[PATCH] Module for tpm2-abrmd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
 policy/modules/services/tpm2_abrmd.fc |  3 ++
 policy/modules/services/tpm2_abrmd.if | 58 +++++++++++++++++++++++++++
 policy/modules/services/tpm2_abrmd.te | 29 ++++++++++++++
 3 files changed, 90 insertions(+)
 create mode 100644 policy/modules/services/tpm2_abrmd.fc
 create mode 100644 policy/modules/services/tpm2_abrmd.if
 create mode 100644 policy/modules/services/tpm2_abrmd.te

diff --git a/policy/modules/services/tpm2_abrmd.fc b/policy/modules/services/tpm2_abrmd.fc
new file mode 100644
index 00000000..4ccf2f25
--- /dev/null
+++ b/policy/modules/services/tpm2_abrmd.fc
@@ -0,0 +1,3 @@
+/usr/sbin/tpm2-abrmd								--	gen_context(system_u:object_r:tpm2_abrmd_exec_t,s0)
+
+/usr/lib/systemd/system/[^/]*tpm2-abrmd\.service	--	gen_context(system_u:object_r:tpm2_abrmd_unit_t,s0)
diff --git a/policy/modules/services/tpm2_abrmd.if b/policy/modules/services/tpm2_abrmd.if
new file mode 100644
index 00000000..dabb4a65
--- /dev/null
+++ b/policy/modules/services/tpm2_abrmd.if
@@ -0,0 +1,58 @@
+## <summary>TPM2 Access Broker and Resource Management daemon.</summary>
+
+########################################
+## <summary>
+##	Allow specified domain to enable/disable tpm2-abrmd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tpm2_abrmd_enabledisable',`
+	gen_require(`
+		type tpm2_abrmd_unit_t;
+		class service { enable disable };
+	')
+
+	allow $1 tpm2_abrmd_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+##	Allow specified domain to start/stop tpm2-abrmd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tpm2_abrmd_startstop',`
+	gen_require(`
+		type tpm2_abrmd_unit_t;
+		class service { start stop };
+	')
+
+	allow $1 tpm2_abrmd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+##	Allow specified domain to get status of tpm2-abrmd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tpm2_abrmd_status',`
+	gen_require(`
+		type tpm2_abrmd_unit_t;
+		class service status;
+	')
+
+	allow $1 tpm2_abrmd_unit_t:service status;
+')
diff --git a/policy/modules/services/tpm2_abrmd.te b/policy/modules/services/tpm2_abrmd.te
new file mode 100644
index 00000000..8a8ba5f0
--- /dev/null
+++ b/policy/modules/services/tpm2_abrmd.te
@@ -0,0 +1,29 @@
+policy_module(tpm2_abrmd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type tpm2_abrmd_t;
+type tpm2_abrmd_exec_t;
+init_daemon_domain(tpm2_abrmd_t, tpm2_abrmd_exec_t)
+
+type tpm2_abrmd_unit_t;
+init_unit_file(tpm2_abrmd_unit_t)
+
+########################################
+#
+# Local policy
+#
+
+allow tpm2_abrmd_t self:process signal;
+allow tpm2_abrmd_t self:unix_stream_socket create_socket_perms;
+
+dev_rw_tpm(tpm2_abrmd_t)
+
+kernel_read_crypto_sysctls(tpm2_abrmd_t)
+kernel_read_system_state(tpm2_abrmd_t)
+
+dbus_system_bus_client(tpm2_abrmd_t)
+dbus_connect_system_bus(tpm2_abrmd_t)
-- 
2.21.0





[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux