From: guido@trentalancia.net (Guido Trentalancia) Date: Tue, 16 Aug 2016 00:21:32 +0200 Subject: [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule In-Reply-To: <5ce89d31-5641-a464-cd73-43590848aa49@gmail.com> References: <1470604093.2822.5.camel@trentalancia.net> <1470752290.26741.0.camel@trentalancia.net> <1401960383.997208.1471208558275.JavaMail.open-xchange@popper06.register.it> <5ce89d31-5641-a464-cd73-43590848aa49@gmail.com> Message-ID: <1471299692.2901.0.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Dominick. On Sun, 14/08/2016 at 23.23 +0200, Dominick Grift wrote: > On 08/14/2016 11:02 PM, Guido Trentalancia wrote: > > The "module_load" permission has been recently added to the > > "system" > > class (kernel 4.7). > > > > The following patch updates the Reference Policy so that the new > > permission is allowed when a kernel module should be loaded. > > > > A couple of unneeded permissions (probably obsolete) are removed > > from the kernel module loading section. > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/kernel/files.te??|???11 +++++++++++ > > ?policy/modules/kernel/kernel.te |????7 ++----- > > ?2 files changed, 13 insertions(+), 5 deletions(-) > > > > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te > > 2016-08-06 > > 21:26:43.284774157 +0200 > > +++ refpolicy-git-06082016/policy/modules/kernel/files.te 20 > > 16-08-14 > > 22:35:30.602463332 +0200 
> > @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile) > > ? > > ?######################################## > > ?# > > +# Kernel module loading policy > > +# > > + > > +neverallow ~can_load_kernmodule modules_object_t:system > > module_load; > > + > > +if( ! secure_mode_insmod ) { > > + allow can_load_kernmodule modules_object_t:system > > module_load; > > +} > > + > > +######################################## > > +# > > ?# Unconfined access to this module > > ?# > > ? > > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te > > 2016-08-09 > > 16:09:48.811753763 +0200 > > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2 > > 016-08-14 > > 22:35:47.997714250 +0200 > > @@ -216,6 +216,8 @@ allow kernel_t self:fd use; > > ? > > ?allow kernel_t debugfs_t:dir search_dir_perms; > > ? > > +allow kernel_t modules_object_t:system ~module_load; > > I can't make sense of this rule It's a mistake and it has been removed in the latest forthcoming version of this patch. > > + > > ?allow kernel_t proc_t:dir list_dir_perms; > > ?allow kernel_t proc_t:file read_file_perms; > > ?allow kernel_t proc_t:lnk_file read_lnk_file_perms; > > @@ -428,11 +430,6 @@ optional_policy(` > > ? > > ?if( ! secure_mode_insmod ) { > > ? allow can_load_kernmodule self:capability sys_module; > > - > > - # load_module() calls stop_machine() which > > - # calls sched_setscheduler() > > - allow can_load_kernmodule self:capability sys_nice; > > - kernel_setsched(can_load_kernmodule) > > I would not remove the above. Might break compatibility I have checked backwards up to kernel version 2.6.37 and there is no trace of calls to sched_setsched(). Also, even if there was such a call, it was most probably something wrong ! Therefore, I oppose reverting that (sys_nice + kernel_setsched()). Regards, Guido
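Review bot: In the files.te hunk (@@ -208,6 +208,17 @@), the new block repeats the `if( ! secure_mode_insmod )` test that kernel.te already uses for `allow can_load_kernmodule self:capability sys_module;`, so the rules for a single operation end up split across two files with only the heading "Kernel module loading policy" to explain it. Either place the module_load allow next to the sys_module rule, or extend the comment to say why it belongs in files.te and that the permission exists from kernel 4.7, as the commit message states. The comment should also say that both the allow and the neverallow name only modules_object_t as the target, so the neverallow does not constrain module_load against any other type.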
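Review bot: In the first kernel.te hunk (@@ -216,6 +216,8 @@), `allow kernel_t modules_object_t:system ~module_load;` uses the complement operator, so it grants kernel_t every permission in the system class except module_load on modules_object_t. That is the opposite of what the commit message describes, nothing in the message or in a comment motivates it, and it is far broader than a patch about one new permission should be. Drop the line, as already agreed in the replies; if kernel_t does need module_load, add it as an explicit single-permission rule with a comment.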
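Review bot: In the second kernel.te hunk (@@ -428,11 +430,6 @@), the removal of `allow can_load_kernmodule self:capability sys_nice;` and `kernel_setsched(can_load_kernmodule)` deletes rules that carry a documented reason (load_module() calls stop_machine(), which calls sched_setscheduler()), while the commit message justifies it only as "probably obsolete". This is unrelated to adding module_load, so it should go in a separate patch whose message records which kernel versions were checked and what was searched for. The removed comment names sched_setscheduler(), so that is the call the check needs to cover, and the message should state the oldest kernel the policy is expected to support so the compatibility concern raised in review can be settled.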