* [refpolicy]   [PATCH] ifconfig loads kernel modules
@ 2016-07-31  9:48 Russell Coker
  2016-08-02 23:38 ` Chris PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2016-07-31  9:48 UTC (permalink / raw)
  To: refpolicy

The following patch allows ifconfig to trigger module loads.


diff -ruN /home/rjc/src/pol-git/policy/modules/system/sysnetwork.te ./policy/modules/system/sysnetwork.te
--- /home/rjc/src/pol-git/policy/modules/system/sysnetwork.te	2016-07-28 20:33:39.971961928 +1000
+++ ./policy/modules/system/sysnetwork.te	2016-07-31 19:47:25.822898970 +1000
@@ -261,6 +261,7 @@
 # Ifconfig local policy
 #
 
+kernel_load_module(ifconfig_t)
 allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
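Review bot: the added kernel_load_module(ifconfig_t) at the top of the ifconfig local policy block lets ifconfig_t load kernel modules itself, yet the description only says it "allows ifconfig to trigger module loads" and shows no AVC denial that requires it. The domain already holds net_admin and sys_admin in the context line just below, so please include the denial and the net-tools version that produced it to justify the extra privilege, or drop the line if the denial cannot be reproduced.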


* [refpolicy] [PATCH] ifconfig loads kernel modules
  2016-07-31  9:48 [refpolicy] [PATCH] ifconfig loads kernel modules Russell Coker
@ 2016-08-02 23:38 ` Chris PeBenito
  2016-08-03  2:28   ` Russell Coker
  0 siblings, 1 reply; 4+ messages in thread
From: Chris PeBenito @ 2016-08-02 23:38 UTC (permalink / raw)
  To: refpolicy

On 07/31/16 05:48, Russell Coker wrote:
> The following patch allows ifconfig to trigger module loads.
>
>
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/sysnetwork.te ./policy/modules/system/sysnetwork.te
> --- /home/rjc/src/pol-git/policy/modules/system/sysnetwork.te	2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/sysnetwork.te	2016-07-31 19:47:25.822898970 +1000
> @@ -261,6 +261,7 @@
>  # Ifconfig local policy
>  #
>
> +kernel_load_module(ifconfig_t)
>  allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
>  allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
>  allow ifconfig_t self:fd use;
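Review bot: style point on where kernel_load_module(ifconfig_t) lands: it is inserted directly under the "# Ifconfig local policy" banner, ahead of the allow ifconfig_t self:... rules. Keeping the self rules first and placing the call with the block's other kernel_* interface calls would put it next to any existing module-related access for this domain, which makes overlap easier to spot.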

Is this a current denial?  If so, what version of net-tools is that on?

ifconfig_t already has kernel_request_load_module(ifconfig_t) so I'm 
unclear why it would be directly loading modules itself.

-- 
Chris PeBenito


* [refpolicy] [PATCH] ifconfig loads kernel modules
  2016-08-02 23:38 ` Chris PeBenito
@ 2016-08-03  2:28   ` Russell Coker
  2016-08-03  2:37     ` Jason Zaman
  0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2016-08-03  2:28 UTC (permalink / raw)
  To: refpolicy

On Wed, 3 Aug 2016 09:38:02 AM Chris PeBenito wrote:
> > +kernel_load_module(ifconfig_t)
> >
> >  allow ifconfig_t self:capability { net_raw net_admin sys_admin
> >sys_tty_config }; allow ifconfig_t self:process ~{ ptrace setcurrent
> >setexec setfscreate setrlimit execmem execheap execstack }; allow
> >ifconfig_t self:fd use;
> 
> Is this a current denial?  If so, what version of net-tools is that on?
> 
> ifconfig_t already has kernel_request_load_module(ifconfig_t) so I'm 
> unclear why it would be directly loading modules itself.

It's been in my tree for years.  I'll remove it and see what happens.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] ifconfig loads kernel modules
  2016-08-03  2:28   ` Russell Coker
@ 2016-08-03  2:37     ` Jason Zaman
  0 siblings, 0 replies; 4+ messages in thread
From: Jason Zaman @ 2016-08-03  2:37 UTC (permalink / raw)
  To: refpolicy

On Wed, Aug 03, 2016 at 12:28:53PM +1000, Russell Coker wrote:
> On Wed, 3 Aug 2016 09:38:02 AM Chris PeBenito wrote:
> > > +kernel_load_module(ifconfig_t)
> > >
> > >  allow ifconfig_t self:capability { net_raw net_admin sys_admin
> > >sys_tty_config }; allow ifconfig_t self:process ~{ ptrace setcurrent
> > >setexec setfscreate setrlimit execmem execheap execstack }; allow
> > >ifconfig_t self:fd use;
> > 
> > Is this a current denial?  If so, what version of net-tools is that on?
> > 
> > ifconfig_t already has kernel_request_load_module(ifconfig_t) so I'm 
> > unclear why it would be directly loading modules itself.
> 
> It's been in my tree for years.  I'll remove it and see what happens.

I've seen this on my gentoo machines for a fair while too but not dug
deeper into why. I assumed it was something to do with firmware loading
when the wifi modules come up but could be completely wrong. I think I
only see it during first boot tho not later on.

-- Jason
