From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 20:05:22 -0400
Subject: [refpolicy] [PATCH] modutils: libkmod mmap()s modules.dep and
 *.ko's
In-Reply-To: <20170911031807.3980-1-aranea@aixah.de>
References: <20170911031807.3980-1-aranea@aixah.de>
Message-ID: <90270ff6-5baa-e61c-bb3f-b49486e222b0@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> Note that not only kmod needs this permission, other libkmod consumers
> like udev require it, too. Hence I'm adding the permission to the
> relevant interfaces.
> ---
>   policy/modules/system/modutils.if | 4 ++--
>   policy/modules/system/modutils.te | 2 ++
>   2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
> index d6b92ba4..e9ee3c29 100644
> --- a/policy/modules/system/modutils.if
> +++ b/policy/modules/system/modutils.if
> @@ -34,7 +34,7 @@ interface(`modutils_read_module_deps',`
>   	')
>   
>   	files_list_kernel_modules($1)
> -	allow $1 modules_dep_t:file read_file_perms;
> +	allow $1 modules_dep_t:file { read_file_perms map };
>   ')
>   
>   ########################################
> @@ -53,7 +53,7 @@ interface(`modutils_read_module_objects',`
>   	')
>   
>   	files_list_kernel_modules($1)
> -	allow $1 modules_object_t:file read_file_perms;
> +	allow $1 modules_object_t:file { read_file_perms map };
>   ')
>   
>   ########################################
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index 7cc6985d..70efffc1 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -46,9 +46,11 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
>   read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
>   list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
>   manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
> +allow kmod_t modules_dep_t:file map;
>   filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
>   create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
>   delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> +allow kmod_t modules_object_t:file map;
>   
>   can_exec(kmod_t, kmod_exec_t)

Merged.

-- 
Chris PeBenito