[selinux-policy: 672/3172] add cpucontrol

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:03:01 UTC 2010 

commit 9210553ecbede92bc735196fed42b5aadf39645f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Sep 20 18:15:35 2005 +0000

    add cpucontrol

 refpolicy/Changelog                             |    1 +
 refpolicy/policy/modules/kernel/devices.if      |   18 +++
 refpolicy/policy/modules/services/cpucontrol.fc |    7 ++
 refpolicy/policy/modules/services/cpucontrol.if |   15 +++
 refpolicy/policy/modules/services/cpucontrol.te |  132 +++++++++++++++++++++++
 refpolicy/policy/modules/services/ntp.if        |    2 +-
 refpolicy/policy/modules/system/init.te         |    5 +
 7 files changed, 179 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index dc33217..673e294 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -4,6 +4,7 @@
   can_portmap() to sysnetwork.
 - Fix base module compile issues.
 - Added policies:
+	cpucontrol
 	ktalk
 	portmap
 	postgresql
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 4953fae..f420bf8 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -883,6 +883,24 @@ interface(`dev_dontaudit_rw_cardmgr',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the CPU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_getattr_cpu',`
+	gen_require(`
+		type device_t, cpu_device_t;
+	')
+
+	allow $1 device_t:dir search;
+	allow $1 cpu_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
 ##	Read the CPU identity.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/cpucontrol.fc b/refpolicy/policy/modules/services/cpucontrol.fc
new file mode 100644
index 0000000..7b726ba
--- /dev/null
+++ b/refpolicy/policy/modules/services/cpucontrol.fc
@@ -0,0 +1,7 @@
+
+/etc/firmware/.*	--	context_template(system_u:object_r:cpucontrol_conf_t,s0)
+
+/sbin/microcode_ctl	--	context_template(system_u:object_r:cpucontrol_exec_t,s0)
+
+/usr/sbin/cpuspeed	--	context_template(system_u:object_r:cpuspeed_exec_t,s0)
+/usr/sbin/powernowd	--	context_template(system_u:object_r:cpuspeed_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/cpucontrol.if b/refpolicy/policy/modules/services/cpucontrol.if
new file mode 100644
index 0000000..e07e04f
--- /dev/null
+++ b/refpolicy/policy/modules/services/cpucontrol.if
@@ -0,0 +1,15 @@
+## <summary>Services for loading CPU microcode and CPU frequency scaling.</summary>
+
+########################################
+## <summary>
+##	CPUcontrol stub interface.  No access allowed.
+## </summary>
+## <param name="domain" optional="true">
+##	N/A
+## </param>
+#
+interface(`cpucontrol_stub',`
+	gen_require(`
+		type cpucontrol_t;
+	')
+')
diff --git a/refpolicy/policy/modules/services/cpucontrol.te b/refpolicy/policy/modules/services/cpucontrol.te
new file mode 100644
index 0000000..ddb5869
--- /dev/null
+++ b/refpolicy/policy/modules/services/cpucontrol.te
@@ -0,0 +1,132 @@
+
+policy_module(cpucontrol,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cpucontrol_t;
+type cpucontrol_exec_t;
+init_daemon_domain(cpucontrol_t,cpucontrol_exec_t)
+
+type cpucontrol_conf_t;
+files_type(cpucontrol_conf_t)
+
+type cpuspeed_t;
+type cpuspeed_exec_t;
+init_daemon_domain(cpuspeed_t,cpuspeed_exec_t)
+
+########################################
+#
+# CPU microcode loader local policy
+#
+
+allow cpucontrol_t self:capability sys_rawio;
+dontaudit cpucontrol_t self:capability sys_tty_config;
+allow cpucontrol_t self:process signal_perms;
+
+allow cpucontrol_t cpucontrol_conf_t:dir r_dir_perms;
+allow cpucontrol_t cpucontrol_conf_t:file r_file_perms;
+allow cpucontrol_t cpucontrol_conf_t:lnk_file { getattr read };
+
+kernel_list_proc(cpucontrol_t)
+kernel_read_proc_symlinks(cpucontrol_t)
+kernel_read_kernel_sysctl(cpucontrol_t)
+
+dev_read_sysfs(cpucontrol_t)
+dev_rw_cpu_microcode(cpucontrol_t)
+
+fs_search_auto_mountpoints(cpucontrol_t)
+
+term_dontaudit_use_console(cpucontrol_t)
+
+domain_use_wide_inherit_fd(cpucontrol_t)
+
+files_list_usr(cpucontrol_t)
+
+init_use_fd(cpucontrol_t)
+init_use_script_pty(cpucontrol_t)
+
+libs_use_ld_so(cpucontrol_t)
+libs_use_shared_libs(cpucontrol_t)
+
+logging_send_syslog_msg(cpucontrol_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cpucontrol_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(cpucontrol_t)
+	term_dontaudit_use_generic_pty(cpucontrol_t)
+	files_dontaudit_read_root_file(cpucontrol_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(cpucontrol_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(cpucontrol_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(cpucontrol_t)
+')
+') dnl end TODO
+
+########################################
+#
+# CPU frequency scaling daemons
+#
+
+dontaudit cpuspeed_t self:capability sys_tty_config;
+allow cpuspeed_t self:process { signal_perms setsched };
+allow cpuspeed_t self:unix_dgram_socket create_socket_perms;
+
+kernel_read_system_state(cpuspeed_t)
+kernel_read_kernel_sysctl(cpuspeed_t)
+
+dev_rw_sysfs(cpuspeed_t)
+
+fs_search_auto_mountpoints(cpuspeed_t)
+
+term_dontaudit_use_console(cpuspeed_t)
+
+domain_use_wide_inherit_fd(cpuspeed_t)
+
+files_read_etc_files(cpuspeed_t)
+files_read_etc_runtime_files(cpuspeed_t)
+files_list_usr(cpuspeed_t)
+
+init_use_fd(cpuspeed_t)
+init_use_script_pty(cpuspeed_t)
+
+libs_use_ld_so(cpuspeed_t)
+libs_use_shared_libs(cpuspeed_t)
+
+logging_send_syslog_msg(cpuspeed_t)
+
+miscfiles_read_localization(cpuspeed_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cpuspeed_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(cpuspeed_t)
+	term_dontaudit_use_generic_pty(cpuspeed_t)
+	files_dontaudit_read_root_file(cpuspeed_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(cpuspeed_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(cpuspeed_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(cpuspeed_t)
+')
+') dnl end TODO
diff --git a/refpolicy/policy/modules/services/ntp.if b/refpolicy/policy/modules/services/ntp.if
index 8527e7e..a77fef5 100644
--- a/refpolicy/policy/modules/services/ntp.if
+++ b/refpolicy/policy/modules/services/ntp.if
@@ -9,7 +9,7 @@
 ## </param>
 #
 interface(`ntp_stub',`
-	gen_require(`ntp.te',`
+	gen_require(`
 		type ntpd_t;
 	')
 ')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index edf52af..2a3682d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -414,6 +414,11 @@ optional_policy(`bind.te',`
 
 ')
 
+optional_policy(`cpucontrol.te',`
+	cpucontrol_stub()
+	dev_getattr_cpu(initrc_t)
+')
+
 optional_policy(`gpm.te',`
 	gpm_setattr_gpmctl(initrc_t)
 ')

More information about the scm-commits mailing list