From 1c20c002cd4b88df2dec97dc56d5403a1e6343c0 Mon Sep 17 00:00:00 2001
From: Chris PeBenito 
Date: Thu, 29 Feb 2024 09:53:18 -0500
Subject: [PATCH] minissdpd: Revoke kernel module loading permissions.

This domain also calls kernel_request_load_module(), which should be
sufficent.

Signed-off-by: Chris PeBenito 
---
 policy/modules/services/minissdpd.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/services/minissdpd.te b/policy/modules/services/minissdpd.te
index cf8bd9d85..909d019b8 100644
--- a/policy/modules/services/minissdpd.te
+++ b/policy/modules/services/minissdpd.te
@@ -23,7 +23,7 @@ files_runtime_file(minissdpd_runtime_t)
 # Local policy
 #
 
-allow minissdpd_t self:capability { net_admin sys_module };
+allow minissdpd_t self:capability net_admin;
 allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
 allow minissdpd_t self:udp_socket create_socket_perms;
 allow minissdpd_t self:unix_dgram_socket create_socket_perms;
@@ -33,7 +33,6 @@ allow minissdpd_t minissdpd_runtime_t:file manage_file_perms;
 allow minissdpd_t minissdpd_runtime_t:sock_file manage_sock_file_perms;
 files_runtime_filetrans(minissdpd_t, minissdpd_runtime_t, { file sock_file })
 
-kernel_load_module(minissdpd_t)
 kernel_read_network_state(minissdpd_t)
 kernel_request_load_module(minissdpd_t)
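Review bot: Dropping sys_module from the `self:capability` rule without a matching dontaudit means any residual attempt by the daemon to call init_module/finit_module will now surface as an AVC denial rather than being silently refused; that is the right default for a UPnP discovery daemon, which has no business loading module files, but if the original grant was added to silence such a probe it would be cleaner to add `dontaudit minissdpd_t self:capability sys_module;` than to ever re-grant it. It is worth being explicit, either here or in the commit message, that the retained kernel_request_load_module() in the second hunk only permits the domain to trigger kernel-side autoloading (the system:module_request check hit, for example, when a socket() call needs a protocol module) and is not an equivalent of the removed kernel_load_module() interface, so "should be sufficient" is a claim about the narrower mechanism; a short comment above the rule such as `# autoload via request_module() only; loading module files is not needed` would keep the next maintainer from re-adding sys_module. Whether net_admin itself is still required by minissdpd cannot be judged from this hunk and is left as-is.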