From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 17 Aug 2016 15:37:41 -0400
Subject: [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule
In-Reply-To: <1471532477.14586.4.camel@trentalancia.net>
References: <1470604093.2822.5.camel@trentalancia.net>
 <1470752290.26741.0.camel@trentalancia.net>
 <1401960383.997208.1471208558275.JavaMail.open-xchange@popper06.register.it>
 <1471299772.3112.0.camel@trentalancia.net>
 <1471532477.14586.4.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/18/16 11:01, Guido Trentalancia wrote:
> Hello Christopher,
>
> thanks for your feedback on this patch !
>
> On Mon, 15/08/2016 at 16.20 -0400, Chris PeBenito wrote:
>> On 08/15/16 18:22, Guido Trentalancia wrote:
>>> The "module_load" permission has been recently added to the "system"
>>> class (kernel 4.7).
>>>
>>> The following patch updates the Reference Policy so that the new
>>> permission is allowed when a kernel module should be loaded.
>>>
>>> A couple of unneeded permissions are removed from the kernel
>>> module loading section.
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>> policy/modules/kernel/files.te | 11 +++++++++++
>>> policy/modules/kernel/kernel.te | 5 -----
>>> 2 files changed, 11 insertions(+), 5 deletions(-)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te
>>> 2016-08-06 21:26:43.284774157 +0200
>>> +++ refpolicy-git-06082016/policy/modules/kernel/files.te 20
>>> 16-08-14 22:35:30.602463332 +0200
>>> @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
>>>
>>> ########################################
>>> #
>>> +# Kernel module loading policy
>>> +#
>>> +
>>> +neverallow ~can_load_kernmodule modules_object_t:system
>>> module_load;
>>> +
>>> +if( ! secure_mode_insmod ) {
>>> + allow can_load_kernmodule modules_object_t:system
>>> module_load;
>>> +}
>>
>> Now we have the problem where can_load_kernmodule isn't owned by this
>> module. You'll have to create the first neverallow interface I
>> think.
>
> I am sorry but I do not understand what you mean.
>
> It compiles fine. What change do you propose exactly ?

It compiles fine because the kernel and files modules are always in the
base.pp. However the refpolicy module encapsulation should be preserved.
The difficulty is can_load_kernmodule is owned by the kernel module and
modules_object_t is owned by the files module, so you can't have a raw
rule by itself, so you need an interface.

--
Chris PeBenito
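Review bot: the files.te hunk names can_load_kernmodule, an attribute declared in kernel.te, in both the `neverallow` and the conditional `allow`, while modules_object_t is the type files.te itself declares; a raw rule in one module that references another module's attribute breaks refpolicy's module encapsulation, and it only builds here because kernel and files are both linked into base.pp. Move the grant behind a files.if interface that takes the subject as its argument (`allow $1 modules_object_t:system module_load;`) and call that interface on can_load_kernmodule from the kernel module loading section of kernel.te inside its `if( ! secure_mode_insmod )` block; the `neverallow ~can_load_kernmodule modules_object_t:system module_load;` has the same cross-module problem and needs an interface as well, as the earlier reply suggests. Note also that the `neverallow` only constrains files labeled modules_object_t, so it does not by itself prevent a domain outside can_load_kernmodule from being granted module_load on files of some other type; if the intent is a policy-wide guarantee, the interface should be the single place that grants the permission and the assertion should be written against it.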