commit: aeb656ea428466c9609468be4ac76243e84f73f1
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov 7 01:53:34 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aeb656ea
policykit, systemd: allow policykit to watch systemd logins and sessions
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/policykit.te | 2 ++
policy/modules/system/systemd.if | 38 ++++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/policy/modules/services/policykit.te
b/policy/modules/services/policykit.te
index 721534a0..a76f8697 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -137,9 +137,11 @@ optional_policy(`
# for /run/systemd/seats/seat*
systemd_read_logind_sessions_files(policykit_t)
+ systemd_watch_logind_sessions_dirs(policykit_t)
# for /run/systemd/users/*
systemd_read_logind_runtime_files(policykit_t)
+ systemd_watch_logind_runtime_dirs(policykit_t)
')
########################################
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a493f7dc..38adf050 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -763,6 +763,25 @@ interface(`systemd_write_logind_pid_pipes',`
systemd_write_logind_runtime_pipes($1)
')
+######################################
+## <summary>
+## Watch systemd-logind runtime dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_watch_logind_runtime_dirs',`
+ gen_require(`
+ type systemd_logind_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ allow $1 systemd_logind_runtime_t:dir watch;
+')
+
######################################
## <summary>
## Read systemd-logind runtime files.
@@ -841,6 +860,25 @@ interface(`systemd_use_logind_fds',`
allow $1 systemd_logind_t:fd use;
')
+######################################
+## <summary>
+## Watch logind sessions dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_watch_logind_sessions_dirs',`
+ gen_require(`
+ type systemd_sessions_runtime_t;
+ ')
+
+ init_search_run($1)
+ allow $1 systemd_sessions_runtime_t:dir watch;
+')
+
######################################
## <summary>
## Read logind sessions files.