Allow searching /proc/sys/fs when using /proc/sys/fs/binfmt_misc

Interface fs_register_binary_executable_type allow registering
interpreters using a filesystem monted on /proc/sys/fs/binfmt_misc. In
order to access this filesystem, the process needs to search every
parent directory of the mountpoint.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

2 files changed, 21 insertions, 0 deletions

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 9471dbe38..c85d8059b 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -612,6 +612,8 @@ interface(`fs_register_binary_executable_type',`
 		type binfmt_misc_fs_t;
 	')
 
+	# binfmt_misc filesystem is usually mounted on /proc/sys/fs/binfmt_misc
+	kernel_search_fs_sysctls($1)
 	rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
 ')
 
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 29709dfbe..2c7ad0cc6 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2005,6 +2005,25 @@ interface(`kernel_rw_kernel_sysctl',`
 
 ########################################
 ## <summary>
+##	Search filesystem sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_search_fs_sysctls',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_fs_t;
+	')
+
+	search_dirs_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
+')
+
+########################################
+## <summary>
 ##	Read filesystem sysctls.
 ## </summary>
 ## <param name="domain">