From fee021349d5e957a8cac6ee1c9859ddb60f341f7 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 3 Oct 2024 19:19:11 +0200
Subject: [PATCH] Confine power-profiles-daemon
---
dist/targeted/modules.conf | 7 +++++
policy/modules/contrib/powerprofiles.fc | 3 +++
policy/modules/contrib/powerprofiles.if | 1 +
policy/modules/contrib/powerprofiles.te | 36 +++++++++++++++++++++++++
4 files changed, 47 insertions(+)
create mode 100644 policy/modules/contrib/powerprofiles.fc
create mode 100644 policy/modules/contrib/powerprofiles.if
create mode 100644 policy/modules/contrib/powerprofiles.te
diff --git a/dist/targeted/modules.conf b/dist/targeted/modules.conf
index 257d2bf412..4467e17e02 100644
--- a/dist/targeted/modules.conf
+++ b/dist/targeted/modules.conf
@@ -3063,3 +3063,10 @@ systemd-homed = module # Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy # iiosensorproxy = module
+
+# Layer: system
+# Module: powerprofiles
+#
+# Policy for power-profiles-daemon - power profiles handling over D-Bus
+#
+powerprofiles = module
diff --git a/policy/modules/contrib/powerprofiles.fc b/policy/modules/contrib/powerprofiles.fc
new file mode 100644
index 0000000000..1e040ac008
--- /dev/null
+++ b/policy/modules/contrib/powerprofiles.fc
@@ -0,0 +1,3 @@
+/usr/libexec/power-profiles-daemon -- gen_context(system_u:object_r:powerprofiles_exec_t,s0)
+
+/var/lib/power-profiles-daemon(/.*)? gen_context(system_u:object_r:powerprofiles_var_lib_t,s0)
diff --git a/policy/modules/contrib/powerprofiles.if b/policy/modules/contrib/powerprofiles.if
new file mode 100644
index 0000000000..ad0be419a2
--- /dev/null
+++ b/policy/modules/contrib/powerprofiles.if
@@ -0,0 +1 @@
+Power profiles handling over D-Bus
diff --git a/policy/modules/contrib/powerprofiles.te b/policy/modules/contrib/powerprofiles.te
new file mode 100644
index 0000000000..d5a965c2fe
--- /dev/null
+++ b/policy/modules/contrib/powerprofiles.te
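Review bot: The new stanza in dist/targeted/modules.conf is headed `# Layer: system`, but the module files this commit creates live under policy/modules/contrib/. If the Layer field is meant to name the source directory, it should read `# Layer: contrib`; otherwise someone looking for powerprofiles.te under the system layer will not find it.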
@@ -0,0 +1,36 @@
+policy_module(powerprofiles, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type powerprofiles_t;
+type powerprofiles_exec_t;
+init_daemon_domain(powerprofiles_t, powerprofiles_exec_t)
+init_nnp_daemon_domain(powerprofiles_t)
+
+type powerprofiles_var_lib_t;
+files_type(powerprofiles_var_lib_t);
+
+permissive powerprofiles_t;
+
+allow powerprofiles_t powerprofiles_var_lib_t:dir search_dir_perms;
+allow powerprofiles_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_proc_files(powerprofiles_t)
+
+dev_list_sysfs(powerprofiles_t)
+
+optional_policy(`
+ dbus_connect_system_bus(powerprofiles_t)
+ dbus_system_bus_client(powerprofiles_t)
+
+ optional_policy(`
+ policykit_dbus_chat(powerprofiles_t)
+ ')
+')
+
+optional_policy(`
+ udev_search_pids(powerprofiles_t)
+')
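Review bot: `permissive powerprofiles_t;` means nothing in this module is enforced yet: any access outside the rules below is logged as an AVC denial and then allowed, so the daemon is labelled but not confined. If that is a deliberate bring-up step, say so next to the declaration, e.g. `# Permissive while AVC denials are collected; drop this line to enforce`, so the statement is not left behind. The rule set also looks too narrow to enforce as it stands: `powerprofiles_var_lib_t` gets only `dir search_dir_perms` although the .fc entry labels everything under /var/lib/power-profiles-daemon, so file access there would presumably need something like `manage_files_pattern(powerprofiles_t, powerprofiles_var_lib_t, powerprofiles_var_lib_t)` before the permissive line is removed. The trailing `;` after `files_type(powerprofiles_var_lib_t)` is not used on the other macro calls and can be dropped.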