From 395220122fcd6b93956c758a2a5094487254a89e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 30 Jul 2020 18:21:16 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/395220122fcd6b93956c758a2a5094487254a89e
Conflict: NA
Subject: [PATCH] Add dev_lock_all_blk_files() interface

For use in the dev_lock_all_blk_files() interface, create the lock_blk_files_pattern and lock_blk_file_perms object permissions set.
---
 policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
 policy/support/file_patterns.spt | 5 +++++
 policy/support/obj_perm_sets.spt | 1 +
 3 files changed, 26 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 932b9bd..2a69660 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1169,6 +1169,26 @@ interface(`dev_getattr_all_blk_files',`
 ########################################
 ##
+## Lock on all block file device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`dev_lock_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ type device_t;
+ ')
+
+ lock_blk_files_pattern($1, device_t, device_node)
+')
+
+########################################
+##
 ## Read on all block file device nodes.
 ##
 ##
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 8aa8c36..7e3fccd 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -408,6 +408,11 @@ define(`setattr_blk_files_pattern',`
 allow $1 $3:blk_file setattr_blk_file_perms;
 ')
+define(`lock_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file lock_blk_file_perms;
+')
+
 define(`read_blk_files_pattern',`
 allow $1 $2:dir search_dir_perms;
 allow $1 $3:blk_file read_blk_file_perms;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 399c448..524c586 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -233,6 +233,7 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
 #
 define(`getattr_blk_file_perms',`{ getattr }')
 define(`setattr_blk_file_perms',`{ setattr }')
+define(`lock_blk_file_perms',`{ getattr lock }')
 define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
 define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
 define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
--
1.8.3.1
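Review bot: `lock_blk_file_perms` is defined as `{ getattr lock }` with no `open`, so `dev_lock_all_blk_files()` in the devices.if hunk cannot by itself let a domain lock a block device node it opens; it only covers descriptors the domain already holds (inherited, or opened through another interface), and the neighbouring `read_blk_file_perms`/`write_blk_file_perms` sets already carry `lock` for that case. If that narrow scope is intended it should be stated in the interface description, e.g. `Grants getattr and lock only; the caller must be able to open the node through another interface.`, so that a policy author does not use this interface alone and get an AVC denial on open. Since the interface covers every type with the `device_node` attribute rather than a single device type, that description is also where a note on the intended (presumably fd-passing) caller would belong. The file_patterns.spt and obj_perm_sets.spt additions are consistent with the existing blk_file patterns and sets, so the documentation is the only change I would ask for.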