From: guido@trentalancia.net (Guido Trentalancia) Date: Tue, 09 Aug 2016 16:18:10 +0200 Subject: [refpolicy] [PATCH v2] Add module_load permission to can_load_kernmodule In-Reply-To: <1470604093.2822.5.camel@trentalancia.net> References: <1470604093.2822.5.camel@trentalancia.net> Message-ID: <1470752290.26741.0.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The "module_load" permission has been recently added to the "system" class (kernel 4.7). The following patch updates the Reference Policy so that the new permission is allowed when a kernel module should be loaded. A couple of unneeded permissions are removed from the kernel module loading section. Signed-off-by: Guido Trentalancia --- policy/modules/kernel/kernel.te | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-06 21:26:43.287774191 +0200 +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-09 15:55:46.652356995 +0200 @@ -18,6 +18,7 @@ attribute can_receive_kernel_messages; attribute can_dump_kernel; neverallow ~can_load_kernmodule self:capability sys_module; +neverallow ~can_load_kernmodule modules_object_t:system module_load; # domains with unconfined access to kernel resources attribute kern_unconfined; @@ -216,6 +217,8 @@ allow kernel_t self:fd use; allow kernel_t debugfs_t:dir search_dir_perms; +allow kernel_t modules_object_t:system ~module_load; + allow kernel_t proc_t:dir list_dir_perms; allow kernel_t proc_t:file read_file_perms; allow kernel_t proc_t:lnk_file read_lnk_file_perms; 
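Review bot: The added `neverallow ~can_load_kernmodule modules_object_t:system module_load;` in the @@ -18 hunk only constrains module_load when the target is modules_object_t. As far as I can tell, the 4.7 hook checks the permission against the module file's label for finit_module() but against the calling domain itself for init_module(). If so, a domain outside can_load_kernmodule that is granted `self:system module_load`, or module_load on a differently labelled file, would not trip this assertion. Consider also adding `neverallow ~can_load_kernmodule self:system module_load;`; the allow rule in the @@ -428 hunk has the same target-only coverage and would need `allow can_load_kernmodule self:system module_load;` next to it. modules_object_t is not declared in the visible part of kernel.te, so refpolicy convention would reach it through an interface of the owning module rather than by name.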
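Review bot: In the @@ -216 hunk, `allow kernel_t modules_object_t:system ~module_load;` uses a complement set, so kernel_t receives every permission of the system class except module_load (for example syslog_mod or module_request) against a file type. The grant also widens silently whenever a new permission is added to that class. The commit message does not mention this rule, and it withholds from kernel_t the one permission the patch is about, so the `~` may be unintended. If kernel_t really needs something here, name it explicitly, e.g. `allow kernel_t modules_object_t:system module_load;`, with a short comment giving the reason; otherwise drop the line.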
@@ -428,11 +431,7 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; - - # load_module() calls stop_machine() which - # calls sched_setscheduler() - allow can_load_kernmodule self:capability sys_nice; - kernel_setsched(can_load_kernmodule) + allow can_load_kernmodule modules_object_t:system module_load; } ########################################
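Review bot: The removal of `allow can_load_kernmodule self:capability sys_nice;` and `kernel_setsched(can_load_kernmodule)` is justified only by the word "unneeded" in the description, while the deleted comment records a concrete reason for them (load_module() calling stop_machine(), which calls sched_setscheduler()). If this policy is still built for kernels where that call path exists, module loaders would start hitting denials. Please state the kernel version from which the path is gone, or move the removal into its own patch so it can be reverted independently of the module_load change. The new rule also carries no comment; something like `# kernel >= 4.7: system:module_load is checked against the label of the module file` above it would tell the next reader why the target is modules_object_t.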