add support for dropping root privileges (RHEL-12183)

Resolves: RHEL-12183
Miroslav Lichvar 2025-09-30 10:51:19 +02:00
parent d8990e86aa
commit 39ec3fd0a0
5 changed files with 1115 additions and 6 deletions

1097
linuxptp-droproot.patch Normal file



@ -47,6 +47,8 @@ Patch10: linuxptp-rtnlinit.patch
Patch11: linuxptp-unirecover.patch
# handle missing pulses in ts2phc
Patch13: linuxptp-ppsmiss.patch
# add support for dropping root privileges
Patch14: linuxptp-droproot.patch
BuildRequires: gcc gcc-c++ gnutls-devel make systemd


@ -110,7 +110,7 @@ optional_policy(`
# phc2sys local policy
#
allow phc2sys_t self:capability sys_time;
allow phc2sys_t self:capability { chown dac_override sys_time };
allow phc2sys_t self:fifo_file rw_fifo_file_perms;
allow phc2sys_t self:unix_stream_socket create_stream_socket_perms;
allow phc2sys_t self:shm create_shm_perms;
@ -161,12 +161,15 @@ allow ptp4l_t self:packet_socket create_socket_perms;
allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
allow ptp4l_t self:shm create_shm_perms;
allow ptp4l_t self:udp_socket create_socket_perms;
allow ptp4l_t self:capability { net_admin net_raw sys_admin sys_time };
allow ptp4l_t self:capability { dac_override net_admin net_raw setuid setgid sys_admin sys_time };
allow ptp4l_t self:capability2 { bpf wake_alarm };
allow ptp4l_t self:process { setcap };
allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
allow ptp4l_t phc2sys_t:unix_dgram_socket sendto;
create_lnk_files_pattern(ptp4l_t, var_run_t, var_run_t)
manage_dirs_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
manage_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t)
@ -176,6 +179,8 @@ manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t)
fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file })
auth_use_nsswitch(ptp4l_t)
corenet_udp_bind_generic_node(ptp4l_t)
corenet_udp_bind_ptp_event_port(ptp4l_t)
corenet_udp_bind_reserved_port(ptp4l_t)
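Review bot: The `dac_override` grants added for phc2sys_t (`allow phc2sys_t self:capability { chown dac_override sys_time };`) and for ptp4l_t (the `{ dac_override net_admin net_raw setuid setgid sys_admin sys_time }` line) carry no comment saying which file access needs them, and dac_override is the one capability in these sets that bypasses DAC permission checks entirely, so it is the grant a policy reviewer will ask to justify. The likely intent is that phc2sys, still running as root, chowns its socket for the unprivileged ptp4l and that ptp4l touches the runtime directory around its switch to the linuxptp user, but that is inferred; the droproot patch itself is suppressed on this page. If a narrower permission suffices (`dac_read_search`, or correct ownership of the runtime directory removing the need altogether), prefer it; otherwise add `# dac_override: <reason> (see linuxptp-droproot.patch)` above each of the two allow rules. The same justification applies to CAP_CHOWN/CAP_DAC_OVERRIDE in the phc2sys.service bounding set and CAP_DAC_OVERRIDE in ptp4l.service. `auth_use_nsswitch(ptp4l_t)` presumably covers the user-name lookup for the drop, and a one-line comment saying so would keep the rule from being removed later as unexplained.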


@ -7,7 +7,7 @@ Type=simple
EnvironmentFile=-/etc/sysconfig/phc2sys
ExecStart=/usr/sbin/phc2sys $OPTIONS
CapabilityBoundingSet=CAP_SYS_TIME
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SYS_TIME
DeviceAllow=char-pps rw
DeviceAllow=char-ptp rw
DevicePolicy=closed


@ -6,10 +6,15 @@ Wants=network-online.target
[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/ptp4l
ExecStart=/usr/sbin/ptp4l $OPTIONS
ExecStart=!/usr/sbin/ptp4l $OPTIONS
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_TIME
User=linuxptp
RuntimeDirectory=ptp
RuntimeDirectoryMode=0750
RuntimeDirectoryPreserve=yes
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SYS_ADMIN CAP_SYS_TIME
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID
DeviceAllow=char-pps rw
DeviceAllow=char-ptp rw
DevicePolicy=closed
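Review bot: `ExecStart=!/usr/sbin/ptp4l $OPTIONS` combined with `User=linuxptp` means systemd still starts the daemon as root and the switch to linuxptp is performed by ptp4l itself (from the suppressed droproot patch), so the User= line no longer enforces anything on its own; add a comment making that dependency explicit, e.g. `# '!' runs ExecStart as root; ptp4l switches to User= itself (see linuxptp-droproot.patch)`. The bounding set now also carries CAP_SETUID, CAP_SETGID and CAP_DAC_OVERRIDE for that switch, and whether the binary drops them afterwards cannot be checked from this page. If the drop ever fails to happen, the service runs as root with the full bounding set, which is why the link between `!`, User= and the patch belongs in the unit file rather than only in the spec. RuntimeDirectory=ptp with RuntimeDirectoryMode=0750 is owned by the User= account, which is consistent with the daemon creating its socket there after dropping privileges, and RuntimeDirectoryPreserve=yes keeps it across restarts.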