From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1385823575.4fb568ad47d81809ce9b3820fbfa8489d7a2f47c.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/portage.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 4fb568ad47d81809ce9b3820fbfa8489d7a2f47c
X-VCS-Branch: master
Date: Sat, 30 Nov 2013 15:05:10 +0000 (UTC)

commit:     4fb568ad47d81809ce9b3820fbfa8489d7a2f47c
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 30 14:59:35 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 30 14:59:35 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4fb568ad

Add permissions for new portage features

Portage 2.2 introduces the new features "cgroup", "ipc-sandbox" and
"network-sandbox" for better sandboxing of the build phase.

Signed-off-by: Luis Ressel <aranea <AT> aixah.de>

---
 policy/modules/contrib/portage.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 5230679..5a161e5 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -393,6 +393,10 @@ ifdef(`distro_gentoo',`
 	#
 	# Portage local policy
 	#
+
+	# Support ipc-sandbox and network-sandbox FEATURES
+	allow portage_t self:capability { net_admin sys_admin };
+
 	allow portage_t self:capability2 block_suspend;
 
 	# Support self-update of Portage
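Review bot: the new `allow portage_t self:capability { net_admin sys_admin };` line grants two of the broadest capabilities unconditionally, while the comment ties them only to the optional ipc-sandbox and network-sandbox FEATURES; consider wrapping the rule in a `tunable_policy` block keyed on a boolean so that installations which do not enable those features do not carry CAP_SYS_ADMIN and CAP_NET_ADMIN in portage_t. The comment should also say which operations need them (creating the IPC and network namespaces requires sys_admin; configuring the loopback interface inside the new network namespace needs net_admin), and note that sys_admin is equally what the cgroup mount added later in this patch relies on, so the two hunks depend on each other.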
@@ -410,6 +414,10 @@ ifdef(`distro_gentoo',`
 
 	auth_use_nsswitch(portage_t)
 
+	# Support cgroup FEATURES
+	fs_mount_cgroup(portage_t)
+	fs_mounton_cgroup(portage_t)
+
 	libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~")
 	# Support self-update of Portage
 	libs_relabel_lib_dirs(portage_t)
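Review bot: `fs_mount_cgroup(portage_t)` and `fs_mounton_cgroup(portage_t)` only cover mounting the cgroup filesystem; if the cgroup FEATURE also creates a per-build hierarchy and writes task ids into it, portage_t will additionally need directory and file access on that filesystem (refpolicy provides `fs_manage_cgroup_dirs` and `fs_manage_cgroup_files` for this), so please confirm against an actual build with the feature enabled and extend the hunk if denials appear. The comment would also benefit from a note that the mount itself is authorised by the sys_admin capability added in the first hunk, since these interface calls do not grant it.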