2016-07-31 09:16:36

by Russell Coker

Subject: [refpolicy] [PATCH] user_udp_server tunable

The following patch adds a tunable, user_udp_server, that allows the user domains to
run UDP services.


diff -ruN /home/rjc/src/pol-git/policy/global_tunables ./policy/global_tunables
--- /home/rjc/src/pol-git/policy/global_tunables 2016-07-28 20:33:39.955961513 +1000
+++ ./policy/global_tunables 2016-07-31 19:11:45.577569083 +1000
@@ -111,3 +111,11 @@
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow users to run UDP servers (bind to ports and accept connection from
+## the same domain and outside users)
+## </p>
+## </desc>
+gen_tunable(user_udp_server,false)
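Review bot: The `## <p>` text of the new tunable describes UDP servers as accepting connections, but UDP is connectionless and what the tunable actually enables (in the userdomain.if hunk) is only binding to generic nodes and generic ports; the wording appears copied from the user_tcp_server description above it. Suggest `## Allow users to run UDP servers (bind to generic ports and receive datagrams from the same domain and from remote hosts)`. The same sentence is repeated in the comment added in the userdomain.if hunk and should be corrected there as well. The default of false is the right choice for an exposure-widening tunable.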
diff -ruN /home/rjc/src/pol-git/policy/modules/system/userdomain.if ./policy/modules/system/userdomain.if
--- /home/rjc/src/pol-git/policy/modules/system/userdomain.if 2016-07-28 20:33:39.971961928 +1000
+++ ./policy/modules/system/userdomain.if 2016-07-31 19:11:45.577569083 +1000
@@ -1041,6 +1041,13 @@
corenet_tcp_bind_generic_port($1_t)
')

+ # Allow users to run UDP servers (bind to ports and accept connection from
+ # the same domain and outside users)
+ tunable_policy(`user_udp_server',`
+ corenet_udp_bind_generic_node($1_t)
+ corenet_udp_bind_generic_port($1_t)
+ ')
+
optional_policy(`
netutils_run_ping_cond($1_t, $1_r)
netutils_run_traceroute_cond($1_t, $1_r)
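Review bot: The new tunable_policy block grants `corenet_udp_bind_generic_node($1_t)` and `corenet_udp_bind_generic_port($1_t)` only, so a user UDP server can bind but, unless the enclosing template already grants UDP send/receive on generic ports elsewhere, it may still be unable to exchange datagrams; this should be confirmed against the rest of the template, which starts and ends outside the hunk. Worth noting in the comment that generic ports exclude ports carrying their own labels (and, as far as I can tell, the reserved range), so the scope matches the existing user_tcp_server branch above; for example `# Only ports labeled as generic are covered; labeled and reserved ports remain denied.` The comment line `# Allow users to run UDP servers (bind to ports and accept connection from` should also drop "accept connection", which does not apply to UDP.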


2016-08-02 23:46:24

by Chris PeBenito

Subject: [refpolicy] [PATCH] user_udp_server tunable

On 07/31/16 05:16, Russell Coker wrote:
> The following patch adds a tunable user_udp_server for the user domains to
> run UDP services.

Merged.



> diff -ruN /home/rjc/src/pol-git/policy/global_tunables ./policy/global_tunables
> --- /home/rjc/src/pol-git/policy/global_tunables 2016-07-28 20:33:39.955961513 +1000
> +++ ./policy/global_tunables 2016-07-31 19:11:45.577569083 +1000
> @@ -111,3 +111,11 @@
> ## </p>
> ## </desc>
> gen_tunable(user_tcp_server,false)
> +
> +## <desc>
> +## <p>
> +## Allow users to run UDP servers (bind to ports and accept connection from
> +## the same domain and outside users)
> +## </p>
> +## </desc>
> +gen_tunable(user_udp_server,false)
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/userdomain.if ./policy/modules/system/userdomain.if
> --- /home/rjc/src/pol-git/policy/modules/system/userdomain.if 2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/userdomain.if 2016-07-31 19:11:45.577569083 +1000
> @@ -1041,6 +1041,13 @@
> corenet_tcp_bind_generic_port($1_t)
> ')
>
> + # Allow users to run UDP servers (bind to ports and accept connection from
> + # the same domain and outside users)
> + tunable_policy(`user_udp_server',`
> + corenet_udp_bind_generic_node($1_t)
> + corenet_udp_bind_generic_port($1_t)
> + ')
> +
> optional_policy(`
> netutils_run_ping_cond($1_t, $1_r)
> netutils_run_traceroute_cond($1_t, $1_r)


--
Chris PeBenito