refpolicy-mcs: Add xenpriv_device_t

/dev/xen/privcmd is much more powerful than the other xen_device_t
interfaces, so label it separately.

OXT-1731

Signed-off-by: Jason Andryuk <[email protected]>

recipes-security/refpolicy/refpolicy-mcs-2.%/patches/xen-privcmd.patch

@@ -0,0 +1,99 @@
+--- a/policy/modules/system/xen.te
++++ b/policy/modules/system/xen.te
+@@ -339,6 +339,7 @@ dev_filetrans_xen(xend_t)
+ dev_filetrans_blktap(xend_t, "blktap-2")
+ dev_rw_sysfs(xend_t)
+ dev_rw_xen(xend_t)
++dev_rw_xenpriv(xend_t)
+ dev_read_rand(xend_t)
+ dev_search_xen(xend_t)
+ dev_manage_xen(xend_t)
+@@ -548,6 +549,7 @@ kernel_write_xen_state(xenconsoled_t)
+ kernel_read_xen_state(xenconsoled_t)
+
+ dev_rw_xen(xenconsoled_t)
++dev_rw_xenpriv(xenconsoled_t)
+ dev_filetrans_xen(xenconsoled_t)
+ dev_rw_sysfs(xenconsoled_t)
+
+@@ -621,6 +623,7 @@ corecmd_search_bin(xenstored_t)
+
+ dev_filetrans_xen(xenstored_t)
+ dev_rw_xen(xenstored_t)
++dev_rw_xenpriv(xenstored_t)
+ dev_read_sysfs(xenstored_t)
+ dev_create_generic_dirs(xenstored_t)
+ dev_manage_xen(xenstored_t)
+@@ -753,6 +756,7 @@ xen_stream_connect(xm_t)
+ xen_stream_connect_xenstore(xm_t)
+
+ dev_rw_xen(xm_t)
++dev_rw_xenpriv(xm_t)
+
+ tunable_policy(`xen_use_fusefs',`
+ 	fs_manage_fusefs_dirs(xm_t)
+--- a/policy/modules/kernel/devices.fc
++++ b/policy/modules/kernel/devices.fc
+@@ -186,10 +186,10 @@ ifdef(`distro_suse', `
+ /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/xen/gntdev		-c	gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/xen/gntalloc	-c	gen_context(system_u:object_r:xen_device_t,s0)
+-/dev/xen/privcmd	-c	gen_context(system_u:object_r:xen_device_t,s0)
++/dev/xen/privcmd	-c	gen_context(system_u:object_r:xenpriv_device_t,s0)
+ /dev/xen/xenbus		-c	gen_context(system_u:object_r:xenstore_dev_t,s0)
+ /dev/xen/xenbus_backend	-c	gen_context(system_u:object_r:xen_device_t,s0)
+-/dev/xen/hypercall	-c	gen_context(system_u:object_r:xen_device_t,s0)
++/dev/xen/hypercall	-c	gen_context(system_u:object_r:xenpriv_device_t,s0)
+
+
+ ifdef(`distro_debian',`
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -5025,6 +5025,25 @@ interface(`dev_rw_xen',`
+
+ ########################################
+ ## <summary>
++##	Read and write Xen privcmd devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_xenpriv',`
++	gen_require(`
++		type device_t, xenpriv_device_t;
++	')
++
++	rw_chr_files_pattern($1, device_t, xenpriv_device_t)
++	allow $1 xenpriv_device_t:chr_file { map };
++')
++
++########################################
++## <summary>
+ ##	Read and write Xenstore/xenbus devices.
+ ## </summary>
+ ## <param name="domain">
+--- a/policy/modules/kernel/devices.te
++++ b/policy/modules/kernel/devices.te
+@@ -309,6 +309,9 @@ dev_node(wireless_device_t)
+ type xen_device_t;
+ dev_node(xen_device_t)
+
++type xenpriv_device_t;
++dev_node(xenpriv_device_t)
++
+ type xenstore_dev_t;
+ dev_node(xenstore_dev_t)
+
+--- a/policy/modules/apps/qemu.te
++++ b/policy/modules/apps/qemu.te
+@@ -72,6 +72,7 @@ dbus_system_bus_client(qemu_t)
+ # leaked file descriptors
+ xen_dontaudit_rw_unix_stream_sockets(qemu_t)
+ dev_rw_xen(qemu_t)
++dev_rw_xenpriv(qemu_t)
+ dev_read_sysfs(qemu_t)
+ xen_stream_connect_xenstore(qemu_t)
+ allow qemu_t qemu_exec_t:file execute_no_trans;

recipes-security/refpolicy/refpolicy-mcs-2.%/policy/modules/services/glass.te

@@ -56,6 +56,7 @@ dev_rw_dri(glass_t)
 dev_read_sysfs(glass_t)
 dev_rw_input_dev(glass_t)
 dev_rw_xen(glass_t)
+dev_rw_xenpriv(glass_t)
 xen_rw_xenstore(glass_t)
 
 files_read_usr_files(glass_t)

recipes-security/refpolicy/refpolicy-mcs_2.%.bbappend

@@ -167,6 +167,7 @@ SRC_URI += " \
     file://patches/xl-sysadm-interfaces.patch \
     file://patches/policy.modules.admin.bootloader.diff \
     file://patches/xenstore-labeling.patch \
+    file://patches/xen-privcmd.patch \
 "
 
 DEPENDS_append += " \