diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch new file mode 100644 index 0000000..504e028 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-system-sysnetwork-support-priviledge-.patch | |||
| @@ -0,0 +1,132 @@ | |||
| 1 | From d1c159d4400722e783d12cc3684c1cf15004f7a9 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
| 3 | Date: Thu, 24 Sep 2020 14:05:52 +0800 | ||
| 4 | Subject: [PATCH] policy/modules/system/sysnetwork: support priviledge | ||
| 5 | separation for dhcpcd | ||
| 6 | |||
| 7 | Fixes: | ||
| 8 | |||
| 9 | avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18 | ||
| 10 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 11 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability | ||
| 12 | permissive=0 | ||
| 13 | |||
| 14 | avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6 | ||
| 15 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 16 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability | ||
| 17 | permissive=0 | ||
| 18 | |||
| 19 | avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7 | ||
| 20 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 21 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability | ||
| 22 | permissive=0 | ||
| 23 | |||
| 24 | avc: denied { setrlimit } for pid=332 comm="dhcpcd" | ||
| 25 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 26 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process | ||
| 27 | permissive=0 | ||
| 28 | |||
| 29 | avc: denied { create } for pid=330 comm="dhcpcd" | ||
| 30 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 31 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 32 | tclass=netlink_kobject_uevent_socket permissive=0 | ||
| 33 | |||
| 34 | avc: denied { setopt } for pid=330 comm="dhcpcd" | ||
| 35 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 36 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 37 | tclass=netlink_kobject_uevent_socket permissive=0 | ||
| 38 | |||
| 39 | avc: denied { bind } for pid=330 comm="dhcpcd" | ||
| 40 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 41 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 42 | tclass=netlink_kobject_uevent_socket permissive=0 | ||
| 43 | |||
| 44 | avc: denied { getattr } for pid=330 comm="dhcpcd" | ||
| 45 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 46 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 47 | tclass=netlink_kobject_uevent_socket permissive=0 | ||
| 48 | |||
| 49 | avc: denied { read } for pid=330 comm="dhcpcd" name="n1" dev="tmpfs" | ||
| 50 | ino=15616 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 51 | tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0 | ||
| 52 | |||
| 53 | avc: denied { open } for pid=330 comm="dhcpcd" | ||
| 54 | path="/run/udev/data/n1" dev="tmpfs" ino=15616 | ||
| 55 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 56 | tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0 | ||
| 57 | |||
| 58 | avc: denied { getattr } for pid=330 comm="dhcpcd" | ||
| 59 | path="/run/udev/data/n1" dev="tmpfs" ino=15616 | ||
| 60 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 61 | tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=0 | ||
| 62 | |||
| 63 | avc: denied { connectto } for pid=1600 comm="dhcpcd" | ||
| 64 | path="/run/dhcpcd/unpriv.sock" | ||
| 65 | scontext=root:sysadm_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 66 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 67 | tclass=unix_stream_socket permissive=0 | ||
| 68 | |||
| 69 | avc: denied { kill } for pid=314 comm="dhcpcd" capability=5 | ||
| 70 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 71 | tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability | ||
| 72 | permissive=0 | ||
| 73 | |||
| 74 | avc: denied { getattr } for pid=300 comm="dhcpcd" | ||
| 75 | path="net:[4026532008]" dev="nsfs" ino=4026532008 | ||
| 76 | scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 | ||
| 77 | tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 | ||
| 78 | |||
| 79 | Upstream-Status: Inappropriate [embedded specific] | ||
| 80 | |||
| 81 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
| 82 | --- | ||
| 83 | policy/modules/system/sysnetwork.te | 7 ++++++- | ||
| 84 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
| 85 | |||
| 86 | diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te | ||
| 87 | index 4c317cc4c..05a9a52b8 100644 | ||
| 88 | --- a/policy/modules/system/sysnetwork.te | ||
| 89 | +++ b/policy/modules/system/sysnetwork.te | ||
| 90 | @@ -58,10 +58,11 @@ ifdef(`distro_debian',` | ||
| 91 | # DHCP client local policy | ||
| 92 | # | ||
| 93 | allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config }; | ||
| 94 | +allow dhcpc_t self:capability { setgid setuid sys_chroot kill }; | ||
| 95 | dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config }; | ||
| 96 | # for access("/etc/bashrc", X_OK) on Red Hat | ||
| 97 | dontaudit dhcpc_t self:capability { dac_read_search sys_module }; | ||
| 98 | -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; | ||
| 99 | +allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit }; | ||
| 100 | |||
| 101 | allow dhcpc_t self:fifo_file rw_fifo_file_perms; | ||
| 102 | allow dhcpc_t self:tcp_socket create_stream_socket_perms; | ||
| 103 | @@ -69,8 +70,10 @@ allow dhcpc_t self:udp_socket create_socket_perms; | ||
| 104 | allow dhcpc_t self:packet_socket create_socket_perms; | ||
| 105 | allow dhcpc_t self:netlink_generic_socket create_socket_perms; | ||
| 106 | allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms; | ||
| 107 | +allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms; | ||
| 108 | allow dhcpc_t self:rawip_socket create_socket_perms; | ||
| 109 | allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto }; | ||
| 110 | +allow dhcpc_t self:unix_stream_socket connectto; | ||
| 111 | |||
| 112 | allow dhcpc_t dhcp_etc_t:dir list_dir_perms; | ||
| 113 | read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) | ||
| 114 | @@ -146,6 +149,7 @@ files_manage_var_files(dhcpc_t) | ||
| 115 | fs_getattr_all_fs(dhcpc_t) | ||
| 116 | fs_search_auto_mountpoints(dhcpc_t) | ||
| 117 | fs_search_cgroup_dirs(dhcpc_t) | ||
| 118 | +fs_read_nsfs_files(dhcpc_t) | ||
| 119 | |||
| 120 | term_dontaudit_use_all_ttys(dhcpc_t) | ||
| 121 | term_dontaudit_use_all_ptys(dhcpc_t) | ||
| 122 | @@ -181,6 +185,7 @@ ifdef(`init_systemd',` | ||
| 123 | init_stream_connect(dhcpc_t) | ||
| 124 | init_get_all_units_status(dhcpc_t) | ||
| 125 | init_search_units(dhcpc_t) | ||
| 126 | + udev_read_runtime_files(dhcpc_t) | ||
| 127 | ') | ||
| 128 | |||
| 129 | optional_policy(` | ||
| 130 | -- | ||
| 131 | 2.17.1 | ||
| 132 | |||