[refpolicy] [PATCH] modutils: libkmod mmap()s modules.dep and *.ko's

[refpolicy] [PATCH] modutils: libkmod mmap()s modules.dep and *.ko's

[Luis Ressel]

Note that not only kmod needs this permission, other libkmod consumers
like udev require it, too. Hence I'm adding the permission to the
relevant interfaces.
---
 policy/modules/system/modutils.if | 4 ++--
 policy/modules/system/modutils.te | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index d6b92ba4..e9ee3c29 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -34,7 +34,7 @@ interface(`modutils_read_module_deps',`
 	')
 
 	files_list_kernel_modules($1)
-	allow $1 modules_dep_t:file read_file_perms;
+	allow $1 modules_dep_t:file { read_file_perms map };
 ')
 
 ########################################
@@ -53,7 +53,7 @@ interface(`modutils_read_module_objects',`
 	')
 
 	files_list_kernel_modules($1)
-	allow $1 modules_object_t:file read_file_perms;
+	allow $1 modules_object_t:file { read_file_perms map };
 ')
 
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7cc6985d..70efffc1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -46,9 +46,11 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
 read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
 manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
+allow kmod_t modules_dep_t:file map;
 filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
 create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+allow kmod_t modules_object_t:file map;
 
 can_exec(kmod_t, kmod_exec_t)
 
-- 
2.14.1

[refpolicy] [PATCH] modutils: libkmod mmap()s modules.dep and *.ko's

[Chris PeBenito]

On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> Note that not only kmod needs this permission, other libkmod consumers
> like udev require it, too. Hence I'm adding the permission to the
> relevant interfaces.
> ---
>   policy/modules/system/modutils.if | 4 ++--
>   policy/modules/system/modutils.te | 2 ++
>   2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
> index d6b92ba4..e9ee3c29 100644
> --- a/policy/modules/system/modutils.if
> +++ b/policy/modules/system/modutils.if
> @@ -34,7 +34,7 @@ interface(`modutils_read_module_deps',`
>   	')
>   
>   	files_list_kernel_modules($1)
> -	allow $1 modules_dep_t:file read_file_perms;
> +	allow $1 modules_dep_t:file { read_file_perms map };
>   ')
>   
>   ########################################
> @@ -53,7 +53,7 @@ interface(`modutils_read_module_objects',`
>   	')
>   
>   	files_list_kernel_modules($1)
> -	allow $1 modules_object_t:file read_file_perms;
> +	allow $1 modules_object_t:file { read_file_perms map };
>   ')
>   
>   ########################################
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index 7cc6985d..70efffc1 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -46,9 +46,11 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
>   read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
>   list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
>   manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
> +allow kmod_t modules_dep_t:file map;
>   filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
>   create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
>   delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> +allow kmod_t modules_object_t:file map;
>   
>   can_exec(kmod_t, kmod_exec_t)

Merged.

-- 
Chris PeBenito