9127219358
There is more than 5000 parameter documentations. Only about 300 are differently done. Change them to be consistently indented. param with one space and content inside with one tab This was done with: sed -ri ' /^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{ s/^##[[:space:]]*/##\t/; s/^##[[:space:]]*(<[/]?summary)/##\t\1/; s/^##[[:space:]]*(<[/]?param)/## \1/; }' policy/modules/*/*.if Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
227 lines
4.2 KiB
Plaintext
227 lines
4.2 KiB
Plaintext
## <summary>Trusted Platform Module 2.0</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute tpm2_* processes
|
|
## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_exec',`
|
|
gen_require(`
|
|
type tpm2_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, tpm2_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute tpm2_* processes in the tpm2 domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_domtrans',`
|
|
gen_require(`
|
|
type tpm2_t, tpm2_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, tpm2_exec_t, tpm2_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute tpm2_* processes in the tpm2
|
|
## domain and allow the specified role
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_run',`
|
|
gen_require(`
|
|
type tpm2_t;
|
|
')
|
|
|
|
role $2 types tpm2_t;
|
|
|
|
tpm2_domtrans($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use tpm2 file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_use_fds',`
|
|
gen_require(`
|
|
type tpm2_t;
|
|
')
|
|
|
|
allow $1 tpm2_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to inherit file
|
|
## descriptors from tpm2.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_dontaudit_use_fds',`
|
|
gen_require(`
|
|
type tpm2_t;
|
|
')
|
|
|
|
dontaudit $1 tpm2_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## tpm2-abrmd over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_dbus_chat_abrmd',`
|
|
gen_require(`
|
|
type tpm2_abrmd_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 tpm2_abrmd_t:dbus send_msg;
|
|
allow tpm2_abrmd_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow tpm2 to read unnamed pipes from other process.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Allow the tpm to open and read pipes from other
|
|
## domain. This is seen when piping input to one
|
|
## of the tpm2_* processes. For example:
|
|
## sha512sum my_file | tpm2_hmac -k 0x81001000 -g sha256 /dev/stdin
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain of pipe to be read by tpm2_t.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_read_pipes',`
|
|
gen_require(`
|
|
type tpm2_t;
|
|
')
|
|
|
|
allow tpm2_t $1:fifo_file read_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to enable/disable tpm2-abrmd unit
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_enabledisable_abrmd',`
|
|
gen_require(`
|
|
type tpm2_abrmd_unit_t;
|
|
class service { enable disable };
|
|
')
|
|
|
|
allow $1 tpm2_abrmd_unit_t:service { enable disable };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to start/stop tpm2-abrmd unit
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_startstop_abrmd',`
|
|
gen_require(`
|
|
type tpm2_abrmd_unit_t;
|
|
class service { start stop };
|
|
')
|
|
|
|
allow $1 tpm2_abrmd_unit_t:service { start stop };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow specified domain to get status of tpm2-abrmd unit
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_status_abrmd',`
|
|
gen_require(`
|
|
type tpm2_abrmd_unit_t;
|
|
class service status;
|
|
')
|
|
|
|
allow $1 tpm2_abrmd_unit_t:service status;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## access tpm2-abrmd fifos
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`tpm2_rw_abrmd_pipes',`
|
|
gen_require(`
|
|
type tpm2_abrmd_t;
|
|
')
|
|
|
|
allow $1 tpm2_abrmd_t:fd use;
|
|
allow $1 tpm2_abrmd_t:fifo_file rw_fifo_file_perms;
|
|
')
|