From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1715708458.9e64cef53a9a17bce38b43e1a8476b4132c186ea.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/init.if
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 9e64cef53a9a17bce38b43e1a8476b4132c186ea
X-VCS-Branch: master
Date: Tue, 14 May 2024 19:42:54 +0000 (UTC)

commit:     9e64cef53a9a17bce38b43e1a8476b4132c186ea
Author:     Matt Sheets linux microsoft com>
AuthorDate: Sat Apr 27 00:09:53 2024 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Tue May 14 17:40:58 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e64cef5

Allow systemd to pass down sig mask

IgnoreSIGPIPE is a feature that requires systemd to pass the signal mask down to the forked process. To allow this, the siginh permission must be allowed for all process domains that can be forked by systemd.

Signed-off-by: Matt Sheets linux.microsoft.com>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/system/init.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 597fd169a..24be1a7a7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -189,6 +189,7 @@ interface(`init_domain',` allow $1 init_t:unix_stream_socket { getattr read write ioctl }; + allow init_t $1:process siginh; allow init_t $1:process2 { nnp_transition nosuid_transition }; # StandardInputText uses a memfd rw shm segment.
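Review bot: the new `allow init_t $1:process siginh;` is unconditional for every caller of init_domain(), so every domain declared through this interface now keeps init_t's signal mask and pending signals across the domain transition instead of having them reset, which is the behaviour SELinux applies when siginh is denied; that matches the commit message's stated intent (IgnoreSIGPIPE needs it for all systemd-forked domains), but the rule deserves a short comment in the interface saying why it is granted, in the same way the `# StandardInputText uses a memfd rw shm segment.` line below documents its neighbour, so a later reader does not take the relaxation for an accidental grant. Minor style point: the inserted line sits between the `unix_stream_socket` rule and the `process2` rule; keeping the `process` and `process2` rules adjacent, as they now are, is fine, but the new line should carry the same indentation as the surrounding rules, which the extraction here does not let me confirm.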