From 77fd73e6b894b3e1ee7db8d6f697638d55a04f02 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 24 Sep 2020 14:05:52 +0800
Subject: [PATCH] sysnetwork: fix privilege separation functionality of dhcpcd

Fixes:
dhcpcd[410]: ps_dropprivs: chroot: /var/lib/dhcpcd: Operation not permitted
dhcpcd[410]: failed to drop privileges: Operation not permitted
dhcpcd[264]: setrlimit RLIMIT_NOFILE: Permission denied
dhcpcd[264]: setrlimit RLIMIT_NPROC: Permission denied
avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability permissive=0
avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability permissive=0
avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability permissive=0
avc: denied { setrlimit } for pid=332 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process permissive=0
avc: denied { getattr } for pid=330 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=0

Signed-off-by: Yi Zhao
---
 policy/modules/system/sysnetwork.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index fb562afe4..fdbceafd2 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -61,11 +61,11 @@ ifdef(`distro_debian',`
 #
 # DHCP client local policy
 #
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setgid setpcap setuid sys_chroot sys_nice sys_resource sys_tty_config };
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
 allow dhcpc_t self:cap_userns { net_bind_service };
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
@@ -149,6 +149,7 @@ files_getattr_generic_locks(dhcpc_t)
 files_manage_var_files(dhcpc_t)
 fs_getattr_all_fs(dhcpc_t)
+fs_getattr_nsfs_files(dhcpc_t)
 fs_search_auto_mountpoints(dhcpc_t)
 fs_search_cgroup_dirs(dhcpc_t)
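Review bot: The widened `allow dhcpc_t self:capability` rule in the first hunk (-61,11) grants `setgid`, `setuid` and `sys_chroot` to every process running in dhcpc_t, with no comment recording that they exist only so dhcpcd can chroot to /var/lib/dhcpcd and drop privileges. A later audit of this domain cannot tell these three apart from the long-standing capabilities on the same line, so I would add a comment above the rule such as `# setgid setuid sys_chroot: dhcpcd privilege separation (chroot, then drop to an unprivileged user)`, and a matching `# setrlimit: dhcpcd lowers RLIMIT_NOFILE/RLIMIT_NPROC after dropping privileges` above the `self:process` rule. If other DHCP clients or hook scripts also run in dhcpc_t (not visible in this hunk), it is worth confirming they are meant to inherit these capabilities as well.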
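Review bot: `fs_getattr_nsfs_files(dhcpc_t)` in the second hunk (-149,6) does not correspond to any denial quoted in the commit message, while the quoted `getattr` denial on `netlink_kobject_uevent_socket` has no matching rule in either hunk. Unless a rule outside the hunks already covers that socket class, that denial is presumably still logged after this patch; going by the quoted AVC (source and target both dhcpc_t) the missing rule would be `allow dhcpc_t self:netlink_kobject_uevent_socket getattr;`. The nsfs access should either be justified in the commit message with the denial that prompted it, or carry a comment on the line such as `# dhcpcd privsep: getattr on nsfs namespace files`, so the grant can be traced to a need.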