policy_module(devices, 1.11.3)

########################################
#
# Declarations
#

# Attribute carried by the device node types declared in this module
# (dev_node() below is what hands it out); the "Rules for all device
# nodes" section keys its filesystem associate rules on it.
attribute device_node;
# Domains permitted to read the raw memory devices (memory_device_t:
# /dev/mem, /dev/kmem, /dev/port). Enforced by neverallow, so a domain
# that lacks this attribute cannot be given read access anywhere in the
# policy.
attribute memory_raw_read;
# Domains permitted to write/append the raw memory devices; same
# neverallow enforcement as memory_raw_read.
attribute memory_raw_write;
# Domains exempt from this module's restrictions: they receive every
# permission on every device node plus CAP_SYS_RAWIO (see the
# "Unconfined access" section at the end of this file) and are carved
# out of the memory_device_t neverallows.
attribute devices_unconfined_type;

#
# device_t is the type of /dev.
#
# It is also the filesystem label of devtmpfs (fs_use_trans below):
# objects created on a devtmpfs mount get their label from type
# transition rules keyed on the creating domain, falling back to
# device_t. Relabeling of individual nodes to the specific types
# declared further down is done outside this module (presumably by
# udev / restorecon -- verify against the file contexts).
#
type device_t;
fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
fs_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);

#
# Type for /dev/agpgart
#
type agp_device_t;
dev_node(agp_device_t)

#
# Type for /dev/apm_bios
#
type apm_bios_t;
dev_node(apm_bios_t)

#
# Type for /dev/autofs
#
type autofs_device_t;
dev_node(autofs_device_t)

#
# Type for the PCMCIA card manager device node. It is additionally
# declared a tmp file type, so it is expected to live (or be created)
# under a tmp directory rather than only under /dev.
#
type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)

#
# clock_device_t is the type of
# /dev/rtc.
#
type clock_device_t;
dev_node(clock_device_t)

#
# cpu control devices /dev/cpu/0/*
#
# NOTE(review): the nodes under /dev/cpu/N/ (e.g. msr, cpuid) expose
# model-specific register access; write access is effectively
# privileged control of the CPU, so grant it narrowly.
#
type cpu_device_t;
dev_node(cpu_device_t)

#
# Type for /dev/crash
#
type crash_device_t;
dev_node(crash_device_t)

# for the IBM zSeries z90crypt hardware ssl accelerator
type crypt_device_t;
dev_node(crypt_device_t)

#
# dlm_control_device_t is the type of /dev/misc/dlm.*
# (the cluster DLM control nodes).
#
type dlm_control_device_t;
dev_node(dlm_control_device_t)

# Type for the DRI/DRM nodes (direct rendering).
type dri_device_t;
dev_node(dri_device_t)

# Type for input event devices.
type event_device_t;
dev_node(event_device_t)

#
# Type for framebuffer /dev/fb/*
#
type framebuf_device_t;
dev_node(framebuf_device_t)

#
# Type for /dev/ipmi/0
#
type ipmi_device_t;
dev_node(ipmi_device_t)

#
# Type for /dev/kmsg
#
# Write access lets a domain inject lines into the kernel log; keep
# the writer set small.
#
type kmsg_device_t;
dev_node(kmsg_device_t)

#
# ksm_device_t is the type of /dev/ksm
#
type ksm_device_t;
dev_node(ksm_device_t)

#
# kvm_device_t is the type of
# /dev/kvm
#
# Declared an MLS trusted object: the MLS read/write range constraints
# are not applied to it, so VMM domains at any level can open it.
#
type kvm_device_t;
dev_node(kvm_device_t)
mls_trusted_object(kvm_device_t)

#
# Type for /dev/lirc
#
type lirc_device_t;
dev_node(lirc_device_t)

#
# Type for the loop control device (presumably /dev/loop-control;
# the earlier comment here duplicated the lvm_control_t path).
#
type loop_control_device_t;
dev_node(loop_control_device_t)

#
# Type for /dev/mapper/control
#
type lvm_control_t;
dev_node(lvm_control_t)

#
# memory_device_t is the type of /dev/kmem,
# /dev/mem and /dev/port.
#
# Write access to these nodes is arbitrary physical/kernel memory and
# I/O port access, i.e. a full bypass of the policy; read access leaks
# kernel memory. The neverallows below make it a policy build error to
# grant either to any domain that is not explicitly tagged with
# memory_raw_read / memory_raw_write or devices_unconfined_type.
#
type memory_device_t;
dev_node(memory_device_t)

# NOTE(review): only read and append/write on chr_file/blk_file are
# constrained. Other ways of reaching the same memory (ioctl, or mmap
# where the policy version treats it as a distinct permission) are not
# covered by these assertions -- confirm that is intended.
neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;
neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write };

# Catch-all type for miscellaneous device nodes that have no type of
# their own.
type misc_device_t;
dev_node(misc_device_t)

#
# A general type for modem devices.
#
type modem_device_t;
dev_node(modem_device_t)

#
# A more general type for mouse devices.
#
type mouse_device_t;
dev_node(mouse_device_t)

#
# Type for /dev/cpu/mtrr and /proc/mtrr
#
# /proc/mtrr is a regular file (labeled via genfscon), not a device
# node, which is why the unconfined section grants mtrr_device_t:file
# separately from the device_node rule.
#
type mtrr_device_t;
dev_node(mtrr_device_t)
genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)

