From: Wenzong Fan <wenzong....@windriver.com>

When ping is installed with capabilities instead of being marked setuid, then the ping_t domain needs to be allowed to getcap/setcap.
Signed-off-by: Wenzong Fan <wenzong....@windriver.com> --- .../Allow-ping-to-get-set-capabilities.patch | 32 ++++++++++++++++++++ .../refpolicy/refpolicy_2.20130424.inc | 4 +++ 2 files changed, 36 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch new file mode 100644 index 0000000..fced84a --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-ping-to-get-set-capabilities.patch @@ -0,0 +1,32 @@ +From 56c43144d7dcf5fec969c9aa9cb97679ccad50cc Mon Sep 17 00:00:00 2001 +From: Sven Vermeulen <sven.vermeu...@siphos.be> +Date: Wed, 25 Sep 2013 20:27:34 +0200 +Subject: [PATCH] Allow ping to get/set capabilities + +When ping is installed with capabilities instead of being marked setuid, +then the ping_t domain needs to be allowed to getcap/setcap. + +Reported-by: Luis Ressel <ara...@aixah.de> +Signed-off-by: Sven Vermeulen <sven.vermeu...@siphos.be> + +Upstream-Status: backport +--- + policy/modules/admin/netutils.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te +index 557da97..cfe036a 100644 +--- a/policy/modules/admin/netutils.te ++++ b/policy/modules/admin/netutils.te +@@ -106,6 +106,8 @@ optional_policy(` + # + + allow ping_t self:capability { setuid net_raw }; ++# When ping is installed with capabilities instead of setuid ++allow ping_t self:process { getcap setcap }; + dontaudit ping_t self:capability sys_tty_config; + allow ping_t self:tcp_socket create_socket_perms; + allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; +-- +1.7.10.4 + diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc index cb1dec6..4b618b2 100644 
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc @@ -52,4 +52,8 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \ file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \ " +# Backport from upstream +SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \ + " + include refpolicy_common.inc -- 1.7.9.5 _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
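Review bot: in the new patch file, `allow ping_t self:process { getcap setcap };` is unconditional even though its comment ("When ping is installed with capabilities instead of setuid") describes only one of the two install modes; on a setuid install the rule is simply never exercised, which is acceptable because process getcap/setcap only cover capget(2)/capset(2) on the process's own sets, but the comment should say that the rule is harmless on setuid installs rather than implying it is specific to one, or the rule should be tied to how the binary is actually installed if the policy wants to stay minimal. The untouched `allow ping_t self:capability { setuid net_raw };` on the line above is worth a second look in the same pass: confirm whether `setuid` is still exercised on a file-capability install before keeping both paths. Separately, the embedded commit trailer reads `Upstream-Status: backport`; the OE convention is the capitalized form `Upstream-Status: Backport`, which is the spelling the patch guidelines list.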
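Review bot: in the refpolicy_2.20130424.inc hunk, opening a second `SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \` list directly under the existing `SRC_URI += "file://poky-policy-fix-...` list is a style point; the new entry could be appended to the list just above so the recipe keeps a single patch list, with the `# Backport from upstream` comment placed on the entry itself. If the separate block is kept for readability, the added trailing blank line before `include refpolicy_common.inc` is fine, but the `+ "` closing line should be indented like the existing list's closing quote for consistency.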
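The commit message above says that ping_t needs process getcap/setcap once ping carries file capabilities instead of the setuid bit. The reason is the pair of syscalls a capability-aware ping makes at startup: capget(2) to read its own capability sets and capset(2) to shrink them to CAP_NET_RAW, which SELinux checks as process:getcap and process:setcap on the calling domain. The program below is an added example, not ping's own code and not part of the patch or of refpolicy: it performs that minimisation with raw syscalls against the kernel's uapi header (assumes Linux); the helper names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

typedef struct __user_cap_header_struct cap_hdr_t;
typedef struct __user_cap_data_struct cap_data_t;

/* capget(2) on the calling thread (pid 0). Under SELinux this is the
 * process:getcap check on the caller's domain (ping_t for ping).
 * Returns 0 on success, -errno on failure. */
static int get_own_caps(cap_data_t data[_LINUX_CAPABILITY_U32S_3])
{
    cap_hdr_t hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    memset(data, 0, sizeof(cap_data_t) * _LINUX_CAPABILITY_U32S_3);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* 1 if capability `cap` is in the permitted set of a v3 data array. */
static int permitted_has(const cap_data_t *data, int cap)
{
    return (data[CAP_TO_INDEX(cap)].permitted & CAP_TO_MASK(cap)) != 0;
}

/* Shrink the thread's capabilities to a ping-style minimum: keep only
 * CAP_NET_RAW in the permitted set (if it was there), empty the effective
 * and inheritable sets. A caller then raises CAP_NET_RAW into effective
 * only around socket(2). The kernel always allows sets to shrink, so this
 * works unprivileged too. Under SELinux the capset(2) here is the
 * process:setcap check. Returns 0 on success, -errno on failure. */
static int limit_to_net_raw(void)
{
    cap_data_t data[_LINUX_CAPABILITY_U32S_3];
    int rc = get_own_caps(data);
    if (rc)
        return rc;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
        uint32_t keep = (CAP_TO_INDEX(CAP_NET_RAW) == i) ? CAP_TO_MASK(CAP_NET_RAW) : 0;
        data[i].permitted &= keep;   /* may only shrink, never grow */
        data[i].effective = 0;
        data[i].inheritable = 0;
    }
    cap_hdr_t hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* Re-read the sets and confirm the invariant limit_to_net_raw() promises:
 * nothing but CAP_NET_RAW permitted, effective and inheritable empty.
 * Returns 1 if it holds, 0 otherwise. */
static int verify_limited(void)
{
    cap_data_t data[_LINUX_CAPABILITY_U32S_3];
    if (get_own_caps(data) != 0)
        return 0;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++) {
        uint32_t allowed = (CAP_TO_INDEX(CAP_NET_RAW) == i) ? CAP_TO_MASK(CAP_NET_RAW) : 0;
        if (data[i].permitted & ~allowed)
            return 0;
        if (data[i].effective || data[i].inheritable)
            return 0;
    }
    return 1;
}

int main(void)
{
    cap_data_t before[_LINUX_CAPABILITY_U32S_3];
    if (get_own_caps(before) != 0) {
        perror("capget");
        return 1;
    }
    printf("CAP_NET_RAW permitted at start: %s\n",
           permitted_has(before, CAP_NET_RAW) ? "yes" : "no");
    int rc = limit_to_net_raw();
    if (rc != 0) {
        fprintf(stderr, "capset failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("limited to CAP_NET_RAW: %s\n", verify_limited() ? "ok" : "NOT ok");
    return 0;
}
```

Run it unprivileged and the permitted set simply ends up empty; run it after `setcap cap_net_raw+p ./a.out` and CAP_NET_RAW survives in permitted while effective is cleared, which is the file-capability pattern the commit message refers to. On an enforcing SELinux host, executing it from a domain that lacks process:setcap makes the capset(2) call fail with EPERM and produces an AVC denial for `{ setcap }` on class `process`, the denial the netutils.te change above is meant to remove for ping_t.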