dbus, init: add interface for pidfd usage

Commit 4e7511f4a previously added access for init to use DBUS system bus file descriptors while the intended access was for pidfds. Add an interface for pidfd usage so that when pidfds are eventually handled separately from regular fds, this interface can be adjusted. Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-26 11:35:09 -04:00 · 2024-06-26 11:35:09 -04:00 · 7fd9032d88
parent a6d6921a9c
commit 7fd9032d88
2 changed files with 20 additions and 1 deletions
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@ -621,6 +621,25 @@ interface(`dbus_use_system_bus_fds',`
 	allow $1 system_dbusd_t:fd use;
 ')

+########################################
+## <summary>
+##	Use PIDFD file descriptors from the
+##	DBUS system bus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_use_system_bus_pidfds',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	allow $1 system_dbusd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -610,7 +610,7 @@ ifdef(`init_systemd',`

 	optional_policy(`
 		dbus_connect_system_bus(init_t)
-		dbus_use_system_bus_fds(init_t)
+		dbus_use_system_bus_pidfds(init_t)
 	')

 	optional_policy(`