Allow searching /proc/sys/fs when using /proc/sys/fs/binfmt_misc

Interface fs_register_binary_executable_type allow registering interpreters using a filesystem monted on /proc/sys/fs/binfmt_misc. In order to access this filesystem, the process needs to search every parent directory of the mountpoint. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-27 14:56:26 +01:00 · 2016-12-27 14:56:26 +01:00 · 0494f3c0b9
parent da59af22f4
commit 0494f3c0b9
2 changed files with 21 additions and 0 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -612,6 +612,8 @@ interface(`fs_register_binary_executable_type',`
 		type binfmt_misc_fs_t;
 	')

+	# binfmt_misc filesystem is usually mounted on /proc/sys/fs/binfmt_misc
+	kernel_search_fs_sysctls($1)
 	rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
 ')

--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -1985,6 +1985,25 @@ interface(`kernel_rw_kernel_sysctl',`
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
 ')

+########################################
+## <summary>
+##	Search filesystem sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_search_fs_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_fs_t;
+	')
+
+	search_dirs_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
+')
+
 ########################################
 ## <summary>
 ##	Read filesystem sysctls.