From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 11 Sep 2017 20:05:22 -0400 Subject: [refpolicy] [PATCH] modutils: libkmod mmap()s modules.dep and *.ko's In-Reply-To: <20170911031807.3980-1-aranea@aixah.de> References: <20170911031807.3980-1-aranea@aixah.de> Message-ID: <90270ff6-5baa-e61c-bb3f-b49486e222b0@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote: > Note that not only kmod needs this permission, other libkmod consumers > like udev require it, too. Hence I'm adding the permission to the > relevant interfaces. > --- > policy/modules/system/modutils.if | 4 ++-- > policy/modules/system/modutils.te | 2 ++ > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if > index d6b92ba4..e9ee3c29 100644 > --- a/policy/modules/system/modutils.if > +++ b/policy/modules/system/modutils.if > @@ -34,7 +34,7 @@ interface(`modutils_read_module_deps',` > ') > > files_list_kernel_modules($1) > - allow $1 modules_dep_t:file read_file_perms; > + allow $1 modules_dep_t:file { read_file_perms map }; > ') > > ######################################## > @@ -53,7 +53,7 @@ interface(`modutils_read_module_objects',` > ') > > files_list_kernel_modules($1) > - allow $1 modules_object_t:file read_file_perms; > + allow $1 modules_object_t:file { read_file_perms map }; > ') > > ######################################## > diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te > index 7cc6985d..70efffc1 100644 > --- a/policy/modules/system/modutils.te > +++ b/policy/modules/system/modutils.te 
> @@ -46,9 +46,11 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t) > read_files_pattern(kmod_t, modules_conf_t, modules_conf_t) > list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t) > manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t) > +allow kmod_t modules_dep_t:file map; > filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file) > create_files_pattern(kmod_t, modules_object_t, modules_dep_t) > delete_files_pattern(kmod_t, modules_object_t, modules_dep_t) > +allow kmod_t modules_object_t:file map; > > can_exec(kmod_t, kmod_exec_t) Merged. -- Chris PeBenito
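Review bot: in modutils.if, both `modutils_read_module_deps` and `modutils_read_module_objects` now grant `map` to every caller, but neither hunk touches the interface header. If the summaries still describe plain read access, they should state that callers may also memory-map the files, so that someone auditing what the interface grants does not have to read its body. The inline set `{ read_file_perms map }` is also repeated in both interfaces; a single named permission set for read plus map would keep the two from drifting apart.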
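Review bot: in the modutils.te hunk, `allow kmod_t modules_object_t:file map;` is placed after the `create_files_pattern` and `delete_files_pattern` lines, which concern modules_dep_t files inside modules_object_t directories, and nothing in the visible context gives kmod_t read access to modules_object_t files. Placing the rule next to the line that grants kmod_t read on modules_object_t (outside this hunk) would keep each type's rules together. The other added line, `allow kmod_t modules_dep_t:file map;`, follows `manage_files_pattern`, so kmod_t ends up holding map alongside write on modules_dep_t; a one-line comment naming libkmod's mmap() of modules.dep as the reason would record why the permission is there.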