commit: deb2d62e038340dcc03361b4fce83930d47f5bf7
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 22 16:55:16 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=deb2d62e
policy_capabilities: add ioctl_skip_cloexec
Add new future policy capability ioctl_skip_cloexec.
Drop estimate comments from genfs_seclabel_symlinks.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/policy_capabilities | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index 9e309fbf..b800997f 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -100,9 +100,17 @@ policycap cgroup_seclabel;
policycap nnp_nosuid_transition;
# Enable extended genfscon labeling for symlinks.
-# Requires libsepol 3.1 (estimated) and kernel 5.7 (estimated).
+# Requires libsepol 3.1 and kernel 5.7.
#
# Added checks:
# (none)
#
#policycap genfs_seclabel_symlinks;
+
+# Always allow FIOCLEX and FIONCLEX ioctl.
+# Requires libsepol 3.4 (estimated) and kernel 5.18 (estimated).
+#
+# Removed checks:
+# common file/socket: ioctl { 0x5450 0x5451 }
+#
+#policycap ioctl_skip_cloexec;
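Review bot: The "Removed checks" line in the new ioctl_skip_cloexec comment hard-codes `ioctl { 0x5450 0x5451 }`, but those are the asm-generic FIOCLEX/FIONCLEX request numbers; the kernel matches on the architecture's own FIOCLEX/FIONCLEX constants, which I believe differ on several architectures (MIPS and Alpha among them), so the numbers should be qualified rather than presented as universal. A second point for readers auditing ioctl xperm rules: once this capability is enabled, `allowxperm`/`dontauditxperm` rules scoped to these two requests no longer have any effect, since the permission check is skipped entirely, and the comment does not currently say so. Suggest extending the header to `# Always allow FIOCLEX and FIONCLEX ioctl (ioctl xperm rules for them become moot).` and annotating the removed-checks line `# common file/socket: ioctl { 0x5450 0x5451 }  (asm-generic values; arch-specific elsewhere)`. Keeping the line commented out (as the hunk does) is correct given the estimated libsepol/kernel versions; it may be worth stating that the estimates should be confirmed before the cap is uncommented.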