91 строка
3.1 KiB
Diff
91 строка
3.1 KiB
Diff
From ec779c3d9bd12ebfe3cf88c6a25e140d6c6e46aa Mon Sep 17 00:00:00 2001
|
|
From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
|
|
Date: Fri, 26 Aug 2022 18:05:28 +0000
|
|
Subject: [PATCH 10/35] systemd: Minor coredump fixes.
|
|
|
|
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
|
|
---
|
|
policy/modules/kernel/corecommands.if | 20 ++++++++++++++++++++
|
|
policy/modules/system/systemd.te | 11 ++++-------
|
|
2 files changed, 24 insertions(+), 7 deletions(-)
|
|
|
|
MSFT_TAG: pending
|
|
|
|
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
|
|
index 231aa69d9..328fc4419 100644
|
|
--- a/policy/modules/kernel/corecommands.if
|
|
+++ b/policy/modules/kernel/corecommands.if
|
|
@@ -666,6 +666,26 @@ interface(`corecmd_read_all_executables',`
|
|
read_files_pattern($1, exec_type, exec_type)
|
|
')
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Mmap read-only all executable files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`corecmd_mmap_read_all_executables',`
|
|
+ gen_require(`
|
|
+ attribute exec_type;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ mmap_read_files_pattern($1, exec_type, exec_type)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Execute all executable files.
|
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
|
index 3b36837b3..a5ca5575b 100644
|
|
--- a/policy/modules/system/systemd.te
|
|
+++ b/policy/modules/system/systemd.te
|
|
@@ -425,13 +425,13 @@ ifdef(`enable_mls',`
|
|
# coredump local policy
|
|
#
|
|
|
|
-allow systemd_coredump_t self:capability { setgid setuid setpcap sys_ptrace };
|
|
+allow systemd_coredump_t self:capability { dac_read_search setgid setuid setpcap sys_ptrace };
|
|
+dontaudit systemd_coredump_t self:capability { dac_override net_admin };
|
|
allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace };
|
|
allow systemd_coredump_t self:process { getcap setcap setfscreate };
|
|
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
|
|
allow systemd_coredump_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow systemd_coredump_t self:fifo_file rw_inherited_fifo_file_perms;
|
|
-dontaudit systemd_coredump_t self:capability net_admin;
|
|
|
|
mmap_manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
|
|
|
|
@@ -442,7 +442,7 @@ kernel_rw_pipes(systemd_coredump_t)
|
|
kernel_use_fds(systemd_coredump_t)
|
|
|
|
corecmd_exec_bin(systemd_coredump_t)
|
|
-corecmd_read_all_executables(systemd_coredump_t)
|
|
+corecmd_mmap_read_all_executables(systemd_coredump_t)
|
|
|
|
dev_write_kmsg(systemd_coredump_t)
|
|
|
|
@@ -453,12 +453,9 @@ files_read_etc_files(systemd_coredump_t)
|
|
files_search_var_lib(systemd_coredump_t)
|
|
files_mounton_root(systemd_coredump_t)
|
|
|
|
-fs_getattr_xattr_fs(systemd_coredump_t)
|
|
+fs_getattr_all_fs(systemd_coredump_t)
|
|
fs_getattr_nsfs_files(systemd_coredump_t)
|
|
fs_search_cgroup_dirs(systemd_coredump_t)
|
|
-fs_getattr_cgroup(systemd_coredump_t)
|
|
-
|
|
-selinux_getattr_fs(systemd_coredump_t)
|
|
|
|
init_list_var_lib_dirs(systemd_coredump_t)
|
|
init_read_state(systemd_coredump_t)
|
|
--
|
|
2.34.1
|
|
|