2016-08-07 21:08:13

by guido

Subject: [refpolicy] [PATCH] Add module_load permission to can_load_kernmodule

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/kernel.te | 4 ++++
1 file changed, 4 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-06 21:26:43.287774191 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-07 22:39:58.704800333 +0200
@@ -18,6 +18,7 @@ attribute can_receive_kernel_messages;
attribute can_dump_kernel;

neverallow ~can_load_kernmodule self:capability sys_module;
+neverallow ~can_load_kernmodule modules_object_t:system module_load;

# domains with unconfined access to kernel resources
attribute kern_unconfined;
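Review bot: the new neverallow at the top of kernel.te names modules_object_t, a type that belongs to the files module, not to kernel; refpolicy keeps cross-module type references behind interfaces (or at minimum a gen_require), so the constraint should either live in files.te or be exposed through a files_* interface. The existing `neverallow ~can_load_kernmodule self:capability sys_module;` gets away with a raw rule only because both sides of it are kernel-owned.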
@@ -216,6 +217,8 @@ allow kernel_t self:fd use;

allow kernel_t debugfs_t:dir search_dir_perms;

+allow kernel_t modules_object_t:system ~module_load;
+
allow kernel_t proc_t:dir list_dir_perms;
allow kernel_t proc_t:file read_file_perms;
allow kernel_t proc_t:lnk_file read_lnk_file_perms;
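Review bot: `allow kernel_t modules_object_t:system ~module_load;` grants the complement of the permission set, i.e. every permission in the system class except module_load, to kernel_t on modules_object_t, which is the opposite of what the commit message describes and widens kernel_t instead of restricting it. If kernel_t genuinely needs to load modules from modules_object_t files the rule should read `allow kernel_t modules_object_t:system module_load;`; if no such load happens, drop the rule rather than leave an inverted grant in the base module.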
@@ -428,6 +431,7 @@ optional_policy(`

if( ! secure_mode_insmod ) {
allow can_load_kernmodule self:capability sys_module;
+ allow can_load_kernmodule modules_object_t:system module_load;

# load_module() calls stop_machine() which
# calls sched_setscheduler()
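Review bot: the rule added inside the `if( ! secure_mode_insmod )` block only covers the load path where the kernel checks module_load against a file labelled modules_object_t, i.e. finit_module(); a loader that reads the image itself and calls init_module() (for instance kmod after decompressing a .ko.xz in user space) has the check made against its own domain, with tcontext equal to scontext, and nothing here grants `can_load_kernmodule self:system module_load`. The commit message should say which path is intended, and the patch should be tested with both a file-backed and a memory-backed load before merging.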

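In practice the permission this thread adds first shows up as an AVC denial with tclass=system, and the target context in that record tells you which load path the kernel took and therefore which policy change is appropriate. The script below is an added example, not code from the refpolicy project or from the patch author: it parses a handful of constructed AVC lines (pids, paths and inode numbers are made up) and maps each module_load denial to a suggestion. It assumes the files_load_kernel_modules() interface proposed later in this thread exists, and it treats a module file that is not labelled modules_object_t as a labelling problem to fix with restorecon rather than as a reason to add an allow rule.

```python
"""Map SELinux AVC denials for `system { module_load }` to the refpolicy
change a maintainer would actually want.

Added example for this thread, not code from the refpolicy project or
from the patch author.  The AVC lines in SAMPLE_AVC are constructed to
match the audit record format; pids, paths and inode numbers are made up.
"""
import re
from typing import List, Optional, Tuple

# Interface proposed in this thread (assumed to be merged).
LOAD_IFACE = "files_load_kernel_modules"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records: one finit_module() load of a properly labelled
# module, one init_module() load from memory, one finit_module() load of a
# module sitting in /tmp, and one unrelated denial that must be ignored.
SAMPLE_AVC = """\
type=AVC msg=audit(1470600000.101:201): avc:  denied  { module_load } for  pid=1201 comm="modprobe" path="/lib/modules/4.7.0/kernel/fs/fuse/fuse.ko" dev="sda1" ino=30001 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1470600000.102:202): avc:  denied  { module_load } for  pid=1202 comm="insmod" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=system permissive=0
type=AVC msg=audit(1470600000.103:203): avc:  denied  { module_load } for  pid=1203 comm="insmod" path="/tmp/hello.ko" dev="sda1" ino=30003 scontext=system_u:system_r:insmod_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=system permissive=0
type=AVC msg=audit(1470600000.104:204): avc:  denied  { read } for  pid=1204 comm="cat" name="shadow" dev="sda1" ino=30004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""


def type_of(context: str) -> str:
    """Return the type field of a security context (user:role:type[:range])."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit line; return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "fields": fields,
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
    }


def suggest(d: dict) -> Optional[Tuple[str, str, str]]:
    """Return (source_type, kind, suggestion) for a module_load denial, else None."""
    if d["tclass"] != "system" or "module_load" not in d["perms"]:
        return None
    src = type_of(d["scontext"])
    if d["tcontext"] == d["scontext"]:
        # init_module(): the image comes from memory, so the kernel checks the
        # permission against the loading domain itself.  A rule on
        # modules_object_t does not cover this; it has to be a self rule.
        return (src, "self", f"allow {src} self:system module_load;")
    tgt = type_of(d["tcontext"])
    if tgt == "modules_object_t":
        # finit_module() on a correctly labelled module file: use the interface.
        return (src, "interface", f"{LOAD_IFACE}({src})")
    # finit_module() on a file carrying some other type: do not widen policy
    # to the stray type, fix the label on the file instead.
    path = d["fields"].get("path", "<unknown path>")
    return (src, "relabel",
            f"module {path} is labelled {tgt}, not modules_object_t; "
            f"relabel it (restorecon) instead of allowing {src} to load from {tgt}")


def analyze(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run suggest() over every parsable AVC line, skipping unrelated denials."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        s = suggest(d)
        if s is not None:
            out.append(s)
    return out


if __name__ == "__main__":
    for src, kind, text in analyze(SAMPLE_AVC.splitlines()):
        print(f"[{kind:9}] {src}: {text}")
```

Feed it `ausearch -m AVC -ts recent` output (or `dmesg` lines containing `avc:`) from a kernel 4.7 or later box; the three kinds of suggestion correspond to the three situations the thread argues about: a plain interface call, a self rule that the patch does not grant, and a mislabelled module that no policy rule should paper over.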

2016-08-09 14:18:10

by guido

Subject: [refpolicy] [PATCH v2] Add module_load permission to can_load_kernmodule

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

A couple of unneeded permissions are removed from the kernel
module loading section.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/kernel.te | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-06 21:26:43.287774191 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-09 15:55:46.652356995 +0200
@@ -18,6 +18,7 @@ attribute can_receive_kernel_messages;
attribute can_dump_kernel;

neverallow ~can_load_kernmodule self:capability sys_module;
+neverallow ~can_load_kernmodule modules_object_t:system module_load;

# domains with unconfined access to kernel resources
attribute kern_unconfined;
@@ -216,6 +217,8 @@ allow kernel_t self:fd use;

allow kernel_t debugfs_t:dir search_dir_perms;

+allow kernel_t modules_object_t:system ~module_load;
+
allow kernel_t proc_t:dir list_dir_perms;
allow kernel_t proc_t:file read_file_perms;
allow kernel_t proc_t:lnk_file read_lnk_file_perms;
@@ -428,11 +431,7 @@ optional_policy(`

if( ! secure_mode_insmod ) {
allow can_load_kernmodule self:capability sys_module;
-
- # load_module() calls stop_machine() which
- # calls sched_setscheduler()
- allow can_load_kernmodule self:capability sys_nice;
- kernel_setsched(can_load_kernmodule)
+ allow can_load_kernmodule modules_object_t:system module_load;
}

########################################
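Review bot: the removal of `allow can_load_kernmodule self:capability sys_nice;` and `kernel_setsched(can_load_kernmodule)` is an unrelated behaviour change bundled into a patch whose subject is adding module_load; the commit message calls them "unneeded" without saying which kernel version dropped the stop_machine()/sched_setscheduler() path the deleted comment cites. Split the removal into its own patch carrying that evidence, so the module_load change can be merged and bisected independently.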

2016-08-13 13:21:40

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] Add module_load permission to can_load_kernmodule

On 08/09/16 10:18, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
>
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
>
> A couple of unneeded permissions are removed from the kernel
> module loading section.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/kernel.te | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-06 21:26:43.287774191 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-09 15:55:46.652356995 +0200
> @@ -18,6 +18,7 @@ attribute can_receive_kernel_messages;
> attribute can_dump_kernel;
>
> neverallow ~can_load_kernmodule self:capability sys_module;
> +neverallow ~can_load_kernmodule modules_object_t:system module_load;

Problematic, as modules_object_t is not owned by this module.


> # domains with unconfined access to kernel resources
> attribute kern_unconfined;
> @@ -216,6 +217,8 @@ allow kernel_t self:fd use;
>
> allow kernel_t debugfs_t:dir search_dir_perms;
>
> +allow kernel_t modules_object_t:system ~module_load;
> +
> allow kernel_t proc_t:dir list_dir_perms;
> allow kernel_t proc_t:file read_file_perms;
> allow kernel_t proc_t:lnk_file read_lnk_file_perms;
> @@ -428,11 +431,7 @@ optional_policy(`
>
> if( ! secure_mode_insmod ) {
> allow can_load_kernmodule self:capability sys_module;
> -
> - # load_module() calls stop_machine() which
> - # calls sched_setscheduler()
> - allow can_load_kernmodule self:capability sys_nice;
> - kernel_setsched(can_load_kernmodule)
> + allow can_load_kernmodule modules_object_t:system module_load;
> }
>
> ########################################
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2016-08-14 21:02:38

by guido

Subject: [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

A couple of unneeded permissions (probably obsolete) are removed
from the kernel module loading section.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/files.te | 11 +++++++++++
policy/modules/kernel/kernel.te | 7 ++-----
2 files changed, 13 insertions(+), 5 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/kernel/files.te 2016-08-06
21:26:43.284774157 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/files.te 2016-08-14
22:35:30.602463332 +0200
@@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)

########################################
#
+# Kernel module loading policy
+#
+
+neverallow ~can_load_kernmodule modules_object_t:system module_load;
+
+if( ! secure_mode_insmod ) {
+ allow can_load_kernmodule modules_object_t:system module_load;
+}
+
+########################################
+#
# Unconfined access to this module
#

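Review bot: moving the block into files.te fixes the modules_object_t ownership problem but creates the mirror image of it: can_load_kernmodule is an attribute declared in kernel.te, and the `if( ! secure_mode_insmod )` condition references a boolean that this file does not declare either, so files.te now depends on kernel-owned symbols with no gen_require. The clean shape is an interface in files.if that takes the domain as $1 and grants `allow $1 modules_object_t:system module_load;`, called from kernel.te inside the existing secure_mode_insmod block; the neverallow would likewise need its own interface.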
--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09
16:09:48.811753763 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-14
22:35:47.997714250 +0200
@@ -216,6 +216,8 @@ allow kernel_t self:fd use;

allow kernel_t debugfs_t:dir search_dir_perms;

+allow kernel_t modules_object_t:system ~module_load;
+
allow kernel_t proc_t:dir list_dir_perms;
allow kernel_t proc_t:file read_file_perms;
allow kernel_t proc_t:lnk_file read_lnk_file_perms;
@@ -428,11 +430,6 @@ optional_policy(`

if( ! secure_mode_insmod ) {
allow can_load_kernmodule self:capability sys_module;
-
- # load_module() calls stop_machine() which
- # calls sched_setscheduler()
- allow can_load_kernmodule self:capability sys_nice;
- kernel_setsched(can_load_kernmodule)
}

########################################

2016-08-14 21:23:01

by Dac Override

Subject: [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule

On 08/14/2016 11:02 PM, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
>
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
>
> A couple of unneeded permissions (probably obsolete) are removed
> from the kernel module loading section.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/files.te | 11 +++++++++++
> policy/modules/kernel/kernel.te | 7 ++-----
> 2 files changed, 13 insertions(+), 5 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te 2016-08-06
> 21:26:43.284774157 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/files.te 2016-08-14
> 22:35:30.602463332 +0200
> @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
>
> ########################################
> #
> +# Kernel module loading policy
> +#
> +
> +neverallow ~can_load_kernmodule modules_object_t:system module_load;
> +
> +if( ! secure_mode_insmod ) {
> + allow can_load_kernmodule modules_object_t:system module_load;
> +}
> +
> +########################################
> +#
> # Unconfined access to this module
> #
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09
> 16:09:48.811753763 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-14
> 22:35:47.997714250 +0200
> @@ -216,6 +216,8 @@ allow kernel_t self:fd use;
>
> allow kernel_t debugfs_t:dir search_dir_perms;
>
> +allow kernel_t modules_object_t:system ~module_load;

I can't make sense of this rule

> +
> allow kernel_t proc_t:dir list_dir_perms;
> allow kernel_t proc_t:file read_file_perms;
> allow kernel_t proc_t:lnk_file read_lnk_file_perms;
> @@ -428,11 +430,6 @@ optional_policy(`
>
> if( ! secure_mode_insmod ) {
> allow can_load_kernmodule self:capability sys_module;
> -
> - # load_module() calls stop_machine() which
> - # calls sched_setscheduler()
> - allow can_load_kernmodule self:capability sys_nice;
> - kernel_setsched(can_load_kernmodule)

I would not remove the above. Might break compatibility

> }
>
> ########################################


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-08-15 22:21:32

by guido

Subject: [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule

Hello Dominick.

On Sun, 14/08/2016 at 23.23 +0200, Dominick Grift wrote:
> On 08/14/2016 11:02 PM, Guido Trentalancia wrote:
> > The "module_load" permission has been recently added to the
> > "system"
> > class (kernel 4.7).
> >
> > The following patch updates the Reference Policy so that the new
> > permission is allowed when a kernel module should be loaded.
> >
> > A couple of unneeded permissions (probably obsolete) are removed
> > from the kernel module loading section.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/kernel/files.te | 11 +++++++++++
> > policy/modules/kernel/kernel.te | 7 ++-----
> > 2 files changed, 13 insertions(+), 5 deletions(-)
> >
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te
> > 2016-08-06
> > 21:26:43.284774157 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/files.te 20
> > 16-08-14
> > 22:35:30.602463332 +0200
> > @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
> > ?
> > ?########################################
> > ?#
> > +# Kernel module loading policy
> > +#
> > +
> > +neverallow ~can_load_kernmodule modules_object_t:system
> > module_load;
> > +
> > +if( ! secure_mode_insmod ) {
> > + allow can_load_kernmodule modules_object_t:system
> > module_load;
> > +}
> > +
> > +########################################
> > +#
> > ?# Unconfined access to this module
> > ?#
> > ?
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te
> > 2016-08-09
> > 16:09:48.811753763 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2
> > 016-08-14
> > 22:35:47.997714250 +0200
> > @@ -216,6 +216,8 @@ allow kernel_t self:fd use;
> > ?
> > ?allow kernel_t debugfs_t:dir search_dir_perms;
> > ?
> > +allow kernel_t modules_object_t:system ~module_load;
>
> I can't make sense of this rule

It's a mistake and it has been removed in the latest forthcoming
version of this patch.

> > +
> > ?allow kernel_t proc_t:dir list_dir_perms;
> > ?allow kernel_t proc_t:file read_file_perms;
> > ?allow kernel_t proc_t:lnk_file read_lnk_file_perms;
> > @@ -428,11 +430,6 @@ optional_policy(`
> > ?
> > ?if( ! secure_mode_insmod ) {
> > ? allow can_load_kernmodule self:capability sys_module;
> > -
> > - # load_module() calls stop_machine() which
> > - # calls sched_setscheduler()
> > - allow can_load_kernmodule self:capability sys_nice;
> > - kernel_setsched(can_load_kernmodule)
>
> I would not remove the above. Might break compatibility

I have checked backwards up to kernel version 2.6.37 and there is no
trace of calls to sched_setsched().

Also, even if there was such a call, it was most probably something
wrong !

Therefore, I oppose reverting that (sys_nice + kernel_setsched()).

Regards,

Guido

2016-08-15 22:22:52

by guido

Subject: [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

A couple of unneeded permissions are removed from the kernel
module loading section.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/files.te | 11 +++++++++++
policy/modules/kernel/kernel.te | 5 -----
2 files changed, 11 insertions(+), 5 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/kernel/files.te 2016-08-06 21:26:43.284774157 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/files.te 2016-08-14 22:35:30.602463332 +0200
@@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)

########################################
#
+# Kernel module loading policy
+#
+
+neverallow ~can_load_kernmodule modules_object_t:system module_load;
+
+if( ! secure_mode_insmod ) {
+ allow can_load_kernmodule modules_object_t:system module_load;
+}
+
+########################################
+#
# Unconfined access to this module
#

--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09 16:09:48.811753763 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-16 00:09:58.411688357 +0200
@@ -428,11 +428,6 @@ optional_policy(`

if( ! secure_mode_insmod ) {
allow can_load_kernmodule self:capability sys_module;
-
- # load_module() calls stop_machine() which
- # calls sched_setscheduler()
- allow can_load_kernmodule self:capability sys_nice;
- kernel_setsched(can_load_kernmodule)
}

########################################

2016-08-15 20:20:47

by Chris PeBenito

Subject: [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule

On 08/15/16 18:22, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
>
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
>
> A couple of unneeded permissions are removed from the kernel
> module loading section.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/files.te | 11 +++++++++++
> policy/modules/kernel/kernel.te | 5 -----
> 2 files changed, 11 insertions(+), 5 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te 2016-08-06 21:26:43.284774157 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/files.te 2016-08-14 22:35:30.602463332 +0200
> @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
>
> ########################################
> #
> +# Kernel module loading policy
> +#
> +
> +neverallow ~can_load_kernmodule modules_object_t:system module_load;
> +
> +if( ! secure_mode_insmod ) {
> + allow can_load_kernmodule modules_object_t:system module_load;
> +}

Now we have the problem where can_load_kernmodule isn't owned by this
module. You'll have to create the first neverallow interface I think.



> +########################################
> +#
> # Unconfined access to this module
> #
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09 16:09:48.811753763 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-16 00:09:58.411688357 +0200
> @@ -428,11 +428,6 @@ optional_policy(`
>
> if( ! secure_mode_insmod ) {
> allow can_load_kernmodule self:capability sys_module;
> -
> - # load_module() calls stop_machine() which
> - # calls sched_setscheduler()
> - allow can_load_kernmodule self:capability sys_nice;
> - kernel_setsched(can_load_kernmodule)
> }
>
> ########################################

I also agree with Dominick on this. These are relatively uninteresting
permissions compared to the sys_module, so until we have some
explanation, I'd prefer to keep it. I tried looking at Red Hat bugzilla,
as this came from Dan Walsh, but it's all the way back from 2011, so
it's not coming up easily for me.


--
Chris PeBenito

2016-08-18 15:01:17

by guido

Subject: [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule

Hello Christopher,

thanks for your feedback on this patch !

On Mon, 15/08/2016 at 16.20 -0400, Chris PeBenito wrote:
> On 08/15/16 18:22, Guido Trentalancia wrote:
> > The "module_load" permission has been recently added to the
> > "system"
> > class (kernel 4.7).
> >
> > The following patch updates the Reference Policy so that the new
> > permission is allowed when a kernel module should be loaded.
> >
> > A couple of unneeded permissions are removed from the kernel
> > module loading section.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/kernel/files.te | 11 +++++++++++
> > policy/modules/kernel/kernel.te | 5 -----
> > 2 files changed, 11 insertions(+), 5 deletions(-)
> >
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te
> > 2016-08-06 21:26:43.284774157 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/files.te 20
> > 16-08-14 22:35:30.602463332 +0200
> > @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
> >
> > ?########################################
> > ?#
> > +# Kernel module loading policy
> > +#
> > +
> > +neverallow ~can_load_kernmodule modules_object_t:system
> > module_load;
> > +
> > +if( ! secure_mode_insmod ) {
> > + allow can_load_kernmodule modules_object_t:system
> > module_load;
> > +}
>
> Now we have the problem where can_load_kernmodule isn't owned by
> this
> module. You'll have to create the first neverallow interface I
> think.

I am sorry but I do not understand what you mean.

It compiles fine. What change do you propose exactly ?

> > +########################################
> > +#
> > ?# Unconfined access to this module
> > ?#
> >
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te
> > 2016-08-09 16:09:48.811753763 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2
> > 016-08-16 00:09:58.411688357 +0200
> > @@ -428,11 +428,6 @@ optional_policy(`
> >
> > ?if( ! secure_mode_insmod ) {
> > ? allow can_load_kernmodule self:capability sys_module;
> > -
> > - # load_module() calls stop_machine() which
> > - # calls sched_setscheduler()
> > - allow can_load_kernmodule self:capability sys_nice;
> > - kernel_setsched(can_load_kernmodule)
> > ?}
> >
> > ?########################################
>
> I also agree with Dominick on this. These are relatively
> uninteresting
> permissions compared to the sys_module, so until we have some
> explanation, I'd prefer to keep it. I tried looking at Red Hat
> bugzilla,
> as this came from Dan Walsh, but it's all the way back from 2011, so
> it's not coming up easily for me.

That's fine, I'll recreate the patch with the sys_nice permission back
in, although I still think it is much better to avoid granting that.

I will add a short note so that hopefully we'll be able to get an
explanation one day...

Best regards,

Guido

2016-08-17 19:37:41

by Chris PeBenito

Subject: [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule

On 08/18/16 11:01, Guido Trentalancia wrote:
> Hello Christopher,
>
> thanks for your feedback on this patch !
>
> On Mon, 15/08/2016 at 16.20 -0400, Chris PeBenito wrote:
>> On 08/15/16 18:22, Guido Trentalancia wrote:
>>> The "module_load" permission has been recently added to the
>>> "system"
>>> class (kernel 4.7).
>>>
>>> The following patch updates the Reference Policy so that the new
>>> permission is allowed when a kernel module should be loaded.
>>>
>>> A couple of unneeded permissions are removed from the kernel
>>> module loading section.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/kernel/files.te | 11 +++++++++++
>>> policy/modules/kernel/kernel.te | 5 -----
>>> 2 files changed, 11 insertions(+), 5 deletions(-)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te
>>> 2016-08-06 21:26:43.284774157 +0200
>>> +++ refpolicy-git-06082016/policy/modules/kernel/files.te 20
>>> 16-08-14 22:35:30.602463332 +0200
>>> @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
>>>
>>> ########################################
>>> #
>>> +# Kernel module loading policy
>>> +#
>>> +
>>> +neverallow ~can_load_kernmodule modules_object_t:system
>>> module_load;
>>> +
>>> +if( ! secure_mode_insmod ) {
>>> + allow can_load_kernmodule modules_object_t:system
>>> module_load;
>>> +}
>>
>> Now we have the problem where can_load_kernmodule isn't owned by
>> this
>> module. You'll have to create the first neverallow interface I
>> think.
>
> I am sorry but I do not understand what you mean.
>
> It compiles fine. What change do you propose exactly ?

It compiles fine because the kernel and files modules are always in the
base.pp. However the refpolicy module encapsulation should be
preserved. The difficulty is can_load_kernmodule is owned by the kernel
module and modules_object_t is owned by the files module, so you can't
have a raw rule by itself, so you need an interface.

--
Chris PeBenito

2016-08-19 13:27:32

by guido

Subject: [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

To preserve the module encapsulation, a new interface is defined
in the kernel files module and that interface is then used in the
kernel module.

A short note is added about unneeded permissions that set the
kernel scheduling parameters (might lead to service disruption).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/kernel/kernel.te | 4 ++++
2 files changed, 23 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/kernel/files.if 2016-08-06 21:26:43.284774157 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/files.if 2016-08-19 15:05:34.503054733 +0200
@@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran

########################################
## <summary>
+## Load kernel module files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_load_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ files_read_kernel_modules($1)
+ allow $1 modules_object_t:system module_load;
+')
+
+########################################
+## <summary>
## List world-readable directories.
## </summary>
## <param name="domain">
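Review bot: the interface summary "Load kernel module files." understates what the interface grants: the body also calls files_read_kernel_modules($1), so a caller receives read access to modules_object_t along with the module_load permission. Say so in the <summary> (something like "Read and load kernel module files") so the documentation matches the rules a caller actually gets, and so the extra read grant is a deliberate choice rather than a surprise for domains that already obtain it elsewhere.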
--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09 16:09:48.811753763 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-19 15:07:21.169666858 +0200
@@ -429,8 +429,12 @@ optional_policy(`
if( ! secure_mode_insmod ) {
allow can_load_kernmodule self:capability sys_module;

+ files_load_kernel_modules(can_load_kernmodule)
+
# load_module() calls stop_machine() which
# calls sched_setscheduler()
+ # gt: there seems to be no trace of the above, at
+ # least in kernel versions greater than 2.6.37...
allow can_load_kernmodule self:capability sys_nice;
kernel_setsched(can_load_kernmodule)
}
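Review bot: compared with v1 through v4 this version drops the `neverallow ~can_load_kernmodule modules_object_t:system module_load;` constraint entirely, so module_load is now gated only by the secure_mode_insmod tunable and is no longer pinned to the can_load_kernmodule attribute the way sys_module is by the existing neverallow; if that constraint is still wanted it needs a files_* neverallow interface, as discussed earlier in this thread. Separately, the `# gt:` initials-tagged comment does not match the surrounding comment style; state the observation without the personal tag, or keep the doubt in the commit message instead.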

2016-08-17 20:05:04

by Chris PeBenito

Subject: [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule

On 08/19/16 09:27, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
>
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
>
> To preserve the module encapsulation, a new interface is defined
> in the kernel files module and that interface is then used in the
> kernel module.
>
> A short note is added about unneeded permissions that set the
> kernel scheduling parameters (might lead to service disruption).

The policy change is fine, but I want to think about the name of the
interface. The name doesn't seem right, but I can't immediately come up
with a better one.


> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/files.if | 19 +++++++++++++++++++
> policy/modules/kernel/kernel.te | 4 ++++
> 2 files changed, 23 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.if 2016-08-06 21:26:43.284774157 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/files.if 2016-08-19 15:05:34.503054733 +0200
> @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
>
> ########################################
> ## <summary>
> +## Load kernel module files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_load_kernel_modules',`
> + gen_require(`
> + type modules_object_t;
> + ')
> +
> + files_read_kernel_modules($1)
> + allow $1 modules_object_t:system module_load;
> +')
> +
> +########################################
> +## <summary>
> ## List world-readable directories.
> ## </summary>
> ## <param name="domain">
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09 16:09:48.811753763 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-19 15:07:21.169666858 +0200
> @@ -429,8 +429,12 @@ optional_policy(`
> if( ! secure_mode_insmod ) {
> allow can_load_kernmodule self:capability sys_module;
>
> + files_load_kernel_modules(can_load_kernmodule)
> +
> # load_module() calls stop_machine() which
> # calls sched_setscheduler()
> + # gt: there seems to be no trace of the above, at
> + # least in kernel versions greater than 2.6.37...
> allow can_load_kernmodule self:capability sys_nice;
> kernel_setsched(can_load_kernmodule)
> }
>


--
Chris PeBenito

2016-08-19 20:41:08

by guido

Subject: [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule

Hello Christopher.

On Wed, 17/08/2016 at 16.05 -0400, Chris PeBenito wrote:
> On 08/19/16 09:27, Guido Trentalancia wrote:
> > The "module_load" permission has been recently added to the
> > "system"
> > class (kernel 4.7).
> >
> > The following patch updates the Reference Policy so that the new
> > permission is allowed when a kernel module should be loaded.
> >
> > To preserve the module encapsulation, a new interface is defined
> > in the kernel files module and that interface is then used in the
> > kernel module.
> >
> > A short note is added about unneeded permissions that set the
> > kernel scheduling parameters (might lead to service disruption).
>
> The policy change is fine, but I want to think about the name of the
> interface. The name doesn't seem right, but I can't immediately come
> up
> with a better one.

An alternative name could be:

files_kernel_module_load()

> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/kernel/files.if | 19 +++++++++++++++++++
> > policy/modules/kernel/kernel.te | 4 ++++
> > 2 files changed, 23 insertions(+)
> >
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.if
> > 2016-08-06 21:26:43.284774157 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/files.if 20
> > 16-08-19 15:05:34.503054733 +0200
> > @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
> >
> > ?########################################
> > ?## <summary>
> > +## Load kernel module files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`files_load_kernel_modules',`
> > + gen_require(`
> > + type modules_object_t;
> > + ')
> > +
> > + files_read_kernel_modules($1)
> > + allow $1 modules_object_t:system module_load;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## List world-readable directories.
> > ?## </summary>
> > ?## <param name="domain">
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te
> > 2016-08-09 16:09:48.811753763 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2
> > 016-08-19 15:07:21.169666858 +0200
> > @@ -429,8 +429,12 @@ optional_policy(`
> > ?if( ! secure_mode_insmod ) {
> > ? allow can_load_kernmodule self:capability sys_module;
> >
> > + files_load_kernel_modules(can_load_kernmodule)
> > +
> > ? # load_module() calls stop_machine() which
> > ? # calls sched_setscheduler()
> > + # gt: there seems to be no trace of the above, at
> > + # least in kernel versions greater than 2.6.37...
> > ? allow can_load_kernmodule self:capability sys_nice;
> > ? kernel_setsched(can_load_kernmodule)
> > ?}
> >?

Best regards,

Guido

2016-08-30 00:30:33

by Chris PeBenito

Subject: [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule

On 08/19/16 09:27, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
>
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
>
> To preserve the module encapsulation, a new interface is defined
> in the kernel files module and that interface is then used in the
> kernel module.
>
> A short note is added about unneeded permissions that set the
> kernel scheduling parameters (might lead to service disruption).

I couldn't come up with a better interface name, so I've merged this patch.


> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/files.if | 19 +++++++++++++++++++
> policy/modules/kernel/kernel.te | 4 ++++
> 2 files changed, 23 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.if 2016-08-06 21:26:43.284774157 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/files.if 2016-08-19 15:05:34.503054733 +0200
> @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
>
> ########################################
> ## <summary>
> +## Load kernel module files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`files_load_kernel_modules',`
> + gen_require(`
> + type modules_object_t;
> + ')
> +
> + files_read_kernel_modules($1)
> + allow $1 modules_object_t:system module_load;
> +')
> +
> +########################################
> +## <summary>
> ## List world-readable directories.
> ## </summary>
> ## <param name="domain">
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09 16:09:48.811753763 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-19 15:07:21.169666858 +0200
> @@ -429,8 +429,12 @@ optional_policy(`
> if( ! secure_mode_insmod ) {
> allow can_load_kernmodule self:capability sys_module;
>
> + files_load_kernel_modules(can_load_kernmodule)
> +
> # load_module() calls stop_machine() which
> # calls sched_setscheduler()
> + # gt: there seems to be no trace of the above, at
> + # least in kernel versions greater than 2.6.37...
> allow can_load_kernmodule self:capability sys_nice;
> kernel_setsched(can_load_kernmodule)
> }
>


--
Chris PeBenito

2016-08-30 10:58:09

by guido

Subject: [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule

Hello Christopher.

You've done the right thing.

Thanks for sorting this out.

I am finally seeing the light with the gnome and dbus modules! It comes at the cost of confining the whole desktop, but so far so good...

I have removed the variable types $1_dbusd_t: it doesn't work, end of the story, it's poor design in my opinion because it leads to an unmanageable situation (conflicting type rules).

Regards,

Guido

On the 30th August 2016 02:30:33 CEST, Chris PeBenito <[email protected]> wrote:
>On 08/19/16 09:27, Guido Trentalancia wrote:
>> The "module_load" permission has been recently added to the "system"
>> class (kernel 4.7).
>>
>> The following patch updates the Reference Policy so that the new
>> permission is allowed when a kernel module should be loaded.
>>
>> To preserve the module encapsulation, a new interface is defined
>> in the kernel files module and that interface is then used in the
>> kernel module.
>>
>> A short note is added about unneeded permissions that set the
>> kernel scheduling parameters (might lead to service disruption).
>
>I couldn't come up with a better interface name, so I've merged this
>patch.
>
>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/kernel/files.if | 19 +++++++++++++++++++
>> policy/modules/kernel/kernel.te | 4 ++++
>> 2 files changed, 23 insertions(+)
>>
>> ---
>refpolicy-git-06082016-orig/policy/modules/kernel/files.if 2016-08-06
>21:26:43.284774157 +0200
>> +++ refpolicy-git-06082016/policy/modules/kernel/files.if 2016-08-19
>15:05:34.503054733 +0200
>> @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
>>
>> ########################################
>> ## <summary>
>> +## Load kernel module files.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`files_load_kernel_modules',`
>> + gen_require(`
>> + type modules_object_t;
>> + ')
>> +
>> + files_read_kernel_modules($1)
>> + allow $1 modules_object_t:system module_load;
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## List world-readable directories.
>> ## </summary>
>> ## <param name="domain">
>> ---
>refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09
>16:09:48.811753763 +0200
>> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-19
>15:07:21.169666858 +0200
>> @@ -429,8 +429,12 @@ optional_policy(`
>> if( ! secure_mode_insmod ) {
>> allow can_load_kernmodule self:capability sys_module;
>>
>> + files_load_kernel_modules(can_load_kernmodule)
>> +
>> # load_module() calls stop_machine() which
>> # calls sched_setscheduler()
>> + # gt: there seems to be no trace of the above, at
>> + # least in kernel versions greater than 2.6.37...
>> allow can_load_kernmodule self:capability sys_nice;
>> kernel_setsched(can_load_kernmodule)
>> }
>>