commit: 70226d790395660a9e086b8c0eeec28acf2c7e3b Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Mon Mar 6 18:18:41 2023 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Mar 31 17:11:32 2023 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70226d79
fs, udev: allow systemd-udevd various cgroup perms
Needed for systemd-udevd to create files under /sys/fs/cgroup/system.slice/systemd-udevd.service/udev
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/filesystem.if | 40 ++++++++++++++++++++++++++++++++++++-
policy/modules/system/udev.te | 6 +++++-
2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index af2023e62..a1282cf40 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -798,7 +798,6 @@ interface(`fs_getattr_cgroup',`
 interface(`fs_search_cgroup_dirs',`
 	gen_require(`
 		type cgroup_t;
-
 	')
 
 	search_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -843,6 +842,25 @@ interface(`fs_ioctl_cgroup_dirs', `
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Create cgroup directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+	')
+
+	create_dirs_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Delete cgroup directories.
@@ -941,6 +959,26 @@ interface(`fs_read_cgroup_files',`
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Create cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_create_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	create_files_pattern($1, cgroup_t, cgroup_t)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Watch cgroup files.
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 56cfa2fb8..2fae88354 100644
--- a/policy/modules/system/udev.te
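Review bot: The new `fs_create_cgroup_files` interface in the third hunk carries a blank line between `type cgroup_t;` and `')` inside its `gen_require`, which is exactly the stray whitespace the first hunk removes from `fs_search_cgroup_dirs`, so the file leaves with the same inconsistency it set out to clean up. Dropping that blank line makes the block match `fs_create_cgroup_dirs` added earlier in this commit, whose `gen_require` has `type cgroup_t;` directly followed by `')`. The rest of the interface (`create_files_pattern` plus `dev_search_sysfs`) follows the shape of the surrounding cgroup interfaces.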
+++ b/policy/modules/system/udev.te
@@ -261,7 +261,11 @@ ifdef(`distro_redhat',`
 ifdef(`init_systemd',`
 	files_search_kernel_modules(udev_t)
 
-	fs_read_cgroup_files(udev_t)
+	# systemd-udev creates cgroup files under
+	# /sys/fs/cgroup/system.slice/systemd-udevd.service/udev
+	fs_create_cgroup_dirs(udev_t)
+	fs_create_cgroup_files(udev_t)
+	fs_rw_cgroup_files(udev_t)
 
 	init_dgram_send(udev_t)
 	init_get_generic_units_status(udev_t)
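Review bot: The comment above the three new calls names a single service directory, but `cgroup_t` is the type the cgroup filesystem is labelled with as a whole, so `fs_create_cgroup_dirs`, `fs_create_cgroup_files` and `fs_rw_cgroup_files` let udev_t create and write cgroup objects anywhere under the cgroup mount, not only under its own service slice. As far as I can tell refpolicy has no finer type for that subtree, so the grant is about as narrow as these interfaces allow, but the comment should say so rather than imply the path is enforced; something like `# systemd-udevd creates files under /sys/fs/cgroup/system.slice/systemd-udevd.service/udev;` followed by `# cgroup_t covers the whole cgroup fs, so this cannot be scoped to that subtree` would do. Replacing `fs_read_cgroup_files` with `fs_rw_cgroup_files` keeps the read access, so nothing is lost there. The enclosing `ifdef(`init_systemd',` block continues outside the hunk.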