -129,19 +146,48 @@ optional_policy(` ') ') +optional_policy(` + fstools_domtrans(devicekit_disk_t) +') + +optional_policy(` + lvm_domtrans(devicekit_disk_t) +') + +optional_policy(` + mount_domtrans(devicekit_disk_t) +') + +optional_policy(` + policykit_dbus_chat(devicekit_disk_t) + policykit_domtrans_auth(devicekit_disk_t) + policykit_read_lib(devicekit_disk_t) + policykit_read_reload(devicekit_disk_t) +') + +optional_policy(` + raid_domtrans_mdadm(devicekit_disk_t) +') + optional_policy(` udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') +optional_policy(` + virt_manage_images(devicekit_disk_t) +') + ######################################## # # DeviceKit-Power local policy # -allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:process getsched; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; +allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms; manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) @@ -151,6 +197,8 @@ kernel_read_network_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) +kernel_search_debugfs(devicekit_power_t) +kernel_write_proc_files(devicekit_power_t) corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) @@ -159,7 +207,9 @@ consoletype_exec(devicekit_power_t) domain_read_all_domains_state(devicekit_power_t) +dev_read_input(devicekit_power_t) dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) 
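Review bot: The new `virt_manage_images(devicekit_disk_t)` block gives the disk daemon manage access to virtual machine disk images, which by the usual meaning of a manage interface includes creating, writing and deleting them. Nothing in the hunk shows the daemon writing images. If it only needs to inspect or loop-mount them, a read-only virt interface (if the virt module offers one) would be the smaller grant. Otherwise add a comment inside the block naming the udisks operation that modifies images.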
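Review bot: `dev_rw_generic_chr_files(devicekit_power_t)` opens read/write on character devices that carry only the generic device label, that is, nodes with no specific type assigned. A need for this usually points at a device node that is missing a specific label. Labelling that node in the owning module's .fc file and granting access to the specific type would keep the power daemon away from every other unlabelled character device. If the node cannot be labelled, name it in a comment next to the call, e.g. `# <device path> has no specific type yet`. `dev_manage_generic_files(devicekit_disk_t)` in the `@@ -71,29 +75,60 @@` hunk raises the same question for regular files under the generic device type.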
@@ -167,18 +217,27 @@ files_read_kernel_img(devicekit_power_t) files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) +fs_list_inotifyfs(devicekit_power_t) + term_use_all_terms(devicekit_power_t) auth_use_nsswitch(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) +sysnet_read_config(devicekit_power_t) +sysnet_domtrans_ifconfig(devicekit_power_t) + userdom_read_all_users_state(devicekit_power_t) optional_policy(` bootloader_domtrans(devicekit_power_t) ') +optional_policy(` + cron_initrc_domtrans(devicekit_power_t) +') + optional_policy(` dbus_system_bus_client(devicekit_power_t) @@ -203,17 +262,23 @@ optional_policy(` optional_policy(` hal_domtrans_mac(devicekit_power_t) + hal_manage_log(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) hal_dbus_chat(devicekit_power_t) ') optional_policy(` + policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) policykit_read_reload(devicekit_power_t) ') +optional_policy(` + udev_read_db(devicekit_power_t) +') + optional_policy(` vbetool_domtrans(devicekit_power_t) ')
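Review bot: `cron_initrc_domtrans(devicekit_power_t)` lets the power daemon transition into the cron init script's domain, and `sysnet_domtrans_ifconfig(devicekit_power_t)` lets it transition into the ifconfig domain, yet neither line says what triggers the transition. Presumably these come from suspend/resume hook scripts, but that is not visible in the patch. A comment on each, such as `# <hook script> restarts crond on resume` with the placeholder replaced by the actual caller, would let a later reviewer tell whether the transition is still needed.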