#
# network control devices
#
type netcontrol_device_t;
dev_node(netcontrol_device_t)

#
# null_device_t is the type of /dev/null.
#
# MLS trusted object (usable at any level) and bound to the kernel's
# devnull initial SID.
#
type null_device_t;
dev_node(null_device_t)
mls_trusted_object(null_device_t)
sid devnull gen_context(system_u:object_r:null_device_t,s0)

#
# Type for /dev/nvram
#
type nvram_device_t;
dev_node(nvram_device_t)

#
# Type for /dev/pmu
#
type power_device_t;
dev_node(power_device_t)

#
# Type for printer device nodes. Under MLS, writes are allowed only
# within the writer's range (mls_file_write_within_range).
#
type printer_device_t;
dev_node(printer_device_t)
mls_file_write_within_range(printer_device_t)

#
# qemu control devices
#
type qemu_device_t;
dev_node(qemu_device_t)

#
# random_device_t is the type of /dev/random
#
# Kept distinct from urandom_device_t so that access to the blocking
# and non-blocking generators can be granted separately.
#
type random_device_t;
dev_node(random_device_t)

# Type for scanner device nodes.
type scanner_device_t;
dev_node(scanner_device_t)

#
# Type for smartcards
#
type smartcard_device_t;
dev_node(smartcard_device_t)

#
# Type for sound devices and mixers
#
type sound_device_t;
dev_node(sound_device_t)

#
# sysfs_t is the type for the /sys pseudofs
#
# The whole tree is labeled sysfs_t through genfscon; individual paths
# that need a distinct type (cpu_online_t below) are carved out with
# more specific genfscon entries.
#
type sysfs_t;
files_mountpoint(sysfs_t)
fs_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

# Type for /sys/devices/system/cpu/online. Not a dev_node() type, so it
# only needs to associate with sysfs_t and is not covered by the
# device_node rules below.
type cpu_online_t;
allow cpu_online_t sysfs_t:filesystem associate;
genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)

#
# Type for /dev/tpm
#
# This node is the TPM command interface. NOTE(review): write access
# should normally be limited to the TPM daemon / resource manager
# domain -- check the consumers of this type in other modules.
#
type tpm_device_t;
dev_node(tpm_device_t)

#
# urandom_device_t is the type of /dev/urandom
#
type urandom_device_t;
dev_node(urandom_device_t)

#
# usbfs_t is the type for the /proc/bus/usb pseudofs
#
# The filesystem cannot store xattr labels (fs_noxattr_type), so the
# type is applied through genfscon for both the usbfs and legacy
# usbdevfs names.
#
type usbfs_t alias usbdevfs_t;
files_mountpoint(usbfs_t)
fs_noxattr_type(usbfs_t)
genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)

#
# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
#
type usb_device_t;
dev_node(usb_device_t)

#
# usbmon_device_t is the type for /dev/usbmon
# (USB traffic capture; read access exposes the traffic of every
# device on the monitored bus).
#
type usbmon_device_t;
dev_node(usbmon_device_t)

#
# userio_device_t is the type for /dev/uio[0-9]+
# (userspace I/O driver nodes)
#
type userio_device_t;
dev_node(userio_device_t)

# Type for video4linux device nodes.
type v4l_device_t;
dev_node(v4l_device_t)

#
# vhost_device_t is the type for /dev/vhost-net
#
# MLS trusted object, like kvm_device_t, so VMM domains at any level
# can use it.
#
type vhost_device_t;
dev_node(vhost_device_t)
mls_trusted_object(vhost_device_t)

# Type for vmware devices.
type vmware_device_t;
dev_node(vmware_device_t)

# Type for watchdog device nodes.
type watchdog_device_t;
dev_node(watchdog_device_t)

#
# wireless control devices
#
type wireless_device_t;
dev_node(wireless_device_t)

# Type for Xen device nodes.
type xen_device_t;
dev_node(xen_device_t)

# Type for miscellaneous device nodes used by the X server.
type xserver_misc_device_t;
dev_node(xserver_misc_device_t)

#
# zero_device_t is the type of /dev/zero.
#
# MLS trusted object: usable from any level.
#
type zero_device_t;
dev_node(zero_device_t)
mls_trusted_object(zero_device_t)

########################################
#
# Rules for all device nodes
#
# Every dev_node() type (via the device_node attribute) may live on
# /dev itself (device_t), on any filesystem fs_associate covers, and on
# tmpfs / tmp directories.
#

allow device_node device_t:filesystem associate;

fs_associate(device_node)
fs_associate_tmpfs(device_node)

files_associate_tmp(device_node)

########################################
#
# Unconfined access to this module
#
# Anything given devices_unconfined_type gets CAP_SYS_RAWIO and the
# wildcard (every permission, including any added by later policy
# versions) on all device nodes, which -- together with the carve-out in
# the memory_device_t neverallows -- amounts to unrestricted hardware
# and raw memory access. /proc/mtrr is a regular file, hence the
# separate mtrr_device_t:file rule.
#

allow devices_unconfined_type self:capability sys_rawio;
allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;