Add SELinux policy support for Userspace Resource Manager (URM) #1097
varunsinghal29 wants to merge 5 commits into
Conversation
Add SELinux policy definitions for the URM (Username Resource Manager)
service, which manages CPU, IRQ, and cgroup resources per username for
optimizing system performance.
Changes include:
- urm.fc: File context definitions mapping:
  - /usr/bin/urm binary to urm_exec_t
  - /run/restune_sock runtime socket to urm_runtime_t
  - /etc/urm directory entry to urm_etc_t
  - /etc/urm(/.*)? configuration files to urm_config_t
- urm.te: Type declarations for 4 types:
  - urm_t: URM daemon process domain
  - urm_exec_t: URM executable
  - urm_config_t: URM configuration files under /etc/urm
  - urm_runtime_t: URM runtime socket under /run
  - urm_etc_t: URM top-level /etc/urm directory entry
  Policy rules include:
  - Syslog access for logging
  - sysfs read/write for CPU frequency scaling and IRQ affinity
  - PM QoS access via /dev/cpu_dma_latency
  - Kernel sysctl read/write for scheduler resource clamping
  - System state read from /proc for resource monitoring
  - Kernel module request for netlink connector
  - IRQ sysctl read/write for per-username IRQ affinity management
  - Cgroup file and directory management for resource group isolation
  - Netlink connector socket for kernel-userspace communication
  - Unix stream socket for client-server communication
  - Required capabilities: sys_admin, net_admin, dac_override, dac_read_search
- urm.if: Three interface definitions:
  - urm_read_config(): allows domains to read URM configuration files under /etc/urm
  - urm_rw_runtime_socket(): allows domains to read and write URM runtime socket under /run
  - urm_unix_stream_socket_connectto(): allows domains to connect to URM via unix domain stream socket
Signed-off-by: varusing <varusing@qti.qualcomm.com>
| @@ -0,0 +1,4 @@ | |||
| /usr/bin/urm -- gen_context(system_u:object_r:urm_exec_t,s0) | |||
| /run/restune_sock -s gen_context(system_u:object_r:urm_runtime_t,s0) | |||
| /etc/urm -- gen_context(system_u:object_r:urm_etc_t,s0) | |||
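Review bot: the `/etc/urm -- gen_context(system_u:object_r:urm_etc_t,s0)` entry uses the `--` (regular file) specifier for what the commit message describes as a directory; a directory entry would need `-d`. Since the `/etc/urm(/.*)?` urm_config_t entry already covers the directory and its contents, this line and the urm_etc_t type can be dropped altogether, which also removes the urm_etc_t rules in urm.te. Keep the .fc entries in path order (/etc, /run, /usr) as the style guide asks.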
This is not required, let /etc/urm use urm_config_t label
| ## Domain allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| ## <rolecap/> |
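Review bot: `## <rolecap/>` does not belong in this doc block; that tag marks interfaces that grant a role-level capability and feeds the role documentation, whereas this interface only grants read access to urm_config_t to the domain named in the `Domain allowed access.` parameter. Drop the line so the generated docs stay accurate.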
This line is not required.
| gen_require(` | ||
| type urm_t, urm_runtime_t; | ||
| ') | ||
| aloow $1 urm_runtime_t:sock_file write; |
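Review bot: `aloow $1 urm_runtime_t:sock_file write;` is a typo for `allow` and will stop the module from building. Even corrected, the rule is redundant: if this interface is the connectto one, stream_connect_pattern($1, <socket dir type>, urm_runtime_t, urm_t) grants the sock_file write together with the unix_stream_socket connectto, and callers that need read/write on the socket file already have urm_rw_runtime_socket().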
This line is not required. The above interface urm_rw_runtime_socket can be used to get read, write permissions on urm_runtime_t sock_file.
| # under /run for client communication | ||
| # | ||
| allow urm_t urm_runtime_t:sock_file manage_sock_file_perms; |
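Review bot: `allow urm_t urm_runtime_t:sock_file manage_sock_file_perms;` sits among the type declarations (under the `# under /run for client communication` comment) instead of in the urm local policy section; move it below the local policy header with the other urm_t rules. Note also that managing the sock_file is not enough for a socket created at runtime directly under /run: without a files_pid_filetrans(urm_t, urm_runtime_t, sock_file) the new socket inherits the /run directory's label instead of urm_runtime_t, and the urm.fc entry only takes effect at relabel time.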
This should go under above urm local policy section.
| allow urm_t self:netlink_connector_socket { create_socket_perms read }; | ||
| allow urm_t self:unix_stream_socket { create connectto }; | ||
| dontaudit urm_t self: capability net_admin; | ||
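Review bot: the three rules starting at `allow urm_t self:netlink_connector_socket { create_socket_perms read };` belong in the local policy block, and `read` is already part of create_socket_perms, so `create_socket_perms` alone suffices. More importantly, `dontaudit urm_t self: capability net_admin;` only silences the denial; the commit message lists net_admin among the required capabilities, so confirm in permissive mode that the netlink connector path works without it before dontauditing, otherwise a real failure becomes invisible in the audit log.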
Above three lines also should go under urm local policy.
| dev_rw_pmqos(urm_t) | ||
| # Read kernel sysctls e.g. sched_util_clamp_min | ||
| kernel_read_kernel_sysctls(urm_t) |
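Review bot: `kernel_read_kernel_sysctls(urm_t)` grants read only, while the comment says the daemon sets sched_util_clamp_min; use the read/write counterpart, kernel_rw_kernel_sysctls(urm_t), so the raw sysctl_kernel_t rule further down is no longer needed. Be aware that either interface covers the whole of /proc/sys/kernel, not just the sched_util_clamp_* entries, so this is the minimum refpolicy offers rather than a tight grant.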
use kernel_rw_kernel_sysctl here instead of kernel_read_kernel_sysctls, because I can see you need write permissions as well from below policy.
allow urm_t sysctl_kernel_t:file { read write open getattr };
| # for per-username CPU scheduling resource management | ||
| # | ||
| allow urm_t sysctl_kernel_t:file { read write open getattr }; |
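Review bot: `allow urm_t sysctl_kernel_t:file { read write open getattr };` references a type owned by the kernel module without a gen_require, so the module will not build, and refpolicy style disallows touching another module's types directly in any case. Remove it in favour of the kernel sysctl read/write interface.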
Remove this line, because using kernel_rw_kernel_sysctl will not require this policy.
| # CPU frequency scaling settings | ||
| # | ||
| allow urm_t urm_config_t:file { read write open getattr }; |
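Review bot: `allow urm_t urm_config_t:file { read write open getattr };` belongs in the local policy section and should use rw_files_pattern(urm_t, urm_config_t, urm_config_t) so the directory search comes with it. Separately, letting the daemon write its own configuration under /etc means a compromised urm_t can rewrite its own policy inputs (the later commit message names scaling_max_freq.txt); if those files are runtime state rather than admin-provided settings, the usual split is a separate writable type under /var/lib while /etc/urm stays read-only to the daemon.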
This should go under above urm local policy section. Use rw_file_perms macro.
| # | ||
| allow urm_t urm_etc_t:dir { search write create execute }; | ||
| allow urm_t urm_etc_t:file { read write open getattr create }; |
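Review bot: `allow urm_t urm_etc_t:dir { search write create execute };` cannot actually create files in the directory because `add_name` (and `remove_name` for deletion) is missing, and `execute` has no meaning on a dir. If urm_etc_t is kept, rw_files_pattern(urm_t, urm_etc_t, urm_etc_t) replaces both lines with the correct permission sets; if /etc/urm is relabelled urm_config_t as suggested for the .fc, both rules fold into the urm_config_t rule and the type disappears.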
The above two lines can be merged as single policy and it should go under urm local policy section. Use rw_files_pattern macro.
| # | ||
| type cgroup_t; | ||
| allow urm_t cgroup_t:dir { add_name create write search read open getattr }; | ||
| allow urm_t cgroup_t:file { create write read open getattr }; |
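Review bot: `type cgroup_t;` redeclares a type owned by the filesystem module, which is a duplicate declaration at build time (and even a gen_require would be against style for a raw rule). Replace the three lines with the fs_* cgroup interfaces as suggested; since the dir rule includes `add_name create write`, the daemon is creating cgroup directories as well as writing files, so pair the file interface with fs_manage_cgroup_dirs(urm_t) or the access will still be denied.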
Remove above three lines and use fs_create_cgroup_files(urm_t)
Add SELinux policy definitions for the URM (Username Resource Manager)
service, which manages CPU, IRQ, and cgroup resources per username for
optimizing system performance.
Changes include:
- urm.fc: File context definitions mapping:
  - /usr/bin/urm binary to urm_exec_t
  - /run/restune_sock runtime socket to urm_runtime_t
  - /etc/urm(/.*)? configuration files to urm_config_t
- urm.te: Type declarations for 3 types:
  - urm_t: URM daemon process domain
  - urm_exec_t: URM executable
  - urm_config_t: URM configuration files under /etc/urm
  - urm_runtime_t: URM runtime socket under /run
  Policy rules include:
  - Syslog access for logging
  - sysfs read/write for CPU frequency scaling and IRQ affinity
  - PM QoS access via /dev/cpu_dma_latency
  - Kernel sysctl read/write for scheduler resource clamping
  - System state read from /proc for resource monitoring
  - Kernel module request for netlink connector
  - IRQ sysctl read/write for per-username IRQ affinity management
  - Cgroup file and directory management for resource group isolation
  - Netlink connector socket for kernel-userspace communication
  - Unix stream socket for client-server communication
  - Runtime socket transition under /run for client communication
- urm.if: Three interface definitions:
  - urm_read_config(): allows domains to read URM configuration files under /etc/urm
  - urm_rw_runtime_socket(): allows domains to read and write URM runtime socket under /run
  - urm_unix_stream_socket_connectto(): allows domains to connect to URM via unix domain stream socket
Signed-off-by: varusing <varusing@qti.qualcomm.com>
We are still getting the below AVC denial errors: `type=AVC msg=audit(19.543:258): avc: denied { dac_read_search } for pid=828 comm="urm" capability=2 scontext=system_u:system_r:urm_t:s0 tcontext=system_u:system_r:urm_t:s0 tclass=capability permissive=0 type=AVC msg=audit(19.543:258): avc: denied { dac_override } for pid=828 comm="urm" capability=1 scontext=system_u:system_r:urm_t:s0 tcontext=system_u:system_r:urm_t:s0 tclass=capability permissive=0` @sasikuma-qti can you please re-review the latest changes and also suggest what we need to add to remove the above AVC denials.
Add SELinux policy definitions for the URM (Username Resource Manager)
service, which manages CPU, IRQ, and cgroup resources per username for
optimizing system performance.
Changes include:
- urm.fc: File context definitions mapping:
  - /usr/bin/urm binary to urm_exec_t
  - /run/restune_sock runtime socket to urm_runtime_t
  - /etc/urm(/.*)? configuration files to urm_config_t
- urm.te: Type declarations for 4 types:
  - urm_t: URM daemon process domain
  - urm_exec_t: URM executable
  - urm_config_t: URM configuration files under /etc/urm
  - urm_runtime_t: URM runtime socket under /run
  Policy rules include:
  - Runtime socket management under /run for client communication
  - Netlink connector socket for kernel-userspace communication
  - Unix stream socket for client-server communication
  - Suppress spurious capability denials for net_admin, dac_override and dac_read_search
  - Config file read/write for per-username CPU frequency scaling settings e.g. scaling_max_freq.txt
  - Syslog access for logging
  - sysfs read/write for CPU frequency scaling and IRQ affinity
  - PM QoS access via /dev/cpu_dma_latency for power and latency management per username
  - Kernel sysctl read/write e.g. sched_util_clamp_min
  - System state read from /proc for per-username resource usage monitoring
  - Kernel module request for netlink connector
  - IRQ sysctl read/write for per-username IRQ affinity management via /proc/irq/*/smp_affinity
  - Cgroup file and directory management for per-username resource group isolation
  - All domain process state read from /proc/<pid> for per-username process resource monitoring
  - Runtime socket transition under /run for client communication
- urm.if: Three interface definitions:
  - urm_read_config(): allows domains to read URM configuration files under /etc/urm
  - urm_rw_runtime_socket(): allows domains to read and write URM runtime socket under /run
  - urm_unix_stream_socket_connectto(): allows domains to connect to URM via unix domain stream socket
Signed-off-by: varusing <varusing@qti.qualcomm.com>
@sasikuma-qti changes done as per suggestion. Thanks
pebenito
left a comment
- There is a lint issue.
- Please follow the StyleGuide as there are issues
- Can you provide a link to the project here as a comment, as I'm unsure what URM this refers to.
Add SELinux policy definitions for the URM (Username Resource Manager)
service, which manages CPU, IRQ, and cgroup resources per username for
optimizing system performance.
Changes include:
- urm.fc: File context definitions mapping:
  - /usr/bin/urm binary to urm_exec_t
  - /run/restune_sock runtime socket to urm_runtime_t
  - /etc/urm(/.*)? configuration files to urm_config_t
- urm.te: Type declarations for 4 types:
  - urm_t: URM daemon process domain
  - urm_exec_t: URM executable
  - urm_config_t: URM configuration files under /etc/urm
  - urm_runtime_t: URM runtime socket under /run
  Policy rules include:
  - Runtime socket management under /run for client communication
  - Netlink connector socket for kernel-userspace communication
  - Unix stream socket for client-server communication
  - Suppress spurious capability denials for net_admin, dac_override and dac_read_search
  - Config file read/write for per-username CPU frequency scaling settings e.g. scaling_max_freq.txt
  - Syslog access for logging
  - sysfs read/write for CPU frequency scaling and IRQ affinity
  - PM QoS access via /dev/cpu_dma_latency for power and latency management per username
  - Kernel sysctl read/write e.g. sched_util_clamp_min
  - System state read from /proc for per-username resource usage monitoring
  - Kernel module request for netlink connector
  - IRQ sysctl read/write for per-username IRQ affinity management via /proc/irq/*/smp_affinity
  - Cgroup file and directory management for per-username resource group isolation
  - All domain process state read from /proc/<pid> for per-username process resource monitoring
  - Runtime socket transition under /run for client communication
- urm.if: Two interface definitions:
  - urm_read_config(): allows domains to read URM configuration files under /etc/urm
  - urm_stream_connectto(): allows domains to connect to URM via unix domain stream socket
Signed-off-by: varusing <varusing@qti.qualcomm.com>
URM project link: https://github.com/qualcomm/userspace-resource-manager please review this PR. Thanks
Is URM used outside of Qualcomm Linux? If not, I'm reluctant to accept it upstream, as I think it should be kept in your repo. I'd still be happy to continue this review, regardless.
@pebenito |
pebenito
left a comment
Please review the style guide, as the lines in the .fc file and local policy block (.te) are out of order
| interface(`urm_stream_connectto',` | ||
| gen_require(` | ||
| type urm_t, urm_runtime_t; | ||
| ') | ||
| allow $1 urm_runtime_t:sock_file rw_sock_file_perms; | ||
| stream_connect_pattern($1, urm_runtime_t, urm_runtime_t, urm_t) | ||
| ') No newline at end of file |
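Review bot: `allow $1 urm_runtime_t:sock_file rw_sock_file_perms;` is redundant with the stream_connect_pattern on the next line, which already grants write on the sock_file; read on a socket file is not needed to connect, so drop the explicit rule. Also, the pattern's second argument is the type of the directory holding the socket, and /run/restune_sock lives directly in /run, which is not urm_runtime_t; callers therefore need files_search_pids($1) (or the pid dir type in that position) to reach the socket. The rename to urm_stream_connect and the missing trailing newline stand as already noted.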
Nit: Please drop the "to" at the end of the interface name: urm_stream_connect. Also make sure there is a new line at the end of the file.
| ## <summary> | ||
| ## Policy for the URM (Username-Resource-Manager) service. | ||
| ## </summary> | ||
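Review bot: the `## <summary>` / `## </summary>` block is not parsed in a .te file; the XML module description belongs at the top of urm.if, while urm.te carries only policy_module(urm, ...) and plain `#` comments. Remove it here so the doc tooling does not pick up a stray fragment.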
.te files don't support this xml snippet. Please remove.