commit:     519f184b43a2c49d64bba5739c2f7be4f84bdcbd
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Tue Sep  2 11:52:25 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 16 00:13:57 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=519f184b

Do not audit kernel attempts to load firmware files with the kernel_t label.

Because the firmware files are standard files
and the policy does not define the use of the
kernel_t file context for any file, no domain
should be allowed to load firmware files with
the kernel_t label and such attempts should
not be audited.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/kernel.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 29fa3ba81..ba3a133aa 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,9 @@
 policy_module(kernel)
 
+gen_require(`
+       class system firmware_load;
+')
+
 ########################################
 #
 # Declarations
@@ -237,6 +241,7 @@ sid tcp_socket              
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 allow kernel_t self:capability { audit_control audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap 
setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
 allow kernel_t self:capability2 checkpoint_restore;
 allow kernel_t self:process { dyntransition getattr getcap getpgid getrlimit 
getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched 
setsockcreate share siginh signal_perms transition };
+dontaudit kernel_t self:system firmware_load;
 allow kernel_t self:shm create_shm_perms;
 allow kernel_t self:sem create_sem_perms;
 allow kernel_t self:msg { receive send };

Reply via email to