SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Chris PeBenito <pebenito@ieee.org>
To: "Sugar, David" <dsugar@tresys.com>,
	"selinux-refpolicy@vger.kernel.org" 
	<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] Module for tpm2-abrmd
Date: Mon, 29 Jul 2019 20:49:20 -0400
Message-ID: <4438bc8f-0322-bd10-eab7-5556ecf49278@ieee.org> (raw)
In-Reply-To: <20190725144316.10409-1-dsugar@tresys.com>

On 7/25/19 10:43 AM, Sugar, David wrote:
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/tpm2_abrmd.fc |  3 ++
>   policy/modules/services/tpm2_abrmd.if | 58 +++++++++++++++++++++++++++
>   policy/modules/services/tpm2_abrmd.te | 29 ++++++++++++++
>   3 files changed, 90 insertions(+)
>   create mode 100644 policy/modules/services/tpm2_abrmd.fc
>   create mode 100644 policy/modules/services/tpm2_abrmd.if
>   create mode 100644 policy/modules/services/tpm2_abrmd.te

I think my only question is about the module name.  Why not tpm2?  I'm 
not well versed on the Linux TPM stack, but isn't there other components 
that potentially could need policy, like tss or totp?



> diff --git a/policy/modules/services/tpm2_abrmd.fc b/policy/modules/services/tpm2_abrmd.fc
> new file mode 100644
> index 00000000..4ccf2f25
> --- /dev/null
> +++ b/policy/modules/services/tpm2_abrmd.fc
> @@ -0,0 +1,3 @@
> +/usr/sbin/tpm2-abrmd								--	gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)
> +
> +/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service	--	gen_context(system_u:object_r:tpm2_abrmd_unit_t,s0)
> diff --git a/policy/modules/services/tpm2_abrmd.if b/policy/modules/services/tpm2_abrmd.if
> new file mode 100644
> index 00000000..dabb4a65
> --- /dev/null
> +++ b/policy/modules/services/tpm2_abrmd.if
> @@ -0,0 +1,58 @@
> +## <summary>TPM2 Access Broker and Resource Management daemon.</summary>
> +
> +########################################
> +## <summary>
> +##	Allow specified domain to enable/disable tpm2-abrmd unit
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tpm2_abrmd_enabledisable',`
> +	gen_require(`
> +		type tpm2_abrmd_unit_t;
> +		class service { enable disable };
> +	')
> +
> +	allow $1 tpm2_abrmd_unit_t:service { enable disable };
> +')
> +
> +########################################
> +## <summary>
> +##	Allow specified domain to start/stop tpm2-abrmd unit
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tpm2_abrmd_startstop',`
> +	gen_require(`
> +		type tpm2_abrmd_unit_t;
> +		class service { start stop };
> +	')
> +
> +	allow $1 tpm2_abrmd_unit_t:service { start stop };
> +')
> +
> +########################################
> +## <summary>
> +##	Allow specified domain to get status of tpm2-abrmd unit
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`tpm2_abrmd_status',`
> +	gen_require(`
> +		type tpm2_abrmd_unit_t;
> +		class service status;
> +	')
> +
> +	allow $1 tpm2_abrmd_unit_t:service status;
> +')
> diff --git a/policy/modules/services/tpm2_abrmd.te b/policy/modules/services/tpm2_abrmd.te
> new file mode 100644
> index 00000000..8a8ba5f0
> --- /dev/null
> +++ b/policy/modules/services/tpm2_abrmd.te
> @@ -0,0 +1,29 @@
> +policy_module(tpm2_abrmd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type tpm2_abrmd_t;
> +type tpm2_abrmd_exec_t;
> +init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
> +
> +type tpm2_abrmd_unit_t;
> +init_unit_file(tpm2_abrmd_unit_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow tpm2_abrmd_t self:process signal;
> +allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms;
> +
> +dev_rw_tpm(tpm2_abrmd_t)
> +
> +kernel_read_crypto_sysctls(tpm2_abrmd_t)
> +kernel_read_system_state(tpm2_abrmd_t)
> +
> +dbus_system_bus_client(tpm2_abrmd_t)
> +dbus_connect_system_bus(tpm2_abrmd_t)
> 


-- 
Chris PeBenito

  reply index

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-25 14:43 Sugar, David
2019-07-30  0:49 ` Chris PeBenito [this message]
2019-07-30  1:48   ` Sugar, David
2019-08-01  0:01     ` Chris PeBenito

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4438bc8f-0322-bd10-eab7-5556ecf49278@ieee.org \
    --to=pebenito@ieee.org \
    --cc=dsugar@tresys.com \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git