Allow users to ptrace and send any signal to their bluetooth helper agent.

Allow users to prtrace and send any signal to their cron job. Allow users to prtrace and send any signal to their cron job. Allow users to prtrace and send any signal to their cron job. Allow users to ps, ptrace and send any signal to their session bus.
2010-09-17 10:16:23 +02:00 · 2010-09-17 10:16:23 +02:00 · dd0d453cdf
commit dd0d453cdf
parent 2d6615cf20
3 changed files with 7 additions and 5 deletions
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@ -27,7 +27,7 @@ interface(`bluetooth_role',`

 	# allow ps to show cdrecord and allow the user to kill it
 	ps_process_pattern($2, bluetooth_helper_t)
-	allow $2 bluetooth_helper_t:process signal;
+	allow $2 bluetooth_helper_t:process { ptrace signal_perms };

 	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
 	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@ -138,7 +138,7 @@ interface(`cron_role',`

 	# crontab shows up in user ps
 	ps_process_pattern($2, crontab_t)
-	allow $2 crontab_t:process signal;
+	allow $2 crontab_t:process { ptrace signal_perms };

 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(crontab_t, $2)
@ -180,6 +180,7 @@ interface(`cron_unconfined_role',`

 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
+	allow $2 unconfined_cronjob_t:process { ptrace signal_perms };

 	optional_policy(`
 		gen_require(`
@ -225,7 +226,7 @@ interface(`cron_admin_role',`

 	# crontab shows up in user ps
 	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
+	allow $2 admin_crontab_t:process { ptrace signal_perms };

 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(admin_crontab_t, $2)
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@ -90,14 +90,15 @@ template(`dbus_role_template',`
 	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })

 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-	allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+	ps_process_pattern($3, $1_dbusd_t)
+	allow $3 $1_dbusd_t:process { ptrace signal_perms };

 	# cjp: this seems very broken
 	corecmd_bin_domtrans($1_dbusd_t, $1_t)
 	allow $1_dbusd_t $3:process sigkill;
 	allow $3 $1_dbusd_t:fd use;
 	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-	allow $3 $1_dbusd_t:process sigchld;

 	kernel_read_system_state($1_dbusd_t)
 	kernel_read_kernel_sysctls($1_dbusd_t)