From b51e8e0b42cd7e546c2f82946a4f3b84f7b2a467 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 19 Nov 2009 09:44:19 -0500
Subject: [PATCH] Add devices patch from Dan Walsh.
---
 policy/modules/kernel/devices.fc | 9 +-
 policy/modules/kernel/devices.if | 257 ++++++++++++++++++++++++++++++-
 policy/modules/kernel/devices.te | 34 +++-
 3 files changed, 292 insertions(+), 8 deletions(-)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 94b4bc4fe..a241ea1ae 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -47,8 +47,10 @@
 /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0)
 /dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
 /dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
 /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
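Review bot: The new `/dev/lirc[0-9]+` pattern requires at least one digit, so a bare `/dev/lirc` node would keep the generic device_t label, while the devices.te hunk in this patch documents the type as `Type for /dev/lirc` and dev_filetrans_lirc is described as covering lirc device nodes in /dev generally. If the bare node is meant to be covered, `/dev/lirc[0-9]* -c gen_context(system_u:object_r:lirc_device_t,s0)` matches both forms; otherwise the .te comment should name the numbered nodes. Ordering relative to the existing `/dev/lircm` entry is unaffected either way, since `m` is not a digit.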
@@ -61,10 +63,12 @@
 /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
 /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
 /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
 /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
@@ -82,6 +86,7 @@
 /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/random -c gen_context(system_u:object_r:random_device_t,s0)
 /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0)
 /dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
 /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -101,7 +106,8 @@ ifdef(`distro_suse', `
 /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
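Review bot: The `/dev/modem` entry in the first hunk carries the `-c` class qualifier, so it only applies to a real character device node; on systems where /dev/modem is a symlink to a serial or USB tty the entry never matches and the link keeps whatever label it already has. Which layout this patch targets is not visible from the hunk, so a comment such as `# /dev/modem is labeled only when it is a real device node, not a symlink` above the line would save the next reader the check. The widening of `/dev/vboxadd.*` to `/dev/vbox.*` in the last hunk deliberately catches more nodes under xserver_misc_device_t; a one-line comment naming the extra nodes it is meant to pick up would make that intent reviewable.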
@@ -168,6 +174,7 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_redhat',`
 # originally from named.fc
+/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
 /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
 /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index dec0e0289..2b7ad8302 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',`
 relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
 relabelfrom_fifo_files_pattern($1, device_t, device_node)
 relabelfrom_sock_files_pattern($1, device_t, device_node)
- relabel_blk_files_pattern($1, device_t,{ device_t device_node })
- relabel_chr_files_pattern($1, device_t,{ device_t device_node })
+ relabel_blk_files_pattern($1, device_t, { device_t device_node })
+ relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
 ########################################
@@ -1690,6 +1690,78 @@ interface(`dev_read_kmsg',`
 read_chr_files_pattern($1, device_t, kmsg_device_t)
 ')
+########################################
+##
+## Get the attributes of the ksm devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_ksm_dev',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+##
+## Set the attributes of the ksm devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_ksm_dev',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+##
+## Read the ksm devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_ksm',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+##
+## Read and write to ksm devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_ksm',`
+ gen_require(`
+ type device_t, ksm_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
 ########################################
 ##
 ## Get the attributes of the kvm devices.
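Review bot: The summaries of dev_getattr_ksm_dev, dev_setattr_ksm_dev, dev_read_ksm and dev_rw_ksm speak of "the ksm devices" in the plural, but the devices.fc hunk in this patch labels exactly one node, `/dev/ksm`, and the matching devices.te comment says the same. Elsewhere in this file the single-node case is documented with the path, e.g. the null device interfaces, so `## Get the attributes of the ksm device (/dev/ksm).` and the corresponding wording on the other three would match that convention. The surrounding kvm interfaces use the same plural phrasing, so this is a consistency nit rather than an error.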
@@ -1762,6 +1834,61 @@ interface(`dev_rw_kvm',`
 rw_chr_files_pattern($1, device_t, kvm_device_t)
 ')
+######################################
+##
+## Read the lirc device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_lirc',`
+ gen_require(`
+ type device_t, lirc_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+##
+## Read and write the lirc device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_lirc',`
+ gen_require(`
+ type device_t, lirc_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+##
+## Automatic type transition to the type
+## for lirc device nodes when created in /dev.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_filetrans_lirc',`
+ gen_require(`
+ type device_t, lirc_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
 ########################################
 ##
 ## Read the lvm comtrol device.
@@ -1798,6 +1925,24 @@ interface(`dev_rw_lvm_control',`
 rw_chr_files_pattern($1, device_t, lvm_control_t)
 ')
+########################################
+##
+## Do not audit attempts to read and write lvm control device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_dontaudit_rw_lvm_control',`
+ gen_require(`
+ type lvm_control_t;
+ ')
+
+ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
+')
+
 ########################################
 ##
 ## Delete the lvm control device.
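Review bot: The comment banners above dev_read_lirc, dev_rw_lirc and dev_filetrans_lirc appear to be two characters shorter than every other banner in this patch and in the surrounding context (the ksm, kvm and lvm interfaces all use a 40-character row); the three lines should be padded to `########################################` so the file stays uniform. The interface bodies themselves follow the read/rw/filetrans pattern used for the other device types. The dev_dontaudit_rw_lvm_control hunk that follows mirrors the existing dev_dontaudit_rw_misc shape and needs no change.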
@@ -2044,6 +2189,78 @@ interface(`dev_dontaudit_rw_misc',`
 dontaudit $1 misc_device_t:chr_file rw_file_perms;
 ')
+########################################
+##
+## Get the attributes of the modem devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_modem_dev',`
+ gen_require(`
+ type device_t, modem_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+##
+## Set the attributes of the modem devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_modem_dev',`
+ gen_require(`
+ type device_t, modem_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+##
+## Read the modem devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_modem',`
+ gen_require(`
+ type device_t, modem_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+##
+## Read and write to modem devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_modem',`
+ gen_require(`
+ type device_t, modem_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, modem_device_t)
+')
+
 ########################################
 ##
 ## Get the attributes of the mouse devices.
@@ -2303,6 +2520,24 @@ interface(`dev_setattr_null_dev',`
 setattr_chr_files_pattern($1, device_t, null_device_t)
 ')
+########################################
+##
+## Delete the null device (/dev/null).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_delete_null',`
+ gen_require(`
+ type device_t, null_device_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, null_device_t)
+')
+
 ########################################
 ##
 ## Read and write to the null device (/dev/null).
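Review bot: dev_delete_null in the second hunk grants unlink on null_device_t nodes, and the devices.te context later in this patch shows that type also backs the `devnull` initial SID, so it is more consequential than the neighbouring getattr/setattr interfaces yet its summary says nothing about who should call it. A sentence in the summary naming the intended caller, hedged until confirmed, would help reviewers of future users of the interface: `## Delete the null device (/dev/null). Meant for the domain that recreates /dev/null (presumably a device manager); confirm before adding other callers.` The modem interfaces in the first hunk follow the same read/rw/getattr/setattr shape as the ksm ones and need no change.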
@@ -3597,6 +3832,24 @@ interface(`dev_write_watchdog',`
 write_chr_files_pattern($1, device_t, watchdog_device_t)
 ')
+########################################
+##
+## Read and write the the wireless device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_wireless',`
+ gen_require(`
+ type device_t, wireless_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, wireless_device_t)
+')
+
 ########################################
 ##
 ## Read and write Xen devices.
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e87179fcb..1b536ec28 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices, 1.9.0)
+policy_module(devices, 1.9.1)
 ########################################
 #
@@ -83,6 +83,12 @@ dev_node(ipmi_device_t)
 type kmsg_device_t;
 dev_node(kmsg_device_t)
+#
+# ksm_device_t is the type of /dev/ksm
+#
+type ksm_device_t;
+dev_node(ksm_device_t)
+
 #
 # kvm_device_t is the type of
 # /dev/kvm
@@ -90,6 +96,12 @@ dev_node(kmsg_device_t)
 type kvm_device_t;
 dev_node(kvm_device_t)
+#
+# Type for /dev/lirc
+#
+type lirc_device_t;
+dev_node(lirc_device_t)
+
 #
 # Type for /dev/mapper/control
 #
@@ -109,6 +121,12 @@ neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_f
 type misc_device_t;
 dev_node(misc_device_t)
+#
+# A general type for modem devices.
+#
+type modem_device_t;
+dev_node(modem_device_t)
+
 #
 # A more general type for mouse devices.
 #
@@ -123,7 +141,7 @@ dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
 #
-# network control devices
+# network control devices
 #
 type netcontrol_device_t;
 dev_node(netcontrol_device_t)
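Review bot: The summary of dev_rw_wireless reads `## Read and write the the wireless device.` with a doubled "the"; it should be `## Read and write the wireless device.`. The devices.te hunks that share this line are the version bump to 1.9.1, the three new type declarations for ksm, lirc and modem, and a whitespace-only cleanup of the netcontrol comment, none of which need a change beyond the lirc wording raised on the devices.fc hunk.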
@@ -137,13 +155,13 @@ mls_trusted_object(null_device_t)
 sid devnull gen_context(system_u:object_r:null_device_t,s0)
 #
-# Type for /dev/nvram
+# Type for /dev/nvram
 #
 type nvram_device_t;
 dev_node(nvram_device_t)
 #
-# Type for /dev/pmu
+# Type for /dev/pmu
 #
 type power_device_t;
 dev_node(power_device_t)
@@ -153,7 +171,7 @@ dev_node(printer_device_t)
 mls_file_write_within_range(printer_device_t)
 #
-# qemu control devices
+# qemu control devices
 #
 type qemu_device_t;
 dev_node(qemu_device_t)
@@ -224,6 +242,12 @@ dev_node(vmware_device_t)
 type watchdog_device_t;
 dev_node(watchdog_device_t)
+#
+# wireless control devices
+#
+type wireless_device_t;
+dev_node(wireless_device_t)
+
 type xen_device_t;
 dev_node(xen_device_t)