2015-12-11 12:48:33

by Laurent Bigonville

Subject: [refpolicy] [PATCH] Add interfaces to read/write /proc/sys/vm/overcommit_memory

From: Laurent Bigonville <[email protected]>

Inspired by the Fedora policy.
---
policy/modules/kernel/kernel.if | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index f1130d1..9ef2fae 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3323,3 +3323,44 @@ interface(`kernel_unconfined',`
typeattribute $1 kern_unconfined;
kernel_load_module($1)
')
+
+########################################
+## <summary>
+## Allow caller to read virtual memory overcommit sysctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_read_vm_overcommit_sysctl',`
+ gen_require(`
+ type sysctl_vm_overcommit_t;
+ ')
+
+ kernel_search_vm_sysctl($1)
+ read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+')
+
+########################################
+## <summary>
+## Read and write virtual memory overcommit sysctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_rw_vm_overcommit_sysctl',`
+ gen_require(`
+ type sysctl_vm_overcommit_t;
+ ')
+
+ kernel_search_vm_sysctl($1)
+ rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+')
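Review bot: Both interfaces `gen_require` the type `sysctl_vm_overcommit_t`, but the diffstat shows only kernel.if changing, so unless kernel.te already declares that type (with a `genfscon proc /sys/vm/overcommit_memory` entry) the module will fail to build at the require; if a companion kernel.te patch exists, it should be referenced in the message. The `list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)` line in the rw interface is questionable, since overcommit_memory is a single file and no directory carries that type, so the rule grants nothing reachable; it is also absent from the read interface, making the two inconsistent. I would drop that line, or if directory listing of /proc/sys/vm is intended, use `kernel_list_vm_sysctl`-style access on the parent type instead. Given that writing this tunable changes kernel memory-overcommit behaviour for the whole system, a one-line `## <desc>` note in the rw interface summary such as "Writing this sysctl affects system-wide memory overcommit policy; grant sparingly." would help policy authors who see the `<rolecap/>` tag.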
--
2.6.4