From eae4ecde22ad793459a077b1410016eb3ed6acee Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sat, 25 Apr 2020 12:41:18 +0300
Subject: [PATCH] bootloader: add rEFInd and systemd-boot

Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage
bootloader files in UEFI (DOS) partition need also to manage UEFI boot
variables in efivarfs. Bootctl (systemd-boot tool) verifies the type
of EFI file system and needs to mmap() the files.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 policy/modules/admin/bootloader.fc  |  8 ++++++
 policy/modules/admin/bootloader.te  |  5 ++++
 policy/modules/kernel/filesystem.if | 39 +++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index f21a5e49e..58b2c7c3a 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -2,20 +2,28 @@
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
+/usr/bin/bootctl		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/grub			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/grub2?-install		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/grub2?-mkconfig	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/grub2?-probe		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/lilo.*			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/bin/mkrlconf		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/bin/mvrefind		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/bin/refind-install		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/bin/ybin.*			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
+/usr/sbin/bootctl		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-install	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-mkconfig	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/lilo.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mkrlconf		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/mvrefind		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/refind-install	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/ybin.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
 /var/lib/os-prober(/.*)?	gen_context(system_u:object_r:bootloader_tmp_t,s0)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index e3fd3d4b7..63c36c1e8 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -86,10 +86,12 @@ dev_read_sysfs(bootloader_t)
 dev_rw_nvram(bootloader_t)
 
 fs_getattr_xattr_fs(bootloader_t)
+fs_getattr_dos_fs(bootloader_t)
 fs_getattr_tmpfs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
 #Needed for EFI
 fs_manage_dos_files(bootloader_t)
+fs_mmap_read_dos_files(bootloader_t)
 
 mls_file_read_all_levels(bootloader_t)
 mls_file_write_all_levels(bootloader_t)
@@ -120,6 +122,9 @@ files_manage_etc_runtime_files(bootloader_t)
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
 
+fs_list_efivars(bootloader_t)
+fs_manage_efivarfs_files(bootloader_t)
+
 fs_list_hugetlbfs(bootloader_t)
 fs_mount_fusefs(bootloader_t)
 fs_mount_xattr_fs(bootloader_t)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7fefd48dd..f7d1f886b 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1982,6 +1982,25 @@ interface(`fs_read_dos_files',`
 	read_files_pattern($1, dosfs_t, dosfs_t)
 ')
 
+########################################
+## <summary>
+##      Read and map files on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_mmap_read_dos_files',`
+        gen_require(`
+                type dosfs_t;
+        ')
+
+	read_files_pattern($1, dosfs_t, dosfs_t)
+	allow $1 dosfs_t:file map;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files
@@ -2039,6 +2058,26 @@ interface(`fs_read_efivarfs_files',`
 	read_files_pattern($1, efivarfs_t, efivarfs_t)
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a efivarfs filesystem.
+##      - contains Linux Kernel configuration options for UEFI systems
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_efivarfs_files',`
+	gen_require(`
+		type efivarfs_t;
+	')
+
+	manage_files_pattern($1, efivarfs_t, efivarfs_t)
+')
+
 ########################################
 ## <summary>
 ##	stat a FUSE filesystem