postgres: add a standalone execmem tunable

Add a separate tunable to allow Postgres to use execmem. This is to support JIT in the Postgres server without enabling it for the entire system. Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-06 16:14:04 -04:00 · 2024-05-06 16:14:04 -04:00 · 3bad3696b8
parent ef28f7879a
commit 3bad3696b8
1 changed files with 8 additions and 1 deletions
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@ -18,6 +18,13 @@ gen_require(`
 # Declarations
 #

+## <desc>
+## <p>
+## Allow postgresql to map memory regions as both executable and writable (e.g. for JIT).
+## </p>
+## </desc>
+gen_tunable(psql_allow_execmem, false)
+
 ## <desc>
 ## <p>
 ## Allow unprived users to execute DDL statement
@ -363,7 +370,7 @@ optional_policy(`
 	mta_getattr_spool(postgresql_t)
 ')

-tunable_policy(`allow_execmem',`
+tunable_policy(`allow_execmem || psql_allow_execmem',`
 	allow postgresql_t self:process execmem;
 ')