From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Wed, 17 May 2017 11:33:46 -0400
Subject: [refpolicy] [PATCH] refpolicy: Define getrlimit permission for class process
Message-ID: <20170517153346.29242-1-sds@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This permission was added to the kernel in commit 791ec491c372 ("prlimit,security,selinux: add a security hook for prlimit") circa Linux 4.12 in order to control the ability to get the resource limits of another process. It is only checked when acting on another process, so getrlimit permission is not required for use of getrlimit(2).

Signed-off-by: Stephen Smalley

--- policy/flask/access_vectors | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 69f69af..6204e68 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -383,6 +383,7 @@ class process execheap setkeycreate setsockcreate + getrlimit } -- 2.9.3
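
Review bot: The `getrlimit` line added after `setsockcreate` in `class process` only defines the permission; nothing in this one-line change grants it to any domain. Once a policy built with this definition is loaded on a kernel carrying commit 791ec491c372, a domain that reads another process's resource limits will be denied unless an allow rule exists. Consider a follow-up that adds an interface for it and audits which domains need it. The commit message's point that the check applies only when acting on another process, and not to getrlimit(2), would also be worth recording where policy writers will see it, since the permission name invites granting it more widely than needed.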