commit: 15c72c7459aa4dbc7912543b85f5631677a2a957
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sun Jul 31 09:16:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15c72c74
user_udp_server tunable
The following patch adds a tunable, user_udp_server, that allows the user
domains to run UDP services.
policy/global_tunables | 8 ++++++++
policy/modules/system/userdomain.if | 7 +++++++
2 files changed, 15 insertions(+)
diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..affc020 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -111,3 +111,11 @@ gen_tunable(use_samba_home_dirs,false)
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow users to run UDP servers (bind to ports and accept connection from
+## the same domain and outside users)
+## </p>
+## </desc>
+gen_tunable(user_udp_server,false)
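Review bot: The description added for user_udp_server says the servers "accept connection", wording that appears to be carried over from the TCP tunable above it. UDP sockets have no accept step, so an administrator reading the boolean's help text cannot tell what is actually permitted. I would write the two description lines as `## Allow users to run UDP servers (bind to generic ports and receive` and `## datagrams from the same domain and outside users)`. The same sentence is repeated in the comment above the tunable_policy block in policy/modules/system/userdomain.if and should change with it.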
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b04d149..9c40ce1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1069,6 +1069,13 @@ template(`userdom_unpriv_user_template', `
corenet_tcp_bind_generic_port($1_t)
')
+ # Allow users to run UDP servers (bind to ports and accept connection from
+ # the same domain and outside users)
+ tunable_policy(`user_udp_server',`
+ corenet_udp_bind_generic_node($1_t)
+ corenet_udp_bind_generic_port($1_t)
+ ')
+
optional_policy(`
netutils_run_ping_cond($1_t, $1_r)
netutils_run_traceroute_cond($1_t, $1_r)
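Review bot: The new tunable_policy block for user_udp_server sits inside userdom_unpriv_user_template, so one boolean turns on UDP bind for every user domain built from that template, with no per-role control. The comment above the block should say so. Only the generic-node and generic-port bind interfaces are called, so ports that carry their own type are presumably still not bindable with the boolean on, and that limit is worth stating as well. A comment such as `# Applies to every unprivileged user domain built from this template; only generic UDP ports are covered.` would do. The template body starts and ends outside this hunk, so whether these domains already hold the other UDP socket permissions a server needs cannot be confirmed from here.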