From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-842511-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 89F301388C1
	for <garchives@archives.gentoo.org>; Mon, 26 Oct 2015 05:36:41 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 16428E0806;
	Mon, 26 Oct 2015 05:36:40 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 58845E0806
	for <gentoo-commits@lists.gentoo.org>; Mon, 26 Oct 2015 05:36:39 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 93AB73408FF
	for <gentoo-commits@lists.gentoo.org>; Mon, 26 Oct 2015 05:36:38 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 9EC821937
	for <gentoo-commits@lists.gentoo.org>; Mon, 26 Oct 2015 05:36:35 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1445831745.bac1f46765f49a73cdfb5a482f45f3a83487ee06.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/devices.if policy/modules/kernel/devices.te policy/modules/system/init.te
X-VCS-Directories: policy/modules/kernel/ policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: bac1f46765f49a73cdfb5a482f45f3a83487ee06
X-VCS-Branch: next
Date: Mon, 26 Oct 2015 05:36:35 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: e5aba079-fb84-43bb-bd99-1426fd68936b
X-Archives-Hash: 17d7ee8124b5c682a8b70463d7955864
Message-ID: <20151026053635.xuNdQIM8QtE8yrLvDvL4oKQr1X2zoa3fKd9hVRFauw4@z>

commit:     bac1f46765f49a73cdfb5a482f45f3a83487ee06
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 17:23:35 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:55:45 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bac1f467

Add sysfs_types attribute.

Collect all types used to label sysfs entries.

 policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
 policy/modules/kernel/devices.te |  5 +++--
 policy/modules/system/init.te    |  1 +
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a052db5..591b932 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4130,6 +4130,26 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
+##	Relabel from/to all sysfs types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+	gen_require(`
+		attribute sysfs_types;
+	')
+
+	allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
+	allow $1 sysfs_types:file relabel_file_perms;
+	allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write the TPM device.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e5bcfcd..9274a82 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -9,6 +9,7 @@ attribute device_node;
 attribute memory_raw_read;
 attribute memory_raw_write;
 attribute devices_unconfined_type;
+attribute sysfs_types;
 
 #
 # device_t is the type of /dev.
@@ -62,7 +63,7 @@ dev_node(cpu_device_t)
 #
 # /sys/devices/system/cpu/online device
 #
-type cpu_online_t;
+type cpu_online_t, sysfs_types;
 files_type(cpu_online_t)
 dev_associate_sysfs(cpu_online_t)
 
@@ -229,7 +230,7 @@ dev_node(sound_device_t)
 #
 # sysfs_t is the type for the /sys pseudofs
 #
-type sysfs_t;
+type sysfs_t, sysfs_types;
 files_mountpoint(sysfs_t)
 fs_xattr_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 79400f2..8c9cffa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -224,6 +224,7 @@ ifdef(`init_systemd',`
 	dev_create_generic_dirs(init_t)
 	dev_manage_input_dev(init_t)
 	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_sysfs(init_t)
 	dev_read_urand(init_t)
 	dev_write_kmsg(init_t)