Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch | 52 |
1 files changed, 52 insertions, 0 deletions
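--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
@@ -0,0 +1,52 @@
+From b46903aaf7e52f9c4c51a2fa7fe7a85190da98b1 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 29 Sep 2021 16:43:54 +0800
+Subject: [PATCH] refpolicy-targeted: add capability2 bpf and perfmon for
+unconfined_t
+
+Fixes:
+avc: denied { bpf } for pid=433 comm="systemd" capability=39
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=capability2 permissive=0
+
+avc: denied { perfmon } for pid=433 comm="systemd" capability=38
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=capability2 permissive=0
+
+type=USER_AVC msg=audit(1632901631.693:86): pid=433 uid=0 auid=0 ses=3
+subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:
+denied { reload } for auid=n/a uid=0 gid=0 cmdline=""
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=system permissive=0 exe="/lib/systemd/systemd" sauid=0
+hostname=? addr=? terminal=?'UID="root" AUID="root" AUID="root"
+UID="root" GID="root" SAUID="root"
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/unconfined.if | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
+index a139cfe78..807e959c3 100644
+--- a/policy/modules/system/unconfined.if
++++ b/policy/modules/system/unconfined.if
+@@ -66,6 +66,11 @@ interface(`unconfined_domain_noaudit',`
+files_start_etc_service($1)
+files_stop_etc_service($1)
+
++ ifdef(`init_systemd',`
++ allow $1 self:capability2 { bpf perfmon };
++ allow $1 self:system reload;
++ ')
++
+tunable_policy(`allow_execheap',`
+# Allow making the stack executable via mprotect.
+allow $1 self:process execheap;
+--
+2.17.1
+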
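Review bot: The `allow $1 self:capability2 { bpf perfmon };` line added inside `unconfined_domain_noaudit` hard-codes two permissions in a single interface, whereas unconfined domains are normally given every capability through the `all_capability2_perms` permission set; if that set in `policy/support/obj_perm_sets.spt` lacks `bpf` and `perfmon` in the refpolicy version being patched (not visible here), extending the set is the more complete fix, since it corrects every caller of the set instead of only this one. It is also worth stating in the commit message that these rules apply to every domain that calls `unconfined_domain_noaudit` under `init_systemd`, not only the `unconfined_t` systemd instance in the quoted denials, so every unconfined domain gains CAP_BPF, CAP_PERFMON and `system reload` — consistent with unconfined semantics, but wider than the subject line suggests. The `Upstream-Status: Inappropriate [embedded specific]` trailer looks mistaken: capability numbers 38 and 39 in the denials are CAP_PERFMON and CAP_BPF, which newer kernels split out of CAP_SYS_ADMIN regardless of the target, so this reads as a generic refpolicy gap that should be `Upstream-Status: Pending` or submitted upstream. The enclosing `unconfined_domain_noaudit` interface begins and ends outside the hunk.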