summaryrefslogtreecommitdiffstats
path: root/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
diff options
context:
space:
mode:
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch')
-rw-r--r--recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch58
1 files changed, 40 insertions, 18 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
index 189dc6e..a9a0a55 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-allow-nfsd-to-exec-shell-commands.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] allow nfsd to exec shell commands.
6Upstream-Status: Inappropriate [only for Poky] 6Upstream-Status: Inappropriate [only for Poky]
7 7
8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> 8Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
9--- 10---
10 policy/modules/contrib/rpc.te | 2 +- 11 policy/modules/contrib/rpc.te | 2 +-
11 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ 12 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
@@ -13,7 +14,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
13 14
14--- a/policy/modules/contrib/rpc.te 15--- a/policy/modules/contrib/rpc.te
15+++ b/policy/modules/contrib/rpc.te 16+++ b/policy/modules/contrib/rpc.te
16@@ -222,11 +222,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir 17@@ -224,11 +224,11 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
17 18
18 kernel_read_network_state(nfsd_t) 19 kernel_read_network_state(nfsd_t)
19 kernel_dontaudit_getattr_core_if(nfsd_t) 20 kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -28,32 +29,53 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
28 29
29--- a/policy/modules/kernel/kernel.if 30--- a/policy/modules/kernel/kernel.if
30+++ b/policy/modules/kernel/kernel.if 31+++ b/policy/modules/kernel/kernel.if
31@@ -844,10 +844,28 @@ interface(`kernel_unmount_proc',` 32@@ -880,43 +880,42 @@ interface(`kernel_unmount_proc',`
32 allow $1 proc_t:filesystem unmount; 33 allow $1 proc_t:filesystem unmount;
33 ') 34 ')
34 35
35 ######################################## 36 ########################################
36 ## <summary> 37 ## <summary>
38-## Get the attributes of the proc filesystem.
37+## Mounton a proc filesystem. 39+## Mounton a proc filesystem.
38+## </summary> 40 ## </summary>
39+## <param name="domain"> 41 ## <param name="domain">
40+## <summary> 42 ## <summary>
41+## Domain allowed access. 43 ## Domain allowed access.
42+## </summary> 44 ## </summary>
43+## </param> 45 ## </param>
44+# 46 #
47-interface(`kernel_getattr_proc',`
45+interface(`kernel_mounton_proc',` 48+interface(`kernel_mounton_proc',`
46+ gen_require(` 49 gen_require(`
47+ type proc_t; 50 type proc_t;
48+ ') 51 ')
49+ 52
53- allow $1 proc_t:filesystem getattr;
50+ allow $1 proc_t:dir mounton; 54+ allow $1 proc_t:dir mounton;
51+') 55 ')
52+ 56
53+######################################## 57 ########################################
54+## <summary> 58 ## <summary>
55 ## Get the attributes of the proc filesystem. 59-## Mount on proc directories.
60+## Get the attributes of the proc filesystem.
56 ## </summary> 61 ## </summary>
57 ## <param name="domain"> 62 ## <param name="domain">
58 ## <summary> 63 ## <summary>
59 ## Domain allowed access. 64 ## Domain allowed access.
65 ## </summary>
66 ## </param>
67-## <rolecap/>
68 #
69-interface(`kernel_mounton_proc',`
70+interface(`kernel_getattr_proc',`
71 gen_require(`
72 type proc_t;
73 ')
74
75- allow $1 proc_t:dir mounton;
76+ allow $1 proc_t:filesystem getattr;
77 ')
78
79 ########################################
80 ## <summary>
81 ## Do not audit attempts to set the
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-11-27 02:38:01 +0000