diff options
Diffstat (limited to 'policy/modules/kernel/devices.te')
| -rw-r--r-- | policy/modules/kernel/devices.te | 314 |
1 files changed, 314 insertions, 0 deletions
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te new file mode 100644 index 00000000..82be0882 --- /dev/null +++ b/policy/modules/kernel/devices.te @@ -0,0 +1,314 @@ +policy_module(devices, 1.13.0) + +######################################## +# +# Declarations +# + +attribute device_node; +attribute memory_raw_read; +attribute memory_raw_write; +attribute devices_unconfined_type; + +# +# device_t is the type of /dev. +# +type device_t; +fs_associate_tmpfs(device_t) +files_type(device_t) +files_mountpoint(device_t) +files_associate_tmp(device_t) +fs_type(device_t) +fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0); + +# +# Type for /dev/agpgart +# +type agp_device_t; +dev_node(agp_device_t) + +# +# Type for /dev/apm_bios +# +type apm_bios_t; +dev_node(apm_bios_t) + +# +# Type for /dev/autofs +# +type autofs_device_t; +dev_node(autofs_device_t) + +type cardmgr_dev_t; +dev_node(cardmgr_dev_t) +files_tmp_file(cardmgr_dev_t) + +# +# clock_device_t is the type of +# /dev/rtc. +# +type clock_device_t; +dev_node(clock_device_t) + +# +# cpu control devices /dev/cpu/0/* +# +type cpu_device_t; +dev_node(cpu_device_t) + +# +# Type for /dev/crash +# +type crash_device_t; +dev_node(crash_device_t) + +# for the IBM zSeries z90crypt hardware ssl accelorator +type crypt_device_t; +dev_node(crypt_device_t) + +# +# dlm_misc_device_t is the type of /dev/misc/dlm.* +# +type dlm_control_device_t; +dev_node(dlm_control_device_t) + +type dri_device_t; +dev_node(dri_device_t) + +type event_device_t; +dev_node(event_device_t) + +# +# Type for framebuffer /dev/fb/* +# +type framebuf_device_t; +dev_node(framebuf_device_t) + +# +# Type for /dev/ipmi/0 +# +type ipmi_device_t; +dev_node(ipmi_device_t) + +# +# Type for /dev/kmsg +# +type kmsg_device_t; +dev_node(kmsg_device_t) + +# +# ksm_device_t is the type of /dev/ksm +# +type ksm_device_t; +dev_node(ksm_device_t) + +# +# kvm_device_t is the type of +# /dev/kvm +# +type kvm_device_t; +dev_node(kvm_device_t) + +# +# Type for /dev/lirc +# +type lirc_device_t; +dev_node(lirc_device_t) + +# +# Type for /dev/mapper/control +# +type lvm_control_t; +dev_node(lvm_control_t) + +# +# memory_device_t is the type of /dev/kmem, +# /dev/mem and /dev/port. +# +type memory_device_t; +dev_node(memory_device_t) + +neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read; +neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write }; + +type misc_device_t; +dev_node(misc_device_t) + +# +# A general type for modem devices. +# +type modem_device_t; +dev_node(modem_device_t) + +# +# A more general type for mouse devices. +# +type mouse_device_t; +dev_node(mouse_device_t) + +# +# Type for /dev/cpu/mtrr and /proc/mtrr +# +type mtrr_device_t; +dev_node(mtrr_device_t) +genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0) + +# +# network control devices +# +type netcontrol_device_t; +dev_node(netcontrol_device_t) + +# +# null_device_t is the type of /dev/null. +# +type null_device_t; +dev_node(null_device_t) +mls_trusted_object(null_device_t) +sid devnull gen_context(system_u:object_r:null_device_t,s0) + +# +# Type for /dev/nvram +# +type nvram_device_t; +dev_node(nvram_device_t) + +# +# Type for /dev/pmu +# +type power_device_t; +dev_node(power_device_t) + +type printer_device_t; +dev_node(printer_device_t) +mls_file_write_within_range(printer_device_t) + +# +# qemu control devices +# +type qemu_device_t; +dev_node(qemu_device_t) + +# +# random_device_t is the type of /dev/random +# +type random_device_t; +dev_node(random_device_t) + +type scanner_device_t; +dev_node(scanner_device_t) + +# +# Type for smartcards +# +type smartcard_device_t; +dev_node(smartcard_device_t) + +# +# Type for sound devices and mixers +# +type sound_device_t; +dev_node(sound_device_t) + +# +# sysfs_t is the type for the /sys pseudofs +# +type sysfs_t; +files_mountpoint(sysfs_t) +fs_type(sysfs_t) +genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) + +# +# Type for /dev/tpm +# +type tpm_device_t; +dev_node(tpm_device_t) + +# +# urandom_device_t is the type of /dev/urandom +# +type urandom_device_t; +dev_node(urandom_device_t) + +# +# usbfs_t is the type for the /proc/bus/usb pseudofs +# +type usbfs_t alias usbdevfs_t; +files_mountpoint(usbfs_t) +fs_noxattr_type(usbfs_t) +genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0) +genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) + +# +# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ +# +type usb_device_t; +dev_node(usb_device_t) + +# +# usb_device_t is the type for /dev/usbmon +# +type usbmon_device_t; +dev_node(usbmon_device_t) + +# +# userio_device_t is the type for /dev/uio[0-9]+ +# +type userio_device_t; +dev_node(userio_device_t) + +type v4l_device_t; +dev_node(v4l_device_t) + +# +# vhost_device_t is the type for /dev/vhost-net +# +type vhost_device_t; +dev_node(vhost_device_t) + +# Type for vmware devices. +type vmware_device_t; +dev_node(vmware_device_t) + +type watchdog_device_t; +dev_node(watchdog_device_t) + +# +# wireless control devices +# +type wireless_device_t; +dev_node(wireless_device_t) + +type xen_device_t; +dev_node(xen_device_t) + +type xserver_misc_device_t; +dev_node(xserver_misc_device_t) + +# +# zero_device_t is the type of /dev/zero. +# +type zero_device_t; +dev_node(zero_device_t) +mls_trusted_object(zero_device_t) + +######################################## +# +# Rules for all device nodes +# + +allow device_node device_t:filesystem associate; + +fs_associate(device_node) +fs_associate_tmpfs(device_node) + +files_associate_tmp(device_node) + +######################################## +# +# Unconfined access to this module +# + +allow devices_unconfined_type self:capability sys_rawio; +allow devices_unconfined_type device_node:{ blk_file chr_file } *; +allow devices_unconfined_type mtrr_device_t:file *; |