From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 50D29158088 for ; Mon, 7 Feb 2022 02:15:03 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8DF532BC00D; Mon, 7 Feb 2022 02:15:01 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3AA8A2BC007 for ; Mon, 7 Feb 2022 02:15:01 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id D180B342CE2 for ; Mon, 7 Feb 2022 02:14:59 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 2F64224E for ; Mon, 7 Feb 2022 02:14:58 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1644199661.9fe987d0d2703cbfec2a88e4a559bc83fdd15fcb.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/node_exporter.fc policy/modules/services/node_exporter.if policy/modules/services/node_exporter.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 9fe987d0d2703cbfec2a88e4a559bc83fdd15fcb
X-VCS-Branch: master
Date: Mon, 7 Feb 2022 02:14:58 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 490cdb06-8e44-47b1-b262-a2c6302d951f
X-Archives-Hash: 7a7c850aba81566d0b98ca69d24d51b5

commit:     9fe987d0d2703cbfec2a88e4a559bc83fdd15fcb
Author:     Jonathan Davies protonmail com>
AuthorDate: Fri Jan 28 00:22:55 2022 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Mon Feb 7 02:07:41 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9fe987d0

node_exporter: Added initial policy.

Signed-off-by: Jonathan Davies protonmail.com>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/services/node_exporter.fc |  6 +++
 policy/modules/services/node_exporter.if |  1 +
 policy/modules/services/node_exporter.te | 73 ++++++++++++++++++++++++++++++++
 3 files changed, 80 insertions(+)

diff --git a/policy/modules/services/node_exporter.fc b/policy/modules/services/node_exporter.fc new file mode 100644 index 00000000..f2527d15 --- /dev/null +++ b/policy/modules/services/node_exporter.fc
@@ -0,0 +1,6 @@ +/run/node_exporter\.pid -- gen_context(system_u:object_r:node_exporter_runtime_t,s0) + +/usr/sbin/node_exporter -- gen_context(system_u:object_r:node_exporter_exec_t,s0) + +/var/lib/node_exporter(/.*)? gen_context(system_u:object_r:node_exporter_var_lib_t,s0) +/var/log/node_exporter(/.*)? gen_context(system_u:object_r:node_exporter_log_t,s0) diff --git a/policy/modules/services/node_exporter.if b/policy/modules/services/node_exporter.if new file mode 100644 index 00000000..0cceb87e --- /dev/null +++ b/policy/modules/services/node_exporter.if @@ -0,0 +1 @@ +## Prometheus Node Exporter diff --git a/policy/modules/services/node_exporter.te b/policy/modules/services/node_exporter.te new file mode 100644 index 00000000..7b74a327 --- /dev/null +++ b/policy/modules/services/node_exporter.te 
@@ -0,0 +1,73 @@ +policy_module(node_exporter) + +######################################## +# +# Declarations +# + +type node_exporter_t; +type node_exporter_exec_t; +init_daemon_domain(node_exporter_t, node_exporter_exec_t) + +type node_exporter_runtime_t; +files_runtime_file(node_exporter_runtime_t) + +type node_exporter_var_lib_t; +files_type(node_exporter_var_lib_t) + +type node_exporter_log_t; +logging_log_file(node_exporter_log_t) + +######################################## +# +# Local policy +# + +allow node_exporter_t self:fifo_file rw_fifo_file_perms; +allow node_exporter_t self:process { getsched signal }; +allow node_exporter_t self:netlink_route_socket r_netlink_socket_perms; +allow node_exporter_t self:tcp_socket create_stream_socket_perms; +allow node_exporter_t self:udp_socket create_socket_perms; + +manage_files_pattern(node_exporter_t, node_exporter_runtime_t, node_exporter_runtime_t) +files_runtime_filetrans(node_exporter_t, node_exporter_runtime_t, file) + +manage_dirs_pattern(node_exporter_t, node_exporter_var_lib_t, node_exporter_var_lib_t) +manage_files_pattern(node_exporter_t, node_exporter_var_lib_t, node_exporter_var_lib_t) +files_var_lib_filetrans(node_exporter_t, node_exporter_var_lib_t, { dir file }) + +append_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t) +create_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t) +setattr_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t) +logging_log_filetrans(node_exporter_t, node_exporter_log_t, { dir file }) + +# Also uses port 9100 +corenet_tcp_bind_hplip_port(node_exporter_t) +corenet_tcp_bind_generic_node(node_exporter_t) + +dev_read_sysfs(node_exporter_t) + +fs_getattr_all_fs(node_exporter_t) + +init_read_state(node_exporter_t) + +kernel_read_fs_sysctls(node_exporter_t) +kernel_read_kernel_sysctls(node_exporter_t) +kernel_read_net_sysctls(node_exporter_t) +kernel_read_network_state(node_exporter_t) 
+kernel_read_software_raid_state(node_exporter_t) +kernel_read_system_state(node_exporter_t) + +ifdef(`init_systemd',` + dbus_system_bus_client(node_exporter_t) + + init_dbus_chat(node_exporter_t) + init_get_all_units_status(node_exporter_t) + init_get_system_status(node_exporter_t) +') + +optional_policy(` + kernel_read_rpc_sysctls(node_exporter_t) + + rpc_search_nfs_state_data(node_exporter_t) +')
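Review bot: the node_exporter.if hunk carries only a module summary and defines no interfaces, so node_exporter_t, node_exporter_runtime_t, node_exporter_var_lib_t and node_exporter_log_t cannot be referenced from any other module; a refpolicy service module normally ships at least a `node_exporter_admin()` interface (built on `admin_pattern()` for the runtime, var_lib and log types plus `init_startstop_service()`) so that an administrative domain can manage the daemon's files and restart it without needing to be unconfined. Also confirm the committed summary line is wrapped in the `<summary>`/`</summary>` tags that the policy documentation build parses; the rendering here shows only the bare text.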
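Review bot: in the node_exporter.te hunk, `logging_log_filetrans(node_exporter_t, node_exporter_log_t, { dir file })` names `dir`, but the domain is only granted `append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` on node_exporter_log_t, so creating `/var/log/node_exporter` itself would be denied (a type transition rule grants no `dir create` permission); either add `create_dirs_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)` or drop `dir` from the filetrans and leave directory creation to the package. Two smaller points: the comment `# Also uses port 9100` should state plainly that the bind is on hplip_port_t because refpolicy labels tcp/9100 with that type, and that binding it also permits binding every other port carrying that label, which is why a dedicated port type in corenetwork would be the tighter choice; and `kernel_read_rpc_sysctls()` comes from the base kernel module and does not need the `optional_policy` wrapper, which only `rpc_search_nfs_state_data()` requires.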