From: dac.override@gmail.com (Dominick Grift) Date: Sun, 14 Aug 2016 23:23:01 +0200 Subject: [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule In-Reply-To: <1401960383.997208.1471208558275.JavaMail.open-xchange@popper06.register.it> References: <1470604093.2822.5.camel@trentalancia.net> <1470752290.26741.0.camel@trentalancia.net> <1401960383.997208.1471208558275.JavaMail.open-xchange@popper06.register.it> Message-ID: <5ce89d31-5641-a464-cd73-43590848aa49@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/14/2016 11:02 PM, Guido Trentalancia wrote: > The "module_load" permission has been recently added to the "system" > class (kernel 4.7). > > The following patch updates the Reference Policy so that the new > permission is allowed when a kernel module should be loaded. > > A couple of unneeded permissions (probably obsolete) are removed > from the kernel module loading section. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/kernel/files.te | 11 +++++++++++ > policy/modules/kernel/kernel.te | 7 ++----- > 2 files changed, 13 insertions(+), 5 deletions(-) > > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te 2016-08-06 > 21:26:43.284774157 +0200 > +++ refpolicy-git-06082016/policy/modules/kernel/files.te 2016-08-14 > 22:35:30.602463332 +0200 > @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile) > > ######################################## > # > +# Kernel module loading policy > +# > + > +neverallow ~can_load_kernmodule modules_object_t:system module_load; > + > +if( ! secure_mode_insmod ) { > + allow can_load_kernmodule modules_object_t:system module_load; > +} > + > +######################################## > +# > # Unconfined access to this module > # > > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09 > 16:09:48.811753763 +0200 > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-14 > 22:35:47.997714250 +0200 
> @@ -216,6 +216,8 @@ allow kernel_t self:fd use; > > allow kernel_t debugfs_t:dir search_dir_perms; > > +allow kernel_t modules_object_t:system ~module_load; I can't make sense of this rule > + > allow kernel_t proc_t:dir list_dir_perms; > allow kernel_t proc_t:file read_file_perms; > allow kernel_t proc_t:lnk_file read_lnk_file_perms; > @@ -428,11 +430,6 @@ optional_policy(` > > if( ! secure_mode_insmod ) { > allow can_load_kernmodule self:capability sys_module; > - > - # load_module() calls stop_machine() which > - # calls sched_setscheduler() > - allow can_load_kernmodule self:capability sys_nice; > - kernel_setsched(can_load_kernmodule) I would not remove the above. Might break compatibility > } > > ######################################## > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
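
Review bot: In the files.te hunk (@@ -208,6 +208,17 @@), the new "if( ! secure_mode_insmod )" block duplicates the conditional that the last kernel.te hunk shows already exists around "allow can_load_kernmodule self:capability sys_module;", so the rules that gate module loading end up split across two files. Consider adding "allow can_load_kernmodule modules_object_t:system module_load;" to that existing block instead, and keep the neverallow beside it with a one-line comment stating why only can_load_kernmodule may hold the permission. The added section header "Kernel module loading policy" does not give that reason.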
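
Review bot: In the first kernel.te hunk (@@ -216,6 +216,8 @@), "allow kernel_t modules_object_t:system ~module_load;" uses a complement set, so it grants kernel_t every permission of the system class except module_load, which is the reverse of what the commit message says the patch is for. A complement set also widens silently whenever a permission is added to the class. If kernel_t needs specific system permissions on modules_object_t, list them explicitly with a comment giving the reason; otherwise drop the line.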
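
Review bot: In the second kernel.te hunk (@@ -428,11 +430,6 @@), removing "allow can_load_kernmodule self:capability sys_nice;" and "kernel_setsched(can_load_kernmodule)" also deletes the comment that documents why they were there (load_module() calls stop_machine(), which calls sched_setscheduler()), and the commit message justifies the removal only with "probably obsolete". The removal is unrelated to the module_load permission named in the subject, so it would be better split into its own patch whose message states why that call path no longer needs the two rules.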