From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1354900087.2e16631015dfd8b665ddf661e490e30b52ef4d6b.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/domain.if policy/modules/system/userdomain.if
X-VCS-Directories: policy/modules/system/ policy/modules/kernel/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 2e16631015dfd8b665ddf661e490e30b52ef4d6b
X-VCS-Branch: master
Date: Fri, 7 Dec 2012 17:13:47 +0000 (UTC)
List-Id: Gentoo Linux mail
X-Archives-Salt: 8bf70dfa-ed28-47b7-8505-839e96175238
X-Archives-Hash: 7a4d1b10e8db64b2cfde138bf0ee0706

commit:     2e16631015dfd8b665ddf661e490e30b52ef4d6b
Author:     Sven Vermeulen siphos be>
AuthorDate: Fri Dec 7 17:08:07 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Fri Dec 7 17:08:07 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e166310

Dontaudit getsched on all domains

The htop utility will attempt to get the scheduling information of all processes. This information, however, does not seem to be needed for its information (no difference in output when allowed or not).

See also bug #444962

---
 policy/modules/kernel/domain.if     | 20 ++++++++++++++++++++
 policy/modules/system/userdomain.if |  4 ++++
 2 files changed, 24 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..b900767 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1531,3 +1531,23 @@ interface(`domain_unconfined',` typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; ') + +# Gentoo specific stuff, but I cannot use ifdef distro_gentoo in if files + +######################################## +## +## Do not audit getting the scheduler information of all domains. +## +## +## +## Domain to not audit. +## +## +# +interface(`domain_dontaudit_getsched_all_domains',` + gen_require(` + attribute domain; + ') + + dontaudit $1 domain:process getsched; +') diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index d8d000b..d1bc7ed 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1061,6 +1061,10 @@ template(`userdom_unpriv_user_template', ` optional_policy(` setroubleshoot_stream_connect($1_t) ') + + ifdef(`distro_gentoo',` + domain_dontaudit_getsched_all_domains($1_t) + ') ') #######################################
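Review bot: In the domain.if hunk, the documentation block above `interface(`domain_dontaudit_getsched_all_domains',`` consists of bare `##` lines with no `<summary>`, `<param name="domain">` or `<desc>` markup around the text "Do not audit getting the scheduler information of all domains." and "Domain to not audit."; refpolicy's interface documentation tooling expects those tags, so as written this interface will not render in the generated policy docs. Also worth noting for operators: `dontaudit $1 domain:process getsched;` silences the denial for every process type carrying the `domain` attribute, so when chasing an unrelated getsched denial from the same source domain the suppressed AVCs only reappear after rebuilding with dontaudit rules disabled (`semodule -DB`). The comment "Gentoo specific stuff, but I cannot use ifdef distro_gentoo in if files" belongs in the commit message rather than the shipped file; the interface itself is distribution-neutral and the gating already happens at the call site.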
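Review bot: In the userdomain.if hunk, the new `ifdef(`distro_gentoo',` block calls `domain_dontaudit_getsched_all_domains($1_t)` only inside `userdom_unpriv_user_template`, so an htop run from a domain built by another user template (for example an admin template) will still log the same getsched denials the commit message describes; if that is intended, a one-line comment referencing bug #444962 next to the call would make the scope of the workaround clear to whoever rebases this against upstream refpolicy. Since this lands inside the template rather than an `optional_policy` block, it also relies on the domain module's interface always being present, which holds for a base module but is worth stating.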