commit: 132d5b9d536f0e178aa10b7544b93f6f129f65c9
Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed May 17 15:33:46 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:58 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=132d5b9d
refpolicy: Define getrlimit permission for class process
This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process. It is only checked when acting on another
process, so getrlimit permission is not required for use of getrlimit(2).
Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov>
policy/flask/access_vectors | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 69f69af8..6204e687 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -383,6 +383,7 @@ class process
execheap
setkeycreate
setsockcreate
+ getrlimit
}
