From 4e12649d4ea597531a5c0538f48c05a4ea539c6f Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mar 02 2010 15:24:24 +0000 Subject: Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs() --- diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index fe31e1f..a3796f8 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -29,14 +29,39 @@ ######################################## ## -## Make the passed in type a type appropriate for -## use on device nodes (usually files in /dev). +## Make the specified type usable for device +## nodes in a filesystem. ## -## +## +##

+## Make the specified type usable for device nodes +## in a filesystem. Types used for device nodes that +## do not use this interface, or an interface that +## calls this one, will have unexpected behaviors +## while the system is running. +##

+##

+## Example: +##

+##

+## type mydev_t; +## dev_node(mydev_t) +## allow mydomain_t mydev_t:chr_file read_chr_file_perms; +##

+##

+## Related interfaces: +##

+## +## +## ## -## The object type that will be used on device nodes. +## Type to be used for device nodes. ## ## +## # interface(`dev_node',` gen_require(` @@ -2797,13 +2822,28 @@ interface(`dev_rw_qemu',` ######################################## ## ## Read from random number generator -## devices (e.g., /dev/random) +## devices (e.g., /dev/random). ## +## +##

+## Allow the specified domain to read from random number +## generator devices (e.g., /dev/random). Typically this is +## used in situations when a cryptographically secure random +## number is needed. +##

+##

+## Related interface: +##

+##
    +##
  • dev_read_urand()
    • +##
+## ## ## ## Domain allowed access. ## ## +## # interface(`dev_read_rand',` gen_require(` @@ -3345,13 +3385,22 @@ interface(`dev_write_sysfs_dirs',` ######################################## ## -## Allow caller to read hardware state information. +## Read hardware state information. ## +## +##

+## Allow the specified domain to read the contents of +## the sysfs filesystem. This filesystem contains +## information, parameters, and other settings on the +## hardware installed on the system. +##

+## ## ## -## The process type reading hardware state information. +## Domain allowed access. ## ## +## # interface(`dev_read_sysfs',` gen_require(` @@ -3387,13 +3436,36 @@ interface(`dev_rw_sysfs',` ######################################## ## -## Read from pseudo random devices (e.g., /dev/urandom) +## Read from pseudo random number generator devices (e.g., /dev/urandom). ## +## +##

+## Allow the specified domain to read from pseudo random number +## generator devices (e.g., /dev/urandom). Typically this is +## used in situations when a cryptographically secure random +## number is not necessarily needed. One example is the Stack +## Smashing Protector (SSP, formerly known as ProPolice) support +## that may be compiled into programs. +##

+##

+## Related interface: +##

+##
    +##
  • dev_read_rand()
    • +##
+##

+## Related tunable: +##

+##
    +##
  • global_ssp
    • +##
+## ## ## ## Domain allowed access. ## ## +## # interface(`dev_read_urand',` gen_require(` diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index cf82911..83d26a5 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -30,7 +30,9 @@ ## in a filesystem. Types used for files that ## do not use this interface, or an interface that ## calls this one, will have unexpected behaviors -## while the system is running. +## while the system is running. If the type is used +## for device nodes (character or block files), then +## the dev_node() interface is more appropriate. ##

##

## Related interfaces: