2019-09-03 16:53:30

by Dominick Grift

Subject: [PATCH] domain: unconfined access to bpf

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/domain.te | 3 +++
1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 1a55e3d2..a4c78af9 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -152,6 +152,9 @@ optional_policy(`
# is handled in the interface as typeattribute cannot
# be used on an attribute.

+# unconfined access to bpf
+allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
+
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms send_msg lock relabelto name_bind recv_msg map sendto recvfrom relabelfrom };
allow unconfined_domain_type domain:rawip_socket node_bind;
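Review bot: the comment "# unconfined access to bpf" only restates the allow rule beneath it; the neighbouring rule is documented in terms of what it permits ("Use/sendto/connectto sockets created by any domain."), so this one should say why the target is the domain attribute rather than a dedicated type, e.g. "# Load/run bpf programs and create/read/write bpf maps owned by any domain." Reviewers reading domain.te later will otherwise have to check the bpf object class to learn that the rule reaches maps and programs created by every confined domain, not just the unconfined domains themselves.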
--
2.23.0


2019-09-03 23:52:42

by Chris PeBenito

Subject: Re: [PATCH] domain: unconfined access to bpf

On 9/3/19 12:53 PM, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/kernel/domain.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index 1a55e3d2..a4c78af9 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -152,6 +152,9 @@ optional_policy(`
> # is handled in the interface as typeattribute cannot
> # be used on an attribute.
>
> +# unconfined access to bpf
> +allow unconfined_domain_type domain:bpf { map_create map_read map_write prog_load prog_run };
> +
> # Use/sendto/connectto sockets created by any domain.
> allow unconfined_domain_type domain:{ socket_class_set socket key_socket } { create_stream_socket_perms send_msg lock relabelto name_bind recv_msg map sendto recvfrom relabelfrom };
> allow unconfined_domain_type domain:rawip_socket node_bind;

Merged.

--
Chris PeBenito