From: Dominick Grift
To: selinux-refpolicy@vger.kernel.org
Cc: Dominick Grift
Subject: [PATCH] domain: unconfined access to bpf
Date: Tue, 3 Sep 2019 18:53:15 +0200
Message-Id: <20190903165315.1043856-1-dac.override@gmail.com>
X-Mailer: git-send-email 2.23.0
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Signed-off-by: Dominick Grift
---
 policy/modules/kernel/domain.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 1a55e3d2..a4c78af9 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -152,6 +152,9 @@ optional_policy(` # is handled in the interface as typeattribute cannot # be used on an attribute. +# unconfined access to bpf +allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run }; + # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms send_msg lock relabelto name_bind recv_msg map sendto recvfrom relabelfrom }; allow unconfined_domain_type domain:rawip_socket node_bind; -- 2.23.0
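Review bot: the added rule grants unconfined domains every bpf permission (map_create, map_read, map_write, prog_load, prog_run) over bpf objects of all domains, but the patch carries no commit message body saying why (which tool or denial prompted it), so please add a line of rationale; since BPF maps and programs are labelled with the context of the process that created them, `domain:bpf` here means the objects of every domain, and the description should say that this is the intended scope. Two smaller points in the same hunk: the new comment `# unconfined access to bpf` is terser than its neighbours, which describe the access in a full sentence (`# Use/sendto/connectto sockets created by any domain.`), so something like `# Create/read/write bpf maps and load/run bpf programs of any domain.` would match the file's style; and before merging, confirm that the `bpf` class and these five permissions are declared in the policy's access vector definitions, otherwise the rule will not compile on this tree.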