From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1362929180.bb602fb22cf1956526947e64375765b21d4dd145.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/devices.fc policy/modules/kernel/devices.if policy/modules/kernel/devices.te policy/modules/kernel/domain.te
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: bb602fb22cf1956526947e64375765b21d4dd145
X-VCS-Branch: master
Date: Sun, 10 Mar 2013 15:29:22 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: a1e8b2d8-64ff-4542-9fd5-de062715addb
X-Archives-Hash: b0a4bcf0a7ba2d934bca8298dbbee7a8

commit:     bb602fb22cf1956526947e64375765b21d4dd145
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Mar 10 15:26:20 2013 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Sun Mar 10 15:26:20 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bb602fb2

Fix bug #456914 - Support cpu_online_t for cpu/online sysfs info

In glibc, get_nprocs() reads /sys/devices/system/cpu/online. As potentially every domain can call this method, we don't want to provide read access on sysfs_t (or proc_t as fallbacks for /proc/stat and /proc/cpuinfo) for each domain.

Instead, create a cpu_online_t type for just this purpose, and allow all domains read access on this type.

---
 policy/modules/kernel/devices.fc |  4 +++
 policy/modules/kernel/devices.if | 45 ++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/devices.te |  7 ++++++
 policy/modules/kernel/domain.te  |  2 +
 4 files changed, 58 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index b31c054..5bf5ef2 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -207,3 +207,7 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') + +ifdef(`distro_gentoo',` +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0) +') diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 8d2504b..58ab7e9 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4926,3 +4926,48 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') + +# We cannot use ifdef distro_gentoo for interfaces + +######################################## +## +## Read cpu online hardware state information. +## +## +##

+## Allow the specified domain to read /sys/devices/system/cpu/online file. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`dev_read_cpu_online',` + gen_require(` + type cpu_online_t; + ') + + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) +') + +######################################## +## +## Relabel cpu online hardware state information. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_relabel_cpu_online',` + gen_require(` + type cpu_online_t; + ') + + dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 6529bd9..47c108b 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -321,3 +321,10 @@ files_associate_tmp(device_node) allow devices_unconfined_type self:capability sys_rawio; allow devices_unconfined_type device_node:{ blk_file chr_file } *; allow devices_unconfined_type mtrr_device_t:file *; + +ifdef(`distro_gentoo',` + # Support access to /sys/devices/system/cpu/online + type cpu_online_t; + files_type(cpu_online_t) + dev_associate_sysfs(cpu_online_t) +') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index cf04cb5..ea5cdee 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain) # create child processes in the domain allow domain self:process { fork sigchld }; +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online +dev_read_cpu_online(domain) # Use trusted objects in /dev dev_rw_null(domain) dev_rw_zero(domain)
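Review bot: the new distro_gentoo file context for /sys/devices/system/cpu/online in the devices.fc hunk does not label the file on its own. sysfs is labeled when it is mounted, so a file_contexts entry only takes effect once some domain relabels that path, and nothing in this patch calls the dev_relabel_cpu_online interface it introduces. Until that relabel runs the file keeps its default sysfs label, the read granted in domain.te never matches, and get_nprocs() falls through to the /proc/stat and /proc/cpuinfo fallbacks the commit message mentions. Please state which init script or domain is expected to perform the relabel, or add that caller in the same change so the fc entry is actually exercised.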
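Review bot: dev_relabel_cpu_online in the devices.if hunk grants `allow $1 cpu_online_t:file relabel_file_perms;`, which covers relabelto the new type (and relabelfrom it on later runs) but not relabelfrom the label the file carries before its first relabel, which per the commit message is sysfs_t. A caller therefore still needs relabelfrom on sysfs_t files from some other interface before this one is usable. Either add that permission here or mention the requirement in the interface's description block, so the next person calling it from an init-script domain is not surprised by a relabelfrom denial on sysfs_t.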
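Review bot: the devices.te hunk declares cpu_online_t with files_type and dev_associate_sysfs but relies on a post-mount relabel to apply it. If the kernels this policy targets support path-based genfscon on sysfs, a `genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)` entry would assign the type at mount time and make both the fc entry and the relabel interface unnecessary; if they do not, a one-line comment next to the declaration saying why the relabel approach was chosen would answer the obvious question for the next reader.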
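Review bot: `dev_read_cpu_online(domain)` in the domain.te hunk is applied to every domain, and the interface body in devices.if calls `dev_search_sysfs($1)`, so this change also gives every domain search access on all sysfs_t directories, not only read access to cpu_online_t. That is far narrower than the blanket sysfs_t read the commit message wants to avoid, but it is still a policy-wide widening and deserves an explicit mention in the commit message or the comment above the call. Also expect sysfs_t file denials from arbitrary domains on systems where the relabel has not yet happened, since glibc will still attempt the open and the new rule only matches once the file carries cpu_online_t.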