Make raw memory access tunable

Modern systems shouldn't need direct access to raw memory
devices (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port)
anymore, so let's remove the access in most cases and make it tunable
in the rest.

Add dev_read_raw_memory_cond(), dev_write_raw_memory_cond() and
dev_wx_raw_memory_cond(), which are conditional to new boolean
allow_raw_memory_access.

Remove raw memory access for a few domains that should never have
needed it (colord_t, iscsid_t, mdamd_t, txtstat_t), should not need it
anymore (dmidecode_t, Debian devicekit_diskt_t, hald_t, hald_mac_t,
xserver_t) or the domains that should transition to different domain
for this (rpm_t, kudzu_t, dpkg_t).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

policy/global_tunables

@@ -32,6 +32,16 @@ gen_tunable(allow_execmod,false)
 ## </desc>
 gen_tunable(allow_execstack,false)
 
+## <desc>
+## <p>
+## Allow raw memory device (/dev/mem, /dev/kmem, /dev/mergemem,
+## dev/oldmem, /dev/port) access for confined executables.  This is
+## extremely dangerous as it can bypass the SELinux protections, and
+## should only be used by trusted domains.
+## </p>
+## </desc>
+gen_tunable(allow_raw_memory_access,false)
+
 ## <desc>
 ## <p>
 ## Enable polyinstantiated directory support.

policy/modules/admin/ddcprobe.te

@@ -31,8 +31,8 @@ corecmd_list_bin(ddcprobe_t)
 corecmd_exec_bin(ddcprobe_t)
 
 dev_read_urand(ddcprobe_t)
-dev_read_raw_memory(ddcprobe_t)
-dev_wx_raw_memory(ddcprobe_t)
+dev_read_raw_memory_cond(ddcprobe_t, allow_raw_memory_access)
+dev_wx_raw_memory_cond(ddcprobe_t, allow_raw_memory_access)
 
 files_read_etc_files(ddcprobe_t)
 files_read_etc_runtime_files(ddcprobe_t)

policy/modules/admin/dmidecode.te

@@ -20,7 +20,6 @@ role dmidecode_roles types dmidecode_t;
 
 allow dmidecode_t self:capability sys_rawio;
 
-dev_read_raw_memory(dmidecode_t)
 dev_read_sysfs(dmidecode_t)
 
 domain_use_interactive_fds(dmidecode_t)

policy/modules/admin/kudzu.te

@@ -56,8 +56,6 @@ corecmd_exec_all_executables(kudzu_t)
 dev_list_sysfs(kudzu_t)
 dev_read_usbfs(kudzu_t)
 dev_read_sysfs(kudzu_t)
-dev_rx_raw_memory(kudzu_t)
-dev_wx_raw_memory(kudzu_t)
 dev_rw_mouse(kudzu_t)
 dev_rwx_zero(kudzu_t)
 

policy/modules/admin/mcelog.te

@@ -84,7 +84,7 @@ files_pid_filetrans(mcelog_t, mcelog_runtime_t, { dir file sock_file })
 
 kernel_read_system_state(mcelog_t)
 
-dev_read_raw_memory(mcelog_t)
+dev_read_raw_memory_cond(mcelog_t, allow_raw_memory_access)
 dev_read_kmsg(mcelog_t)
 dev_rw_cpu_microcode(mcelog_t)
 dev_rw_sysfs(mcelog_t)

policy/modules/admin/rpm.te

@@ -139,7 +139,6 @@ corenet_tcp_connect_all_ports(rpm_t)
 dev_list_sysfs(rpm_t)
 dev_list_usbfs(rpm_t)
 dev_read_urand(rpm_t)
-dev_read_raw_memory(rpm_t)
 
 dev_manage_all_dev_nodes(rpm_t)
 dev_relabel_all_dev_nodes(rpm_t)

policy/modules/admin/sosreport.te

@@ -67,7 +67,7 @@ dev_getattr_all_blk_files(sosreport_t)
 dev_getattr_mtrr_dev(sosreport_t)
 dev_read_rand(sosreport_t)
 dev_read_urand(sosreport_t)
-dev_read_raw_memory(sosreport_t)
+dev_read_raw_memory_cond(sosreport_t, allow_raw_memory_access)
 dev_read_sysfs(sosreport_t)
 dev_rw_generic_usb_dev(sosreport_t)
 

policy/modules/admin/tboot.te

@@ -18,7 +18,5 @@ role txtstat_roles types txtstat_t;
 # Local policy
 #
 
-dev_read_raw_memory(txtstat_t)
-
 domain_use_interactive_fds(txtstat_t)
 userdom_use_user_terminals(txtstat_t)

policy/modules/admin/vbetool.te

@@ -29,8 +29,8 @@ role vbetool_roles types vbetool_t;
 allow vbetool_t self:capability { dac_override sys_admin sys_tty_config };
 allow vbetool_t self:process execmem;
 
