From: "Kenton Groombridge" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge" Message-ID: <1715708505.8c2f46403362398b17348da14c551acad1cdc0b4.concord@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/services/matrixd.te X-VCS-Directories: policy/modules/services/ X-VCS-Committer: concord X-VCS-Committer-Name: Kenton Groombridge X-VCS-Revision: 8c2f46403362398b17348da14c551acad1cdc0b4 X-VCS-Branch: master Date: Tue, 14 May 2024 19:42:55 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 6ae42209-e436-4607-a8f5-2ad49261be41 X-Archives-Hash: d9942fc396aeabd94b15cbe5dbff3d3b commit: 8c2f46403362398b17348da14c551acad1cdc0b4 Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:33:13 2024 +0000 Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:45 2024 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c2f4640 matrixd: add tunable for binding to all unreserved ports This is to support using Synapse workers which require binding to multiple TCP ports in lieu of manually labeling unreserved ports for use. Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/matrixd.te | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te index c396a3d7c..5f092f31c 100644 --- a/policy/modules/services/matrixd.te +++ b/policy/modules/services/matrixd.te @@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true) ## gen_tunable(matrix_postgresql_connect, false) +## +##

+## Determine whether Matrixd is allowed to bind all +## TCP ports. This is intended for more complex Matrix +## server configurations (e.g. Synapse workers) and may +## be used in lieu of manually labeling each port. +##

+##
+gen_tunable(matrix_bind_all_unreserved_tcp_ports, false) + type matrixd_t; type matrixd_exec_t; init_daemon_domain(matrixd_t, matrixd_exec_t) @@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',` postgresql_tcp_connect(matrixd_t) ') +tunable_policy(`matrix_bind_all_unreserved_tcp_ports',` + corenet_tcp_bind_all_unreserved_ports(matrixd_t) +') + optional_policy(` apache_search_config(matrixd_t) ') - +