Change secure_mode_insmod to control sys_module capability rather than controlling domain transitions to insmod.

Based on a patch from Dan Walsh.
2025-02-02 21:01:32 +00:00 · 2011-09-13 14:45:14 -04:00 · 2011-09-13 14:45:14 -04:00 · 1c5dacd2c0
commit 1c5dacd2c0
parent f718181930
10 changed files with 38 additions and 34 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+- Change secure_mode_insmod to control sys_module capability rather than
+  controlling domain transitions to insmod.
 - Openrc and portage updates from Sven Vermeulen.
 - Allow user and role changes on dynamic transitions with the same
  constraints as regular transitions.
--- a/policy/global_booleans
+++ b/policy/global_booleans
@ -13,13 +13,6 @@
 ## </desc>
 gen_bool(secure_mode,false)

-## <desc>
-## <p>
-## Disable transitions to insmod.
-## </p>
-## </desc>
-gen_bool(secure_mode_insmod,false)
-
 ## <desc>
 ## <p>
 ## boolean to determine whether the system permits loading policy, setting
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@ -1,4 +1,4 @@
-policy_module(bootloader, 1.12.0)
+policy_module(bootloader, 1.12.1)

 ########################################
 #
@ -121,7 +121,7 @@ logging_rw_generic_logs(bootloader_t)

 miscfiles_read_localization(bootloader_t)

-modutils_domtrans_insmod_uncond(bootloader_t)
+modutils_domtrans_insmod(bootloader_t)

 seutil_read_bin_policy(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@ -1 +1 @@
-Subproject commit 9401ae10439194149e43f840803281590111978f
+Subproject commit f0f7b65d39c33c76773ef405ab0e7fe4b35d8371
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -345,13 +345,7 @@ interface(`kernel_load_module',`
 		attribute can_load_kernmodule;
 	')

-	allow $1 self:capability sys_module;
 	typeattribute $1 can_load_kernmodule;
-
-	# load_module() calls stop_machine() which
-	# calls sched_setscheduler()
-	allow $1 self:capability sys_nice;
-	kernel_setsched($1)
 ')

 ########################################
@ -2962,4 +2956,5 @@ interface(`kernel_unconfined',`
 	')

 	typeattribute $1 kern_unconfined;
+	kernel_load_module($1)
 ')
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@ -1,16 +1,23 @@
-policy_module(kernel, 1.14.0)
+policy_module(kernel, 1.14.1)

 ########################################
 #
 # Declarations
 #

+## <desc>
+## <p>
+## Disable kernel module loading.
+## </p>
+## </desc>
+gen_bool(secure_mode_insmod, false)
+
 # assertion related attributes
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
 attribute can_dump_kernel;

-neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
+neverallow ~can_load_kernmodule self:capability sys_module;

 # domains with unconfined access to kernel resources
 attribute kern_unconfined;
@ -181,7 +188,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 # kernel local policy
 #

-allow kernel_t self:capability *;
+allow kernel_t self:capability ~sys_module;
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
 allow kernel_t self:sem create_sem_perms;
@ -372,6 +379,20 @@ optional_policy(`
 	init_sigchld(unlabeled_t)
 ')

+########################################
+#
+# Kernel module loading policy
+#
+
+if( ! secure_mode_insmod ) {
+	allow can_load_kernmodule self:capability sys_module;
+
+	# load_module() calls stop_machine() which
+	# calls sched_setscheduler()
+	allow can_load_kernmodule self:capability sys_nice;
+	kernel_setsched(can_load_kernmodule)
+}
+
 ########################################
 #
 # Rules for unconfined acccess to this module
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@ -153,12 +153,11 @@ interface(`modutils_domtrans_insmod_uncond',`
 #
 interface(`modutils_domtrans_insmod',`
 	gen_require(`
-		bool secure_mode_insmod;
+		type insmod_t, insmod_exec_t;
 	')

-	if (!secure_mode_insmod) {
-		modutils_domtrans_insmod_uncond($1)
-	}
+	corecmd_search_bin($1)
+	domtrans_pattern($1, insmod_exec_t, insmod_t)
 ')

 ########################################
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@ -1,8 +1,4 @@
-policy_module(modutils, 1.11.0)
-
-gen_require(`
-	bool secure_mode_insmod;
-')
+policy_module(modutils, 1.11.1)

 ########################################
 #
@ -178,9 +174,7 @@ userdom_use_user_terminals(insmod_t)

 userdom_dontaudit_search_user_home_dirs(insmod_t)

-if( ! secure_mode_insmod ) {
-	kernel_domtrans_to(insmod_t, insmod_exec_t)
-}
+kernel_domtrans_to(insmod_t, insmod_exec_t)

 optional_policy(`
 	alsa_domtrans(insmod_t)
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@ -18,8 +18,8 @@ interface(`unconfined_domain_noaudit',`
 		class passwd all_passwd_perms;
 	')

-	# Use any Linux capability.
-	allow $1 self:capability *;
+	# Use most Linux capabilities
+	allow $1 self:capability ~sys_module;
 	allow $1 self:fifo_file manage_fifo_file_perms;

 	# Transition to myself, to make get_ordered_context_list happy.
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@ -1,4 +1,4 @@
-policy_module(unconfined, 3.3.0)
+policy_module(unconfined, 3.3.1)

 ########################################
 #