From f6c6faa3be70b22e3d499c4ee25739a4c005db0c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Fri, 24 May 2024 15:13:08 +0200
Subject: [PATCH] Draft: Confine tpm2 generator
---
 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.if | 4 ++--
 policy/modules/system/systemd.te | 13 +++++++++++--
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 2880603320..524ed6d020 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -87,6 +87,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit
 /usr/lib/systemd/system-generators/systemd-rc-local-generator -- gen_context(system_u:object_r:systemd_rc_local_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-ssh-generator -- gen_context(system_u:object_r:systemd_ssh_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-sysv-generator -- gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-tpm2-generator -- gen_context(system_u:object_r:systemd_tpm2_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/zram-generator -- gen_context(system_u:object_r:systemd_zram_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/.+ -- gen_context(system_u:object_r:systemd_generic_generator_exec_t,s0)
 /usr/lib/systemd/zram-generator.conf -- gen_context(system_u:object_r:systemd_zram_generator_conf_t,s0)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 5f2bb2a03a..55a13a0365 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -82,12 +82,12 @@ template(`systemd_generator_template',` type $1_unit_file_t; systemd_unit_file($1_unit_file_t) + allow $1_t self:unix_dgram_socket create_socket_perms; + allow $1_t $1_unit_file_t:dir manage_dir_perms; allow $1_t $1_unit_file_t:file manage_file_perms; allow $1_t $1_unit_file_t:lnk_file manage_lnk_file_perms; systemd_unit_file_filetrans($1_t, $1_unit_file_t, { dir file lnk_file }) - - permissive $1_t; ') ######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7bc6c482f2..abe0012cc2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -208,6 +208,8 @@ systemd_generator_template(systemd_rc_local_generator)
 systemd_generator_template(systemd_ssh_generator)
 # sysv-generator
 systemd_generator_template(systemd_sysv_generator)
+# tpm2-generator
+systemd_generator_template(systemd_tpm2_generator)
 # zram-generator
 systemd_generator_template(systemd_zram_generator)
 type systemd_zram_generator_conf_t;
@@ -1300,7 +1302,7 @@ init_exec_script_files(systemd_rc_local_generator_t)
 ### ssh generator
 allow systemd_ssh_generator_t self:process setfscreate;
 allow systemd_ssh_generator_t self:vsock_socket create;
-allow systemd_ssh_generator_t vsock_device_t:chr_file { ioctl open read };
+allow systemd_ssh_generator_t vsock_device_t:chr_file { read_chr_file_perms };
 dev_read_sysfs(systemd_ssh_generator_t)
@@ -1312,8 +1314,12 @@ optional_policy(`
 ### sysv generator
 init_read_script_files(systemd_sysv_generator_t)
+### tpm2 generator
+dev_list_sysfs(systemd_tpm2_generator_t)
+
 ### zram generator
 allow systemd_zram_generator_t systemd_fstab_generator_unit_file_t:file write_file_perms;
+permissive systemd_zram_generator_t;
 # for systemd-detect-virt - needs to be confined
 corecmd_exec_bin(systemd_zram_generator_t)
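Review bot: The new `allow $1_t self:unix_dgram_socket create_socket_perms;` in the shared template grants the permission to every generator domain instantiated from it, and nothing in the hunk says which generator produced the denial that motivated it; a one-line comment naming the consumer (journal/syslog logging is the usual reason for a self unix_dgram_socket rule, but confirm it from the actual denial) would keep the line from reading as stray. Dropping `permissive $1_t;` from the same template switches every existing generator domain to enforcing in one step, while this commit restores `permissive` only for systemd_zram_generator_t and systemd_generic_generator_t; if the rc-local, ssh, sysv and fstab generators have not been checked in enforcing mode, that should be stated in the commit message or the removal split into its own commit. The template body begins and ends outside the hunk, and the rendering has dropped its blank lines, so the exact placement of the added and removed blank lines cannot be verified here.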
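Review bot: `{ read_chr_file_perms }` wraps a permission-set macro that already expands to a braced set in a second pair of braces; the file's own convention, visible in `allow systemd_zram_generator_t systemd_fstab_generator_unit_file_t:file write_file_perms;` further down, is to use the macro bare, so the line should read `allow systemd_ssh_generator_t vsock_device_t:chr_file read_chr_file_perms;`. The macro also carries `getattr` and `lock` beyond the `{ ioctl open read }` it replaces, which is fine if that widening is intended but is worth a word in the commit message since the subject mentions only the tpm2 generator. The ssh generator rules may continue past the hunk's last visible line.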
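Review bot: `permissive systemd_zram_generator_t;` is inserted directly above the pre-existing `# for systemd-detect-virt - needs to be confined` comment, so that comment now reads as the rationale for the permissive declaration rather than for `corecmd_exec_bin`; give the permissive line its own comment, e.g. `# TODO: still permissive until the remaining zram generator denials are resolved`, and the same applies to `permissive systemd_generic_generator_t;` in the following hunk. With `permissive $1_t;` removed from the template, systemd_tpm2_generator_t now runs enforcing with only the template rules plus `dev_list_sysfs`; if the generator reads attribute files under sysfs rather than only listing directories, `dev_read_sysfs(systemd_tpm2_generator_t)` (as the ssh generator already has) may be needed, which is worth confirming from an enforcing-mode boot before the Draft tag is dropped.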
@@ -1328,10 +1334,13 @@ optional_policy(`
 modutils_domtrans_kmod(systemd_zram_generator_t)
 ')
+### a generic generator
+permissive systemd_generic_generator_t;
+
 #######################################
 #
-# systemd_network_generator service domain
+# systemd_network_generator domain
 #
 init_named_pid_filetrans(systemd_network_generator_t, net_conf_t, dir, "network")