matrixd: add tunable for binding to all unreserved ports

This is to support using Synapse workers which require binding to multiple TCP ports in lieu of manually labeling unreserved ports for use. Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-06 16:33:13 -04:00 · 2024-05-06 16:33:13 -04:00 · d917092a81
parent 3dba91dd48
commit d917092a81
1 changed files with 15 additions and 1 deletions
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true)
 ## </desc>
 gen_tunable(matrix_postgresql_connect, false)

+## <desc>
+##  <p>
+##  Determine whether Matrixd is allowed to bind all
+##  TCP ports. This is intended for more complex Matrix
+##	server configurations (e.g. Synapse workers) and may
+##	be used in lieu of manually labeling each port.
+##  </p>
+## </desc>
+gen_tunable(matrix_bind_all_unreserved_tcp_ports, false)
+
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',`
 	postgresql_tcp_connect(matrixd_t)
 ')

+tunable_policy(`matrix_bind_all_unreserved_tcp_ports',`
+	corenet_tcp_bind_all_unreserved_ports(matrixd_t)
+')
+
 optional_policy(`
 	apache_search_config(matrixd_t)
 ')
- 
+