All of lore.kernel.org
 help / color / mirror / Atom feed
From: guido@trentalancia.net (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule
Date: Tue, 16 Aug 2016 00:21:32 +0200	[thread overview]
Message-ID: <1471299692.2901.0.camel@trentalancia.net> (raw)
In-Reply-To: <5ce89d31-5641-a464-cd73-43590848aa49@gmail.com>

Hello Dominick.

On Sun, 14/08/2016 at 23.23 +0200, Dominick Grift wrote:
> On 08/14/2016 11:02 PM, Guido Trentalancia wrote:
> > The "module_load" permission has been recently added to the
> > "system"
> > class (kernel 4.7).
> > 
> > The following patch updates the Reference Policy so that the new
> > permission is allowed when a kernel module should be loaded.
> > 
> > A couple of unneeded permissions (probably obsolete) are removed
> > from the kernel module loading section.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > ?policy/modules/kernel/files.te??|???11 +++++++++++
> > ?policy/modules/kernel/kernel.te |????7 ++-----
> > ?2 files changed, 13 insertions(+), 5 deletions(-)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te	
> > 2016-08-06
> > 21:26:43.284774157 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/files.te	20
> > 16-08-14
> > 22:35:30.602463332 +0200
> > @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
> > ?
> > ?########################################
> > ?#
> > +# Kernel module loading policy
> > +#
> > +
> > +neverallow ~can_load_kernmodule modules_object_t:system
> > module_load;
> > +
> > +if( ! secure_mode_insmod ) {
> > +	allow can_load_kernmodule modules_object_t:system
> > module_load;
> > +}
> > +
> > +########################################
> > +#
> > ?# Unconfined access to this module
> > ?#
> > ?
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	
> > 2016-08-09
> > 16:09:48.811753763 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2
> > 016-08-14
> > 22:35:47.997714250 +0200
> > @@ -216,6 +216,8 @@ allow kernel_t self:fd use;
> > ?
> > ?allow kernel_t debugfs_t:dir search_dir_perms;
> > ?
> > +allow kernel_t modules_object_t:system ~module_load;
> 
> I can't make sense of this rule

It's a mistake and it has been removed in the latest forthcoming
version of this patch.

> > +
> > ?allow kernel_t proc_t:dir list_dir_perms;
> > ?allow kernel_t proc_t:file read_file_perms;
> > ?allow kernel_t proc_t:lnk_file read_lnk_file_perms;
> > @@ -428,11 +430,6 @@ optional_policy(`
> > ?
> > ?if( ! secure_mode_insmod ) {
> > ?	allow can_load_kernmodule self:capability sys_module;
> > -
> > -	# load_module() calls stop_machine() which
> > -	# calls sched_setscheduler()
> > -	allow can_load_kernmodule self:capability sys_nice;
> > -	kernel_setsched(can_load_kernmodule)
> 
> I would not remove the above. Might break compatibility

I have checked backwards up to kernel version 2.6.37 and there is no
trace of calls to sched_setsched().

Also, even if there was such a call, it was most probably something
wrong !

Therefore, I oppose reverting that (sys_nice + kernel_setsched()).

Regards,

Guido

  reply	other threads:[~2016-08-15 22:21 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-07 21:08 [refpolicy] [PATCH] Add module_load permission to can_load_kernmodule Guido Trentalancia
2016-08-09 14:18 ` [refpolicy] [PATCH v2] " Guido Trentalancia
2016-08-13 13:21   ` Chris PeBenito
2016-08-14 21:02     ` [refpolicy] [PATCH v3] " Guido Trentalancia
2016-08-14 21:23       ` Dominick Grift
2016-08-15 22:21         ` Guido Trentalancia [this message]
2016-08-15 22:22       ` [refpolicy] [PATCH v4] " Guido Trentalancia
2016-08-15 20:20         ` Chris PeBenito
2016-08-18 15:01           ` Guido Trentalancia
2016-08-17 19:37             ` Chris PeBenito
2016-08-19 13:27         ` [refpolicy] [PATCH v5] " Guido Trentalancia
2016-08-17 20:05           ` Chris PeBenito
2016-08-19 20:41             ` Guido Trentalancia
2016-08-30  0:30           ` Chris PeBenito
2016-08-30 10:58             ` Guido Trentalancia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1471299692.2901.0.camel@trentalancia.net \
    --to=guido@trentalancia.net \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.