From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 13 Aug 2016 09:21:40 -0400
Subject: [refpolicy] [PATCH v2] Add module_load permission to can_load_kernmodule
In-Reply-To: <1470752290.26741.0.camel@trentalancia.net>
References: <1470604093.2822.5.camel@trentalancia.net> <1470752290.26741.0.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/09/16 10:18, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system" > class (kernel 4.7). > > The following patch updates the Reference Policy so that the new > permission is allowed when a kernel module should be loaded. > > A couple of unneeded permissions are removed from the kernel > module loading section. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/kernel/kernel.te | 9 ++++----- > 1 file changed, 4 insertions(+), 5 deletions(-) > > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-06 21:26:43.287774191 +0200 > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-09 15:55:46.652356995 +0200 > @@ -18,6 +18,7 @@ attribute can_receive_kernel_messages; > attribute can_dump_kernel; > > neverallow ~can_load_kernmodule self:capability sys_module; > +neverallow ~can_load_kernmodule modules_object_t:system module_load; Problematic, as modules_object_t is not owned by this module. > # domains with unconfined access to kernel resources > attribute kern_unconfined; > @@ -216,6 +217,8 @@ allow kernel_t self:fd use; > > allow kernel_t debugfs_t:dir search_dir_perms; > > +allow kernel_t modules_object_t:system ~module_load; > + > allow kernel_t proc_t:dir list_dir_perms; > allow kernel_t proc_t:file read_file_perms; > allow kernel_t proc_t:lnk_file read_lnk_file_perms;
> @@ -428,11 +431,7 @@ optional_policy(` > > if( ! secure_mode_insmod ) { > allow can_load_kernmodule self:capability sys_module; > - > - # load_module() calls stop_machine() which > - # calls sched_setscheduler() > - allow can_load_kernmodule self:capability sys_nice; > - kernel_setsched(can_load_kernmodule) > + allow can_load_kernmodule modules_object_t:system module_load; > } > > ######################################## > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
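Review bot: the added `neverallow ~can_load_kernmodule modules_object_t:system module_load;` in the first hunk (@@ -18) references a type that kernel.te does not declare; modules_object_t is owned by another module, so this assertion couples kernel.te to a type outside its own scope and will fail to build in a modular policy where that module is absent. Either express the rule through an interface provided by the module that owns modules_object_t, or place the assertion in that module next to the type declaration.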
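Review bot: `allow kernel_t modules_object_t:system ~module_load;` in the second hunk (@@ -216) is a permission complement: it grants kernel_t every permission in the system class except module_load, with the module file type as the target, which is the opposite of what the subject line suggests. If the intent is to let kernel_t load modules, drop the tilde: `allow kernel_t modules_object_t:system module_load;`. If the intent is to withhold module_load from kernel_t, the rule should be removed entirely, since the remaining system-class permissions are not meaningful against a file type.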
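Review bot: the third hunk (@@ -428) removes `allow can_load_kernmodule self:capability sys_nice;` and `kernel_setsched(can_load_kernmodule)` without justification; the deleted comment records why they were granted (load_module() calls stop_machine(), which calls sched_setscheduler()), while the commit message only calls them "unneeded". Name the kernel change that made them unnecessary, or split this removal into its own patch so it can be reverted on its own if denials reappear on the kernels this policy still supports. Also worth checking: the new rule targets only modules_object_t, but when a module image is handed to the kernel from memory rather than a file descriptor the module_load check is made against the loading domain itself, so `allow can_load_kernmodule self:system module_load;` is likely needed alongside it.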