1 |
commit: 63ab6a3846fefa9040bd9a3b21bdfa8c84b5dc31 |
2 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
3 |
AuthorDate: Sat Jan 12 08:03:40 2019 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Feb 10 04:11:25 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63ab6a38 |
7 |
|
8 |
devices: introduce dev_dontaudit_read_sysfs |
9 |
|
10 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
11 |
|
12 |
policy/modules/kernel/devices.if | 20 ++++++++++++++++++++ |
13 |
1 file changed, 20 insertions(+) |
14 |
|
15 |
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if |
16 |
index 0966a468..84b9d8fb 100644 |
17 |
--- a/policy/modules/kernel/devices.if |
18 |
+++ b/policy/modules/kernel/devices.if |
19 |
@@ -4043,6 +4043,26 @@ interface(`dev_dontaudit_getattr_sysfs',` |
20 |
dontaudit $1 sysfs_t:filesystem getattr; |
21 |
') |
22 |
|
23 |
+######################################## |
24 |
+## <summary> |
25 |
+## Dont audit attempts to read hardware state information |
26 |
+## </summary> |
27 |
+## <param name="domain"> |
28 |
+## <summary> |
29 |
+## Domain for which the attempts do not need to be audited |
30 |
+## </summary> |
31 |
+## </param> |
32 |
+# |
33 |
+interface(`dev_dontaudit_read_sysfs',` |
34 |
+ gen_require(` |
35 |
+ type sysfs_t; |
36 |
+ ') |
37 |
+ |
38 |
+ dontaudit $1 sysfs_t:file read_file_perms; |
39 |
+ dontaudit $1 sysfs_t:dir list_dir_perms; |
40 |
+ dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms; |
41 |
+') |
42 |
+ |
43 |
######################################## |
44 |
## <summary> |
45 |
## mounton sysfs directories. |