Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch | 58 |
1 files changed, 40 insertions, 18 deletions
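--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands.
 Upstream-Status: Inappropriate [only for Poky]
 
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/contrib/rpc.te | 2 +-
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
@@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/contrib/rpc.te
 +++ b/policy/modules/contrib/rpc.te
-@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
+@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
 
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',`
+@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',`
 allow $1 proc_t:filesystem unmount;
 ')
 
 ########################################
 ## <summary>
+-## Get the attributes of the proc filesystem.
 +## Mounton a proc filesystem.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+-interface(`kernel_getattr_proc',`
 +interface(`kernel_mounton_proc',`
-+ gen_require(`
-+ type proc_t;
-+ ')
-+
+gen_require(`
+type proc_t;
+')
+
+- allow $1 proc_t:filesystem getattr;
 + allow $1 proc_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
-## Get the attributes of the proc filesystem.
+')
+
+########################################
+## <summary>
+-## Mount on proc directories.
++## Get the attributes of the proc filesystem.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ## Domain allowed access.
+## </summary>
+## </param>
+-## <rolecap/>
+#
+-interface(`kernel_mounton_proc',`
++interface(`kernel_getattr_proc',`
+gen_require(`
+type proc_t;
+')
+
+- allow $1 proc_t:dir mounton;
++ allow $1 proc_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to set the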
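Review bot: The rebased kernel.if hunk (inner `@@ -880,43 +880,42 @@`) no longer adds anything the policy needs: the lines it now removes from upstream (`-## Mount on proc directories.`, `-## <rolecap/>`, `-interface(`kernel_mounton_proc',`) show that refpolicy already ships kernel_mounton_proc, so the hunk only swaps the two interfaces' positions and drops the `<rolecap/>` tag from kernel_mounton_proc. That tag affects generated interface documentation rather than the compiled policy, but losing it is a silent divergence from upstream, and the wholesale swap makes every future rebase conflict across forty-odd lines for no change in granted permissions. Since the rpc.te hunk's call to kernel_mounton_proc(nfsd_t) should resolve against the upstream interface, consider dropping the kernel.if part of this patch and keeping only the rpc.te change; if the reorder is kept deliberately, the patch description should say why. The rpc.te hunk body is cut off in this view, so I cannot confirm the call site from here.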