Add documentation for new system permissions

dburgener · dburgener · commit 894007301bb4 · 2025-04-21T15:44:00.000-04:00
These new permissions break up module_load into more granular kernel
load related permissions when the object being loaded is not a kernel
module.

Signed-off-by: Daniel Burgener &lt;Daniel.Burgener@microsoft.com&gt;
diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
@@ -1991,12 +1991,24 @@ Note that while this is defined as a kernel object class, the userspace
 
 This is the overall system object and there is only one instance of this object.
 
-**Permissions** - 6 unique permissions:
+**Permissions** - 10 unique permissions:
+
+*firmware_load*
+
+- Load firmware updates through the Linux firmware API.
 
 *ipc_info*
 
 - Get info about an IPC object.
 
+*kexec_image_load*
+
+- Load a new kernel image for kexec.
+
+*kexec_initramfs_load*
+
+- Load an initrd image for use with *kexec --initrd*
+
 *module_load*
 
 - Required permission when reading a file that is a 'kernel module'.
@@ -2007,6 +2019,11 @@ This is the overall system object and there is only one instance of this object.
 
 - Request the kernel to load a module.
 
+*policy_load*
+
+- Load a policy for a kernel module that takes policy from userspace (besides
+  SELinux).  Current examples are IMA, loadpin and zram.
+
 *syslog_console*
 
 - Control output of kernel messages to the console with ***syslog**(2)*.
