From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 8 Aug 2016 19:18:11 +0200
Subject: [refpolicy] [PATCH] Ifconfig should be able to read firmware
 files and load kernel modules
In-Reply-To: <1470676296.2540.1.camel@trentalancia.net>
References: <1470676296.2540.1.camel@trentalancia.net>
Message-ID: <83b01d15-48f4-0d32-27de-9881c49e402b@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/08/2016 07:11 PM, Guido Trentalancia wrote:
> Ifconfig should be able to read firmware files (i.e. some network cards need
> to load their firmware) and it should also be able to load kernel modules.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/sysnetwork.te |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te	2016-08-06 21:26:43.309774442 +0200
> +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te	2016-08-08 18:29:45.342636241 +0200
> @@ -261,7 +261,7 @@ optional_policy(`
>  # Ifconfig local policy
>  #
>  
> -allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
> +allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_module sys_tty_config };

neverallow ~can_load_kernmodule self:capability sys_module;

>  allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
>  allow ifconfig_t self:fd use;
>  allow ifconfig_t self:fifo_file rw_fifo_file_perms;
> @@ -305,6 +305,8 @@ domain_use_interactive_fds(ifconfig_t)
>  files_read_etc_files(ifconfig_t)
>  files_read_etc_runtime_files(ifconfig_t)
>  
> +files_read_firmware_files(ifconfig_t)
> +
>  fs_getattr_xattr_fs(ifconfig_t)
>  fs_search_auto_mountpoints(ifconfig_t)
>  
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20160808/74e0bdd8/attachment.bin