From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 14 Aug 2016 23:02:38 +0200 (CEST) Subject: [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule In-Reply-To: References: <1470604093.2822.5.camel@trentalancia.net> <1470752290.26741.0.camel@trentalancia.net> Message-ID: <1401960383.997208.1471208558275.JavaMail.open-xchange@popper06.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The "module_load" permission has been recently added to the "system" class (kernel 4.7). The following patch updates the Reference Policy so that the new permission is allowed when a kernel module should be loaded. A couple of unneeded permissions (probably obsolete) are removed from the kernel module loading section. Signed-off-by: Guido Trentalancia --- policy/modules/kernel/files.te | 11 +++++++++++ policy/modules/kernel/kernel.te | 7 ++----- 2 files changed, 13 insertions(+), 5 deletions(-) --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te 2016-08-06 21:26:43.284774157 +0200 +++ refpolicy-git-06082016/policy/modules/kernel/files.te 2016-08-14 22:35:30.602463332 +0200 @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile) ######################################## # +# Kernel module loading policy +# + +neverallow ~can_load_kernmodule modules_object_t:system module_load; + +if( ! secure_mode_insmod ) { + allow can_load_kernmodule modules_object_t:system module_load; +} + +######################################## +# # Unconfined access to this module # --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09 16:09:48.811753763 +0200 +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-14 22:35:47.997714250 +0200 
@@ -216,6 +216,8 @@ allow kernel_t self:fd use; allow kernel_t debugfs_t:dir search_dir_perms; +allow kernel_t modules_object_t:system ~module_load; + allow kernel_t proc_t:dir list_dir_perms; allow kernel_t proc_t:file read_file_perms; allow kernel_t proc_t:lnk_file read_lnk_file_perms; @@ -428,11 +430,6 @@ optional_policy(` if( ! secure_mode_insmod ) { allow can_load_kernmodule self:capability sys_module; - - # load_module() calls stop_machine() which - # calls sched_setscheduler() - allow can_load_kernmodule self:capability sys_nice; - kernel_setsched(can_load_kernmodule) } ########################################
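Review bot: In the files.te hunk, both the neverallow and the conditional allow name only modules_object_t as the target, so they cover a load from a file carrying that label and nothing else. A load from a memory buffer through init_module(2) is checked against the caller's own context, so a can_load_kernmodule domain using that path would still be denied; consider adding `allow can_load_kernmodule self:system module_load;` inside the same `if( ! secure_mode_insmod )` block. The neverallow has the same gap in the other direction: it does not stop a domain outside can_load_kernmodule from being granted module_load on a different file type, so widen its target if the intent is that only can_load_kernmodule may load modules at all. Since can_load_kernmodule and secure_mode_insmod are already used together in kernel.te's existing conditional (visible in the last hunk), the new rules may also sit more naturally there than in files.te.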
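Review bot: In the first kernel.te hunk, `allow kernel_t modules_object_t:system ~module_load;` uses a complement set, which grants kernel_t every other permission of the system class on modules_object_t and will silently pick up any permission added to that class later. The commit message does not say which of those permissions kernel_t actually needs against this type, and the line carries no comment. Please list the required permissions explicitly and add a one-line comment giving the reason, or drop the rule if it is only there to spell out that kernel_t must not get module_load, which the absence of an allow rule already achieves.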
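Review bot: In the second kernel.te hunk, the removal of `allow can_load_kernmodule self:capability sys_nice;` and `kernel_setsched(can_load_kernmodule)` is justified in the commit message only as "probably obsolete", while the deleted comment records a concrete reason for them (load_module() calling stop_machine(), which calls sched_setscheduler()). Please confirm on the kernels the policy supports that this call path no longer triggers the checks, for example by loading a module in enforcing mode and checking for sys_nice or setsched denials, and state the result in the commit message. Because this removal is unrelated to adding module_load, it would be easier to review and to revert as a separate patch.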