commit: 2d3434d450e59823792bf8071e07cacf5c9e9fd4 Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> AuthorDate: Tue Dec 27 13:56:26 2016 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Jan 1 16:26:28 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2d3434d4
Allow searching /proc/sys/fs when using /proc/sys/fs/binfmt_misc Interface fs_register_binary_executable_type allow registering interpreters using a filesystem monted on /proc/sys/fs/binfmt_misc. In order to access this filesystem, the process needs to search every parent directory of the mountpoint. Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org> policy/modules/kernel/filesystem.if | 2 ++ policy/modules/kernel/kernel.if | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 9471dbe..c85d805 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -612,6 +612,8 @@ interface(`fs_register_binary_executable_type',`
 type binfmt_misc_fs_t;
 ')
 
+ # binfmt_misc filesystem is usually mounted on /proc/sys/fs/binfmt_misc
+ kernel_search_fs_sysctls($1)
 rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
 ')
 
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 29709df..2c7ad0c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2005,6 +2005,25 @@ interface(`kernel_rw_kernel_sysctl',`
 
 ########################################
 ## <summary>
+## Search filesystem sysctl directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_search_fs_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_fs_t;
+ ')
+
+ search_dirs_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
+')
+
+########################################
+## <summary>
 ## Read filesystem sysctls.
 ## </summary>
 ## <param name="domain">
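Review bot: The new `kernel_search_fs_sysctls($1)` call is placed above the module's own `rw_files_pattern` rule in fs_register_binary_executable_type; refpolicy interface bodies conventionally list the module-local rules first and calls into other modules (kernel layer first) after them, so I would move the comment and the call below `rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)`. The comment would also be more useful if it said why the extra rights are granted rather than only where the filesystem usually lives, e.g. `# traverse /proc, /proc/sys and /proc/sys/fs to reach the binfmt_misc mountpoint`. The interface header and the opening of its gen_require block are outside the hunk.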
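Review bot: The new kernel_search_fs_sysctls interface has only the one-line summary "Search filesystem sysctl directories." and no `<desc>` block, although its purpose per the commit message is to let a domain traverse /proc, /proc/sys and /proc/sys/fs without reading any sysctl value; I would add after `## </summary>` a description such as `## <desc><p>Allow the domain to search proc_t, sysctl_t and sysctl_fs_t directories (/proc, /proc/sys and /proc/sys/fs) so it can reach filesystems mounted under /proc/sys/fs, such as binfmt_misc, without being granted read access to any sysctl.</p></desc>`. Worth stating explicitly because `search_dirs_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)` grants search on every directory of those three types, which is broader than the three path components the commit message names; this presumably mirrors how the neighbouring sysctl interfaces in this file are written, so documenting the scope seems preferable to narrowing the rule. The interface is self-contained within the hunk.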