From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 15 Aug 2016 16:20:47 -0400 Subject: [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule In-Reply-To: <1471299772.3112.0.camel@trentalancia.net> References: <1470604093.2822.5.camel@trentalancia.net> <1470752290.26741.0.camel@trentalancia.net> <1401960383.997208.1471208558275.JavaMail.open-xchange@popper06.register.it> <1471299772.3112.0.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/15/16 18:22, Guido Trentalancia wrote: > The "module_load" permission has been recently added to the "system" > class (kernel 4.7). > > The following patch updates the Reference Policy so that the new > permission is allowed when a kernel module should be loaded. > > A couple of unneeded permissions are removed from the kernel > module loading section. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/kernel/files.te | 11 +++++++++++ > policy/modules/kernel/kernel.te | 5 ----- > 2 files changed, 11 insertions(+), 5 deletions(-) > > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te 2016-08-06 21:26:43.284774157 +0200 > +++ refpolicy-git-06082016/policy/modules/kernel/files.te 2016-08-14 22:35:30.602463332 +0200 > @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile) > > ######################################## > # > +# Kernel module loading policy > +# > + > +neverallow ~can_load_kernmodule modules_object_t:system module_load; > + > +if( ! secure_mode_insmod ) { > + allow can_load_kernmodule modules_object_t:system module_load; > +} Now we have the problem where can_load_kernmodule isn't owned by this module. You'll have to create the first neverallow interface I think. > +######################################## > +# > # Unconfined access to this module > # > > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09 16:09:48.811753763 +0200 > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-16 00:09:58.411688357 +0200 > @@ -428,11 +428,6 @@ optional_policy(` > > if( ! secure_mode_insmod ) { > allow can_load_kernmodule self:capability sys_module; > - > - # load_module() calls stop_machine() which > - # calls sched_setscheduler() > - allow can_load_kernmodule self:capability sys_nice; > - kernel_setsched(can_load_kernmodule) > } > > ######################################## I also agree with Dominick on this. These are relatively uninteresting permissions compared to the sys_module, so until we have some explanation, I'd prefer to keep it. I tried looked at Red Hat bugzilla, as this came from Dan Walsh, but it's all the way back from 2011, so it's not coming up easily for me. -- Chris PeBenito