Allow users to ptrace and send any signal to their bluetooth helper agent.

Allow users to prtrace and send any signal to their cron job.

Allow users to prtrace and send any signal to their cron job.

Allow users to prtrace and send any signal to their cron job.

Allow users to ps, ptrace and send any signal to their session bus.
This commit is contained in:
Dominick Grift 2010-09-17 10:16:23 +02:00
parent 2d6615cf20
commit dd0d453cdf
3 changed files with 7 additions and 5 deletions

View File

@ -27,7 +27,7 @@ interface(`bluetooth_role',`
# allow ps to show cdrecord and allow the user to kill it
ps_process_pattern($2, bluetooth_helper_t)
allow $2 bluetooth_helper_t:process signal;
allow $2 bluetooth_helper_t:process { ptrace signal_perms };
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)

View File

@ -138,7 +138,7 @@ interface(`cron_role',`
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
allow $2 crontab_t:process signal;
allow $2 crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
@ -180,6 +180,7 @@ interface(`cron_unconfined_role',`
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
optional_policy(`
gen_require(`
@ -225,7 +226,7 @@ interface(`cron_admin_role',`
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
allow $2 admin_crontab_t:process signal;
allow $2 admin_crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)

View File

@ -90,14 +90,15 @@ template(`dbus_role_template',`
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
allow $3 $1_dbusd_t:process { signull sigkill signal };
ps_process_pattern($3, $1_dbusd_t)
allow $3 $1_dbusd_t:process { ptrace signal_perms };
# cjp: this seems very broken
corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
allow $3 $1_dbusd_t:process sigchld;
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)