From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 30 Aug 2016 12:58:09 +0200
Subject: [refpolicy] [PATCH v5] Add module_load permission to
	can_load_kernmodule
In-Reply-To: <033ff4ce-ff99-ac67-1ba2-1e7ed51c38b1@ieee.org>
References: <1470604093.2822.5.camel@trentalancia.net>
	<1470752290.26741.0.camel@trentalancia.net>
	<cf1ea694-5c65-6704-1220-be3b1de5a38e@ieee.org>
	<1401960383.997208.1471208558275.JavaMail.open-xchange@popper06.register.it>
	<1471299772.3112.0.camel@trentalancia.net>
	<1471613252.2903.14.camel@trentalancia.net>
	<033ff4ce-ff99-ac67-1ba2-1e7ed51c38b1@ieee.org>
Message-ID: <E899AAD5-2A32-4A15-BF03-3298C3BBF1EE@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher. 

You've done the right thing. 

Thanks for sorting this out. 

I am finally seeing the light with the gnome and dbus modules! It comes at the cost of confining the whole desktop, but so far so good... 

I have removed the variable types $1_dbusd_t: it doesn't work, end of the story, it's poor design in my opinion because it leads to an unmanageable situation (conflicting type rules).

Regards, 

Guido 

On the 30th August 2016 02:30:33 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
>On 08/19/16 09:27, Guido Trentalancia wrote:
>> The "module_load" permission has been recently added to the "system"
>> class (kernel 4.7).
>>
>> The following patch updates the Reference Policy so that the new
>> permission is allowed when a kernel module should be loaded.
>>
>> To preserve the module encapsulation, a new interface is defined
>> in the kernel files module and that interface is then used in the
>> kernel module.
>>
>> A short note is added about unneeded permissions that set the
>> kernel scheduling parameters (might lead to service disruption).
>
>I couldn't come up with a better interface name, so I've merged this
>patch.
>
>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/kernel/files.if  |   19 +++++++++++++++++++
>>  policy/modules/kernel/kernel.te |    4 ++++
>>  2 files changed, 23 insertions(+)
>>
>> ---
>refpolicy-git-06082016-orig/policy/modules/kernel/files.if	2016-08-06
>21:26:43.284774157 +0200
>> +++ refpolicy-git-06082016/policy/modules/kernel/files.if	2016-08-19
>15:05:34.503054733 +0200
>> @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
>>
>>  ########################################
>>  ## <summary>
>> +##	Load kernel module files.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`files_load_kernel_modules',`
>> +	gen_require(`
>> +		type modules_object_t;
>> +	')
>> +
>> +	files_read_kernel_modules($1)
>> +	allow $1 modules_object_t:system module_load;
>> +')
>> +
>> +########################################
>> +## <summary>
>>  ##	List world-readable directories.
>>  ## </summary>
>>  ## <param name="domain">
>> ---
>refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-09
>16:09:48.811753763 +0200
>> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-19
>15:07:21.169666858 +0200
>> @@ -429,8 +429,12 @@ optional_policy(`
>>  if( ! secure_mode_insmod ) {
>>  	allow can_load_kernmodule self:capability sys_module;
>>
>> +	files_load_kernel_modules(can_load_kernmodule)
>> +
>>  	# load_module() calls stop_machine() which
>>  	# calls sched_setscheduler()
>> +	# gt: there seems to be no trace of the above, at
>> +	# least in kernel versions greater than 2.6.37...
>>  	allow can_load_kernmodule self:capability sys_nice;
>>  	kernel_setsched(can_load_kernmodule)
>>  }
>>