From: bigon@debian.org (Laurent Bigonville)
Date: Fri, 11 Dec 2015 13:48:33 +0100
Subject: [refpolicy] [PATCH] Add interfaces to read/write
	/proc/sys/vm/overcommit_memory
Message-ID: <1449838113-12570-1-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: Laurent Bigonville <bigon@bigon.be>

Inspired from the Fedora policy
---
 policy/modules/kernel/kernel.if | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index f1130d1..9ef2fae 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3323,3 +3323,44 @@ interface(`kernel_unconfined',`
 	typeattribute $1 kern_unconfined;
 	kernel_load_module($1)
 ')
+
+########################################
+## <summary>
+##	Allow caller to read virtual memory overcommit sysctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_vm_overcommit_sysctl',`
+	gen_require(`
+		type sysctl_vm_overcommit_t;
+	')
+
+	kernel_search_vm_sysctl($1)
+	read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+')
+
+########################################
+## <summary>
+##	Read and write virtual memory overcommit sysctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_vm_overcommit_sysctl',`
+	gen_require(`
+		type sysctl_vm_overcommit_t;
+	')
+
+	kernel_search_vm_sysctl($1)
+	rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+	list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+')
-- 
2.6.4