From 7fd9032d88057c50af7fa6feb6808d7ff228b582 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge <concord@gentoo.org>
Date: Wed, 26 Jun 2024 11:35:09 -0400
Subject: [PATCH] dbus, init: add interface for pidfd usage

Commit 4e7511f4a previously added access for init to use DBUS system bus
file descriptors while the intended access was for pidfds. Add an
interface for pidfd usage so that when pidfds are eventually handled
separately from regular fds, this interface can be adjusted.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
---
 policy/modules/services/dbus.if | 19 +++++++++++++++++++
 policy/modules/system/init.te   |  2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index d13a53a52..d28bf8e71 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -621,6 +621,25 @@ interface(`dbus_use_system_bus_fds',`
 	allow $1 system_dbusd_t:fd use;
 ')
 
+########################################
+## <summary>
+##	Use PIDFD file descriptors from the
+##	DBUS system bus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_use_system_bus_pidfds',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	allow $1 system_dbusd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4b880e160..638723e2d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -610,7 +610,7 @@ ifdef(`init_systemd',`
 
 	optional_policy(`
 		dbus_connect_system_bus(init_t)
-		dbus_use_system_bus_fds(init_t)
+		dbus_use_system_bus_pidfds(init_t)
 	')
 
 	optional_policy(`