From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 208B4138A1F for ; Tue, 8 Apr 2014 16:02:07 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D5926E0CE6; Tue, 8 Apr 2014 16:02:04 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id AF726E0CE1 for ; Tue, 8 Apr 2014 16:02:03 +0000 (UTC)
Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id AFC9E33FFCA for ; Tue, 8 Apr 2014 16:02:02 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id A80EC188CD for ; Tue, 8 Apr 2014 16:02:00 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1396970715.891859b30d8ed3a32c815c1fa2648cbe4109d899.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/devices.fc policy/modules/kernel/devices.if policy/modules/kernel/devices.te policy/modules/kernel/domain.te
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 891859b30d8ed3a32c815c1fa2648cbe4109d899
X-VCS-Branch: master
Date: Tue, 8 Apr 2014 16:02:00 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: b8c7030b-618a-446f-89c5-951c445fa9ac
X-Archives-Hash: b314a6ef1003b12814835f7095048462

commit:     891859b30d8ed3a32c815c1fa2648cbe4109d899
Author:     Sven Vermeulen siphos be>
AuthorDate: Tue Mar 25 20:30:06 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Tue Apr  8 15:25:15 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=891859b3

Support /sys/devices/system/cpu/online

In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need to grant most domains read access to this file. As we don't want them to have read access on sysfs_t by default, create a new type (cpu_online_t) and assign it to the file, and grant domains read access to the file.

This does require systems to relabel the file upon every boot, something distributions do in their bootup scripts, as /sys devices don't keep their context.
Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/kernel/devices.fc | 1 + policy/modules/kernel/devices.if | 31 ++++++++++++++++--------------- policy/modules/kernel/devices.te | 7 +++++++ policy/modules/kernel/domain.te | 3 ++- 4 files changed, 26 insertions(+), 16 deletions(-) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 5bf5ef2..053cfa7 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -199,6 +199,7 @@ ifdef(`distro_debian',` /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0) ifdef(`distro_redhat',` # originally from named.fc diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 41eb2ca..56dd021 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4929,48 +4929,49 @@ interface(`dev_create_zero_dev',` ######################################## ## -## Unconfined access to devices. +## Read cpu online hardware state information ## +## +##

+## Allow the specified domain to read /sys/devices/system/cpu/online +##

+##
## ## ## Domain allowed access. ## ## # -interface(`dev_unconfined',` +interface(`dev_read_cpu_online',` gen_require(` - attribute devices_unconfined_type; + type cpu_online_t; ') - typeattribute $1 devices_unconfined_type; + dev_search_sysfs($1) + read_files_pattern($1, cpu_online_t, cpu_online_t) ') -# We cannot use ifdef distro_gentoo for interfaces ######################################## ## -## Read cpu online hardware state information. +## Unconfined access to devices. ## -## -##

-## Allow the specified domain to read /sys/devices/system/cpu/online file. -##

-##
## ## ## Domain allowed access. ## ## # -interface(`dev_read_cpu_online',` +interface(`dev_unconfined',` gen_require(` - type cpu_online_t; + attribute devices_unconfined_type; ') - dev_search_sysfs($1) - read_files_pattern($1, cpu_online_t, cpu_online_t) + typeattribute $1 devices_unconfined_type; ') +# We cannot use ifdef distro_gentoo for interfaces + ######################################## ## ## Relabel cpu online hardware state information. diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 14c178e..948b064 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -60,6 +60,13 @@ type cpu_device_t; dev_node(cpu_device_t) # +# /sys/devices/system/cpu/online device +# +type cpu_online_t; +files_type(cpu_online_t) +dev_associate_sysfs(cpu_online_t) + +# # Type for /dev/crash # type crash_device_t; diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index ea5cdee..4af7dbd 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -1,4 +1,4 @@ -policy_module(domain, 1.11.0) +policy_module(domain, 1.11.1) ######################################## # @@ -98,6 +98,7 @@ allow domain self:process { fork sigchld }; # glibc get_nprocs requires read access to /sys/devices/system/cpu/online dev_read_cpu_online(domain) + # Use trusted objects in /dev dev_rw_null(domain) dev_rw_zero(domain)
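Review bot: the devices.fc hunk's new entry `/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)` has no effect on its own, because sysfs is labelled by the `/sys(/.*)?` genfs rule at mount time and the file only becomes `cpu_online_t` when a relabel runs after the mount; the commit message delegates that to distribution boot scripts, but nothing in this patch grants a boot-time domain the relabel interface whose summary (`Relabel cpu online hardware state information.`) is visible in the devices.if context. The commit message should name the domain expected to perform the relabel, or that policy should land in the same change, so a tree that applies this patch without the boot-script side does not silently leave the file as `sysfs_t`.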
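Review bot: in the moved `dev_read_cpu_online` body in the devices.if hunk, `read_files_pattern($1, cpu_online_t, cpu_online_t)` passes `cpu_online_t` as the directory type, but the devices.fc hunk labels only the regular file (`--`), so its parent directories remain `sysfs_t`; the search permission the pattern grants on `cpu_online_t` directories is never exercised and the interface works solely because of the preceding `dev_search_sysfs($1)`. Either use `read_files_pattern($1, sysfs_t, cpu_online_t)` with `sysfs_t` added to `gen_require`, or add a comment stating that `dev_search_sysfs` supplies the directory access. Separately, the relocated summary `## Read cpu online hardware state information` lost the trailing period the removed line had (`-## Read cpu online hardware state information.`), which leaves it inconsistent with the neighbouring summaries in this hunk.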
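Review bot: the devices.te hunk adds a new type but the module carries no `policy_module` version bump (the diffstat shows `devices.te | 7 +++++++`, insertions only, and the sole hunk is at line 60), whereas domain.te is bumped from 1.11.0 to 1.11.1 in the same patch; refpolicy convention is to bump the version of every module whose policy changes so that rebuilt modules pick up the new type. Also, the comment `# /sys/devices/system/cpu/online device` describes a regular sysfs file as a device, while the declarations below it (`files_type(cpu_online_t)` and `dev_associate_sysfs(cpu_online_t)`) correctly treat it as a file type permitted on the sysfs filesystem; the comment should say file.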
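Review bot: the domain.te hunk's `dev_read_cpu_online(domain)` grants every domain read on `cpu_online_t`, but per the commit message the file carries that label only after a boot-time relabel, so any domain that calls `get_nprocs` before the relabel runs will be checked against `sysfs_t` instead and, unless it already has sysfs read access, will log an AVC denial. The comment above the call (`# glibc get_nprocs requires read access to /sys/devices/system/cpu/online`) should state that ordering requirement, so that such early-boot denials are fixed by moving the relabel earlier rather than by the obvious but wrong remedy of granting `dev_read_sysfs(domain)`, which would undo the point of the new type.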
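The commit message notes that the new label only holds once a boot script relabels the file; until then every domain reading it is checked against `sysfs_t`. The following is an added example, not code from this commit or from refpolicy: a small audit-log check that picks out exactly those pre-relabel denials so an administrator can tell "relabel ran too late" apart from a genuine policy gap. The AVC lines are constructed samples in the kernel's standard `avc: denied { perm } for key=value ...` format (hypothetical pids, inodes and timestamps); the function and constant names are this example's own.

```python
"""Flag SELinux AVC denials showing /sys/devices/system/cpu/online still
carried sysfs_t, i.e. the boot-time relabel to cpu_online_t that the commit
message relies on had not run yet.

Added example; not part of the refpolicy commit. The audit records below are
constructed samples in the standard kernel AVC format, not captured logs.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

CPU_ONLINE_PATH = "/sys/devices/system/cpu/online"
UNRELABELED_TYPE = "sysfs_t"    # label given by /sys(/.*)? at mount time
EXPECTED_TYPE = "cpu_online_t"  # label the new devices.fc entry assigns after a relabel

# Constructed sample audit records (hypothetical pids, inodes and timestamps).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1396970715.123:42): avc:  denied  { read } for  pid=1234 comm="sshd" path="/sys/devices/system/cpu/online" dev="sysfs" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1396970715.124:43): avc:  denied  { open } for  pid=1234 comm="sshd" path="/sys/devices/system/cpu/online" dev="sysfs" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1396970716.500:44): avc:  denied  { read } for  pid=1300 comm="ntpd" path="/sys/devices/system/cpu/online" dev="sysfs" ino=1 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1396970720.789:45): avc:  denied  { read } for  pid=99 comm="foo" path="/sys/kernel/debug/x" dev="sysfs" ino=2 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1396970800.000:46): avc:  granted  { read } for  pid=77 comm="cron" path="/sys/devices/system/cpu/online" dev="sysfs" ino=1 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:cpu_online_t:s0 tclass=file
"""

_AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AVC record (quotes stripped), plus
    'verdict' and a space-joined 'perms'; None for lines that are not AVC records."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": " ".join(m.group("perms").split())}
    for key, val in _KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context: str) -> str:
    """Extract the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def find_unrelabeled_cpu_online(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (comm, scontext) pairs, in first-seen order, for domains that were
    denied access to cpu/online while the file still carried sysfs_t."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if rec.get("tclass") != "file" or rec.get("path") != CPU_ONLINE_PATH:
            continue
        if type_of(rec.get("tcontext", "")) != UNRELABELED_TYPE:
            continue  # denial against some other label: a real policy question
        key = (rec.get("comm", "?"), rec.get("scontext", "?"))
        if key not in hits:
            hits.append(key)
    return hits


def report(lines: Iterable[str]) -> str:
    """Human-readable summary pointing at the relabel ordering, not at policy."""
    hits = find_unrelabeled_cpu_online(lines)
    if not hits:
        return f"no pre-relabel denials on {CPU_ONLINE_PATH}"
    out = [f"{len(hits)} domain(s) read {CPU_ONLINE_PATH} while it was {UNRELABELED_TYPE} "
           f"(expected {EXPECTED_TYPE} after the boot-time relabel):"]
    out += [f"  {comm:<10} {ctx}" for comm, ctx in hits]
    out.append("fix: run the relabel earlier in boot; do not grant sysfs_t read to these domains")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT.splitlines()))
```

The filter deliberately ignores denials whose target is already `cpu_online_t` (those mean a domain genuinely lacks `dev_read_cpu_online`) and denials on other sysfs paths, so its output names only the domains that started before the relabel in that boot.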