modutils: libkmod mmap()s modules.dep and *.ko's

Note that not only kmod needs this permission, other libkmod consumers like udev require it, too. Hence I'm adding the permission to the relevant interfaces.
2017-09-11 05:18:07 +02:00 · 2017-09-11 05:18:07 +02:00 · 14107ce1c0
parent 7025086a9c
commit 14107ce1c0
2 changed files with 4 additions and 2 deletions
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@ -34,7 +34,7 @@ interface(`modutils_read_module_deps',`
 	')
 	files_list_kernel_modules($1)
-	allow $1 modules_dep_t:file read_file_perms;
+	allow $1 modules_dep_t:file { read_file_perms map };
 ')
 ########################################
@ -53,7 +53,7 @@ interface(`modutils_read_module_objects',`
 	')
 	files_list_kernel_modules($1)
-	allow $1 modules_object_t:file read_file_perms;
+	allow $1 modules_object_t:file { read_file_perms map };
 ')
 ########################################
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@ -46,9 +46,11 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
 read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
 manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
 allow kmod_t modules_dep_t:file map;
 filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
 create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 allow kmod_t modules_object_t:file map;
 can_exec(kmod_t, kmod_exec_t)