diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch | 83 |
1 files changed, 45 insertions, 38 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch index 85bb82b..6a48b3d 100644 --- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch +++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-systemd-systemd-user-fixes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 5b6f3fcb1ddabd0a66541959306e7b0adfe2b2b0 Mon Sep 17 00:00:00 2001 | 1 | From 9dcbec008d4213c6649f894fda0e87b0829c56de Mon Sep 17 00:00:00 2001 |
2 | From: Yi Zhao <yi.zhao@windriver.com> | 2 | From: Yi Zhao <yi.zhao@windriver.com> |
3 | Date: Thu, 4 Feb 2021 10:48:54 +0800 | 3 | Date: Thu, 4 Feb 2021 10:48:54 +0800 |
4 | Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes | 4 | Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes |
@@ -26,59 +26,66 @@ Upstream-Status: Inappropriate [embedded specific] | |||
26 | 26 | ||
27 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | 27 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> |
28 | --- | 28 | --- |
29 | policy/modules/roles/sysadm.te | 2 ++ | 29 | policy/modules/system/systemd.if | 30 +++++++++++++++++++++++++++++ |
30 | policy/modules/system/systemd.if | 21 ++++++++++++++++++++- | 30 | policy/modules/system/userdomain.if | 4 ++++ |
31 | 2 files changed, 22 insertions(+), 1 deletion(-) | 31 | 2 files changed, 34 insertions(+) |
32 | 32 | ||
33 | diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te | ||
34 | index 088c954f5..92f50fd5a 100644 | ||
35 | --- a/policy/modules/roles/sysadm.te | ||
36 | +++ b/policy/modules/roles/sysadm.te | ||
37 | @@ -98,6 +98,8 @@ ifdef(`init_systemd',` | ||
38 | |||
39 | # Allow sysadm to follow logs in the journal, i.e. with podman logs -f | ||
40 | systemd_watch_journal_dirs(sysadm_t) | ||
41 | + | ||
42 | + systemd_sysadm_user(sysadm_t) | ||
43 | ') | ||
44 | |||
45 | tunable_policy(`allow_ptrace',` | ||
46 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | 33 | diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
47 | index 9dc91fbb7..325ca548b 100644 | 34 | index 6054b5038..d89ad35b1 100644 |
48 | --- a/policy/modules/system/systemd.if | 35 | --- a/policy/modules/system/systemd.if |
49 | +++ b/policy/modules/system/systemd.if | 36 | +++ b/policy/modules/system/systemd.if |
50 | @@ -58,7 +58,7 @@ template(`systemd_role_template',` | 37 | @@ -199,6 +199,36 @@ template(`systemd_role_template',` |
51 | allow $1_systemd_t self:process { getsched signal }; | 38 | ') |
52 | allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms; | ||
53 | allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms; | ||
54 | - allow $1_systemd_t $3:process { setsched rlimitinh signal_perms }; | ||
55 | + allow $1_systemd_t $3:process { setsched rlimitinh signal_perms noatsecure }; | ||
56 | corecmd_shell_domtrans($1_systemd_t, $3) | ||
57 | corecmd_bin_domtrans($1_systemd_t, $3) | ||
58 | |||
59 | @@ -2613,3 +2613,22 @@ interface(`systemd_use_inherited_machined_ptys', ` | ||
60 | allow $1 systemd_machined_t:fd use; | ||
61 | allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms; | ||
62 | ') | 39 | ') |
63 | + | 40 | |
64 | +######################################### | 41 | +###################################### |
65 | +## <summary> | 42 | +## <summary> |
66 | +## sysadm user for systemd --user | 43 | +## Admin role for systemd --user |
67 | +## </summary> | 44 | +## </summary> |
45 | +## <param name="prefix"> | ||
46 | +## <summary> | ||
47 | +## Prefix for generated types | ||
48 | +## </summary> | ||
49 | +## </param> | ||
68 | +## <param name="role"> | 50 | +## <param name="role"> |
69 | +## <summary> | 51 | +## <summary> |
70 | +## Role allowed access. | 52 | +## The admin role. |
53 | +## </summary> | ||
54 | +## </param> | ||
55 | +## <param name="userdomain"> | ||
56 | +## <summary> | ||
57 | +## The amdin domain for the role. | ||
71 | +## </summary> | 58 | +## </summary> |
72 | +## </param> | 59 | +## </param> |
73 | +# | 60 | +# |
74 | +interface(`systemd_sysadm_user',` | 61 | +template(`systemd_admin_role_extra',` |
75 | + gen_require(` | 62 | + gen_require(` |
76 | + type sysadm_systemd_t; | 63 | + type $1_systemd_t; |
77 | + ') | 64 | + ') |
78 | + | 65 | + |
79 | + allow sysadm_systemd_t self:capability { mknod sys_admin }; | 66 | + allow $1_systemd_t $3:process noatsecure; |
80 | + allow sysadm_systemd_t self:capability2 { bpf perfmon }; | 67 | + allow $1_systemd_t self:capability { mknod sys_admin }; |
68 | + allow $1_systemd_t self:capability2 { bpf perfmon }; | ||
81 | +') | 69 | +') |
70 | + | ||
71 | ###################################### | ||
72 | ## <summary> | ||
73 | ## Allow the specified domain to be started as a daemon by the | ||
74 | diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if | ||
75 | index 24c3cb012..80072c03e 100644 | ||
76 | --- a/policy/modules/system/userdomain.if | ||
77 | +++ b/policy/modules/system/userdomain.if | ||
78 | @@ -1455,6 +1455,10 @@ template(`userdom_admin_user_template',` | ||
79 | optional_policy(` | ||
80 | userhelper_exec($1_t) | ||
81 | ') | ||
82 | + | ||
83 | + optional_policy(` | ||
84 | + systemd_admin_role_extra($1, $1_r, $1_t) | ||
85 | + ') | ||
86 | ') | ||
87 | |||
88 | ######################################## | ||
82 | -- | 89 | -- |
83 | 2.25.1 | 90 | 2.25.1 |
84 | 91 | ||