commit: 8bb8af09473326d9b48783118f3f0694ef6b0ed0
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 17 09:32:28 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Aug 17 09:32:28 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8bb8af09
Add block_suspend to admin users
Administrative user domains often perform system tasks in their user
domain (for instance sysadm_t). These tasks should be able to
run-to-complete and should not be interrupted by suspend operations that
might be scheduled.
Tasks that use the epoll() system might use the EPOLLWAKEUP flag to
prevent suspends while epoll events are ready. This only works if
CAP_BLOCK_SUSPEND is active (otherwise EPOLLWAKEUP is ignored).
---
policy/modules/system/userdomain.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index f299e2e..5b26aef 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1243,6 +1243,8 @@ template(`userdom_admin_user_template',`
')
ifdef(`distro_gentoo',`
+ # Grant block_suspend capability2 to administrators, this
annoys the heck out of me
+ allow $1_t self:capability2 { block_suspend };
# Moved out of files_relabel_non_auth_files as it cannot be
used in tunable_policy otherwise
seutil_relabelto_bin_policy($1_t)
')
