From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 3A22C138247 for ; Sat, 30 Nov 2013 15:05:13 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C72D6E09FA; Sat, 30 Nov 2013 15:05:12 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 56171E09EF for ; Sat, 30 Nov 2013 15:05:12 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7136833F227 for ; Sat, 30 Nov 2013 15:05:11 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 23311E5534 for ; Sat, 30 Nov 2013 15:05:10 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1385823575.4fb568ad47d81809ce9b3820fbfa8489d7a2f47c.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/portage.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 4fb568ad47d81809ce9b3820fbfa8489d7a2f47c X-VCS-Branch: master Date: Sat, 30 Nov 2013 15:05:10 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: fd13a698-efe0-44e1-be3b-52992df40302 X-Archives-Hash: 246e12afae766081338f1d37cc22ebed commit: 4fb568ad47d81809ce9b3820fbfa8489d7a2f47c Author: Sven Vermeulen siphos be> AuthorDate: Sat Nov 30 14:59:35 2013 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sat Nov 30 14:59:35 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4fb568ad Add permissions for new portage features Portage 2.2 introduces the new features "cgroup", "ipc-sandbox" and "network-sandbox" for better sandboxing of the build phase. Signed-off-by: Luis Ressel aixah.de> --- policy/modules/contrib/portage.te | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te index 5230679..5a161e5 100644 --- a/policy/modules/contrib/portage.te +++ b/policy/modules/contrib/portage.te @@ -393,6 +393,10 @@ ifdef(`distro_gentoo',` # # Portage local policy # + + # Support ipc-sandbox and network-sandbox FEATURES + allow portage_t self:capability { net_admin sys_admin }; + allow portage_t self:capability2 block_suspend; # Support self-update of Portage @@ -410,6 +414,10 @@ ifdef(`distro_gentoo',` auth_use_nsswitch(portage_t) + # Support cgroup FEATURES + fs_mount_cgroup(portage_t) + fs_mounton_cgroup(portage_t) + libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~") # Support self-update of Portage libs_relabel_lib_dirs(portage_t)