From mboxrd@z Thu Jan 1 00:00:00 1970
From: bigon@debian.org (Laurent Bigonville)
Date: Fri, 11 Dec 2015 14:30:06 +0100
Subject: [refpolicy] [PATCH v2] Add interfaces to read/write /proc/sys/vm/overcommit_memory
In-Reply-To: <1449839016-13799-1-git-send-email-bigon@debian.org>
References: <1449839016-13799-1-git-send-email-bigon@debian.org>
Message-ID: <566ACFDE.8070508@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/12/15 14:03, Laurent Bigonville wrote:
> From: Laurent Bigonville
>
> ---
> policy/modules/kernel/kernel.if | 40 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 40 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index f1130d1..e0f23ec 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -3323,3 +3323,43 @@ interface(`kernel_unconfined',`
> typeattribute $1 kern_unconfined;
> kernel_load_module($1)
> ')
> +
> +########################################
> +##
> +## Read virtual memory overcommit sysctl.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +## Mhh I guess the rolecap should be removed?
> #
> +interface(`kernel_read_vm_overcommit_sysctl',`
> + gen_require(`
> + type sysctl_vm_overcommit_t;
> + ')
> +
> + kernel_search_vm_sysctl($1)
> + allow $1 sysctl_vm_overcommit_t:file read_file_perms;
> +')
> +
> +########################################
> +##
> +## Read and write virtual memory overcommit sysctl.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`kernel_rw_vm_overcommit_sysctl',`
> + gen_require(`
> + type sysctl_vm_overcommit_t;
> + ')
> +
> + kernel_search_vm_sysctl($1)
> + allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
> +')
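Review bot: both gen_require blocks in this hunk require `type sysctl_vm_overcommit_t;`, yet the diffstat shows only kernel.if changing (`1 file changed, 40 insertions(+)`), so unless that type is already declared in kernel.te and /proc/sys/vm/overcommit_memory is already labelled with it by an earlier commit or a companion patch in this series, both new interfaces will fail to build; please state where the type comes from, or include its declaration and labelling in the same series. On the inline question about the rolecap marker: whatever is decided should apply to both doc blocks, and if it is dropped from `kernel_read_vm_overcommit_sysctl` it should certainly be dropped from `kernel_rw_vm_overcommit_sysctl` too, since the rw variant grants the more privileged access (`rw_file_perms`) and is the less appropriate one to expose as a role capability.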