From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 30 Aug 2016 12:58:09 +0200
Subject: [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule
In-Reply-To: <033ff4ce-ff99-ac67-1ba2-1e7ed51c38b1@ieee.org>
References: <1470604093.2822.5.camel@trentalancia.net>
 <1470752290.26741.0.camel@trentalancia.net>
 <1401960383.997208.1471208558275.JavaMail.open-xchange@popper06.register.it>
 <1471299772.3112.0.camel@trentalancia.net>
 <1471613252.2903.14.camel@trentalancia.net>
 <033ff4ce-ff99-ac67-1ba2-1e7ed51c38b1@ieee.org>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

You've done the right thing. Thanks for sorting this out.

I am finally seeing the light with the gnome and dbus modules! It comes at the cost of confining the whole desktop, but so far so good...

I have removed the variable types $1_dbusd_t: it doesn't work, end of the story. It's poor design in my opinion because it leads to an unmanageable situation (conflicting type rules).

Regards,

Guido

On the 30th August 2016 02:30:33 CEST, Chris PeBenito wrote:
>On 08/19/16 09:27, Guido Trentalancia wrote:
>> The "module_load" permission has been recently added to the "system"
>> class (kernel 4.7).
>>
>> The following patch updates the Reference Policy so that the new
>> permission is allowed when a kernel module should be loaded.
>>
>> To preserve the module encapsulation, a new interface is defined
>> in the kernel files module and that interface is then used in the
>> kernel module.
>>
>> A short note is added about unneeded permissions that set the
>> kernel scheduling parameters (might lead to service disruption).
>
>I couldn't come up with a better interface name, so I've merged this
>patch.
> > >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/kernel/files.if | 19 +++++++++++++++++++ >> policy/modules/kernel/kernel.te | 4 ++++ >> 2 files changed, 23 insertions(+) >> >> --- >refpolicy-git-06082016-orig/policy/modules/kernel/files.if 2016-08-06 >21:26:43.284774157 +0200 >> +++ refpolicy-git-06082016/policy/modules/kernel/files.if 2016-08-19 >15:05:34.503054733 +0200 >> @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran >> >> ######################################## >> ## >> +## Load kernel module files. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`files_load_kernel_modules',` >> + gen_require(` >> + type modules_object_t; >> + ') >> + >> + files_read_kernel_modules($1) >> + allow $1 modules_object_t:system module_load; >> +') >> + >> +######################################## >> +## >> ## List world-readable directories. >> ## >> ## >> --- >refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te 2016-08-09 >16:09:48.811753763 +0200 >> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te 2016-08-19 >15:07:21.169666858 +0200 >> @@ -429,8 +429,12 @@ optional_policy(` >> if( ! secure_mode_insmod ) { >> allow can_load_kernmodule self:capability sys_module; >> >> + files_load_kernel_modules(can_load_kernmodule) >> + >> # load_module() calls stop_machine() which >> # calls sched_setscheduler() >> + # gt: there seems to be no trace of the above, at >> + # least in kernel versions greater than 2.6.37... >> allow can_load_kernmodule self:capability sys_nice; >> kernel_setsched(can_load_kernmodule) >> } >>
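Review bot: the rule `allow $1 modules_object_t:system module_load;` in the new `files_load_kernel_modules` interface (files.if hunk) only covers the case where the kernel has a file labelled modules_object_t to check against; when a module image is passed in from memory (init_module rather than finit_module) the kernel checks module_load against the loader's own domain, so a caller of this interface is still denied that path unless it separately has `allow $1 self:system module_load;`. The interface description "Load kernel module files." is accurate as far as it goes, but the doc block should state that limitation explicitly so callers know the in-memory load is not granted here and decide in their own module (for example next to the sys_module rule in kernel.te) whether that narrower set of permissions is what they want.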
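Review bot: the added comment `# gt: there seems to be no trace of the above, at least in kernel versions greater than 2.6.37...` in the kernel.te hunk leaves a guess and a personal tag in the policy source while keeping the rules it doubts; the commit message itself calls `allow can_load_kernmodule self:capability sys_nice;` and `kernel_setsched(can_load_kernmodule)` unneeded and a service-disruption risk. Either verify against the current load_module() path and drop those two lines, or replace the note with a comment that records what was checked and why the rules remain, without the "gt:" prefix. Placing `files_load_kernel_modules(can_load_kernmodule)` inside the `if( ! secure_mode_insmod )` block is correct, since it keeps the new permission gated by the same boolean as the existing sys_module rule.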