master

分支 (14)

标签 (13)

管理

管理

master

openEuler-22.03-LTS

openEuler-22.03-LTS-Next

openEuler-22.09

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-SP2

openEuler-21.09

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.03

openEuler-20.09

openEuler1.0

openEuler1.0-base

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

selinux-policy
/
backport-Allow-domain-use-userfaultfd...

From 3befcf9bdea867fca0d980871e251191fe234586 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 22 Jun 2022 21:27:59 +0200
Subject: [PATCH] Allow domain use userfaultfd over all domains

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3befcf9bdea867fca0d980871e251191fe234586
Conflict: NA

Until now, all processes were allowed to use userfaultfd as well other
anon_inodes to get a file descriptor from the same domain.
Since this commit the permissions are allowed between different domains.

Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/kernel/domain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index f1e0bd6..1289b4c 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -121,7 +121,7 @@ neverallow ~{ domain unlabeled_t } *:process *;
 # Rules applied to all domains
 #

-allow domain self:anon_inode userfaultfd_anon_inode_perms;
+allow domain domain:anon_inode userfaultfd_anon_inode_perms;
 # read /proc/(pid|self) entries
 allow domain self:dir { list_dir_perms watch_dir_perms };
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
--
1.8.3.1