##
## boolean to determine whether the system permits loading policy, setting
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index d3da8f23d..1e771ba63 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.12.0)
+policy_module(bootloader, 1.12.1)
########################################
#
@@ -121,7 +121,7 @@ logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
-modutils_domtrans_insmod_uncond(bootloader_t)
+modutils_domtrans_insmod(bootloader_t)
seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
diff --git a/policy/modules/contrib b/policy/modules/contrib
index 9401ae104..f0f7b65d3 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit 9401ae10439194149e43f840803281590111978f
+Subproject commit f0f7b65d39c33c76773ef405ab0e7fe4b35d8371
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 634637855..4bf45cb7f 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -345,13 +345,7 @@ interface(`kernel_load_module',`
attribute can_load_kernmodule;
')
- allow $1 self:capability sys_module;
typeattribute $1 can_load_kernmodule;
-
- # load_module() calls stop_machine() which
- # calls sched_setscheduler()
- allow $1 self:capability sys_nice;
- kernel_setsched($1)
')
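Review bot: After this hunk kernel_load_module() only attaches can_load_kernmodule; the sys_module/sys_nice grants and kernel_setsched() it used to contain are gone from the body, and nothing in the interface says where they went. The interface's doc block starts before the hunk and presumably still describes the interface as allowing module loading, which is now only true while secure_mode_insmod is off. A one-line comment in the body would keep the next reader from re-adding the allow here and tripping the neverallow in kernel.te, e.g. `# sys_module and sys_nice for can_load_kernmodule are granted in kernel.te, gated by the secure_mode_insmod boolean`. The interface definition itself begins outside the hunk.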
########################################
@@ -2962,4 +2956,5 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
+ kernel_load_module($1)
')
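Review bot: The added kernel_load_module($1) call is what keeps kern_unconfined domains legal once the neverallow in kernel.te stops exempting kern_unconfined, but the connection is not stated at the call site. This also changes behaviour for those domains: sys_module was unconditional for them before and is now bool-gated like every other loader, if the kernel.te conditional in this series is the only grant. A short comment would document that intent, e.g. `# sys_module is no longer exempt from the neverallow; grant it via the secure_mode_insmod-gated attribute`. The interface body starts above the hunk.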
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index eac99614b..15f7ea2b2 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,16 +1,23 @@
-policy_module(kernel, 1.14.0)
+policy_module(kernel, 1.14.1)
########################################
#
# Declarations
#
+##
+##
+## Disable kernel module loading.
+##
+##
+gen_bool(secure_mode_insmod, false)
+
# assertion related attributes
attribute can_load_kernmodule;
attribute can_receive_kernel_messages;
attribute can_dump_kernel;
-neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
+neverallow ~can_load_kernmodule self:capability sys_module;
# domains with unconfined access to kernel resources
attribute kern_unconfined;
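Review bot: The documentation on the new gen_bool at the top of the hunk is a single clause, "Disable kernel module loading.", which does not say what the boolean actually changes. From the later hunk in this file the effect is that domains with can_load_kernmodule keep the attribute but lose sys_module, sys_nice and setsched when the boolean is on, and that is worth stating so administrators know the lockdown applies to insmod-style domains and not only to unconfined ones. Something like `## Disable kernel module loading: when set, no domain (including those with the can_load_kernmodule attribute) is granted the sys_module capability.` would do. Whether this replaces a former global definition of the same boolean cannot be seen from this chunk.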
@@ -181,7 +188,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy
#
-allow kernel_t self:capability *;
+allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
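Review bot: kernel_t loses sys_module on the changed line and nothing visible in this diff gives it back, so if kernel_t itself ever needs the capability it now depends on kernel_t carrying can_load_kernmodule through some call outside the shown hunks; that should be confirmed rather than assumed. If the intent is that the kernel only reaches module loading through the insmod_t transition in modutils.te, a comment would make that explicit, e.g. `# sys_module is governed by secure_mode_insmod (see the module loading block below); the kernel loads modules via the insmod_t transition`. This hunk is a fragment of the kernel_t local policy, which continues on both sides.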
@@ -372,6 +379,20 @@ optional_policy(`
init_sigchld(unlabeled_t)
')
+########################################
+#
+# Kernel module loading policy
+#
+
+if( ! secure_mode_insmod ) {
+ allow can_load_kernmodule self:capability sys_module;
+
+ # load_module() calls stop_machine() which
+ # calls sched_setscheduler()
+ allow can_load_kernmodule self:capability sys_nice;
+ kernel_setsched(can_load_kernmodule)
+}
+
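Review bot: The new conditional block is the only grant of sys_module that the neverallow at the top of this file permits, yet the two are a few hundred lines apart with no cross-reference; a comment above the `if` would tie them together, e.g. `# Only can_load_kernmodule may hold sys_module (see the neverallow above); the boolean withdraws it entirely in secure mode`. Also note the spelling `if( ! secure_mode_insmod )` differs from the `if (!secure_mode_insmod)` form being removed from modutils.if in the same series; picking one form across the policy makes grepping for boolean uses easier. The kernel_setsched() call here is presumably the interface from kernel.if, so it now applies to every domain with the attribute, which is a slightly broader grant than the per-domain call it replaces only if some loader previously avoided kernel_load_module().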
########################################
#
# Rules for unconfined acccess to this module
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab1e..b492674d6 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -153,12 +153,11 @@ interface(`modutils_domtrans_insmod_uncond',`
#
interface(`modutils_domtrans_insmod',`
gen_require(`
- bool secure_mode_insmod;
+ type insmod_t, insmod_exec_t;
')
- if (!secure_mode_insmod) {
- modutils_domtrans_insmod_uncond($1)
- }
+ corecmd_search_bin($1)
+ domtrans_pattern($1, insmod_exec_t, insmod_t)
')
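Review bot: With the boolean check removed, modutils_domtrans_insmod() now has the same body as modutils_domtrans_insmod_uncond(), which the hunk header shows still exists just above it, so the two interfaces are redundant. The usual refpolicy handling is to keep the old name for callers but mark it deprecated in its body, e.g. `refpolicywarn(`$0($*) has been deprecated, please use modutils_domtrans_insmod() instead.')` followed by a call to modutils_domtrans_insmod($1), rather than leaving two identical interfaces. The doc block of modutils_domtrans_insmod() ends at the first line of the hunk and, if it still mentions secure_mode_insmod, should be updated to say the gating now happens on the sys_module capability in kernel.te. Both interface bodies extend outside the visible hunk.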
########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index da014edb4..2e1c522dc 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,8 +1,4 @@
-policy_module(modutils, 1.11.0)
-
-gen_require(`
- bool secure_mode_insmod;
-')
+policy_module(modutils, 1.11.1)
########################################
#
@@ -178,9 +174,7 @@ userdom_use_user_terminals(insmod_t)
userdom_dontaudit_search_user_home_dirs(insmod_t)
-if( ! secure_mode_insmod ) {
- kernel_domtrans_to(insmod_t, insmod_exec_t)
-}
+kernel_domtrans_to(insmod_t, insmod_exec_t)
optional_policy(`
alsa_domtrans(insmod_t)
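Review bot: Making kernel_domtrans_to(insmod_t, insmod_exec_t) unconditional changes where a secure-mode module request fails: the kernel can now always enter insmod_t, and the block presumably happens later as a sys_module denial on insmod_t, assuming insmod_t gets can_load_kernmodule through a kernel_load_module() call elsewhere in this file. That is a reasonable design, but it is not obvious to someone reading the transition rule, so a comment would help, e.g. `# Transition is always allowed; secure_mode_insmod now withdraws sys_module from insmod_t in kernel.te`. It also means the failure is logged against insmod_t rather than kernel_t, which is worth noting for anyone tuning audit rules.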
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 416e66857..db7aabbf4 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -18,8 +18,8 @@ interface(`unconfined_domain_noaudit',`
class passwd all_passwd_perms;
')
- # Use any Linux capability.
- allow $1 self:capability *;
+ # Use most Linux capabilities
+ allow $1 self:capability ~sys_module;
allow $1 self:fifo_file manage_fifo_file_perms;
# Transition to myself, to make get_ordered_context_list happy.
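Review bot: The replacement comment "Use most Linux capabilities" says what the rule does but not why sys_module is the one left out, and that is exactly the thing the next maintainer will be tempted to put back. Since the exclusion exists to satisfy the tightened neverallow in kernel.te, and sys_module is meant to arrive through the bool-gated can_load_kernmodule path instead, say so on the line: `# Use all Linux capabilities except sys_module, which only the secure_mode_insmod-gated can_load_kernmodule attribute may hold.` The trailing period also keeps it consistent with the surrounding comments in this interface.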
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae500191..eefcba37d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.3.0)
+policy_module(unconfined, 3.3.1)
########################################
#