commit: 9f360ceda6290fc51e9f537d59574810e5a876b6 Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com> AuthorDate: Wed Aug 17 17:53:26 2022 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Sep 3 19:07:49 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f360ced
systemd: Add interface for systemctl exec. Adds necessary baseline permissions for the command. Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/system/systemd.if | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 62545021..f48cc541 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2388,6 +2388,37 @@ interface(`systemd_read_resolved_runtime',`
 read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 ')
 
+########################################
+## <summary>
+## Execute the systemctl program.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_exec_systemctl',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ dontaudit $1 self:capability { net_admin sys_resource };
+ allow $1 self:process signal;
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ # the command is a regular bin
+ corecmd_exec_bin($1)
+
+ domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+ allow $1 systemd_passwd_agent_t:process signal;
+
+ init_read_state($1)
+ init_stream_connect($1)
+ init_telinit($1)
+ init_dbus_chat($1)
+')
+
 #######################################
 ## <summary>
 ## Allow domain to getattr on .updated file (generated by systemd-update-done
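Review bot: The `## <summary>` for `systemd_exec_systemctl` says only "Execute the systemctl program", but the body grants considerably more. `corecmd_exec_bin($1)` allows executing every file with the generic bin label (the comment says systemctl is one), `domtrans_pattern` adds a transition into `systemd_passwd_agent_t`, and `init_stream_connect`/`init_telinit`/`init_dbus_chat` give the caller a control channel to init. A policy author picking this interface with least privilege in mind cannot see that from the documentation, so I would add a `## <desc>` paragraph listing those grants, e.g. `## Also allows executing generic bin files, transitioning to the systemd password agent, and talking to init over its stream socket and D-Bus.` The `dontaudit $1 self:capability { net_admin sys_resource };` line also needs a one-line why-comment, since it suppresses AVC denials for those capabilities in every calling domain and someone triaging audit logs will not otherwise know the suppression comes from here.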