From 1c5dacd2c0eb571e42a811cae5131789058ff721 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 13 Sep 2011 14:45:14 -0400
Subject: [PATCH] Change secure_mode_insmod to control sys_module capability rather than controlling domain transitions to insmod.

Based on a patch from Dan Walsh.
---
 Changelog | 2 ++
 policy/global_booleans | 7 -------
 policy/modules/admin/bootloader.te | 4 ++--
 policy/modules/contrib | 2 +-
 policy/modules/kernel/kernel.if | 7 +------
 policy/modules/kernel/kernel.te | 27 ++++++++++++++++++++++++---
 policy/modules/system/modutils.if | 7 +++----
 policy/modules/system/modutils.te | 10 ++-------
 policy/modules/system/unconfined.if | 4 ++--
 policy/modules/system/unconfined.te | 2 +-
 10 files changed, 38 insertions(+), 34 deletions(-)

diff --git a/Changelog b/Changelog
index 4736da442..1fa54a35d 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Change secure_mode_insmod to control sys_module capability rather than
+	controlling domain transitions to insmod.
 - Openrc and portage updates from Sven Vermeulen.
 - Allow user and role changes on dynamic transitions with the same constraints
 	as regular transitions.
diff --git a/policy/global_booleans b/policy/global_booleans
index 111d004ca..71ff1415b 100644
--- a/policy/global_booleans
+++ b/policy/global_booleans
@@ -13,13 +13,6 @@
 ##
 gen_bool(secure_mode,false)
 
-##
-##
-## Disable transitions to insmod.
-##
-##
-gen_bool(secure_mode_insmod,false)
-
 ##
 ##
 ## boolean to determine whether the system permits loading policy, setting
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index d3da8f23d..1e771ba63 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.12.0)
+policy_module(bootloader, 1.12.1)
 
 ########################################
 #
@@ -121,7 +121,7 @@ logging_rw_generic_logs(bootloader_t)
 
 miscfiles_read_localization(bootloader_t)
 
-modutils_domtrans_insmod_uncond(bootloader_t)
+modutils_domtrans_insmod(bootloader_t)
 
 seutil_read_bin_policy(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
diff --git a/policy/modules/contrib b/policy/modules/contrib
index 9401ae104..f0f7b65d3 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit 9401ae10439194149e43f840803281590111978f
+Subproject commit f0f7b65d39c33c76773ef405ab0e7fe4b35d8371
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 634637855..4bf45cb7f 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -345,13 +345,7 @@ interface(`kernel_load_module',`
 		attribute can_load_kernmodule;
 	')
 
-	allow $1 self:capability sys_module;
 	typeattribute $1 can_load_kernmodule;
-
-	# load_module() calls stop_machine() which
-	# calls sched_setscheduler()
-	allow $1 self:capability sys_nice;
-	kernel_setsched($1)
 ')
 
 ########################################
@@ -2962,4 +2956,5 @@ interface(`kernel_unconfined',`
 	')
 
 	typeattribute $1 kern_unconfined;
+	kernel_load_module($1)
 ')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index eac99614b..15f7ea2b2 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,16 +1,23 @@
-policy_module(kernel, 1.14.0)
+policy_module(kernel, 1.14.1)
 
 ########################################
 #
 # Declarations
 #
 
+##
+##
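Review bot: The documentation of kernel_load_module() needs updating: after this hunk the interface body only assigns can_load_kernmodule, while the sys_module and sys_nice grants it used to contain are now made elsewhere and only while secure_mode_insmod is false, which a reader of kernel.if alone cannot see. The interface's description block sits above the hunk (outside it) and should say so, e.g. `## The sys_module and sys_nice capabilities are granted to the domain in kernel.te, conditional on the secure_mode_insmod boolean being false.` The second hunk adds `kernel_load_module($1)` to kernel_unconfined, which makes the boolean also govern kern_unconfined domains; that deserves a sentence in kernel_unconfined's description as well, since callers of that interface will not expect a runtime boolean to limit them.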

+## Disable kernel module loading.
+##
+##
+gen_bool(secure_mode_insmod, false)
+
 # assertion related attributes
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
 attribute can_dump_kernel;
 
-neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
+neverallow ~can_load_kernmodule self:capability sys_module;
 
 # domains with unconfined access to kernel resources
 attribute kern_unconfined;
@@ -181,7 +188,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 # kernel local policy
 #
 
-allow kernel_t self:capability *;
+allow kernel_t self:capability ~sys_module;
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
 allow kernel_t self:sem create_sem_perms;
@@ -372,6 +379,20 @@ optional_policy(`
 	init_sigchld(unlabeled_t)
 ')
 
+########################################
+#
+# Kernel module loading policy
+#
+
+if( ! secure_mode_insmod ) {
+	allow can_load_kernmodule self:capability sys_module;
+
+	# load_module() calls stop_machine() which
+	# calls sched_setscheduler()
+	allow can_load_kernmodule self:capability sys_nice;
+	kernel_setsched(can_load_kernmodule)
+}
+
 ########################################
 #
 # Rules for unconfined acccess to this module
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab1e..b492674d6 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -153,12 +153,11 @@ interface(`modutils_domtrans_insmod_uncond',`
 #
 interface(`modutils_domtrans_insmod',`
 	gen_require(`
-		bool secure_mode_insmod;
+		type insmod_t, insmod_exec_t;
 	')
 
-	if (!secure_mode_insmod) {
-		modutils_domtrans_insmod_uncond($1)
-	}
+	corecmd_search_bin($1)
+	domtrans_pattern($1, insmod_exec_t, insmod_t)
 ')
 
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index da014edb4..2e1c522dc 100644
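Review bot: The boolean description `## Disable kernel module loading.` understates the scope of the control: with the neverallow narrowed to `~can_load_kernmodule` and the only sys_module allow now inside the conditional block added at the end of this file, setting secure_mode_insmod removes sys_module from every domain, the kernel_t domain (`~sys_module` in the second hunk) and unconfined domains included. Suggest `## Disable kernel module loading. When true, no domain, including unconfined domains, holds the sys_module capability.` Because this is declared with gen_bool rather than gen_tunable, it presumably remains switchable at runtime by any domain permitted to set booleans, which is worth stating in the same block so an administrator knows the lock is only as strong as the policy on setting booleans.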
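Review bot: The new body of modutils_domtrans_insmod() inlines what, judging by its name and the call the hunk removes, modutils_domtrans_insmod_uncond() already provides (its body is above the hunk, outside it), leaving two interfaces with apparently the same effect and no indication which one callers should use; bootloader.te in this same patch switches away from the `_uncond` variant. Keep a single implementation and deprecate the other, e.g. replace the `_uncond` body with a `refpolicywarn` deprecation notice followed by `modutils_domtrans_insmod($1)`, so the contrib submodule update can retire the old name. If the interface's summary above the hunk still mentions secure_mode_insmod, it should be rewritten, since the transition is now unconditional and the boolean is enforced on the capability instead.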
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,8 +1,4 @@
-policy_module(modutils, 1.11.0)
-
-gen_require(`
-	bool secure_mode_insmod;
-')
+policy_module(modutils, 1.11.1)
 
 ########################################
 #
@@ -178,9 +174,7 @@ userdom_use_user_terminals(insmod_t)
 
 userdom_dontaudit_search_user_home_dirs(insmod_t)
 
-if( ! secure_mode_insmod ) {
-	kernel_domtrans_to(insmod_t, insmod_exec_t)
-}
+kernel_domtrans_to(insmod_t, insmod_exec_t)
 
 optional_policy(`
 	alsa_domtrans(insmod_t)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 416e66857..db7aabbf4 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -18,8 +18,8 @@ interface(`unconfined_domain_noaudit',`
 		class passwd all_passwd_perms;
 	')
 
-	# Use any Linux capability.
-	allow $1 self:capability *;
+	# Use most Linux capabilities
+	allow $1 self:capability ~sys_module;
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae500191..eefcba37d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.3.0)
+policy_module(unconfined, 3.3.1)
 
 ########################################
 #
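Review bot: With the conditional around `kernel_domtrans_to(insmod_t, insmod_exec_t)` gone, the kernel's module-loading helper always enters insmod_t, and under secure_mode_insmod the load now fails inside insmod_t on the missing sys_module capability (granted only in the conditional block in kernel.te) rather than at the domain transition. That is the intended design, but it changes the AVC denial an administrator or a monitoring rule will see, from a process transition denial on insmod_exec_t to a capability sys_module denial in insmod_t, so the new line deserves a comment, e.g. `# unconditional: module loading is gated by the sys_module capability in kernel.te (secure_mode_insmod)`. The Changelog entry in this patch could carry the same one-line observation for people upgrading.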
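Review bot: The replacement comment `# Use most Linux capabilities` says what the rule does but not why sys_module was carved out, which is the one thing a future maintainer will want to know before restoring `*`. Suggest `# Use any Linux capability except sys_module, which is granted through kernel_load_module() and gated by secure_mode_insmod.` If, as the kernel_unconfined change in this patch suggests, unconfined_domain_noaudit reaches kernel_load_module() via kernel_unconfined(), that path is where unconfined domains still obtain sys_module, and the interface's description above the hunk should note that unconfined domains are now subject to the boolean.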