From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 27 Dec 2016 21:22:21 +0100 (CET)
Subject: [refpolicy] [PATCH v2] kernel: missing permissions for confined execution
In-Reply-To: <8317c7e0-7d87-6726-837c-1c39b0bfb8c1@ieee.org>
References: <1482021787.10349.1.camel@trentalancia.net> <1482094724.22132.12.camel@trentalancia.net> <8317c7e0-7d87-6726-837c-1c39b0bfb8c1@ieee.org>
Message-ID: <1078174712.17762.1482870141948.JavaMail.open-xchange@popper10.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

Thanks for merging this.

We should now have a fully functional kernel module that, as such, should not need the unconfined_domain interface calls anymore.

Unfortunately, version 2 of this patch did not actually remove such interface call.

Now, we have two options:

- remove it in a new simple patch today or tomorrow;
- wait to remove it until after the next release, so that we can benefit from some more development-stage testing, just in case some kernel installation around needs some other permission which did not show up in the tests that I carried out.

For sure, we shall strive to get rid of it, for maximum security.

> On the 27th of December 2016 at 16.52 Chris PeBenito wrote:
>
>
> On 12/18/16 15:58, Guido Trentalancia via refpolicy wrote:
> > This patch adds missing permissions in the kernel module that prevent
> > running it without the unconfined module.
> >
> > This second version improves the comment section of new interfaces:
> > "Domain" is replaced by "Domain allowed access".
>
> I thought that all of the added rules were for the initramfs. Since
> only a few are, I'm fine without the tunable, so I merged this version
> of the patch.
>
> >
> > Signed-off-by: Guido Trentalancia
> > ---
> > policy/modules/kernel/devices.if | 56 +++++++++++++++
> > policy/modules/kernel/files.if | 131
> > ++++++++++++++++++++++++++++++++++++
> > policy/modules/kernel/filesystem.if | 18 ++++
> > policy/modules/kernel/kernel.if | 18 ++++
> > policy/modules/kernel/kernel.te | 34 +++++++++
> > policy/modules/kernel/terminal.if | 20 +++++
> > 6 files changed, 277 insertions(+)

[...]

Regards,

Guido