cleanup mmap_low merge with upstream
parent
cbadf720ba
commit
3a2e888584
@ -103,10 +103,3 @@ gen_tunable(user_tcp_server,false)
|
||||
## </desc>
|
||||
gen_tunable(allow_console_login,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow certain domains to map low memory in the kernel
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(mmap_low_allowed, false)
|
||||
|
||||
|
@ -31,10 +31,7 @@ dev_rw_sysfs(vbetool_t)
|
||||
dev_rw_xserver_misc(vbetool_t)
|
||||
dev_rw_mtrr(vbetool_t)
|
||||
|
||||
domain_mmap_low_type(vbetool_t)
|
||||
tunable_policy(`mmap_low_allowed',`
|
||||
allow vbetool_t self:memprotect mmap_zero;
|
||||
')
|
||||
domain_mmap_low(vbetool_t)
|
||||
|
||||
mls_file_read_all_levels(vbetool_t)
|
||||
mls_file_write_all_levels(vbetool_t)
|
||||
|
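Review bot: Whether `self:memprotect mmap_zero` for vbetool_t is still controlled by a boolean cannot be seen after this change. The hunk counts (10 old lines, 7 new) indicate that `domain_mmap_low_type(vbetool_t)` and the tunable_policy block on mmap_low_allowed are dropped in favour of a single `domain_mmap_low(vbetool_t)`, and the first hunk on the page removes `gen_tunable(mmap_low_allowed, false)`; the definition of domain_mmap_low is not part of this page. mmap_zero permits mappings below the kernel's mmap_min_addr limit, which exists to blunt kernel NULL-dereference bugs, so please confirm the interface keeps the rule conditional and default-off, and record that in a comment such as `# mmap_zero stays conditional; see domain_mmap_low()`. The same replacement is made in the wine_role_template and wine_t hunks.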
@ -107,10 +107,7 @@ template(`wine_role_template',`
|
||||
userdom_unpriv_usertype($1, $1_wine_t)
|
||||
userdom_manage_tmpfs_role($2, $1_wine_t)
|
||||
|
||||
domain_mmap_low_type($1_wine_t)
|
||||
tunable_policy(`mmap_low_allowed',`
|
||||
allow $1_wine_t self:memprotect mmap_zero;
|
||||
')
|
||||
domain_mmap_low($1_wine_t)
|
||||
|
||||
tunable_policy(`wine_mmap_zero_ignore',`
|
||||
dontaudit $1_wine_t self:memprotect mmap_zero;
|
||||
|
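Review bot: The `dontaudit $1_wine_t self:memprotect mmap_zero;` rule that follows the new `domain_mmap_low($1_wine_t)` call has no comment explaining its effect on auditing. With wine_mmap_zero_ignore enabled, a denied low-address mapping from this domain leaves no AVC record, which removes a signal that monitoring may rely on. A comment above the block, for example `# Hides mmap_zero denials; keep off where these AVCs are monitored`, would document the trade-off. The tunable_policy block continues past the end of this hunk, and the wine_t hunk carries the same pair of rules.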
@ -44,10 +44,7 @@ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
|
||||
manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
|
||||
files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
|
||||
|
||||
domain_mmap_low_type(wine_t)
|
||||
tunable_policy(`mmap_low_allowed',`
|
||||
allow wine_t self:memprotect mmap_zero;
|
||||
')
|
||||
domain_mmap_low(wine_t)
|
||||
tunable_policy(`wine_mmap_zero_ignore',`
|
||||
dontaudit wine_t self:memprotect mmap_zero;
|
||||
')
|
||||
|
@ -51,10 +51,6 @@ interface(`unconfined_domain_noaudit',`
|
||||
|
||||
ubac_process_exempt($1)
|
||||
|
||||
tunable_policy(`mmap_low_allowed',`
|
||||
allow $1 self:memprotect mmap_zero;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execheap',`
|
||||
# Allow making the stack executable via mprotect.
|
||||
allow $1 self:process execheap;
|
||||
@ -68,8 +64,8 @@ interface(`unconfined_domain_noaudit',`
|
||||
|
||||
tunable_policy(`allow_execstack',`
|
||||
# Allow making the stack executable via mprotect;
|
||||
# execstack implies execmem; Bugzilla #211271
|
||||
allow $1 self:process { execmem execstack };
|
||||
# execstack implies execmem;
|
||||
allow $1 self:process { execstack execmem };
|
||||
# auditallow $1 self:process execstack;
|
||||
')
|
||||
|
||||
|
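Review bot: In the first unconfined_domain_noaudit hunk, the comment above `allow $1 self:process execheap;` reads "Allow making the stack executable via mprotect.", but the rule sits under allow_execheap and grants execheap, so it should read `# Allow making the heap executable via mprotect.`. In the second hunk the commented-out `# auditallow $1 self:process execstack;` is carried along without explanation; either delete it or add a line saying when it is meant to be enabled. The interface body starts outside both hunks.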