selinux-policy/backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
2023-08-24 11:33:18 +08:00

From f33bc79e172068ca4cb47281b8fcfc9f47840b61 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 22 May 2023 14:30:26 +0200
Subject: [PATCH] Allow kernel to manage its own BPF objects
Kernel threads may end up calling __sys_bpf(), which does the usual BPF
access checks, so make sure kernel_t is allowed to at least operate on
its own BPF fds.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2186595
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/modules/kernel/kernel.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b86852812b..e0fcd2dff9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -271,6 +271,7 @@ allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file rw_fifo_file_perms;
allow kernel_t self:sock_file read_sock_file_perms;
allow kernel_t self:fd use;
+allow kernel_t self:bpf { map_create map_read map_write prog_load prog_run };
allow kernel_t debugfs_t:dir search_dir_perms;
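Review bot: the rule grants all five bpf permissions (map_create, map_read, map_write, prog_load, prog_run) on self, while the commit message only says kernel_t should "at least operate on its own BPF fds"; since the other kernel_t self rules in this block are narrow per-class grants, please add a one-line comment above the new rule in kernel.te citing the bug and noting that kernel threads reach __sys_bpf(), so a later reader can tell why prog_load and prog_run are needed rather than only the map permissions.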