From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 17 May 2017 17:59:37 -0400 Subject: [refpolicy] [PATCH] refpolicy: Define getrlimit permission for class process In-Reply-To: <20170517153346.29242-1-sds@tycho.nsa.gov> References: <20170517153346.29242-1-sds@tycho.nsa.gov> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/17/2017 11:33 AM, Stephen Smalley via refpolicy wrote: > This permission was added to the kernel in commit 791ec491c372 > ("prlimit,security,selinux: add a security hook for prlimit") > circa Linux 4.12 in order to control the ability to get the resource > limits of another process. It is only checked when acting on another > process, so getrlimit permission is not required for use of getrlimit(2). > > Signed-off-by: Stephen Smalley > --- > policy/flask/access_vectors | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors > index 69f69af..6204e68 100644 > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -383,6 +383,7 @@ class process > execheap > setkeycreate > setsockcreate > + getrlimit > } Merged. -- Chris PeBenito
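Review bot: The added "getrlimit" line at the end of "class process" only defines the permission; with 1 file changed and 1 insertion, nothing in this patch grants it to any domain or provides an interface for it. Since the commit message says the check applies only when acting on another process, a follow-up should identify which domains legitimately read other processes' resource limits and add the matching allow rules or an interface, so that who gets the permission is decided deliberately. A brief note in the policy documentation or changelog that getrlimit(2) on the caller's own limits does not need this permission would also help policy writers avoid granting it unnecessarily.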