From a266ee5b8b29d8f64a51cc408d558ae92c5e86ee Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 4 Jan 2023 14:16:56 +0100
Subject: [PATCH] Allow systemd-userdbd the sys_resource capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This permission is required for the process to be able to set its
arg start and end address, refer to prctl(2):
PR_SET_MM (since Linux 3.3)
Modify certain kernel memory map descriptor fields of the calling
process. Usually these fields are set by the kernel and dynamic loader
(see ld.so(8) for more information) and a regular application should not
use this feature. However, there are cases, such as self-modifying pro‐
grams, where a program might find it useful to change its own memory
map.
The calling process must have the CAP_SYS_RESOURCE capability. The
value in arg2 is one of the options below, while arg3 provides a new
value for the option. The arg4 and arg5 arguments must be zero if un‐
used.
PR_SET_MM_ARG_START
Set the address above which the program command line is placed.
PR_SET_MM_ARG_END
Set the address below which the program command line is placed.
Addresses the following AVC denials:
type=PROCTITLE msg=audit(01/04/2023 06:21:21.285:112) : proctitle=(sd-worker)
type=SYSCALL msg=audit(01/04/2023 06:21:21.285:112) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fa791901000 a3=0x0 items=0 ppid=1367 pid=1384 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-worker) exe=/usr/lib/systemd/systemd-userdbd subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
type=AVC msg=audit(01/04/2023 06:21:21.285:112) : avc: denied { sys_resource } for pid=1384 comm=(sd-worker) capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1
type=PROCTITLE msg=audit(01/04/2023 06:21:23.761:156) : proctitle=systemd-userwork: processing...
type=SYSCALL msg=audit(01/04/2023 06:21:23.761:156) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x9 a2=0x7fcc48186020 a3=0x0 items=0 ppid=1367 pid=1385 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-userwor exe=/usr/lib/systemd/systemd-userwork subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
type=AVC msg=audit(01/04/2023 06:21:23.761:156) : avc: denied { sys_resource } for pid=1385 comm=systemd-userwor capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1
Resolves: rhbz#2166509
---
policy/modules/system/systemd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
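diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 10b1b2d9b2..7c625074c4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1461,7 +1461,7 @@ optional_policy(`
 #
 # systemd_userdbd local policy
 #
-allow systemd_userdbd_t self:capability dac_read_search;
+allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
 
 manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)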
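Review bot: The new allow rule grants systemd_userdbd_t the whole sys_resource capability without a comment in the policy recording why; the justification (prctl(PR_SET_MM_ARG_START/END) so the workers can set their process title, rhbz#2166509) exists only in the commit message. CAP_SYS_RESOURCE also covers things like overriding resource limits, so a later reader auditing this domain's capabilities cannot tell from the .te file that only the PR_SET_MM path motivated it. I would add `# sys_resource: prctl(PR_SET_MM_ARG_START/END) used by the userdbd workers to set their process title (rhbz#2166509)` directly above the rule. Both quoted denials were recorded with permissive=1; if userdbd tolerates the prctl failing in enforcing mode, a dontaudit would be the narrower alternative, but whether the failure is tolerated is not shown by the patch and should be confirmed against systemd's behaviour before choosing it.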