commit: 1a9ac1b5f5f82b586e7879f51670b61ee93757bd
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Mar 23 21:20:22 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr 8 15:20:51 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1a9ac1b5
userdomain: no longer allow unprivileged users to read kernel symbols
Unprivileged users don't need to read kallsyms and /boot/System.map.
This allow rule was introduced in the initial revision of userdomain.if in
2005, with commit b16c6b8c32a631a2e66265f6f60b664222760972:
# cjp: why?
bootloader_read_kernel_symbol_table($1_t)
---
policy/modules/system/userdomain.if | 2 --
1 file changed, 2 deletions(-)
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index 9aeac69..822e21f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1030,8 +1030,6 @@ template(`userdom_unpriv_user_template', `
corenet_tcp_bind_xserver_port($1_t)
files_exec_usr_files($1_t)
- # cjp: why?
- files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
fs_exec_noxattr($1_t)
