From e276b8e5d0e25d32890e5554a82c43a0ff6ecef1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Thu, 19 Nov 2009 09:25:38 -0500
Subject: [PATCH] Add kernel patch from Dan Walsh

---
 policy/modules/kernel/kernel.if | 47 ++++++++++++++++++++++++++++++---
 policy/modules/kernel/kernel.te | 17 ++++++------
 2 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index d6ec5467..f8fad776 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1,5 +1,5 @@
 ## <summary>
-##	Policy for kernel threads, proc filesystem, 
+##	Policy for kernel threads, proc filesystem,
 ##	and unlabeled processes and objects.
 ## </summary>
 ## <required val="true">
@@ -57,7 +57,7 @@ interface(`kernel_ranged_domtrans_to',`
 		type kernel_t;
 	')
 
-	kernel_domtrans_to($1,$2)
+	kernel_domtrans_to($1, $2)
 
 	ifdef(`enable_mcs',`
 		range_transition kernel_t $2:process $3;
@@ -483,13 +483,32 @@ interface(`kernel_clear_ring_buffer',`
 	allow $1 kernel_t:system syslog_mod;
 ')
 
+########################################
+## <summary>
+##	Allows caller to request the kernel to load a module
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_request_load_module',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:system module_request;
+')
+
 ########################################
 ## <summary>
 ##	Get information on all System V IPC objects.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -939,6 +958,28 @@ interface(`kernel_dontaudit_getattr_core_if',`
 	dontaudit $1 proc_kcore_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Allows caller to read the core kernel interface.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_read_core_if',`
+	gen_require(`
+		type proc_t, proc_kcore_t;
+		attribute can_dump_kernel;
+	')
+
+	read_files_pattern($1, proc_t, proc_kcore_t)
+	list_dirs_pattern($1, proc_t, proc_t)
+
+	typeattribute $1 can_dump_kernel;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to read kernel messages
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index faf39a52..42a4d056 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel, 1.11.0)
+policy_module(kernel, 1.11.1)
 
 ########################################
 #
@@ -9,6 +9,7 @@ policy_module(kernel, 1.11.0)
 # assertion related attributes
 attribute can_load_kernmodule;
 attribute can_receive_kernel_messages;
+attribute can_dump_kernel;
 
 neverallow ~{ can_load_kernmodule kern_unconfined } self:capability sys_module;
 
@@ -37,7 +38,7 @@ ifdef(`enable_mls',`
 #
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
-# 
+#
 type kernel_t, can_load_kernmodule;
 domain_base_type(kernel_t)
 mls_rangetrans_source(kernel_t)
@@ -90,7 +91,7 @@ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~ge
 
 # /proc kcore: inaccessible
 type proc_kcore_t, proc_type;
-neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
+neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~getattr;
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 
 type proc_mdstat_t, proc_type;
@@ -248,7 +249,7 @@ corenet_send_all_packets(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
 
-# Mount root file system.  Used when loading a policy
+# Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
 fs_unmount_all_fs(kernel_t)
@@ -275,7 +276,7 @@ mcs_process_set_categories(kernel_t)
 mls_process_read_up(kernel_t)
 mls_process_write_down(kernel_t)
 mls_file_write_all_levels(kernel_t)
-mls_file_read_all_levels(kernel_t) 
+mls_file_read_all_levels(kernel_t)
 
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
@@ -309,7 +310,7 @@ optional_policy(`
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
 	allow kernel_t self:udp_socket create_socket_perms;
 
-	# nfs kernel server needs kernel UDP access.  It is less risky and painful
+	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	corenet_udp_sendrecv_generic_if(kernel_t)
 	corenet_udp_sendrecv_generic_node(kernel_t)
@@ -326,7 +327,7 @@ optional_policy(`
 
 	rpc_manage_nfs_ro_content(kernel_t)
 	rpc_manage_nfs_rw_content(kernel_t)
-	rpc_udp_rw_nfs_sockets(kernel_t) 
+	rpc_udp_rw_nfs_sockets(kernel_t)
 
 	tunable_policy(`nfs_export_all_ro',`
 		fs_getattr_noxattr_fs(kernel_t)
@@ -355,7 +356,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	unconfined_domain(kernel_t)
+	unconfined_domain_noaudit(kernel_t)
 ')
 
 ########################################