* [refpolicy] [PATCH] Add module_load permission to can_load_kernmodule
@ 2016-08-07 21:08 Guido Trentalancia
  2016-08-09 14:18 ` [refpolicy] [PATCH v2] " Guido Trentalancia
  0 siblings, 1 reply; 15+ messages in thread
From: Guido Trentalancia @ 2016-08-07 21:08 UTC (permalink / raw)
  To: refpolicy

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/kernel.te |    4 ++++
 1 file changed, 4 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-06 21:26:43.287774191 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-07 22:39:58.704800333 +0200
@@ -18,6 +18,7 @@ attribute can_receive_kernel_messages;
 attribute can_dump_kernel;
 
 neverallow ~can_load_kernmodule self:capability sys_module;
+neverallow ~can_load_kernmodule modules_object_t:system module_load;
 
 # domains with unconfined access to kernel resources
 attribute kern_unconfined;
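Review bot: the added `+neverallow ~can_load_kernmodule modules_object_t:system module_load;` references modules_object_t, a type that kernel.te does not declare (it belongs to the files module), so this raw rule breaks the encapsulation refpolicy keeps between kernel.te and files.te. Put the rule behind an interface in files.if that takes the attribute as `$1`, or express the constraint from the files side; the neverallow itself (every type lacking the attribute is denied module_load on module files) is the right shape.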
@@ -216,6 +217,8 @@ allow kernel_t self:fd use;
 
 allow kernel_t debugfs_t:dir search_dir_perms;
 
+allow kernel_t modules_object_t:system ~module_load;
+
 allow kernel_t proc_t:dir list_dir_perms;
 allow kernel_t proc_t:file read_file_perms;
 allow kernel_t proc_t:lnk_file read_lnk_file_perms;
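Review bot: `+allow kernel_t modules_object_t:system ~module_load;` does not do what the commit message describes: in an access vector `~module_load` is the complement, so this grants kernel_t every permission of the system class except module_load on modules_object_t, and nothing for loading. If kernel_t is meant to load modules, the rule is `allow kernel_t modules_object_t:system module_load;`; if the intent was only to keep kernel_t clear of the neverallow above, kernel_t already carries can_load_kernmodule and no allow is needed. Drop or correct the rule.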
@@ -428,6 +431,7 @@ optional_policy(`
 
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
+	allow can_load_kernmodule modules_object_t:system module_load;
 
 	# load_module() calls stop_machine() which
 	# calls sched_setscheduler()
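Review bot: placing `+	allow can_load_kernmodule modules_object_t:system module_load;` inside `if( ! secure_mode_insmod )` next to the sys_module grant is correct, since with the boolean on neither the capability nor module_load is granted, but the same encapsulation problem as the first hunk applies: modules_object_t is not declared in kernel.te. A files.if interface taking the domain as `$1` would let this line become one interface call and could also carry the read access on modules_object_t that loading a module file needs.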


* [refpolicy] [PATCH v2] Add module_load permission to can_load_kernmodule
  2016-08-07 21:08 [refpolicy] [PATCH] Add module_load permission to can_load_kernmodule Guido Trentalancia
@ 2016-08-09 14:18 ` Guido Trentalancia
  2016-08-13 13:21   ` Chris PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Guido Trentalancia @ 2016-08-09 14:18 UTC (permalink / raw)
  To: refpolicy

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

A couple of unneeded permissions are removed from the kernel
module loading section.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/kernel.te |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-06 21:26:43.287774191 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-09 15:55:46.652356995 +0200
@@ -18,6 +18,7 @@ attribute can_receive_kernel_messages;
 attribute can_dump_kernel;
 
 neverallow ~can_load_kernmodule self:capability sys_module;
+neverallow ~can_load_kernmodule modules_object_t:system module_load;
 
 # domains with unconfined access to kernel resources
 attribute kern_unconfined;
@@ -216,6 +217,8 @@ allow kernel_t self:fd use;
 
 allow kernel_t debugfs_t:dir search_dir_perms;
 
+allow kernel_t modules_object_t:system ~module_load;
+
 allow kernel_t proc_t:dir list_dir_perms;
 allow kernel_t proc_t:file read_file_perms;
 allow kernel_t proc_t:lnk_file read_lnk_file_perms;
@@ -428,11 +431,7 @@ optional_policy(`
 
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
-
-	# load_module() calls stop_machine() which
-	# calls sched_setscheduler()
-	allow can_load_kernmodule self:capability sys_nice;
-	kernel_setsched(can_load_kernmodule)
+	allow can_load_kernmodule modules_object_t:system module_load;
 }
 
 ########################################
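Review bot: the removal of `-	allow can_load_kernmodule self:capability sys_nice;` and `-	kernel_setsched(can_load_kernmodule)` is an unrelated behaviour change folded into a hunk whose purpose is the module_load grant, and the commit message only calls them "unneeded" without saying which kernel code path was checked. Split it into its own patch with that evidence in the message, so the module_load change can merge on its own and the removal can be reverted independently if it causes denials.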


* [refpolicy] [PATCH v2] Add module_load permission to can_load_kernmodule
  2016-08-09 14:18 ` [refpolicy] [PATCH v2] " Guido Trentalancia
@ 2016-08-13 13:21   ` Chris PeBenito
  2016-08-14 21:02     ` [refpolicy] [PATCH v3] " Guido Trentalancia
  0 siblings, 1 reply; 15+ messages in thread
From: Chris PeBenito @ 2016-08-13 13:21 UTC (permalink / raw)
  To: refpolicy

On 08/09/16 10:18, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
>
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
>
> A couple of unneeded permissions are removed from the kernel
> module loading section.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/kernel.te |    9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-06 21:26:43.287774191 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-09 15:55:46.652356995 +0200
> @@ -18,6 +18,7 @@ attribute can_receive_kernel_messages;
>  attribute can_dump_kernel;
>
>  neverallow ~can_load_kernmodule self:capability sys_module;
> +neverallow ~can_load_kernmodule modules_object_t:system module_load;

Problematic, as modules_object_t is not owned by this module.


>  # domains with unconfined access to kernel resources
>  attribute kern_unconfined;
> @@ -216,6 +217,8 @@ allow kernel_t self:fd use;
>
>  allow kernel_t debugfs_t:dir search_dir_perms;
>
> +allow kernel_t modules_object_t:system ~module_load;
> +
>  allow kernel_t proc_t:dir list_dir_perms;
>  allow kernel_t proc_t:file read_file_perms;
>  allow kernel_t proc_t:lnk_file read_lnk_file_perms;
> @@ -428,11 +431,7 @@ optional_policy(`
>
>  if( ! secure_mode_insmod ) {
>  	allow can_load_kernmodule self:capability sys_module;
> -
> -	# load_module() calls stop_machine() which
> -	# calls sched_setscheduler()
> -	allow can_load_kernmodule self:capability sys_nice;
> -	kernel_setsched(can_load_kernmodule)
> +	allow can_load_kernmodule modules_object_t:system module_load;
>  }
>
>  ########################################
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito


* [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule
  2016-08-13 13:21   ` Chris PeBenito
@ 2016-08-14 21:02     ` Guido Trentalancia
  2016-08-14 21:23       ` Dominick Grift
  2016-08-15 22:22       ` [refpolicy] [PATCH v4] " Guido Trentalancia
  0 siblings, 2 replies; 15+ messages in thread
From: Guido Trentalancia @ 2016-08-14 21:02 UTC (permalink / raw)
  To: refpolicy

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

A couple of unneeded permissions (probably obsolete) are removed
from the kernel module loading section.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/files.te  |   11 +++++++++++
 policy/modules/kernel/kernel.te |    7 ++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/kernel/files.te	2016-08-06
21:26:43.284774157 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/files.te	2016-08-14
22:35:30.602463332 +0200
@@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
 
 ########################################
 #
+# Kernel module loading policy
+#
+
+neverallow ~can_load_kernmodule modules_object_t:system module_load;
+
+if( ! secure_mode_insmod ) {
+	allow can_load_kernmodule modules_object_t:system module_load;
+}
+
+########################################
+#
 # Unconfined access to this module
 #
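Review bot: moving the rules into files.te fixes the modules_object_t reference but inverts the problem: `can_load_kernmodule` is declared in kernel.te, and the `if( ! secure_mode_insmod )` conditional in the kernel.te hunks shows the boolean is owned there too, so files.te now reaches into the kernel module's symbols instead. The clean split is an interface in files.if that takes the loading domain as `$1` and grants `modules_object_t:system module_load`, called from the existing `if( ! secure_mode_insmod )` block in kernel.te; the neverallow would then need its own parameterised interface rather than a raw rule here.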
 
--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-09
16:09:48.811753763 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-14
22:35:47.997714250 +0200
@@ -216,6 +216,8 @@ allow kernel_t self:fd use;
 
 allow kernel_t debugfs_t:dir search_dir_perms;
 
+allow kernel_t modules_object_t:system ~module_load;
+
 allow kernel_t proc_t:dir list_dir_perms;
 allow kernel_t proc_t:file read_file_perms;
 allow kernel_t proc_t:lnk_file read_lnk_file_perms;
@@ -428,11 +430,6 @@ optional_policy(`
 
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
-
-	# load_module() calls stop_machine() which
-	# calls sched_setscheduler()
-	allow can_load_kernmodule self:capability sys_nice;
-	kernel_setsched(can_load_kernmodule)
 }
 
 ########################################


* [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule
  2016-08-14 21:02     ` [refpolicy] [PATCH v3] " Guido Trentalancia
@ 2016-08-14 21:23       ` Dominick Grift
  2016-08-15 22:21         ` Guido Trentalancia
  2016-08-15 22:22       ` [refpolicy] [PATCH v4] " Guido Trentalancia
  1 sibling, 1 reply; 15+ messages in thread
From: Dominick Grift @ 2016-08-14 21:23 UTC (permalink / raw)
  To: refpolicy

On 08/14/2016 11:02 PM, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
> 
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
> 
> A couple of unneeded permissions (probably obsolete) are removed
> from the kernel module loading section.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/files.te  |   11 +++++++++++
>  policy/modules/kernel/kernel.te |    7 ++-----
>  2 files changed, 13 insertions(+), 5 deletions(-)
> 
> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te	2016-08-06
> 21:26:43.284774157 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/files.te	2016-08-14
> 22:35:30.602463332 +0200
> @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
>  
>  ########################################
>  #
> +# Kernel module loading policy
> +#
> +
> +neverallow ~can_load_kernmodule modules_object_t:system module_load;
> +
> +if( ! secure_mode_insmod ) {
> +	allow can_load_kernmodule modules_object_t:system module_load;
> +}
> +
> +########################################
> +#
>  # Unconfined access to this module
>  #
>  
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-09
> 16:09:48.811753763 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-14
> 22:35:47.997714250 +0200
> @@ -216,6 +216,8 @@ allow kernel_t self:fd use;
>  
>  allow kernel_t debugfs_t:dir search_dir_perms;
>  
> +allow kernel_t modules_object_t:system ~module_load;

I can't make sense of this rule

> +
>  allow kernel_t proc_t:dir list_dir_perms;
>  allow kernel_t proc_t:file read_file_perms;
>  allow kernel_t proc_t:lnk_file read_lnk_file_perms;
> @@ -428,11 +430,6 @@ optional_policy(`
>  
>  if( ! secure_mode_insmod ) {
>  	allow can_load_kernmodule self:capability sys_module;
> -
> -	# load_module() calls stop_machine() which
> -	# calls sched_setscheduler()
> -	allow can_load_kernmodule self:capability sys_nice;
> -	kernel_setsched(can_load_kernmodule)

I would not remove the above. Might break compatibility

>  }
>  
>  ########################################


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule
  2016-08-15 22:22       ` [refpolicy] [PATCH v4] " Guido Trentalancia
@ 2016-08-15 20:20         ` Chris PeBenito
  2016-08-18 15:01           ` Guido Trentalancia
  2016-08-19 13:27         ` [refpolicy] [PATCH v5] " Guido Trentalancia
  1 sibling, 1 reply; 15+ messages in thread
From: Chris PeBenito @ 2016-08-15 20:20 UTC (permalink / raw)
  To: refpolicy

On 08/15/16 18:22, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
>
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
>
> A couple of unneeded permissions are removed from the kernel
> module loading section.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/files.te  |   11 +++++++++++
>  policy/modules/kernel/kernel.te |    5 -----
>  2 files changed, 11 insertions(+), 5 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te	2016-08-06 21:26:43.284774157 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/files.te	2016-08-14 22:35:30.602463332 +0200
> @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
>
>  ########################################
>  #
> +# Kernel module loading policy
> +#
> +
> +neverallow ~can_load_kernmodule modules_object_t:system module_load;
> +
> +if( ! secure_mode_insmod ) {
> +	allow can_load_kernmodule modules_object_t:system module_load;
> +}

Now we have the problem where can_load_kernmodule isn't owned by this 
module.  You'll have to create the first neverallow interface I think.



> +########################################
> +#
>  # Unconfined access to this module
>  #
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-09 16:09:48.811753763 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-16 00:09:58.411688357 +0200
> @@ -428,11 +428,6 @@ optional_policy(`
>
>  if( ! secure_mode_insmod ) {
>  	allow can_load_kernmodule self:capability sys_module;
> -
> -	# load_module() calls stop_machine() which
> -	# calls sched_setscheduler()
> -	allow can_load_kernmodule self:capability sys_nice;
> -	kernel_setsched(can_load_kernmodule)
>  }
>
>  ########################################

I also agree with Dominick on this.  These are relatively uninteresting 
permissions compared to the sys_module, so until we have some 
explanation, I'd prefer to keep it.  I tried looking at Red Hat bugzilla, 
as this came from Dan Walsh, but it's all the way back from 2011, so 
it's not coming up easily for me.


-- 
Chris PeBenito


* [refpolicy] [PATCH v3] Add module_load permission to can_load_kernmodule
  2016-08-14 21:23       ` Dominick Grift
@ 2016-08-15 22:21         ` Guido Trentalancia
  0 siblings, 0 replies; 15+ messages in thread
From: Guido Trentalancia @ 2016-08-15 22:21 UTC (permalink / raw)
  To: refpolicy

Hello Dominick.

On Sun, 14/08/2016 at 23.23 +0200, Dominick Grift wrote:
> On 08/14/2016 11:02 PM, Guido Trentalancia wrote:
> > The "module_load" permission has been recently added to the
> > "system"
> > class (kernel 4.7).
> > 
> > The following patch updates the Reference Policy so that the new
> > permission is allowed when a kernel module should be loaded.
> > 
> > A couple of unneeded permissions (probably obsolete) are removed
> > from the kernel module loading section.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/kernel/files.te  |   11 +++++++++++
> >  policy/modules/kernel/kernel.te |    7 ++-----
> >  2 files changed, 13 insertions(+), 5 deletions(-)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te	
> > 2016-08-06
> > 21:26:43.284774157 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/files.te	20
> > 16-08-14
> > 22:35:30.602463332 +0200
> > @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
> >  
> >  ########################################
> >  #
> > +# Kernel module loading policy
> > +#
> > +
> > +neverallow ~can_load_kernmodule modules_object_t:system
> > module_load;
> > +
> > +if( ! secure_mode_insmod ) {
> > +	allow can_load_kernmodule modules_object_t:system
> > module_load;
> > +}
> > +
> > +########################################
> > +#
> >  # Unconfined access to this module
> >  #
> >  
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	
> > 2016-08-09
> > 16:09:48.811753763 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2
> > 016-08-14
> > 22:35:47.997714250 +0200
> > @@ -216,6 +216,8 @@ allow kernel_t self:fd use;
> >  
> >  allow kernel_t debugfs_t:dir search_dir_perms;
> >  
> > +allow kernel_t modules_object_t:system ~module_load;
> 
> I can't make sense of this rule

It's a mistake and it has been removed in the latest forthcoming
version of this patch.

> > +
> >  allow kernel_t proc_t:dir list_dir_perms;
> >  allow kernel_t proc_t:file read_file_perms;
> >  allow kernel_t proc_t:lnk_file read_lnk_file_perms;
> > @@ -428,11 +430,6 @@ optional_policy(`
> >  
> >  if( ! secure_mode_insmod ) {
> >  	allow can_load_kernmodule self:capability sys_module;
> > -
> > -	# load_module() calls stop_machine() which
> > -	# calls sched_setscheduler()
> > -	allow can_load_kernmodule self:capability sys_nice;
> > -	kernel_setsched(can_load_kernmodule)
> 
> I would not remove the above. Might break compatibility

I have checked backwards up to kernel version 2.6.37 and there is no
trace of calls to sched_setsched().

Also, even if there were such a call, it was most probably something
wrong!

Therefore, I oppose reverting that (sys_nice + kernel_setsched()).

Regards,

Guido

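As an added illustration of the two rule forms argued over above (my own example, not refpolicy code and not from anyone in this thread), the following Python script expands SELinux-style rules the way the policy checker does: a `~` before a type or attribute expands to every declared type outside that set, a `~` before a permission expands to every permission of the class except those listed, and a neverallow is violated when some allow grants a (source, target, class, permission) tuple it forbids. The system class permission list, the type universe and the extra allow rules are assumptions constructed for the demo; only the first two rules of the sample policy are the ones from the v3 patch. Running it shows that `~module_load` grants kernel_t five unrelated permissions and none for loading, and that an allow on a domain without the attribute trips the neverallow.

```python
"""Toy expander for SELinux allow/neverallow rules with '~' complements.

Added example, not refpolicy code. The 'system' class permission list is an
assumption (it mirrors what I recall from refpolicy's access_vectors); the
types, attributes and extra rules below are constructed for illustration.
"""
import re

# Assumed permission list of the 'system' object class.
CLASS_PERMS = {
    "system": {"ipc_info", "syslog_read", "syslog_mod", "syslog_console",
               "module_request", "module_load"},
}

# Constructed type universe: type -> attributes the type carries.
TYPES = {
    "kernel_t": {"can_load_kernmodule"},
    "insmod_t": {"can_load_kernmodule"},
    "httpd_t": set(),
    "user_t": set(),
    "modules_object_t": set(),
}

# Constructed sample policy: the first two rules are the ones from the v3
# patch, the last two are added so the checker has something to compare.
SAMPLE_POLICY = """
neverallow ~can_load_kernmodule modules_object_t:system module_load;
allow kernel_t modules_object_t:system ~module_load;
allow insmod_t modules_object_t:system module_load;
allow httpd_t modules_object_t:system module_load;
"""

# kind, source, target:class, permission set (identifier, { a b } or ~...).
RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\w+)\s+"
    r"(\{[^}]*\}|~\{[^}]*\}|\S+)\s*;$"
)


def _names(expr):
    """Split an identifier or a `{ a b }` set into names, dropping any `~`."""
    return set(expr.lstrip("~").strip("{}").split())


def resolve_types(expr):
    """Expand a type/attribute expression, honouring a leading `~`."""
    chosen = set()
    for name in _names(expr):
        if name in TYPES:
            chosen.add(name)
        else:  # an attribute: every type that carries it
            carriers = {t for t, attrs in TYPES.items() if name in attrs}
            if not carriers:
                raise ValueError(f"unknown type or attribute: {name}")
            chosen |= carriers
    return set(TYPES) - chosen if expr.startswith("~") else chosen


def resolve_perms(expr, cls):
    """Expand a permission expression against the class, honouring `~`."""
    chosen = _names(expr)
    unknown = chosen - CLASS_PERMS[cls]
    if unknown:
        raise ValueError(f"unknown permission(s) for {cls}: {sorted(unknown)}")
    return CLASS_PERMS[cls] - chosen if expr.startswith("~") else chosen


def parse_rule(line):
    """Return (kind, set of (source, target, class, perm)) for one rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    kind, src, tgt, cls, perms = m.groups()
    sources = resolve_types(src)
    if tgt == "self":
        pairs = {(s, s) for s in sources}
    else:
        pairs = {(s, t) for s in sources for t in resolve_types(tgt)}
    accesses = {(s, t, cls, p) for s, t in pairs for p in resolve_perms(perms, cls)}
    return kind, accesses


def granted(line):
    """Permission names a single rule actually grants (or, for neverallow, forbids)."""
    _, accesses = parse_rule(line)
    return {p for _, _, _, p in accesses}


def violations(policy_text):
    """Sorted (source, target, class, perm) tuples allowed despite a neverallow."""
    allowed, forbidden = set(), set()
    for line in policy_text.strip().splitlines():
        kind, accesses = parse_rule(line)
        (allowed if kind == "allow" else forbidden).update(accesses)
    return sorted(allowed & forbidden)


if __name__ == "__main__":
    print("kernel_t gets:", sorted(granted(
        "allow kernel_t modules_object_t:system ~module_load;")))
    for v in violations(SAMPLE_POLICY):
        print("neverallow violation:", v)
```

The real tooling (checkpolicy at build time, or setools' sesearch against a compiled policy) does this expansion over the full type universe, which is why a refpolicy neverallow on `~can_load_kernmodule` catches an allow that sits in any other module at link time.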

* [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule
  2016-08-14 21:02     ` [refpolicy] [PATCH v3] " Guido Trentalancia
  2016-08-14 21:23       ` Dominick Grift
@ 2016-08-15 22:22       ` Guido Trentalancia
  2016-08-15 20:20         ` Chris PeBenito
  2016-08-19 13:27         ` [refpolicy] [PATCH v5] " Guido Trentalancia
  1 sibling, 2 replies; 15+ messages in thread
From: Guido Trentalancia @ 2016-08-15 22:22 UTC (permalink / raw)
  To: refpolicy

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

A couple of unneeded permissions are removed from the kernel
module loading section.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/files.te  |   11 +++++++++++
 policy/modules/kernel/kernel.te |    5 -----
 2 files changed, 11 insertions(+), 5 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/kernel/files.te	2016-08-06 21:26:43.284774157 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/files.te	2016-08-14 22:35:30.602463332 +0200
@@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
 
 ########################################
 #
+# Kernel module loading policy
+#
+
+neverallow ~can_load_kernmodule modules_object_t:system module_load;
+
+if( ! secure_mode_insmod ) {
+	allow can_load_kernmodule modules_object_t:system module_load;
+}
+
+########################################
+#
 # Unconfined access to this module
 #
 
--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-09 16:09:48.811753763 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-16 00:09:58.411688357 +0200
@@ -428,11 +428,6 @@ optional_policy(`
 
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
-
-	# load_module() calls stop_machine() which
-	# calls sched_setscheduler()
-	allow can_load_kernmodule self:capability sys_nice;
-	kernel_setsched(can_load_kernmodule)
 }
 
 ########################################


* [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule
  2016-08-18 15:01           ` Guido Trentalancia
@ 2016-08-17 19:37             ` Chris PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2016-08-17 19:37 UTC (permalink / raw)
  To: refpolicy

On 08/18/16 11:01, Guido Trentalancia wrote:
> Hello Christopher,
>
> thanks for your feedback on this patch!
>
> On Mon, 15/08/2016 at 16.20 -0400, Chris PeBenito wrote:
>> On 08/15/16 18:22, Guido Trentalancia wrote:
>>> The "module_load" permission has been recently added to the
>>> "system"
>>> class (kernel 4.7).
>>>
>>> The following patch updates the Reference Policy so that the new
>>> permission is allowed when a kernel module should be loaded.
>>>
>>> A couple of unneeded permissions are removed from the kernel
>>> module loading section.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  policy/modules/kernel/files.te  |   11 +++++++++++
>>>  policy/modules/kernel/kernel.te |    5 -----
>>>  2 files changed, 11 insertions(+), 5 deletions(-)
>>>
>>> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te	
>>> 2016-08-06 21:26:43.284774157 +0200
>>> +++ refpolicy-git-06082016/policy/modules/kernel/files.te	20
>>> 16-08-14 22:35:30.602463332 +0200
>>> @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
>>>
>>>  ########################################
>>>  #
>>> +# Kernel module loading policy
>>> +#
>>> +
>>> +neverallow ~can_load_kernmodule modules_object_t:system
>>> module_load;
>>> +
>>> +if( ! secure_mode_insmod ) {
>>> +	allow can_load_kernmodule modules_object_t:system
>>> module_load;
>>> +}
>>
>> Now we have the problem where can_load_kernmodule isn't owned by
>> this
>> module.  You'll have to create the first neverallow interface I
>> think.
>
> I am sorry but I do not understand what you mean.
>
> It compiles fine. What change do you propose exactly?

It compiles fine because the kernel and files modules are always in the 
base.pp.  However the refpolicy module encapsulation should be 
preserved.  The difficulty is can_load_kernmodule is owned by the kernel 
module and modules_object_t is owned by the files module, so you can't 
have a raw rule by itself, so you need an interface.

-- 
Chris PeBenito


* [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule
  2016-08-19 13:27         ` [refpolicy] [PATCH v5] " Guido Trentalancia
@ 2016-08-17 20:05           ` Chris PeBenito
  2016-08-19 20:41             ` Guido Trentalancia
  2016-08-30  0:30           ` Chris PeBenito
  1 sibling, 1 reply; 15+ messages in thread
From: Chris PeBenito @ 2016-08-17 20:05 UTC (permalink / raw)
  To: refpolicy

On 08/19/16 09:27, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
>
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
>
> To preserve the module encapsulation, a new interface is defined
> in the kernel files module and that interface is then used in the
> kernel module.
>
> A short note is added about unneeded permissions that set the
> kernel scheduling parameters (might lead to service disruption).

The policy change is fine, but I want to think about the name of the 
interface.  The name doesn't seem right, but I can't immediately come up 
with a better one.


> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/files.if  |   19 +++++++++++++++++++
>  policy/modules/kernel/kernel.te |    4 ++++
>  2 files changed, 23 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.if	2016-08-06 21:26:43.284774157 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/files.if	2016-08-19 15:05:34.503054733 +0200
> @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
>
>  ########################################
>  ## <summary>
> +##	Load kernel module files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_load_kernel_modules',`
> +	gen_require(`
> +		type modules_object_t;
> +	')
> +
> +	files_read_kernel_modules($1)
> +	allow $1 modules_object_t:system module_load;
> +')
> +
> +########################################
> +## <summary>
>  ##	List world-readable directories.
>  ## </summary>
>  ## <param name="domain">
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-09 16:09:48.811753763 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-19 15:07:21.169666858 +0200
> @@ -429,8 +429,12 @@ optional_policy(`
>  if( ! secure_mode_insmod ) {
>  	allow can_load_kernmodule self:capability sys_module;
>
> +	files_load_kernel_modules(can_load_kernmodule)
> +
>  	# load_module() calls stop_machine() which
>  	# calls sched_setscheduler()
> +	# gt: there seems to be no trace of the above, at
> +	# least in kernel versions greater than 2.6.37...
>  	allow can_load_kernmodule self:capability sys_nice;
>  	kernel_setsched(can_load_kernmodule)
>  }
>


-- 
Chris PeBenito


* [refpolicy] [PATCH v4] Add module_load permission to can_load_kernmodule
  2016-08-15 20:20         ` Chris PeBenito
@ 2016-08-18 15:01           ` Guido Trentalancia
  2016-08-17 19:37             ` Chris PeBenito
  0 siblings, 1 reply; 15+ messages in thread
From: Guido Trentalancia @ 2016-08-18 15:01 UTC (permalink / raw)
  To: refpolicy

Hello Christopher,

thanks for your feedback on this patch!

On Mon, 15/08/2016 at 16.20 -0400, Chris PeBenito wrote:
> On 08/15/16 18:22, Guido Trentalancia wrote:
> > The "module_load" permission has been recently added to the
> > "system"
> > class (kernel 4.7).
> > 
> > The following patch updates the Reference Policy so that the new
> > permission is allowed when a kernel module should be loaded.
> > 
> > A couple of unneeded permissions are removed from the kernel
> > module loading section.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/kernel/files.te  |   11 +++++++++++
> >  policy/modules/kernel/kernel.te |    5 -----
> >  2 files changed, 11 insertions(+), 5 deletions(-)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.te	
> > 2016-08-06 21:26:43.284774157 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/files.te	20
> > 16-08-14 22:35:30.602463332 +0200
> > @@ -208,6 +208,17 @@ fs_associate_tmpfs(tmpfsfile)
> > 
> >  ########################################
> >  #
> > +# Kernel module loading policy
> > +#
> > +
> > +neverallow ~can_load_kernmodule modules_object_t:system
> > module_load;
> > +
> > +if( ! secure_mode_insmod ) {
> > +	allow can_load_kernmodule modules_object_t:system
> > module_load;
> > +}
> 
> Now we have the problem where can_load_kernmodule isn't owned by
> this
> module.  You'll have to create the first neverallow interface I
> think.

I am sorry but I do not understand what you mean.

It compiles fine. What change do you propose exactly?

> > +########################################
> > +#
> >  # Unconfined access to this module
> >  #
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	
> > 2016-08-09 16:09:48.811753763 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2
> > 016-08-16 00:09:58.411688357 +0200
> > @@ -428,11 +428,6 @@ optional_policy(`
> > 
> >  if( ! secure_mode_insmod ) {
> >  	allow can_load_kernmodule self:capability sys_module;
> > -
> > -	# load_module() calls stop_machine() which
> > -	# calls sched_setscheduler()
> > -	allow can_load_kernmodule self:capability sys_nice;
> > -	kernel_setsched(can_load_kernmodule)
> >  }
> > 
> >  ########################################
> 
> I also agree with Dominick on this.  These are relatively
> uninteresting
> permissions compared to the sys_module, so until we have some
> explanation, I'd prefer to keep it.  I tried looking at Red Hat
> bugzilla,
> as this came from Dan Walsh, but it's all the way back from 2011, so
> it's not coming up easily for me.

That's fine, I'll recreate the patch with the sys_nice permission back
in, although I still think it is much better to avoid granting that.

I will add a short note so that hopefully we'll be able to get an
explanation one day...

Best regards,

Guido


* [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule
  2016-08-15 22:22       ` [refpolicy] [PATCH v4] " Guido Trentalancia
  2016-08-15 20:20         ` Chris PeBenito
@ 2016-08-19 13:27         ` Guido Trentalancia
  2016-08-17 20:05           ` Chris PeBenito
  2016-08-30  0:30           ` Chris PeBenito
  1 sibling, 2 replies; 15+ messages in thread
From: Guido Trentalancia @ 2016-08-19 13:27 UTC (permalink / raw)
  To: refpolicy

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

To preserve the module encapsulation, a new interface is defined
in the kernel files module and that interface is then used in the
kernel module.

A short note is added about unneeded permissions that set the
kernel scheduling parameters (might lead to service disruption).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/files.if  |   19 +++++++++++++++++++
 policy/modules/kernel/kernel.te |    4 ++++
 2 files changed, 23 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/kernel/files.if	2016-08-06 21:26:43.284774157 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/files.if	2016-08-19 15:05:34.503054733 +0200
@@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
 
 ########################################
 ## <summary>
+##	Load kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_load_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	files_read_kernel_modules($1)
+	allow $1 modules_object_t:system module_load;
+')
+
+########################################
+## <summary>
 ##	List world-readable directories.
 ## </summary>
 ## <param name="domain">
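Review bot: `interface(`files_load_kernel_modules',`` carries the grant cleanly, but the neverallow that v4 had (`neverallow ~can_load_kernmodule modules_object_t:system module_load;`) has disappeared in this version without a word in the commit message; if that is deliberate, say so, and if the assertion is still wanted it needs its own parameterised interface in files.if, since the constraint crosses the same module boundary. Two smaller points: the summary `Load kernel module files.` should mention that the interface also grants read access through `files_read_kernel_modules($1)`, because callers get more than module_load; and it is worth checking whether a matching `self:system module_load` grant is needed for loaders that hand the kernel a buffer rather than a file, as no hunk in this series provides one.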
--- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-09 16:09:48.811753763 +0200
+++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-19 15:07:21.169666858 +0200
@@ -429,8 +429,12 @@ optional_policy(`
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
 
+	files_load_kernel_modules(can_load_kernmodule)
+
 	# load_module() calls stop_machine() which
 	# calls sched_setscheduler()
+	# gt: there seems to be no trace of the above, at
+	# least in kernel versions greater than 2.6.37...
 	allow can_load_kernmodule self:capability sys_nice;
 	kernel_setsched(can_load_kernmodule)
 }
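Review bot: the added comment `# gt: there seems to be no trace of the above, at least in kernel versions greater than 2.6.37...` records the open question, but policy source should not carry personal initials or a trailing ellipsis; state plainly which kernel tree was searched and that `sys_nice` and `kernel_setsched()` are kept pending an explanation. Placing `files_load_kernel_modules(can_load_kernmodule)` inside `if( ! secure_mode_insmod )` next to the sys_module grant is correct: with the boolean on, neither the capability nor module_load is granted.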


* [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule
  2016-08-17 20:05           ` Chris PeBenito
@ 2016-08-19 20:41             ` Guido Trentalancia
  0 siblings, 0 replies; 15+ messages in thread
From: Guido Trentalancia @ 2016-08-19 20:41 UTC (permalink / raw)
  To: refpolicy

Hello Christopher.

On Wed, 17/08/2016 at 16.05 -0400, Chris PeBenito wrote:
> On 08/19/16 09:27, Guido Trentalancia wrote:
> > The "module_load" permission has been recently added to the
> > "system"
> > class (kernel 4.7).
> > 
> > The following patch updates the Reference Policy so that the new
> > permission is allowed when a kernel module should be loaded.
> > 
> > To preserve the module encapsulation, a new interface is defined
> > in the kernel files module and that interface is then used in the
> > kernel module.
> > 
> > A short note is added about unneeded permissions that set the
> > kernel scheduling parameters (might lead to service disruption).
> 
> The policy change is fine, but I want to think about the name of the
> interface.  The name doesn't seem right, but I can't immediately come
> up with a better one.

An alternative name could be:

files_kernel_module_load()

> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/kernel/files.if  |   19 +++++++++++++++++++
> >  policy/modules/kernel/kernel.te |    4 ++++
> >  2 files changed, 23 insertions(+)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/files.if	
> > 2016-08-06 21:26:43.284774157 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/files.if	20
> > 16-08-19 15:05:34.503054733 +0200
> > @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
> > 
> > ?########################################
> > ?## <summary>
> > +##	Load kernel module files.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`files_load_kernel_modules',`
> > +	gen_require(`
> > +		type modules_object_t;
> > +	')
> > +
> > +	files_read_kernel_modules($1)
> > +	allow $1 modules_object_t:system module_load;
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?##	List world-readable directories.
> > ?## </summary>
> > ?## <param name="domain">
> > --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	
> > 2016-08-09 16:09:48.811753763 +0200
> > +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2
> > 016-08-19 15:07:21.169666858 +0200
> > @@ -429,8 +429,12 @@ optional_policy(`
> > ?if( ! secure_mode_insmod ) {
> > ?	allow can_load_kernmodule self:capability sys_module;
> > 
> > +	files_load_kernel_modules(can_load_kernmodule)
> > +
> > ?	# load_module() calls stop_machine() which
> > ?	# calls sched_setscheduler()
> > +	# gt: there seems to be no trace of the above, at
> > +	# least in kernel versions greater than 2.6.37...
> > ?	allow can_load_kernmodule self:capability sys_nice;
> > ?	kernel_setsched(can_load_kernmodule)
> > ?}
> >

Best regards,

Guido


* [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule
  2016-08-19 13:27         ` [refpolicy] [PATCH v5] " Guido Trentalancia
  2016-08-17 20:05           ` Chris PeBenito
@ 2016-08-30  0:30           ` Chris PeBenito
  2016-08-30 10:58             ` Guido Trentalancia
  1 sibling, 1 reply; 15+ messages in thread
From: Chris PeBenito @ 2016-08-30  0:30 UTC (permalink / raw)
  To: refpolicy

On 08/19/16 09:27, Guido Trentalancia wrote:
> The "module_load" permission has been recently added to the "system"
> class (kernel 4.7).
>
> The following patch updates the Reference Policy so that the new
> permission is allowed when a kernel module should be loaded.
>
> To preserve the module encapsulation, a new interface is defined
> in the kernel files module and that interface is then used in the
> kernel module.
>
> A short note is added about unneeded permissions that set the
> kernel scheduling parameters (might lead to service disruption).

I couldn't come up with a better interface name, so I've merged this patch.


> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/files.if  |   19 +++++++++++++++++++
>  policy/modules/kernel/kernel.te |    4 ++++
>  2 files changed, 23 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/kernel/files.if	2016-08-06 21:26:43.284774157 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/files.if	2016-08-19 15:05:34.503054733 +0200
> @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
>
>  ########################################
>  ## <summary>
> +##	Load kernel module files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_load_kernel_modules',`
> +	gen_require(`
> +		type modules_object_t;
> +	')
> +
> +	files_read_kernel_modules($1)
> +	allow $1 modules_object_t:system module_load;
> +')
> +
> +########################################
> +## <summary>
>  ##	List world-readable directories.
>  ## </summary>
>  ## <param name="domain">
> --- refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-09 16:09:48.811753763 +0200
> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-19 15:07:21.169666858 +0200
> @@ -429,8 +429,12 @@ optional_policy(`
>  if( ! secure_mode_insmod ) {
>  	allow can_load_kernmodule self:capability sys_module;
>
> +	files_load_kernel_modules(can_load_kernmodule)
> +
>  	# load_module() calls stop_machine() which
>  	# calls sched_setscheduler()
> +	# gt: there seems to be no trace of the above, at
> +	# least in kernel versions greater than 2.6.37...
>  	allow can_load_kernmodule self:capability sys_nice;
>  	kernel_setsched(can_load_kernmodule)
>  }
>


-- 
Chris PeBenito
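To make the two kernel code paths behind this permission concrete, here is an added triage helper (written for this page, not part of the thread or of refpolicy) that reads system:module_load AVC denials and names the rule that would grant each one: a denial whose target context equals the source is the init_module() path (module image passed from memory), while a target of modules_object_t is finit_module() from the module tree, which is what files_load_kernel_modules() covers. The AVC lines are constructed samples, and insmod_t is assumed as the loader domain.

```python
import re

# Constructed sample AVC records (not taken from the thread). The field layout
# follows the kernel's audit output for the system:module_load check.
SAMPLE_AVCS = [
    # finit_module(): the target is the type of the module file being loaded
    'type=AVC msg=audit(1471615200.101:201): avc:  denied  { module_load } for  pid=4242 '
    'comm="modprobe" path="/lib/modules/4.7.0/kernel/fs/example.ko" dev="sda1" ino=1234 '
    'scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 '
    'tclass=system permissive=0',
    # init_module(): the image comes from memory, so the target is the caller itself
    'type=AVC msg=audit(1471615200.102:202): avc:  denied  { module_load } for  pid=4243 '
    'comm="insmod" scontext=system_u:system_r:insmod_t:s0 '
    'tcontext=system_u:system_r:insmod_t:s0 tclass=system permissive=0',
    # finit_module() on a file outside the module tree: not covered by the interface
    'type=AVC msg=audit(1471615200.103:203): avc:  denied  { module_load } for  pid=4244 '
    'comm="insmod" path="/tmp/example.ko" dev="tmpfs" ino=99 '
    'scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:tmp_t:s0 '
    'tclass=system permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+(?:denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type (third field) of an SELinux security context string."""
    return context.split(':')[2]


def triage_module_load(avc_line):
    """Classify a system:module_load AVC record and return (syscall path, rule that
    would grant it); None for records that are not module_load checks."""
    m = AVC_RE.search(avc_line)
    if not m or m.group('tclass') != 'system' or 'module_load' not in m.group('perms').split():
        return None
    src, tgt = type_of(m.group('scontext')), type_of(m.group('tcontext'))
    if src == tgt:
        # init_module(): checked against the loader's own context, so the fix is a self rule
        return ('init_module', f'allow {src} self:system module_load;')
    if tgt == 'modules_object_t':
        # finit_module() from /lib/modules: exactly what files_load_kernel_modules() grants
        return ('finit_module', f'files_load_kernel_modules({src})')
    # finit_module() from a file not labelled as a kernel module: find out where that
    # file came from before writing any allow rule for it
    return ('finit_module_unexpected_label', f'review: {src} loading module from {tgt}')


if __name__ == '__main__':
    for line in SAMPLE_AVCS:
        print(triage_module_load(line))
```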


* [refpolicy] [PATCH v5] Add module_load permission to can_load_kernmodule
  2016-08-30  0:30           ` Chris PeBenito
@ 2016-08-30 10:58             ` Guido Trentalancia
  0 siblings, 0 replies; 15+ messages in thread
From: Guido Trentalancia @ 2016-08-30 10:58 UTC (permalink / raw)
  To: refpolicy

Hello Christopher.

You've done the right thing.

Thanks for sorting this out.

I am finally seeing the light with the gnome and dbus modules! It comes at the cost of confining the whole desktop, but so far so good...

I have removed the variable types $1_dbusd_t: it doesn't work, end of the story; it's poor design in my opinion because it leads to an unmanageable situation (conflicting type rules).

Regards,

Guido

On the 30th August 2016 02:30:33 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
>On 08/19/16 09:27, Guido Trentalancia wrote:
>> The "module_load" permission has been recently added to the "system"
>> class (kernel 4.7).
>>
>> The following patch updates the Reference Policy so that the new
>> permission is allowed when a kernel module should be loaded.
>>
>> To preserve the module encapsulation, a new interface is defined
>> in the kernel files module and that interface is then used in the
>> kernel module.
>>
>> A short note is added about unneeded permissions that set the
>> kernel scheduling parameters (might lead to service disruption).
>
>I couldn't come up with a better interface name, so I've merged this
>patch.
>
>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/kernel/files.if  |   19 +++++++++++++++++++
>>  policy/modules/kernel/kernel.te |    4 ++++
>>  2 files changed, 23 insertions(+)
>>
>> ---
>refpolicy-git-06082016-orig/policy/modules/kernel/files.if	2016-08-06
>21:26:43.284774157 +0200
>> +++ refpolicy-git-06082016/policy/modules/kernel/files.if	2016-08-19
>15:05:34.503054733 +0200
>> @@ -4158,6 +4158,25 @@ interface(`files_kernel_modules_filetran
>>
>>  ########################################
>>  ## <summary>
>> +##	Load kernel module files.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`files_load_kernel_modules',`
>> +	gen_require(`
>> +		type modules_object_t;
>> +	')
>> +
>> +	files_read_kernel_modules($1)
>> +	allow $1 modules_object_t:system module_load;
>> +')
>> +
>> +########################################
>> +## <summary>
>>  ##	List world-readable directories.
>>  ## </summary>
>>  ## <param name="domain">
>> ---
>refpolicy-git-06082016-orig/policy/modules/kernel/kernel.te	2016-08-09
>16:09:48.811753763 +0200
>> +++ refpolicy-git-06082016/policy/modules/kernel/kernel.te	2016-08-19
>15:07:21.169666858 +0200
>> @@ -429,8 +429,12 @@ optional_policy(`
>>  if( ! secure_mode_insmod ) {
>>  	allow can_load_kernmodule self:capability sys_module;
>>
>> +	files_load_kernel_modules(can_load_kernmodule)
>> +
>>  	# load_module() calls stop_machine() which
>>  	# calls sched_setscheduler()
>> +	# gt: there seems to be no trace of the above, at
>> +	# least in kernel versions greater than 2.6.37...
>>  	allow can_load_kernmodule self:capability sys_nice;
>>  	kernel_setsched(can_load_kernmodule)
>>  }
>>

