aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKenton Groombridge <me@concord.sh>2021-04-13 16:48:54 -0400
committerJason Zaman <perfinion@gentoo.org>2021-09-05 07:16:58 -0700
commit95ba6dc2388e695c24d2d19f5ce3aa6a6a8951be (patch)
tree1da15225d0518635886666e1e646fdf12f99bf81 /policy/modules
parentfilesystem, init: allow systemd to create pstore dirs (diff)
downloadhardened-refpolicy-95ba6dc2388e695c24d2d19f5ce3aa6a6a8951be.tar.gz
hardened-refpolicy-95ba6dc2388e695c24d2d19f5ce3aa6a6a8951be.tar.bz2
hardened-refpolicy-95ba6dc2388e695c24d2d19f5ce3aa6a6a8951be.zip
bootloader, devices: dontaudit grub writing on legacy efi variables
Newer versions of grub modify EFI variables on efivarfs. This commit adds a dontaudit on the legacy /sys/fs/efi/vars files. Signed-off-by: Kenton Groombridge <me@concord.sh> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules')
-rw-r--r--policy/modules/admin/bootloader.te2
-rw-r--r--policy/modules/kernel/devices.if18
2 files changed, 20 insertions, 0 deletions
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 8bbaed336..c149fd989 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -83,6 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
dev_read_rand(bootloader_t)
dev_read_urand(bootloader_t)
dev_read_sysfs(bootloader_t)
+# newer versions of grub use efivarfs to modify EFI variables; dontaudit legacy /sys/fs/efi/vars access
+dev_dontaudit_write_sysfs_files(bootloader_t)
# needed on some hardware
dev_rw_nvram(bootloader_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 19d29c95f..ac72cde12 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4475,6 +4475,24 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
+## Do not audit attempts to write to a sysfs file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:file write;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete sysfs
## directories.
## </summary>