-dev_wx_raw_memory(vbetool_t)
-dev_read_raw_memory(vbetool_t)
+dev_wx_raw_memory_cond(vbetool_t, allow_raw_memory_access)
+dev_read_raw_memory_cond(vbetool_t, allow_raw_memory_access)
 dev_rwx_zero(vbetool_t)
 dev_rw_sysfs(vbetool_t)
 dev_rw_xserver_misc(vbetool_t)

policy/modules/apps/vmware.te

@@ -221,8 +221,8 @@ kernel_read_kernel_sysctls(vmware_t)
 corecmd_exec_bin(vmware_t)
 corecmd_exec_shell(vmware_t)
 
-dev_read_raw_memory(vmware_t)
-dev_write_raw_memory(vmware_t)
+dev_read_raw_memory_cond(vmware_t, allow_raw_memory_access)
+dev_write_raw_memory_cond(vmware_t, allow_raw_memory_access)
 dev_read_mouse(vmware_t)
 dev_write_sound(vmware_t)
 dev_read_realtime_clock(vmware_t)

policy/modules/kernel/devices.if

@@ -2737,6 +2737,9 @@ interface(`dev_dontaudit_getattr_memory_dev',`
 ########################################
 ## <summary>
 ##	Read raw memory devices (e.g. /dev/mem).
+##	This is extremely dangerous as it can bypass the
+##	SELinux protections, and should only be used by trusted
+##	domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2756,10 +2759,44 @@ interface(`dev_read_raw_memory',`
 	typeattribute $1 memory_raw_read;
 ')
 
+########################################
+## <summary>
+##	Read raw memory devices (e.g. /dev/mem) if a tunable is set.
+##	This is extremely dangerous as it can bypass the
+##	SELinux protections, and should only be used by trusted
+##	domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tunable">
+##	<summary>
+##	Tunable to depend on
+##	</summary>
+## </param>
+#
+interface(`dev_read_raw_memory_cond',`
+	gen_require(`
+		type device_t, memory_device_t;
+		attribute memory_raw_read;
+	')
+
+	typeattribute $1 memory_raw_read;
+	tunable_policy($2, `
+		read_chr_files_pattern($1, device_t, memory_device_t)
+		allow $1 self:capability sys_rawio;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read raw memory devices
 ##	(e.g. /dev/mem).
+##	This is extremely dangerous as it can bypass the
+##	SELinux protections, and should only be used by trusted
+##	domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2778,6 +2815,9 @@ interface(`dev_dontaudit_read_raw_memory',`
 ########################################
 ## <summary>
 ##	Write raw memory devices (e.g. /dev/mem).
+##	This is extremely dangerous as it can bypass the
+##	SELinux protections, and should only be used by trusted
+##	domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2797,9 +2837,43 @@ interface(`dev_write_raw_memory',`
 	typeattribute $1 memory_raw_write;
 ')
 
+########################################
+## <summary>
+##	Write raw memory devices (e.g. /dev/mem) if a tunable is set.
+##	This is extremely dangerous as it can bypass the
+##	SELinux protections, and should only be used by trusted
+##	domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tunable">
+##	<summary>
+##	Tunable to depend on
+##	</summary>
+## </param>
+#
+interface(`dev_write_raw_memory_cond',`
+	gen_require(`
+		type device_t, memory_device_t;
+		attribute memory_raw_write;
+	')
+
+	typeattribute $1 memory_raw_write;
+	tunable_policy($2, `
+		write_chr_files_pattern($1, device_t, memory_device_t)
+		allow $1 self:capability sys_rawio;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Read and execute raw memory devices (e.g. /dev/mem).
+##	This is extremely dangerous as it can bypass the
+##	SELinux protections, and should only be used by trusted
+##	domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2819,6 +2893,9 @@ interface(`dev_rx_raw_memory',`
 ########################################
 ## <summary>
 ##	Write and execute raw memory devices (e.g. /dev/mem).
+##	This is extremely dangerous as it can bypass the
+##	SELinux protections, and should only be used by trusted
+##	domains.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2835,6 +2912,37 @@ interface(`dev_wx_raw_memory',`
 	allow $1 memory_device_t:chr_file { map execute };
 ')
 
+########################################
+## <summary>
+##	Write and execute raw memory devices (e.g. /dev/mem) if a tunable is set.
+##	This is extremely dangerous as it can bypass the
+##	SELinux protections, and should only be used by trusted
+##	domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="tunable">
+##	<summary>
+##	Tunable to depend on
+##	</summary>
+## </param>
+#
+interface(`dev_wx_raw_memory_cond',`
+	gen_require(`
+		type memory_device_t;
+		attribute memory_raw_write;
+	')
+
+	typeattribute $1 memory_raw_write;
+	dev_write_raw_memory_cond($1, $2)
+	tunable_policy($2, `
+		allow $1 memory_device_t:chr_file { map execute };
+	')
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of miscellaneous devices.

policy/modules/services/abrt.te

@@ -165,7 +165,7 @@ dev_getattr_all_blk_files(abrt_t)
 dev_read_rand(abrt_t)
 dev_read_urand(abrt_t)
 dev_rw_sysfs(abrt_t)
-dev_dontaudit_read_raw_memory(abrt_t)
+dev_read_raw_memory_cond(abrt_t, allow_raw_memory_access)
 
 domain_getattr_all_domains(abrt_t)
 domain_read_all_domains_state(abrt_t)

policy/modules/services/colord.te

@@ -67,8 +67,6 @@ corenet_tcp_connect_ipp_port(colord_t)
 corecmd_exec_bin(colord_t)
 corecmd_exec_shell(colord_t)
 
-dev_read_raw_memory(colord_t)
-dev_write_raw_memory(colord_t)
 dev_read_video_dev(colord_t)
 dev_write_video_dev(colord_t)
 dev_rw_printer(colord_t)

policy/modules/services/devicekit.te

@@ -155,11 +155,6 @@ miscfiles_read_localization(devicekit_disk_t)
 userdom_read_all_users_state(devicekit_disk_t)
 userdom_search_user_home_dirs(devicekit_disk_t)
 
-ifdef(`distro_debian',`
-	# /dev/mem is accessed by libparted to get EFI data
-	dev_read_raw_memory(devicekit_disk_t)
-')
-
 optional_policy(`
 	dbus_system_bus_client(devicekit_disk_t)
 

policy/modules/services/hal.te

@@ -133,7 +133,6 @@ dev_rw_generic_usb_dev(hald_t)
 dev_setattr_generic_usb_dev(hald_t)
 dev_setattr_usbfs_files(hald_t)
 dev_rw_power_management(hald_t)
-dev_read_raw_memory(hald_t)
 dev_rw_sysfs(hald_t)
 dev_read_video_dev(hald_t)
 
@@ -401,8 +400,6 @@ append_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
 
 kernel_read_system_state(hald_mac_t)
 
-dev_read_raw_memory(hald_mac_t)
-dev_write_raw_memory(hald_mac_t)
 dev_read_sysfs(hald_mac_t)
 
 auth_use_nsswitch(hald_mac_t)

policy/modules/services/xserver.te

@@ -719,9 +719,6 @@ dev_manage_dri_dev(xserver_t)
 dev_filetrans_dri(xserver_t)
 dev_create_generic_dirs(xserver_t)
 dev_setattr_generic_dirs(xserver_t)
-# raw memory access is needed if not using the frame buffer
-dev_read_raw_memory(xserver_t)
-dev_wx_raw_memory(xserver_t)
 # for other device nodes such as the NVidia binary-only driver
 dev_rw_xserver_misc(xserver_t)
 dev_map_xserver_misc(xserver_t)

policy/modules/system/init.te

@@ -894,8 +894,6 @@ ifdef(`distro_redhat',`
 	# during device initialization:
 	dev_create_generic_dirs(initrc_t)
 	dev_rwx_zero(initrc_t)
-	dev_rx_raw_memory(initrc_t)
-	dev_wx_raw_memory(initrc_t)
 	storage_raw_read_fixed_disk(initrc_t)
 	storage_raw_write_fixed_disk(initrc_t)
 

policy/modules/system/iscsi.te

@@ -84,10 +84,8 @@ corenet_tcp_connect_iscsi_port(iscsid_t)
 corenet_sendrecv_isns_client_packets(iscsid_t)
 corenet_tcp_connect_isns_port(iscsid_t)
 
-dev_read_raw_memory(iscsid_t)
 dev_rw_sysfs(iscsid_t)
 dev_rw_userio_dev(iscsid_t)
-dev_write_raw_memory(iscsid_t)
 
 domain_use_interactive_fds(iscsid_t)
 domain_dontaudit_read_all_domains_state(iscsid_t)

policy/modules/system/logging.te

@@ -339,7 +339,7 @@ kernel_change_ring_buffer_level(klogd_t)
 
 files_read_kernel_symbol_table(klogd_t)
 
-dev_read_raw_memory(klogd_t)
+dev_read_raw_memory_cond(klogd_t, allow_raw_memory_access)
 dev_read_sysfs(klogd_t)
 
 fs_getattr_all_fs(klogd_t)

policy/modules/system/raid.te

@@ -53,7 +53,6 @@ dev_rw_sysfs(mdadm_t)
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
-dev_read_raw_memory(mdadm_t)
 
 domain_use_interactive_fds(mdadm_t)