1 |
commit: 5eb6ba4f89dbcd6b1c5c4e394164aa989c1d140b |
2 |
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be> |
3 |
AuthorDate: Fri Dec 11 13:03:36 2015 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu Dec 17 15:25:22 2015 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5eb6ba4f |
7 |
|
8 |
Add interfaces to read/write /proc/sys/vm/overcommit_memory |
9 |
|
10 |
policy/modules/kernel/kernel.if | 40 ++++++++++++++++++++++++++++++++++++++++ |
11 |
1 file changed, 40 insertions(+) |
12 |
|
13 |
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if |
14 |
index df42fa3..5f2f78e 100644 |
15 |
--- a/policy/modules/kernel/kernel.if |
16 |
+++ b/policy/modules/kernel/kernel.if |
17 |
@@ -3341,3 +3341,43 @@ interface(`kernel_unconfined',` |
18 |
typeattribute $1 kern_unconfined; |
19 |
kernel_load_module($1) |
20 |
') |
21 |
+ |
22 |
+######################################## |
23 |
+## <summary> |
24 |
+## Read virtual memory overcommit sysctl. |
25 |
+## </summary> |
26 |
+## <param name="domain"> |
27 |
+## <summary> |
28 |
+## Domain allowed access. |
29 |
+## </summary> |
30 |
+## </param> |
31 |
+## <rolecap/> |
32 |
+# |
33 |
+interface(`kernel_read_vm_overcommit_sysctl',` |
34 |
+ gen_require(` |
35 |
+ type sysctl_vm_overcommit_t; |
36 |
+ ') |
37 |
+ |
38 |
+ kernel_search_vm_sysctl($1) |
39 |
+ allow $1 sysctl_vm_overcommit_t:file read_file_perms; |
40 |
+') |
41 |
+ |
42 |
+######################################## |
43 |
+## <summary> |
44 |
+## Read and write virtual memory overcommit sysctl. |
45 |
+## </summary> |
46 |
+## <param name="domain"> |
47 |
+## <summary> |
48 |
+## Domain allowed access. |
49 |
+## </summary> |
50 |
+## </param> |
51 |
+## <rolecap/> |
52 |
+# |
53 |
+interface(`kernel_rw_vm_overcommit_sysctl',` |
54 |
+ gen_require(` |
55 |
+ type sysctl_vm_overcommit_t; |
56 |
+ ') |
57 |
+ |
58 |
+ kernel_search_vm_sysctl($1) |
59 |
+ allow $1 sysctl_vm_overcommit_t:file rw_file_perms; |
60 |
+') |