Domain patch from Dan Walsh.

2010-03-17 10:02:07 -04:00 · 2010-03-17 10:02:07 -04:00 · 1f6d975502
commit 1f6d975502
parent 7b50b7053d
2 changed files with 103 additions and 2 deletions
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@ -848,6 +848,42 @@ interface(`domain_dontaudit_getsession_all_domains',`
 	dontaudit $1 domain:process getsession;
 ')

+########################################
+## <summary>
+##	Get the process group ID of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_getpgid_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process getpgid;
+')
+
+########################################
+## <summary>
+##	Get the scheduler information of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_getsched_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:process getsched;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all domains
@ -1058,6 +1094,25 @@ interface(`domain_dontaudit_getattr_all_dgram_sockets',`
 	dontaudit $1 domain:unix_dgram_socket getattr;
 ')

+########################################
+## <summary>
+##	Get the attributes
+##	of all domains unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_getattr_all_stream_sockets',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:unix_stream_socket getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
@ -1077,6 +1132,35 @@ interface(`domain_dontaudit_getattr_all_stream_sockets',`
 	dontaudit $1 domain:unix_stream_socket getattr;
 ')

+########################################
+## <summary>
+##	Get the attributes of all domains
+##	unnamed pipes.
+## </summary>
+## <desc>
+##	<p>
+##	Get the attributes of all domains
+##	unnamed pipes.
+##	</p>
+##	<p>
+##	This is commonly used for domains
+##	that can use lsof on all domains.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_getattr_all_pipes',`
+	gen_require(`
+		attribute domain;
+	')
+
+	allow $1 domain:fifo_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
@ -1318,6 +1402,24 @@ interface(`domain_all_recvfrom_all_domains',`
 	corenet_all_recvfrom_labeled($1, domain)
 ')

+########################################
+## <summary>
+##	Send generic signals to the unconfined domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`domain_unconfined_signal',`
+	gen_require(`
+		attribute unconfined_domain_type;
+	')
+
+	allow $1 unconfined_domain_type:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to domains.
@ -1343,4 +1445,3 @@ interface(`domain_unconfined',`
 	typeattribute $1 set_curr_context;
 	typeattribute $1 process_uncond_exempt;
 ')
-
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@ -1,5 +1,5 @@

-policy_module(domain, 1.7.0)
+policy_module(domain, 1.7.1)

 ########################################
 #