Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch deleted file mode 100644 index f7758c5..0000000 --- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-add-capability2-bpf-and-p.patch +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | From 2d932ba7140d91cf2a8386b0240f4f1014124746 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Wed, 3 Feb 2021 09:47:59 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/init: add capability2 bpf and perfmon | ||
5 | for init_t | ||
6 | |||
7 | Fixes: | ||
8 | avc: denied { bpf } for pid=1 comm="systemd" capability=39 | ||
9 | scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t | ||
10 | tclass=capability2 permissive=0 | ||
11 | avc: denied { perfmon } for pid=1 comm="systemd" capability=38 | ||
12 | scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t | ||
13 | tclass=capability2 permissive=0 | ||
14 | |||
15 | Upstream-Status: Inappropriate [embedded specific] | ||
16 | |||
17 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
18 | --- | ||
19 | policy/modules/system/init.te | 2 +- | ||
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te | ||
23 | index e82177938..b7d494398 100644 | ||
24 | --- a/policy/modules/system/init.te | ||
25 | +++ b/policy/modules/system/init.te | ||
26 | @@ -134,7 +134,7 @@ ifdef(`enable_mls',` | ||
27 | |||
28 | # Use capabilities. old rule: | ||
29 | allow init_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; | ||
30 | -allow init_t self:capability2 { wake_alarm block_suspend }; | ||
31 | +allow init_t self:capability2 { wake_alarm block_suspend bpf perfmon }; | ||
32 | # is ~sys_module really needed? observed: | ||
33 | # sys_boot | ||
34 | # sys_tty_config | ||
35 | -- | ||
36 | 2.17.1 | ||
37 | |||