Commit | Line | Data |
---|---|---|
162a57e5 | 1 | ## <summary>Policy for kernel module utilities</summary> |
e181fe05 | 2 | |
7491a9ed CP |
3 | ###################################### |
4 | ## <summary> | |
5 | ## Get the attributes of the kernel module dependency files. | |
6 | ## </summary> | |
7 | ## <param name="domain"> | |
8 | ## <summary> | |
9 | ## Domain allowed access. | |
10 | ## </summary> | |
11 | ## </param> | |
12 | # | |
13 | interface(`modutils_getattr_module_deps',` | |
14 | gen_require(` | |
5c339835 | 15 | type modules_dep_t, modules_object_t; |
7491a9ed CP |
16 | ') |
17 | ||
18 | getattr_files_pattern($1, modules_object_t, modules_dep_t) | |
19 | ') | |
20 | ||
b4cd1533 | 21 | ######################################## |
f7ebea06 | 22 | ## <summary> |
414e4151 | 23 | ## Read the dependencies of kernel modules. |
f7ebea06 | 24 | ## </summary> |
414e4151 | 25 | ## <param name="domain"> |
885b83ec | 26 | ## <summary> |
ac9db9b5 | 27 | ## Domain allowed access. |
885b83ec | 28 | ## </summary> |
414e4151 | 29 | ## </param> |
b4cd1533 | 30 | # |
1815bad1 | 31 | interface(`modutils_read_module_deps',` |
139520a2 CP |
32 | gen_require(` |
33 | type modules_dep_t; | |
139520a2 | 34 | ') |
0c73cd25 | 35 | |
1c1ac67f | 36 | files_list_kernel_modules($1) |
c0868a7a | 37 | allow $1 modules_dep_t:file read_file_perms; |
b4cd1533 CP |
38 | ') |
39 | ||
3eaa9939 DW |
40 | ######################################## |
41 | ## <summary> | |
42 | ## List the configuration options used when | |
43 | ## loading modules. | |
44 | ## </summary> | |
45 | ## <param name="domain"> | |
46 | ## <summary> | |
47 | ## Domain allowed access. | |
48 | ## </summary> | |
49 | ## </param> | |
50 | ## <rolecap/> | |
51 | # | |
52 | interface(`modutils_list_module_config',` | |
53 | gen_require(` | |
54 | type modules_conf_t; | |
55 | ') | |
56 | ||
57 | list_dirs_pattern($1, modules_conf_t, modules_conf_t) | |
58 | ') | |
59 | ||
b4cd1533 | 60 | ######################################## |
f7ebea06 | 61 | ## <summary> |
414e4151 CP |
62 | ## Read the configuration options used when |
63 | ## loading modules. | |
f7ebea06 | 64 | ## </summary> |
414e4151 | 65 | ## <param name="domain"> |
885b83ec | 66 | ## <summary> |
ac9db9b5 | 67 | ## Domain allowed access. |
885b83ec | 68 | ## </summary> |
414e4151 | 69 | ## </param> |
bbcd3c97 | 70 | ## <rolecap/> |
b4cd1533 | 71 | # |
1815bad1 | 72 | interface(`modutils_read_module_config',` |
139520a2 CP |
73 | gen_require(` |
74 | type modules_conf_t; | |
139520a2 | 75 | ') |
b4cd1533 | 76 | |
139520a2 CP |
77 | # This file type can be in /etc or |
78 | # /lib(64)?/modules | |
79 | files_search_etc($1) | |
1c1ac67f | 80 | files_search_boot($1) |
0c73cd25 | 81 | |
7491a9ed CP |
82 | read_files_pattern($1, modules_conf_t, modules_conf_t) |
83 | read_lnk_files_pattern($1, modules_conf_t, modules_conf_t) | |
b4cd1533 CP |
84 | ') |
85 | ||
fe9d17fe CP |
86 | ######################################## |
87 | ## <summary> | |
88 | ## Rename a file with the configuration options used when | |
89 | ## loading modules. | |
90 | ## </summary> | |
91 | ## <param name="domain"> | |
885b83ec | 92 | ## <summary> |
ac9db9b5 | 93 | ## Domain allowed access. |
885b83ec | 94 | ## </summary> |
fe9d17fe CP |
95 | ## </param> |
96 | # | |
1815bad1 | 97 | interface(`modutils_rename_module_config',` |
fe9d17fe CP |
98 | gen_require(` |
99 | type modules_conf_t; | |
100 | ') | |
101 | ||
7491a9ed | 102 | rename_files_pattern($1, modules_conf_t, modules_conf_t) |
fe9d17fe CP |
103 | ') |
104 | ||
36095d11 CP |
105 | ######################################## |
106 | ## <summary> | |
107 | ## Unlink a file with the configuration options used when | |
108 | ## loading modules. | |
109 | ## </summary> | |
110 | ## <param name="domain"> | |
111 | ## <summary> | |
112 | ## Domain allowed access. | |
113 | ## </summary> | |
114 | ## </param> | |
115 | # | |
116 | interface(`modutils_delete_module_config',` | |
117 | gen_require(` | |
118 | type modules_conf_t; | |
119 | ') | |
120 | ||
7491a9ed CP |
121 | delete_files_pattern($1, modules_conf_t, modules_conf_t) |
122 | ') | |
123 | ||
124 | ######################################## | |
125 | ## <summary> | |
126 | ## Manage files with the configuration options used when | |
127 | ## loading modules. | |
128 | ## </summary> | |
129 | ## <param name="domain"> | |
130 | ## <summary> | |
131 | ## Domain allowed access. | |
132 | ## </summary> | |
133 | ## </param> | |
134 | # | |
135 | interface(`modutils_manage_module_config',` | |
136 | gen_require(` | |
137 | type modules_conf_t; | |
138 | ') | |
139 | ||
140 | manage_files_pattern($1, modules_conf_t, modules_conf_t) | |
36095d11 CP |
141 | ') |
142 | ||
b4cd1533 | 143 | ######################################## |
f7ebea06 | 144 | ## <summary> |
8967bf8b | 145 | ## Execute insmod in the insmod domain unconditionally, that is, without the secure_mode_insmod check made by modutils_domtrans_insmod. |
f7ebea06 | 146 | ## </summary> |
414e4151 | 147 | ## <param name="domain"> |
885b83ec | 148 | ## <summary> |
a0546c9d | 149 | ## Domain allowed to transition. |
885b83ec | 150 | ## </summary> |
414e4151 | 151 | ## </param> |
b4cd1533 | 152 | # |
8967bf8b CP |
153 | # cjp: this is added for pppd, due to nested |
154 | # conditionals not working. | |
155 | interface(`modutils_domtrans_insmod_uncond',` | |
139520a2 CP |
156 | gen_require(` |
157 | type insmod_t, insmod_exec_t; | |
139520a2 CP |
158 | ') |
159 | ||
8021cb4f | 160 | corecmd_search_bin($1) |
c0868a7a | 161 | domtrans_pattern($1, insmod_exec_t, insmod_t) |
b4cd1533 CP |
162 | ') |
163 | ||
8967bf8b CP |
164 | ######################################## |
165 | ## <summary> | |
166 | ## Execute insmod in the insmod domain; the transition is allowed only while the secure_mode_insmod boolean is off. | |
167 | ## </summary> | |
168 | ## <param name="domain"> | |
885b83ec | 169 | ## <summary> |
a0546c9d | 170 | ## Domain allowed to transition. |
885b83ec | 171 | ## </summary> |
8967bf8b CP |
172 | ## </param> |
173 | # | |
174 | interface(`modutils_domtrans_insmod',` | |
175 | gen_require(` | |
176 | bool secure_mode_insmod; | |
177 | ') | |
178 | ||
179 | if (!secure_mode_insmod) { | |
180 | modutils_domtrans_insmod_uncond($1) | |
181 | } | |
182 | ') | |
183 | ||
daa0e0b0 | 184 | ######################################## |
f7ebea06 | 185 | ## <summary> |
414e4151 CP |
186 | ## Execute insmod in the insmod domain, and |
187 | ## allow the specified role the insmod domain, | |
188 | ## and use the caller's terminal. Has a sigchld | |
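189 | ## backchannel. The domain transition applies only while the secure_mode_insmod boolean is off; the role statement is unconditional. | |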
f7ebea06 | 190 | ## </summary> |
414e4151 | 191 | ## <param name="domain"> |
885b83ec | 192 | ## <summary> |
a0546c9d | 193 | ## Domain allowed to transition. |
885b83ec | 194 | ## </summary> |
414e4151 CP |
195 | ## </param> |
196 | ## <param name="role"> | |
885b83ec | 197 | ## <summary> |
a7ee7f81 | 198 | ## Role allowed access. |
885b83ec | 199 | ## </summary> |
414e4151 | 200 | ## </param> |
bbcd3c97 | 201 | ## <rolecap/> |
daa0e0b0 | 202 | # |
199895e2 | 203 | interface(`modutils_run_insmod',` |
139520a2 CP |
204 | gen_require(` |
205 | type insmod_t; | |
139520a2 | 206 | ') |
0c73cd25 | 207 | |
c9428d33 | 208 | modutils_domtrans_insmod($1) |
0c73cd25 | 209 | role $2 types insmod_t; |
daa0e0b0 CP |
210 | ') |
211 | ||
b4cd1533 | 212 | ######################################## |
ac9db9b5 CP |
213 | ## <summary> |
214 | ## Execute insmod in the caller domain. | |
215 | ## </summary> | |
216 | ## <param name="domain"> | |
217 | ## <summary> | |
218 | ## Domain allowed access. | |
219 | ## </summary> | |
220 | ## </param> | |
b4cd1533 | 221 | # |
199895e2 | 222 | interface(`modutils_exec_insmod',` |
139520a2 | 223 | gen_require(` |
71fe0fa4 | 224 | type insmod_exec_t; |
139520a2 | 225 | ') |
0c73cd25 | 226 | |
8021cb4f | 227 | corecmd_search_bin($1) |
80048ca5 | 228 | can_exec($1, insmod_exec_t) |
b4cd1533 CP |
229 | ') |
230 | ||
9eb5e812 | 231 | ######################################## |
f7ebea06 | 232 | ## <summary> |
414e4151 | 233 | ## Execute depmod in the depmod domain. |
f7ebea06 | 234 | ## </summary> |
414e4151 | 235 | ## <param name="domain"> |
885b83ec | 236 | ## <summary> |
a0546c9d | 237 | ## Domain allowed to transition. |
885b83ec | 238 | ## </summary> |
414e4151 | 239 | ## </param> |
9eb5e812 | 240 | # |
199895e2 | 241 | interface(`modutils_domtrans_depmod',` |
139520a2 CP |
242 | gen_require(` |
243 | type depmod_t, depmod_exec_t; | |
139520a2 CP |
244 | ') |
245 | ||
8021cb4f | 246 | corecmd_search_bin($1) |
c0868a7a | 247 | domtrans_pattern($1, depmod_exec_t, depmod_t) |
9eb5e812 CP |
248 | ') |
249 | ||
daa0e0b0 | 250 | ######################################## |
f7ebea06 | 251 | ## <summary> |
414e4151 | 252 | ## Execute depmod in the depmod domain, and allow the specified role the depmod domain. |
f7ebea06 | 253 | ## </summary> |
414e4151 | 254 | ## <param name="domain"> |
885b83ec | 255 | ## <summary> |
a0546c9d | 256 | ## Domain allowed to transition. |
885b83ec | 257 | ## </summary> |
414e4151 CP |
258 | ## </param> |
259 | ## <param name="role"> | |
885b83ec | 260 | ## <summary> |
a7ee7f81 | 261 | ## Role allowed access. |
885b83ec | 262 | ## </summary> |
414e4151 | 263 | ## </param> |
bbcd3c97 | 264 | ## <rolecap/> |
daa0e0b0 | 265 | # |
199895e2 | 266 | interface(`modutils_run_depmod',` |
139520a2 | 267 | gen_require(` |
8f3a0a95 | 268 | type depmod_t, insmod_t; |
139520a2 | 269 | ') |
0c73cd25 | 270 | |
c9428d33 | 271 | modutils_domtrans_depmod($1) |
46c69cb2 | 272 | role $2 types depmod_t; |
daa0e0b0 CP |
273 | ') |
274 | ||
9eb5e812 | 275 | ######################################## |
ac9db9b5 CP |
276 | ## <summary> |
277 | ## Execute depmod in the caller domain. | |
278 | ## </summary> | |
279 | ## <param name="domain"> | |
280 | ## <summary> | |
281 | ## Domain allowed access. | |
282 | ## </summary> | |
283 | ## </param> | |
9eb5e812 | 284 | # |
199895e2 | 285 | interface(`modutils_exec_depmod',` |
139520a2 | 286 | gen_require(` |
12ae7557 | 287 | type depmod_exec_t; |
139520a2 | 288 | ') |
0c73cd25 | 289 | |
8021cb4f | 290 | corecmd_search_bin($1) |
80048ca5 | 291 | can_exec($1, depmod_exec_t) |
9eb5e812 CP |
292 | ') |
293 | ||
9eb5e812 | 294 | ######################################## |
f7ebea06 | 295 | ## <summary> |
414e4151 | 296 | ## Execute update_modules in the update_modules domain. |
f7ebea06 | 297 | ## </summary> |
414e4151 | 298 | ## <param name="domain"> |
885b83ec | 299 | ## <summary> |
a0546c9d | 300 | ## Domain allowed to transition. |
885b83ec | 301 | ## </summary> |
414e4151 | 302 | ## </param> |
9eb5e812 | 303 | # |
199895e2 | 304 | interface(`modutils_domtrans_update_mods',` |
139520a2 CP |
305 | gen_require(` |
306 | type update_modules_t, update_modules_exec_t; | |
139520a2 CP |
307 | ') |
308 | ||
8021cb4f | 309 | corecmd_search_bin($1) |
c0868a7a | 310 | domtrans_pattern($1, update_modules_exec_t, update_modules_t) |
9eb5e812 CP |
311 | ') |
312 | ||
daa0e0b0 | 313 | ######################################## |
f7ebea06 | 314 | ## <summary> |
414e4151 | 315 | ## Execute update_modules in the update_modules domain, and allow the specified role the update_modules and insmod domains. |
f7ebea06 | 316 | ## </summary> |
414e4151 | 317 | ## <param name="domain"> |
885b83ec | 318 | ## <summary> |
a0546c9d | 319 | ## Domain allowed to transition. |
885b83ec | 320 | ## </summary> |
414e4151 CP |
321 | ## </param> |
322 | ## <param name="role"> | |
885b83ec | 323 | ## <summary> |
a7ee7f81 | 324 | ## Role allowed access. |
885b83ec | 325 | ## </summary> |
414e4151 | 326 | ## </param> |
bbcd3c97 | 327 | ## <rolecap/> |
daa0e0b0 | 328 | # |
199895e2 | 329 | interface(`modutils_run_update_mods',` |
139520a2 CP |
330 | gen_require(` |
331 | type update_modules_t; | |
139520a2 | 332 | ') |
0c73cd25 | 333 | |
c9428d33 | 334 | modutils_domtrans_update_mods($1) |
0c73cd25 | 335 | role $2 types update_modules_t; |
36095d11 | 336 | |
296273a7 | 337 | modutils_run_insmod(update_modules_t, $2) |
daa0e0b0 CP |
338 | ') |
339 | ||
9eb5e812 | 340 | ######################################## |
ac9db9b5 CP |
341 | ## <summary> |
342 | ## Execute update_modules in the caller domain. | |
343 | ## </summary> | |
344 | ## <param name="domain"> | |
345 | ## <summary> | |
346 | ## Domain allowed access. | |
347 | ## </summary> | |
348 | ## </param> | |
9eb5e812 | 349 | # |
199895e2 | 350 | interface(`modutils_exec_update_mods',` |
139520a2 | 351 | gen_require(` |
12ae7557 | 352 | type update_modules_exec_t; |
139520a2 | 353 | ') |
0c73cd25 | 354 | |
8021cb4f | 355 | corecmd_search_bin($1) |
80048ca5 | 356 | can_exec($1, update_modules_exec_t) |
9eb5e812 | 357 | ') |