Merge pull request #643 from etbe/master

policy for eg25-manager to manage Quectel EG25 modem

policy/modules/kernel/devices.fc

@@ -18,6 +18,7 @@
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/btrfs-control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
 /dev/cachefiles		-c	gen_context(system_u:object_r:cachefiles_device_t,s0)
+/dev/cdc-wdm[0-9]       -c      gen_context(system_u:object_r:modem_device_t,s0)
 /dev/controlD64		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/crash		-c	gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
 /dev/dahdi/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)

policy/modules/kernel/devices.if

@@ -5677,6 +5677,24 @@ interface(`dev_read_cpu_online',`
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Read and write to the gpiochip device, /dev/gpiochip[0-9]
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_gpiochip',`
+	gen_require(`
+		type device_t, gpiochip_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, gpiochip_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to devices.

policy/modules/services/eg25manager.fc

@@ -0,0 +1 @@
+/usr/bin/eg25-manager	--	gen_context(system_u:object_r:eg25manager_exec_t,s0)

policy/modules/services/eg25manager.if

@@ -0,0 +1,13 @@
+## <summary>Manager daemon for the Quectel EG25 modem</summary>
+##
+## <desc>
+## eg25-manager (Debian package eg25-manager) is a daemon aimed at configuring
+## and monitoring the Quectel EG25 modem on a running system. It is used on the
+## PinePhone (Pro) and performs the
+## following functions:
+##   * power on/off
+##   * startup configuration using AT commands
+##   * AGPS data upload
+##   * status monitoring (and restart if it becomes unavailable)
+## Homepage: https://gitlab.com/mobian1/eg25-manager
+## </desc>

policy/modules/services/eg25manager.te

@@ -0,0 +1,68 @@
+policy_module(eg25manager)
+
+########################################
+#
+# eg25-manager (Debian package eg25-manager) is a daemon aimed at configuring
+# and monitoring the Quectel EG25 modem on a running system. It is used on the
+# PinePhone (Pro) and performs the
+# following functions:
+#   * power on/off
+#   * startup configuration using AT commands
+#   * AGPS data upload
+#   * status monitoring (and restart if it becomes unavailable)
+# Homepage: https://gitlab.com/mobian1/eg25-manager
+
+########################################
+#
+# Declarations
+#
+
+type eg25manager_t;
+type eg25manager_exec_t;
+init_daemon_domain(eg25manager_t, eg25manager_exec_t)
+
+type eg25manager_tmp_t;
+files_tmp_file(eg25manager_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow eg25manager_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow eg25manager_t self:process { signal getsched setsched };
+allow eg25manager_t self:tcp_socket { connect create getattr getopt read setopt write };
+allow eg25manager_t self:udp_socket { connect create getattr read setopt write };
+allow eg25manager_t self:unix_dgram_socket { create write };
+
+files_tmp_filetrans(eg25manager_t, eg25manager_tmp_t, { file })
+allow eg25manager_t eg25manager_tmp_t:file manage_file_perms;
+
+kernel_read_system_state(eg25manager_t)
+
+# for devicetree
+dev_read_sysfs(eg25manager_t)
+
+dev_read_urand(eg25manager_t)
+dev_rw_gpiochip(eg25manager_t)
+
+corenet_tcp_connect_http_port(eg25manager_t)
+
+dbus_system_bus_client(eg25manager_t)
+
+files_read_etc_files(eg25manager_t)
+files_read_etc_symlinks(eg25manager_t)
+files_read_usr_files(eg25manager_t)
+
+logging_send_syslog_msg(eg25manager_t)
+
+miscfiles_read_generic_certs(eg25manager_t)
+
+modemmanager_dbus_chat(eg25manager_t)
+
+sysnet_read_config(eg25manager_t)
+
+systemd_dbus_chat_logind(eg25manager_t)
+systemd_read_resolved_runtime(eg25manager_t)
+systemd_use_logind_fds(eg25manager_t)
+systemd_write_inherited_logind_inhibit_pipes(eg25manager_t)