1 files changed, 52 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
new file mode 100644
index 0000000..e4c081d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
@@ -0,0 +1,52 @@
+From b46903aaf7e52f9c4c51a2fa7fe7a85190da98b1 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 29 Sep 2021 16:43:54 +0800
+Subject: [PATCH] refpolicy-targeted: add capability2 bpf and perfmon for
+ unconfined_t
+Fixes:
+avc: denied { bpf } for pid=433 comm="systemd" capability=39
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=capability2 permissive=0
+avc: denied { perfmon } for pid=433 comm="systemd" capability=38
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=capability2 permissive=0
+type=USER_AVC msg=audit(1632901631.693:86): pid=433 uid=0 auid=0 ses=3
+subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:
+denied { reload } for auid=n/a uid=0 gid=0 cmdline=""
+scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+tclass=system permissive=0  exe="/lib/systemd/systemd" sauid=0
+hostname=? addr=? terminal=?'UID="root" AUID="root" AUID="root"
+UID="root" GID="root" SAUID="root"
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/unconfined.if | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
+index a139cfe78..807e959c3 100644
+--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
+@@ -66,6 +66,11 @@ interface(`unconfined_domain_noaudit',`
+        files_start_etc_service($1)
+        files_stop_etc_service($1)
+ 
+       ifdef(`init_systemd',`
+               allow $1 self:capability2 { bpf perfmon };
+               allow $1 self:system reload;
+       ')
+
+        tunable_policy(`allow_execheap',`
+                # Allow making the stack executable via mprotect.
+                allow $1 self:process execheap;
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch new file mode 100644 index 0000000..e4c081d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch
@@ -0,0 +1,52 @@
	1	From b46903aaf7e52f9c4c51a2fa7fe7a85190da98b1 Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Wed, 29 Sep 2021 16:43:54 +0800
	4	Subject: [PATCH] refpolicy-targeted: add capability2 bpf and perfmon for
	5	unconfined_t
	6
	7	Fixes:
	8	avc: denied { bpf } for pid=433 comm="systemd" capability=39
	9	scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
	10	tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
	11	tclass=capability2 permissive=0
	12
	13	avc: denied { perfmon } for pid=433 comm="systemd" capability=38
	14	scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
	15	tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
	16	tclass=capability2 permissive=0
	17
	18	type=USER_AVC msg=audit(1632901631.693:86): pid=433 uid=0 auid=0 ses=3
	19	subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:
	20	denied { reload } for auid=n/a uid=0 gid=0 cmdline=""
	21	scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
	22	tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
	23	tclass=system permissive=0 exe="/lib/systemd/systemd" sauid=0
	24	hostname=? addr=? terminal=?'UID="root" AUID="root" AUID="root"
	25	UID="root" GID="root" SAUID="root"
	26
	27	Upstream-Status: Inappropriate [embedded specific]
	28
	29	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	30	---
	31	policy/modules/system/unconfined.if \| 5 +++++
	32	1 file changed, 5 insertions(+)
	33
	34	diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
	35	index a139cfe78..807e959c3 100644
	36	--- a/policy/modules/system/unconfined.if
	37	+++ b/policy/modules/system/unconfined.if
	38	@@ -66,6 +66,11 @@ interface(`unconfined_domain_noaudit',`
	39	files_start_etc_service($1)
	40	files_stop_etc_service($1)
	41
	42	+ ifdef(`init_systemd',`
	43	+ allow $1 self:capability2 { bpf perfmon };
	44	+ allow $1 self:system reload;
	45	+ ')
	46	+
	47	tunable_policy(`allow_execheap',`
	48	# Allow making the stack executable via mprotect.
	49	allow $1 self:process execheap;
	50	--
	51	2.17.1
	52