1 |
commit: 5513c5076d69710712b8df417c5bd91913999bf9 |
2 |
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com> |
3 |
AuthorDate: Wed Mar 21 10:57:45 2018 +0000 |
4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Mar 25 10:28:06 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5513c507 |
7 |
|
8 |
add definition of bpf class and systemd perms |
9 |
|
10 |
policy/flask/access_vectors | 9 +++++++++ |
11 |
policy/flask/security_classes | 2 ++ |
12 |
policy/modules/system/init.te | 1 + |
13 |
3 files changed, 12 insertions(+) |
14 |
|
15 |
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors |
16 |
index 4f57fb40..0630f012 100644 |
17 |
--- a/policy/flask/access_vectors |
18 |
+++ b/policy/flask/access_vectors |
19 |
@@ -1081,3 +1081,12 @@ inherits socket |
20 |
|
21 |
class smc_socket |
22 |
inherits socket |
23 |
+ |
24 |
+class bpf |
25 |
+{ |
26 |
+ map_create |
27 |
+ map_read |
28 |
+ map_write |
29 |
+ prog_load |
30 |
+ prog_run |
31 |
+} |
32 |
|
33 |
diff --git a/policy/flask/security_classes b/policy/flask/security_classes |
34 |
index 3ff1b72d..2ae34306 100644 |
35 |
--- a/policy/flask/security_classes |
36 |
+++ b/policy/flask/security_classes |
37 |
@@ -190,4 +190,6 @@ class smc_socket |
38 |
|
39 |
class process2 |
40 |
|
41 |
+class bpf |
42 |
+ |
43 |
# FLASK |
44 |
|
45 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
46 |
index 846ab7b5..94234055 100644 |
47 |
--- a/policy/modules/system/init.te |
48 |
+++ b/policy/modules/system/init.te |
49 |
@@ -228,6 +228,7 @@ ifdef(`init_systemd',` |
50 |
allow init_t self:netlink_route_socket create_netlink_socket_perms; |
51 |
allow init_t initrc_t:unix_dgram_socket create_socket_perms; |
52 |
allow init_t self:capability2 audit_read; |
53 |
+ allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; |
54 |
|
55 |
# for /run/systemd/inaccessible/{chr,blk} |
56 |
allow init_t init_var_run_t:blk_file { create getattr }; |