commit: 7046e6e637ea4eda195cb9992a99229fdffae959
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Sun Aug 31 19:52:49 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 16 00:13:57 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7046e6e6
Let the kernel load firmware files during boot. See: https://github.com/torvalds/linux/commit/2c2b1e059792f610bae4fee8ed517b8ce9c585fb Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/kernel/kernel.te | 1 + policy/modules/system/libraries.if | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 3751b3082..29fa3ba81 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -443,6 +443,7 @@ optional_policy(` ') optional_policy(` + libs_load_firmware(kernel_t) libs_use_ld_so(kernel_t) libs_use_shared_libs(kernel_t) ') diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index 00128ef6d..fa546d070 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -1,5 +1,24 @@ ## <summary>Policy for system libraries.</summary> +######################################## +## <summary> +## Load firmware files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`libs_load_firmware',` + gen_require(` + type lib_t; + class system firmware_load; + ') + + allow $1 lib_t:system firmware_load; +') + ######################################## ## <summary> ## Execute ldconfig in the ldconfig domain.
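Review bot: In the kernel.te hunk, `libs_load_firmware(kernel_t)` sits inside the existing `optional_policy` block next to `libs_use_ld_so(kernel_t)` and `libs_use_shared_libs(kernel_t)`, so the grant drops out without a build error when the libraries module is absent, and nothing at the call site says why kernel_t needs it. Please confirm that optional is the intended behaviour for a boot-time permission, and add a one-line comment above the call stating that it is for firmware loading during boot, as the commit message describes.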
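Review bot: In the libraries.if hunk, the rule `allow $1 lib_t:system firmware_load;` targets the generic `lib_t` type, so the permission covers every file carrying that label rather than firmware files specifically, and the interface summary "Load firmware files." does not say so. Either reword the summary to name the target (for example "Load firmware from files labeled lib_t") or point the rule at a firmware-specific type if the policy has one. The diffstat lists only kernel.te and libraries.if, so also confirm that `firmware_load` is already declared for the `system` class, since the `gen_require` block depends on it.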
