packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-domain-use-userfaultfd-over-all-domains.patch
lujie54 bed9e54ba5 backport upstream patches
2022-09-15 10:25:08 +08:00

34 lines
1.2 KiB
Diff
Raw Blame History

From 3befcf9bdea867fca0d980871e251191fe234586 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 22 Jun 2022 21:27:59 +0200
Subject: [PATCH] Allow domain use userfaultfd over all domains
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3befcf9bdea867fca0d980871e251191fe234586
Conflict: NA
Until now, all processes were allowed to use userfaultfd as well other
anon_inodes to get a file descriptor from the same domain.
Since this commit the permissions are allowed between different domains.
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/domain.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index f1e0bd6..1289b4c 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -121,7 +121,7 @@ neverallow ~{ domain unlabeled_t } *:process *;
# Rules applied to all domains
#
-allow domain self:anon_inode userfaultfd_anon_inode_perms;
+allow domain domain:anon_inode userfaultfd_anon_inode_perms;
# read /proc/(pid|self) entries
allow domain self:dir { list_dir_perms watch_dir_perms };
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink