path: root/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-add-capability2-bpf-and-perfmon-f.patch

From b46903aaf7e52f9c4c51a2fa7fe7a85190da98b1 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Wed, 29 Sep 2021 16:43:54 +0800
Subject: [PATCH] refpolicy-targeted: add capability2 bpf and perfmon for
 unconfined_t

Fixes:
avc: denied { bpf } for pid=433 comm="systemd" capability=39
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=capability2 permissive=0

avc: denied { perfmon } for pid=433 comm="systemd" capability=38
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=capability2 permissive=0

type=USER_AVC msg=audit(1632901631.693:86): pid=433 uid=0 auid=0 ses=3
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='avc:
denied { reload } for auid=n/a uid=0 gid=0 cmdline=""
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=system permissive=0  exe="/lib/systemd/systemd" sauid=0
hostname=? addr=? terminal=?'UID="root" AUID="root" AUID="root"
UID="root" GID="root" SAUID="root"

Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 policy/modules/system/unconfined.if | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index a139cfe78..807e959c3 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -66,6 +66,11 @@ interface(`unconfined_domain_noaudit',`
 	files_start_etc_service($1)
 	files_stop_etc_service($1)
 
+	ifdef(`init_systemd',`
+		allow $1 self:capability2 { bpf perfmon };
+		allow $1 self:system reload;
+	')
+
 	tunable_policy(`allow_execheap',`
 		# Allow making the stack executable via mprotect.
 		allow $1 self:process execheap;
-- 
2.17.1