more setcurrent stuff
parent
2a3478cf15
commit
007ca5600c
|
@ -79,6 +79,18 @@ interface(`domain_wide_inherit_fd',`
|
|||
typeattribute $1 privfd;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# domain_dyntrans_type(domain)
|
||||
#
|
||||
interface(`domain_dyntrans_type',`
|
||||
gen_require(`
|
||||
attribute set_curr_context;
|
||||
')
|
||||
|
||||
typeattribute $1 set_curr_context;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_subj_id_change_exempt">
|
||||
## <description>
|
||||
|
@ -461,7 +473,7 @@ interface(`domain_read_all_entry_files',`
|
|||
#
|
||||
# domain_trans(source_domain,entrypoint_file,target_domain)
|
||||
#
|
||||
interface(`domain_trans',`
|
||||
define(`domain_trans',`
|
||||
gen_require(`
|
||||
class file rx_file_perms;
|
||||
process { transition noatsecure siginh rlimitinh };
|
||||
|
@ -476,7 +488,7 @@ interface(`domain_trans',`
|
|||
#
|
||||
# domain_auto_trans(source_domain,entrypoint_file,target_domain)
|
||||
#
|
||||
interface(`domain_auto_trans',`
|
||||
define(`domain_auto_trans',`
|
||||
domain_trans($1,$2,$3)
|
||||
type_transition $1 $2:process $3;
|
||||
')
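Review bot: The new `domain_dyntrans_type` interface in the first hunk is documented only by the bare `# domain_dyntrans_type(domain)` line, while the interface directly below it (`domain_subj_id_change_exempt`) uses the `## <interface name=…>` / `## <description>` form. Because calling it exempts a domain from the `setcurrent` assertion, the header should say so. It should also state that the body only assigns the `set_curr_context` attribute and grants no `setcurrent` or `dyntransition` permission itself. Inside a `## <interface name="domain_dyntrans_type">` block, something like `## <description>Exempt the domain from the setcurrent neverallow; the caller must still add its own allow rules.</description>` would do.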
|
||||
|
|
|
@ -10,6 +10,10 @@ attribute entry_type;
|
|||
# widely-inheritable file descriptors
|
||||
attribute privfd;
|
||||
|
||||
# Domains that can set their current context
|
||||
# (perform dynamic transitions)
|
||||
attribute set_curr_context;
|
||||
|
||||
# constraint related attributes
|
||||
attribute can_change_process_identity;
|
||||
attribute can_change_process_role;
|
||||
|
@ -21,7 +25,7 @@ neverallow domain ~domain:process { transition dyntransition };
|
|||
# enabling setcurrent breaks process tranquility. If you do not
|
||||
# know what this means or do not understand the implications of a
|
||||
# dynamic transition, you should not be using it!!!
|
||||
neverallow * *:process setcurrent;
|
||||
neverallow { domain -set_curr_context } self:process setcurrent;
|
||||
|
||||
# Files with domain types are currently only proc files
|
||||
neverallow * domain:dir ~r_dir_perms;
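Review bot: The rewritten `setcurrent` assertion in the last hunk is narrower than the exemption requires. Besides excluding `set_curr_context`, it changes the source from `*` to `domain` and the target from `*` to `self`, so a `setcurrent` rule from a non-domain type, or against a type other than the source, is no longer rejected at build time. `neverallow ~set_curr_context *:process setcurrent;` would keep the original coverage and exempt only the attributed domains. This assumes the `{ domain -set_curr_context }` line is the new side: the page has lost its +/- markers, but the attribute it references is itself added earlier in this file section.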
|
||||
|
|