
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/flask/
Date: Sun, 25 Mar 2018 10:29:30
Message-Id: 1521973686.5513c5076d69710712b8df417c5bd91913999bf9.swift@gentoo
1 commit: 5513c5076d69710712b8df417c5bd91913999bf9
2 Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Wed Mar 21 10:57:45 2018 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Sun Mar 25 10:28:06 2018 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5513c507
7
8 add definition of bpf class and systemd perms
9
10 policy/flask/access_vectors | 9 +++++++++
11 policy/flask/security_classes | 2 ++
12 policy/modules/system/init.te | 1 +
13 3 files changed, 12 insertions(+)
14
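diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 4f57fb40..0630f012 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1081,3 +1081,12 @@ inherits socket
 
 class smc_socket
 inherits socket
+
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}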
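Review bot: The new `class bpf` block does not record which kernel definition its permission list mirrors, so when the kernel later extends the class a maintainer has no hint here which version this snapshot was taken from. The five permissions (map_create, map_read, map_write, prog_load, prog_run) do match the kernel's initial bpf class in security/selinux/include/classmap.h as far as I recall, which I believe first shipped in Linux 4.14. I would add above `+class bpf` a comment such as `# bpf object access (maps and programs); keep in sync with the kernel's classmap.h`, in the same spirit as the header comment at the top of this file.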
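diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 3ff1b72d..2ae34306 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -190,4 +190,6 @@ class smc_socket
 
 class process2
 
+class bpf
+
 # FLASK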
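diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 846ab7b5..94234055 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -228,6 +228,7 @@ ifdef(`init_systemd',`
 allow init_t self:netlink_route_socket create_netlink_socket_perms;
 allow init_t initrc_t:unix_dgram_socket create_socket_perms;
 allow init_t self:capability2 audit_read;
+ allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
 
 # for /run/systemd/inaccessible/{chr,blk}
 allow init_t init_var_run_t:blk_file { create getattr };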
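Review bot: The added `allow init_t self:bpf { ... }` rule carries no comment saying which systemd feature needs it, while the neighbouring rule two lines below is justified with `# for /run/systemd/inaccessible/{chr,blk}`; someone auditing why PID 1 is allowed prog_load (the permission that lets a domain load arbitrary BPF programs) has nothing to go on. I would put a comment above the rule such as `# for cgroup BPF programs and maps used by IPAddressAllow=/IPAddressDeny= (presumably; confirm against the systemd version in use)`, since the per-unit IP filtering and accounting is, to my knowledge, the systemd feature that drives the bpf syscall. Granting the full set only on self and only inside the init_systemd branch keeps the scope tight, and the comment should state that scope so a later generalization to other domains is not done casually. The enclosing ifdef block for init_systemd starts before this hunk and continues past its last line.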