From: Wenzong Fan <wenzong....@windriver.com> Backport upstream patches: - 0001-refpolicy-Define-getrlimit-permission-for-class-proc.patch - 0002-refpolicy-Define-smc_socket-security-class.patch
This fixes the runtime issues:
$ load_policy
SELinux: Permission getrlimit in class process not defined in policy.
SELinux: Class smc_socket not defined in policy.
SELinux: the above unknown classes and permissions will be allowed
Signed-off-by: Wenzong Fan <wenzong....@windriver.com>
---
 ...efine-getrlimit-permission-for-class-proc.patch | 33 ++++++++++
 ...efpolicy-Define-smc_socket-security-class.patch | 74 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20170204.inc | 6 ++
 3 files changed, 113 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/0001-refpolicy-Define-getrlimit-permission-for-class-proc.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20170204/0002-refpolicy-Define-smc_socket-security-class.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/0001-refpolicy-Define-getrlimit-permission-for-class-proc.patch b/recipes-security/refpolicy/refpolicy-2.20170204/0001-refpolicy-Define-getrlimit-permission-for-class-proc.patch
new file mode 100644
index 0000000..727e48a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/0001-refpolicy-Define-getrlimit-permission-for-class-proc.patch
@@ -0,0 +1,33 @@
+From c5cdfec50b4d6191173725b32b311399345962ac Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <s...@tycho.nsa.gov>
+Date: Wed, 17 May 2017 11:33:46 -0400
+Subject: [PATCH 1/2] refpolicy: Define getrlimit permission for class process
+
+This permission was added to the kernel in commit 791ec491c372
+("prlimit,security,selinux: add a security hook for prlimit")
+circa Linux 4.12 in order to control the ability to get the resource
+limits of another process. It is only checked when acting on another
+process, so getrlimit permission is not required for use of getrlimit(2).
+
+Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
+
+Upstream-Status: Backport
+---
+ policy/flask/access_vectors | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
+index 69f69af..6204e68 100644
+--- a/policy/flask/access_vectors
++++ b/policy/flask/access_vectors
+@@ -383,6 +383,7 @@ class process
+ execheap
+ setkeycreate
+ setsockcreate
++ getrlimit
+ }
+
+
+-- 
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/0002-refpolicy-Define-smc_socket-security-class.patch b/recipes-security/refpolicy/refpolicy-2.20170204/0002-refpolicy-Define-smc_socket-security-class.patch
new file mode 100644
index 0000000..e8ef659
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/0002-refpolicy-Define-smc_socket-security-class.patch
@@ -0,0 +1,74 @@
+From cfe0a94feb3e965663ea20961ac866ac8712b94a Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <s...@tycho.nsa.gov>
+Date: Wed, 17 May 2017 11:31:48 -0400
+Subject: [PATCH 2/2] refpolicy: Define smc_socket security class
+
+Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
+network address families") triggers a build error if a new address family
+is added without defining a corresponding SELinux security class. As a
+result, the smc_socket class was added to the kernel to resolve a build
+failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
+Linux 4.11. Define this security class and its access vector, note that it
+is enabled as part of the extended_socket_class policy capability, and add
+it to the socket_class_set macro.
+
+Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
+
+Upstream-Status: Backport
+---
+ policy/flask/access_vectors | 3 +++
+ policy/flask/security_classes | 1 +
+ policy/policy_capabilities | 1 +
+ policy/support/obj_perm_sets.spt | 2 +-
+ 4 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
+index 6204e68..7652a31 100644
+--- a/policy/flask/access_vectors
++++ b/policy/flask/access_vectors
+@@ -1059,3 +1059,6 @@ inherits socket
+ 
+ class qipcrtr_socket
+ inherits socket
++
++class smc_socket
++inherits socket
+diff --git a/policy/flask/security_classes b/policy/flask/security_classes
+index 18f18fd..18c4f97 100644
+--- a/policy/flask/security_classes
++++ b/policy/flask/security_classes
+@@ -182,5 +182,6 @@ class nfc_socket
+ class vsock_socket
+ class kcm_socket
+ class qipcrtr_socket
++class smc_socket
+ 
+ # FLASK
+diff --git a/policy/policy_capabilities b/policy/policy_capabilities
+index 39e3930..e0ff6e3 100644
+--- a/policy/policy_capabilities
++++ b/policy/policy_capabilities
+@@ -77,6 +77,7 @@ policycap open_perms;
+ # vsock_socket
+ # kcm_socket
+ # qipcrtr_socket
++# smc_socket
+ #
+ # Available in
kernel 4.11+.
+ # Requires libsepol 2.7+ to build policy with this enabled.
+diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
+index 590ea63..872ca1d 100644
+--- a/policy/support/obj_perm_sets.spt
++++ b/policy/support/obj_perm_sets.spt
+@@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
+ #
+ # All socket classes.
+ #
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket}')
++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket 
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
+ 
+ #
+ # Datagram socket classes.
+-- 
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20170204.inc b/recipes-security/refpolicy/refpolicy_2.20170204.inc
index 8b72cbd..51c5050 100644
--- a/recipes-security/refpolicy/refpolicy_2.20170204.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20170204.inc
@@ -55,4 +55,10 @@ SRC_URI += " \
 file://ftp-add-ftpd_t-to-mlsfilewrite.patch \
 "
 
+# Backport from upstream
+SRC_URI += " \
+ file://0001-refpolicy-Define-getrlimit-permission-for-class-proc.patch \
+ file://0002-refpolicy-Define-smc_socket-security-class.patch \
+ "
+
 include refpolicy_common.inc
-- 
2.13.0
-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
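Review bot: The `# Backport from upstream` comment added in the refpolicy_2.20170204.inc hunk should name what is being backported, so the next version bump can tell when the two patch files are obsolete; e.g. `# Backport of upstream refpolicy commits c5cdfec50b4d (getrlimit on class process) and cfe0a94feb3e (smc_socket class), both needed for kernel 4.11/4.12`. Note also that the messages quoted in the commit description say the kernel was allowing these unknown classes and permissions; once they are defined they are checked, so domains that act on another process's resource limits (per the 0001 patch description, getrlimit is only checked when acting on another process) and, where the extended_socket_class policy capability is enabled, users of smc_socket may start seeing denials that need explicit rules rather than being silently permitted. Verifying the resulting policy in enforcing mode, and mentioning that behavioural change in the commit message, would be worthwhile. The SRC_URI assignment in this hunk starts at line 55 of the .inc file, so the earlier part of the file is outside the hunk.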