Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch | 132 |
1 files changed, 132 insertions, 0 deletions
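--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch
@@ -0,0 +1,132 @@
+From d1c159d4400722e783d12cc3684c1cf15004f7a9 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 24 Sep 2020 14:05:52 +0800
+Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge
+separation for dhcpcd
+
+Fixes:
+
+avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
+permissive=0
+
+avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
+permissive=0
+
+avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
+permissive=0
+
+avc: denied { setrlimit } for pid=332 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process
+permissive=0
+
+avc: denied { create } for pid=330 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=netlink_kobject_uevent_socket permissive=0
+
+avc: denied { setopt } for pid=330 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=netlink_kobject_uevent_socket permissive=0
+
+avc: denied { bind } for pid=330 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=netlink_kobject_uevent_socket permissive=0
+
+avc: denied { getattr } for pid=330 comm="dhcpcd"
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=netlink_kobject_uevent_socket permissive=0
+
+avc: denied { read } for pid=330 comm="dhcpcd" name="n1" dev="tmpfs"
+ino=15616 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
+
+avc: denied { open } for pid=330 comm="dhcpcd"
+path="/run/udev/data/n1" dev="tmpfs" ino=15616
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
+
+avc: denied { getattr } for pid=330 comm="dhcpcd"
+path="/run/udev/data/n1" dev="tmpfs" ino=15616
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0
+
+avc: denied { connectto } for pid=1600 comm="dhcpcd"
+path="/run/dhcpcd/unpriv.sock"
+scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tclass=unix_stream_socket permissive=0
+
+avc: denied { kill } for pid=314 comm="dhcpcd" capability=5
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability
+permissive=0
+
+avc: denied { getattr } for pid=300 comm="dhcpcd"
+path="net:[4026532008]" dev="nsfs" ino=4026532008
+scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/sysnetwork.te | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 4c317cc4c..05a9a52b8 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -58,10 +58,11 @@ ifdef(`distro_debian',`
+# DHCP client local policy
+#
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
++allow dhcpc_t self:capability { setgid setuid sys_chroot kill };
+dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
+# for access("/etc/bashrc", X_OK) on Red Hat
+dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
+
+allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+@@ -69,8 +70,10 @@ allow dhcpc_t self:udp_socket create_socket_perms;
+allow dhcpc_t self:packet_socket create_socket_perms;
+allow dhcpc_t self:netlink_generic_socket create_socket_perms;
+allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
++allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow dhcpc_t self:rawip_socket create_socket_perms;
+allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
++allow dhcpc_t self:unix_stream_socket connectto;
+
+allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
+read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -146,6 +149,7 @@ files_manage_var_files(dhcpc_t)
+fs_getattr_all_fs(dhcpc_t)
+fs_search_auto_mountpoints(dhcpc_t)
+fs_search_cgroup_dirs(dhcpc_t)
++fs_read_nsfs_files(dhcpc_t)
+
+term_dontaudit_use_all_ttys(dhcpc_t)
+term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -181,6 +185,7 @@ ifdef(`init_systemd',`
+init_stream_connect(dhcpc_t)
+init_get_all_units_status(dhcpc_t)
+init_search_units(dhcpc_t)
++ udev_read_runtime_files(dhcpc_t)
+')
+
+optional_policy(`
+--
+2.17.1
+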
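Review bot: `udev_read_runtime_files(dhcpc_t)` is added inside the init_systemd ifdef block (hunk `@@ -181,6 +185,7 @@`, whose opening line is outside the hunk), but the denials it addresses — read/open/getattr on /run/udev/data/n1 labelled udev_runtime_t — come from dhcpcd reading the udev device database, which is not tied to systemd. On an image built without init_systemd the same denials would presumably remain; if that configuration is supported, the call belongs in its own `optional_policy(` ... `)` block next to the other udev interfaces rather than under the init_systemd guard. Separately, the new `allow dhcpc_t self:capability { setgid setuid sys_chroot kill };` grants the privilege-separation capabilities to the single dhcpc_t domain in which the dropped-privilege child also keeps running (scontext and tcontext are both dhcpc_t in every logged denial), so the MAC policy does not confine the unprivileged half any more tightly than the parent; a comment such as `# dhcpcd privsep: parent chroots, drops to the unprivileged child and signals it` above that rule would record why these capabilities are needed and make that trade-off visible to the next reviewer.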