* [gentoo-commits] proj/hardened-refpolicy:master commit in: testing/, policy/modules/system/, policy/modules/services/, ...
@ 2025-07-15 7:54 Jason Zaman
From: Jason Zaman @ 2025-07-15 7:54 UTC (permalink / raw
To: gentoo-commits
commit: 7d1bb57cfd2ab2fd16afd5a8187ba8dc173af23f
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Jun 17 15:20:07 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d1bb57c
fwupd-fixed-more (#928)
* Policy for the firmware update daemon and the utility program that talks to it
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/devices.if | 72 ++++++++++
policy/modules/kernel/kernel.if | 36 +++++
policy/modules/kernel/selinux.if | 19 +++
policy/modules/roles/sysadm.te | 4 +
policy/modules/services/dbus.if | 24 ++++
policy/modules/system/fwupd.fc | 9 ++
policy/modules/system/fwupd.if | 36 +++++
policy/modules/system/fwupd.te | 260 ++++++++++++++++++++++++++++++++++++
policy/modules/system/unconfined.te | 4 +
policy/modules/system/userdomain.if | 20 +++
testing/sechecker.ini | 1 +
11 files changed, 485 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 7c20041d1..ddd103c88 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2459,6 +2459,24 @@ interface(`dev_rw_framebuffer',`
rw_chr_files_pattern($1, device_t, framebuf_device_t)
')
+########################################
+## <summary>
+## Allow read the gpiochip device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_gpiochip',`
+ gen_require(`
+ type device_t, gpiochip_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, gpiochip_device_t)
+')
+
########################################
## <summary>
## Allow read/write the hypervkvp device
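Review bot: The summary of the new `dev_read_gpiochip` interface reads "Allow read the gpiochip device", which is ungrammatical and departs from the imperative form the neighbouring summaries use (e.g. "Read and write the Intel mei control device."). I would change it to `## Read the gpiochip device.`. The same applies to `dev_watch_sysfs_dirs` and `dev_map_sysfs_files` in the third hunk of this file ("Allow watching sysfs dirs", "Allow mapping sysfs files"), which would read better as `## Watch sysfs directories.` and `## Map sysfs files.`.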
@@ -2952,6 +2970,24 @@ interface(`dev_dontaudit_rw_mei',`
dontaudit $1 mei_device_t:chr_file rw_chr_file_perms;
')
+########################################
+## <summary>
+## Read and write the Intel mei control device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_mei',`
+ gen_require(`
+ type device_t, mei_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, mei_device_t)
+')
+
########################################
## <summary>
## dontaudit getattr raw memory devices (e.g. /dev/mem).
@@ -4829,6 +4865,42 @@ interface(`dev_relabel_sysfs_dirs',`
relabel_dirs_pattern($1, sysfs_t, sysfs_t)
')
+########################################
+## <summary>
+## Allow watching sysfs dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_watch_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir watch;
+')
+
+########################################
+## <summary>
+## Allow mapping sysfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_map_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:file map;
+')
+
########################################
## <summary>
## Relabel from/to all sysfs types.
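Review bot: `dev_map_sysfs_files` grants only `map` on `sysfs_t:file`, so a caller that has not separately been given read access (for instance via `dev_read_sysfs`) still cannot open the file it wants to map; the documentation should say so, since a lone `map` grant is easy to misread as self-sufficient. I would extend the summary to `## Map sysfs files. Read access must be granted separately (e.g. dev_read_sysfs).`. fwupd.te in this commit does call both interfaces, so the pairing is correct there, but future callers will read only this block.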
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 2535e7bfb..5eafcc9f2 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1003,6 +1003,24 @@ interface(`kernel_dontaudit_getattr_proc',`
dontaudit $1 proc_t:filesystem getattr;
')
+########################################
+## <summary>
+## Watch proc dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_watch_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir watch;
+')
+
########################################
## <summary>
## Mount on proc directories. (Deprecated)
@@ -2220,6 +2238,24 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
dontaudit $1 sysctl_kernel_t:dir search;
')
+########################################
+## <summary>
+## Allow watching sysctl kernel dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow watching.
+## </summary>
+## </param>
+#
+interface(`kernel_watch_kernel_sysctl_dirs',`
+ gen_require(`
+ type sysctl_kernel_t;
+ ')
+
+ allow $1 sysctl_kernel_t:dir watch;
+')
+
#######################################
## <summary>
## Do not audit attempted reading of kernel sysctls
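Review bot: The parameter summary of `kernel_watch_kernel_sysctl_dirs` says "Domain to allow watching." while every other interface added in this commit, including `kernel_watch_proc_dirs` in the previous hunk, uses the refpolicy boilerplate "Domain allowed access."; keeping the wording uniform makes the generated interface documentation easier to scan. I would change it to `## Domain allowed access.`. The interface summary "Allow watching sysctl kernel dirs" would likewise read better in the imperative form used elsewhere in this file, `## Watch kernel sysctl directories.`.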
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 8f3dca6c1..ad07fc937 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -752,6 +752,25 @@ interface(`selinux_use_status_page',`
allow $1 security_t:file mmap_read_file_perms;
')
+########################################
+## <summary>
+## Allows the caller to watch SE Linux status dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`selinux_watch_status_page',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir watch;
+')
+
########################################
## <summary>
## Unconfined access to the SELinux kernel security server.
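Review bot: The interface name `selinux_watch_status_page` does not match what the rule grants: `allow $1 security_t:dir watch;` watches the selinuxfs directory, not the status page file that `selinux_use_status_page` above maps, and the summary itself says "watch SE Linux status dir". A name such as `selinux_watch_dirs` (or at least a summary and a comment stating that this is directory-level watch on selinuxfs) would avoid callers assuming they get inotify events on the status file. The `<rolecap/>` tag also looks out of place here; none of the other watch interfaces in this commit carry it, and it marks the interface as a role capability in the generated docs, so I would drop it unless that is intended.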
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4cab19ea7..d5decb69b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -440,6 +440,10 @@ optional_policy(`
ftp_admin(sysadm_t, sysadm_r)
')
+optional_policy(`
+ fwupd_run(sysadm_t, sysadm_r)
+')
+
optional_policy(`
gatekeeper_admin(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 2ec41ef54..699c78b25 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -651,6 +651,30 @@ interface(`dbus_use_system_bus_pidfds',`
allow $1 system_dbusd_t:fd use;
')
+########################################
+## <summary>
+## Allow DBUS system bus to receive file handles
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to receive fds from
+## </summary>
+## </param>
+## <param name="file type">
+## <summary>
+## Type of file to receive
+## </summary>
+## </param>
+#
+interface(`dbus_system_bus_receive_file_handle',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ allow system_dbusd_t $1:fd use;
+ allow system_dbusd_t $2:file rw_inherited_file_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to read and
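Review bot: The second parameter of `dbus_system_bus_receive_file_handle` is documented as "Type of file to receive", but the rule grants `rw_inherited_file_perms`, which carries no `open` permission: the bus can only use descriptors that `$1` has already opened and passed to it, and cannot open files of `$2` itself. That distinction is the whole point of the interface and should be stated, e.g. `## Type of the files whose already-open descriptors may be used.`. The parameter name `file type` contains a space; I believe the refpolicy convention is an underscore-joined name (`file_type`), though I have not checked the doc generator, so confirm before changing it.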
diff --git a/policy/modules/system/fwupd.fc b/policy/modules/system/fwupd.fc
new file mode 100644
index 000000000..4931c4bae
--- /dev/null
+++ b/policy/modules/system/fwupd.fc
@@ -0,0 +1,9 @@
+/etc/fwupd(/.*)? gen_context(system_u:object_r:fwupd_conf_t,s0)
+
+/usr/bin/fwupdmgr -- gen_context(system_u:object_r:fwupdmgr_exec_t,s0)
+
+/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
+
+/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0)
+
+/var/cache/fwupd(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
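Review bot: fwupd.te declares `fwupd_runtime_t` via `files_runtime_file` and grants `fwupd_t` `manage_file_perms` on it, but this file contexts file has no entry labelling the daemon's runtime directory, and the .te hunk has no `files_runtime_filetrans` either, so nothing the daemon creates under the runtime directory will ever receive that type. Either add an entry for the daemon's runtime directory here (`/run/<fwupd runtime dir>(/.*)? gen_context(system_u:object_r:fwupd_runtime_t,s0)`, replacing the placeholder with the path fwupd actually uses) together with a filetrans rule in the .te, or drop the unused type. I cannot tell from the page which path fwupd uses, so confirm against the package before adding the entry.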
diff --git a/policy/modules/system/fwupd.if b/policy/modules/system/fwupd.if
new file mode 100644
index 000000000..be3d0bd10
--- /dev/null
+++ b/policy/modules/system/fwupd.if
@@ -0,0 +1,36 @@
+## <summary>Policy for firmwate update daemon and utility.</summary>
+##
+## <desc>
+## You can either use a GUI software manager like GNOME Software to view and
+## apply updates, the command-line tool or the system D-Bus interface directly.
+## Firmware updates are supported for a variety of technologies.
+## See https://github.com/fwupd/fwupd for details
+## </desc>
+
+########################################
+## <summary>
+## Execute fwupd in the user role
+## the kmod domain, and use the caller's terminal.
+## Has a sigchld backchannel.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fwupd_run',`
+ gen_require(`
+ attribute_role fwupdmgr_roles;
+ type fwupdmgr_exec_t, fwupdmgr_t;
+ ')
+
+ domtrans_pattern($1, fwupdmgr_exec_t, fwupdmgr_t)
+ roleattribute $2 fwupdmgr_roles;
+')
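Review bot: The summary of `fwupd_run` is a leftover from the kmod interface it was copied from: it says "Execute fwupd in the user role the kmod domain", whereas the body performs a domain transition to `fwupdmgr_t` via `fwupdmgr_exec_t`, i.e. it runs the fwupdmgr utility, not the daemon and not kmod. I would replace the three summary lines with `## Execute fwupdmgr in the fwupdmgr domain and allow the specified role the fwupdmgr domain.`; the sigchld backchannel and fd use come from `domtrans_pattern`, so that part of the summary is correct. The module summary on the first line also has a typo, "firmwate" for "firmware" (the same typo appears in the header comment of fwupd.te).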
diff --git a/policy/modules/system/fwupd.te b/policy/modules/system/fwupd.te
new file mode 100644
index 000000000..34ad6bc21
--- /dev/null
+++ b/policy/modules/system/fwupd.te
@@ -0,0 +1,260 @@
+policy_module(fwupd)
+
+gen_require(`
+ class dbus all_dbus_perms;
+')
+
+########################################
+#
+# Policy for firmwate update daemon and utility
+# Debian package fwupd
+#
+
+########################################
+#
+# Declarations
+#
+
+type fwupd_t;
+type fwupd_exec_t;
+init_daemon_domain(fwupd_t, fwupd_exec_t)
+
+attribute_role fwupdmgr_roles;
+type fwupdmgr_t;
+type fwupdmgr_exec_t;
+application_domain(fwupdmgr_t, fwupdmgr_exec_t)
+role fwupdmgr_roles types fwupdmgr_t;
+
+type fwupd_cache_t;
+files_type(fwupd_cache_t)
+
+type fwupd_conf_t;
+files_type(fwupd_conf_t)
+
+type fwupd_runtime_t;
+files_runtime_file(fwupd_runtime_t)
+
+type fwupd_var_lib_t;
+files_type(fwupd_var_lib_t)
+
+type fwupdmgr_tmpfs_t;
+files_tmpfs_file(fwupdmgr_tmpfs_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit fwupd_t self:capability net_admin;
+# sys_admin is for "FuPluginUefiCapsule skipping device that failed coldplug: failed to read fw_class"
+# linux_immutable is for setting /sys/firmware/efi/efivars/* as mutable
+allow fwupd_t self:capability { dac_override dac_read_search linux_immutable sys_admin };
+allow fwupd_t self:fifo_file rw_fifo_file_perms;
+allow fwupd_t self:process getsched;
+allow fwupd_t self:udp_socket { create connect getattr };
+allow fwupd_t self:tcp_socket { create connect };
+allow fwupd_t self:netlink_route_socket { create bind getattr nlmsg_read read write };
+
+allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+allow fwupd_t fwupd_conf_t:dir { watch list_dir_perms };
+allow fwupd_t fwupd_conf_t:file { map read_file_perms };
+
+allow fwupd_t fwupd_var_lib_t:dir { watch manage_dir_perms };
+allow fwupd_t fwupd_var_lib_t:file mmap_manage_file_perms;
+
+allow fwupd_t fwupd_cache_t:dir { watch manage_dir_perms };
+allow fwupd_t fwupd_cache_t:file mmap_manage_file_perms;
+
+auth_use_pam_motd_dynamic(fwupd_t)
+
+allow fwupd_t fwupd_runtime_t:file manage_file_perms;
+allow fwupd_t fwupdmgr_tmpfs_t:file rw_inherited_file_perms;
+
+kernel_read_kernel_sysctls(fwupd_t)
+# for /proc/filesystems etc
+kernel_read_system_state(fwupd_t)
+kernel_read_vm_overcommit_sysctl(fwupd_t)
+kernel_watch_kernel_sysctl_dirs(fwupd_t)
+kernel_watch_proc_dirs(fwupd_t)
+
+dev_getattr_sysfs(fwupd_t)
+dev_map_sysfs_files(fwupd_t)
+dev_read_gpiochip(fwupd_t)
+dev_read_urand(fwupd_t)
+dev_read_sysfs(fwupd_t)
+dev_rw_acpi_bios(fwupd_t)
+dev_rw_cpu_microcode(fwupd_t)
+dev_rw_dri(fwupd_t)
+dev_rw_generic_usb_dev(fwupd_t)
+dev_rw_mei(fwupd_t)
+dev_rw_tpm(fwupd_t)
+dev_rw_xserver_misc(fwupd_t)
+dev_rx_raw_memory(fwupd_t)
+dev_watch_sysfs_dirs(fwupd_t)
+
+corecmd_exec_bin(fwupd_t)
+corecmd_list_bin(fwupd_t)
+corecmd_watch_bin_dirs(fwupd_t)
+
+corenet_tcp_connect_generic_port(fwupd_t)
+
+files_map_usr_files(fwupd_t)
+files_read_etc_files(fwupd_t)
+files_read_etc_runtime_files(fwupd_t)
+files_read_etc_symlinks(fwupd_t)
+files_read_usr_files(fwupd_t)
+files_search_locks(fwupd_t)
+files_search_var_lib(fwupd_t)
+files_search_boot(fwupd_t)
+files_watch_etc_dirs(fwupd_t)
+files_watch_usr_dirs(fwupd_t)
+
+fs_manage_efivarfs_files(fwupd_t)
+fs_getattr_dos_fs(fwupd_t)
+fs_getattr_efivarfs(fwupd_t)
+
+fs_manage_dos_dirs(fwupd_t)
+fs_manage_dos_files(fwupd_t)
+fs_mmap_read_dos_files(fwupd_t)
+
+init_get_generic_units_status(fwupd_t)
+init_get_system_status(fwupd_t)
+
+# for cgroup file of init_t process
+init_read_state(fwupd_t)
+
+miscfiles_read_generic_certs(fwupd_t)
+miscfiles_read_localization(fwupd_t)
+
+mount_read_runtime_files(fwupd_t)
+
+selinux_get_enforce_mode(fwupd_t)
+selinux_get_fs_mount(fwupd_t)
+seutil_search_default_contexts(fwupd_t)
+selinux_watch_status_page(fwupd_t)
+
+storage_raw_read_fixed_disk(fwupd_t)
+storage_raw_write_fixed_disk(fwupd_t)
+
+sysnet_read_config(fwupd_t)
+
+udev_read_runtime_files(fwupd_t)
+
+optional_policy(`
+ bluetooth_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+ dbus_read_lib_files(fwupd_t)
+ dbus_system_bus_client(fwupd_t)
+ dbus_connect_system_bus(fwupd_t)
+ dbus_use_system_bus_fds(fwupd_t)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_disk(fwupd_t)
+ devicekit_dbus_chat_power(fwupd_t)
+')
+
+optional_policy(`
+ gpg_exec(fwupd_t)
+')
+
+optional_policy(`
+ init_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+ low_mem_mon_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+ modemmanager_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+ networkmanager_read_runtime_files(fwupd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(fwupd_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(fwupd_t)
+ systemd_use_logind_fds(fwupd_t)
+ systemd_write_inherited_logind_inhibit_pipes(fwupd_t)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow fwupdmgr_t self:process signal;
+allow fwupdmgr_t self:fifo_file rw_fifo_file_perms;
+
+fs_tmpfs_filetrans(fwupdmgr_t, fwupdmgr_tmpfs_t, { file })
+allow fwupdmgr_t fwupdmgr_tmpfs_t:file manage_file_perms;
+
+allow fwupdmgr_t fwupd_t:dbus send_msg;
+allow fwupd_t fwupdmgr_t:dbus send_msg;
+allow fwupd_t fwupdmgr_t:fd use;
+
+kernel_read_system_state(fwupdmgr_t)
+kernel_read_vm_overcommit_sysctl(fwupdmgr_t)
+
+corecmd_exec_bin(fwupdmgr_t)
+domain_use_interactive_fds(fwupdmgr_t)
+
+sysnet_dns_name_resolve(fwupdmgr_t)
+sysnet_read_config(fwupdmgr_t)
+corenet_tcp_connect_generic_port(fwupdmgr_t)
+corenet_tcp_connect_http_port(fwupdmgr_t)
+
+files_read_etc_files(fwupdmgr_t)
+files_read_etc_symlinks(fwupdmgr_t)
+files_read_usr_files(fwupdmgr_t)
+files_map_usr_files(fwupdmgr_t)
+
+miscfiles_read_generic_certs(fwupdmgr_t)
+miscfiles_read_localization(fwupdmgr_t)
+
+userdom_use_user_ptys(fwupdmgr_t)
+userdom_use_user_ttys(fwupdmgr_t)
+userdom_search_user_home_dirs(fwupdmgr_t)
+
+# for dconf
+userdom_map_user_tmp_files(fwupdmgr_t)
+userdom_rw_user_tmp_files(fwupdmgr_t)
+userdom_manage_user_runtime_dirs(fwupdmgr_t)
+userdom_mmap_manage_user_runtime_files(fwupdmgr_t)
+xdg_search_config_dirs(fwupdmgr_t)
+
+optional_policy(`
+ dbus_list_system_bus_runtime(fwupdmgr_t)
+ dbus_write_session_runtime_socket(fwupdmgr_t)
+ dbus_system_bus_client(fwupdmgr_t)
+ dbus_system_bus_receive_file_handle(fwupdmgr_t, fwupdmgr_tmpfs_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(fwupdmgr_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(fwupdmgr_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(fwupdmgr_t)
+ systemd_read_logind_state(fwupdmgr_t)
+ systemd_use_logind_fds(fwupdmgr_t)
+ systemd_write_inherited_logind_inhibit_pipes(fwupdmgr_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(fwupdmgr_t)
+ unconfined_stream_connect(fwupdmgr_t)
+')
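Review bot: `fwupd_runtime_t` is declared and `fwupd_t` gets `manage_file_perms` on its files, but there is no `files_runtime_filetrans(fwupd_t, fwupd_runtime_t, { dir file })` and no directory permissions, so files the daemon creates in the runtime directory will inherit the parent's type and these rules are dead; if the daemon does create runtime state, add the filetrans plus `allow fwupd_t fwupd_runtime_t:dir manage_dir_perms;` (and a matching .fc entry), otherwise drop the type. The second `# Local policy` heading at the start of the fwupdmgr rules should say `# fwupdmgr local policy` so the two domains' sections are distinguishable, and the header comment has the typo "firmwate". The two broadest grants, `dev_rx_raw_memory(fwupd_t)` (read and execute mapping of raw memory devices) and `corenet_tcp_connect_generic_port(fwupd_t)`, deserve a justifying comment in the same way the `sys_admin` and `linux_immutable` capabilities already have one; for the network side, `corenet_tcp_connect_http_port`, which fwupdmgr already uses, may be sufficient for metadata downloads, which is something to verify against the daemon's actual denials before widening to all generic ports.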
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 759c83776..b9c8173ae 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -118,6 +118,10 @@ optional_policy(`
ftp_run_ftpdctl(unconfined_t, unconfined_r)
')
+optional_policy(`
+ fwupd_run(unconfined_t, unconfined_r)
+')
+
optional_policy(`
hadoop_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cdcc3f36e..6956b9b4e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3762,6 +3762,26 @@ interface(`userdom_watch_user_runtime_dirs',`
userdom_search_user_runtime_root($1)
')
+########################################
+## <summary>
+## Manage user runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_mmap_manage_user_runtime_files',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:dir rw_dir_perms;
+ allow $1 user_runtime_t:file mmap_manage_file_perms;
+ userdom_search_user_runtime_root($1)
+')
+
########################################
## <summary>
## Mount a filesystem on user runtime dir
diff --git a/testing/sechecker.ini b/testing/sechecker.ini
index f5f85ce3e..d6e9e1574 100644
--- a/testing/sechecker.ini
+++ b/testing/sechecker.ini
@@ -199,6 +199,7 @@ exempt_source = abrt_t # Conditional access (allow_raw_memory_acces
dmidecode_t
fsadm_t
fsdaemon_t
+ fwupd_t # needs raw access to storage for storage firmware updates
hddtemp_t
hwclock_t
init_t
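Review bot: The justification added for the `fwupd_t` exemption, "needs raw access to storage for storage firmware updates", describes the `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` grants, but the exemption list it joins appears from the hunk header (`allow_raw_memory_acces…`) to be the raw-memory check, which the daemon triggers through `dev_rx_raw_memory` rather than through its storage access. If that reading is right, the comment should name the access the check is actually about, e.g. `fwupd_t # reads raw memory (dev_rx_raw_memory) for firmware/platform probing`, with the concrete reason taken from the daemon's requirements rather than my guess. I cannot see the check definition in this page, so confirm which check this list feeds before rewording.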