refpolicy: Define getrlimit permission for class process

This permission was added to the kernel in commit 791ec491c372 ("prlimit,security,selinux: add a security hook for prlimit") circa Linux 4.12 in order to control the ability to get the resource limits of another process. It is only checked when acting on another process, so getrlimit permission is not required for use of getrlimit(2). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
author: Stephen Smalley <sds@tycho.nsa.gov> 2017-05-17 11:33:46 -0400
committer: Sven Vermeulen <swift@gentoo.org> 2017-05-18 19:00:58 +0200
commit: 132d5b9d536f0e178aa10b7544b93f6f129f65c9 (patch)
tree: 0ff9be9e597419aaa22080e173942f5bdda600be /policy/flask/access_vectors
parent: Module version bump for systemd fix from Krzysztof Nowicki. (diff)
download: hardened-refpolicy-132d5b9d536f0e178aa10b7544b93f6f129f65c9.tar.gz
hardened-refpolicy-132d5b9d536f0e178aa10b7544b93f6f129f65c9.tar.bz2
hardened-refpolicy-132d5b9d536f0e178aa10b7544b93f6f129f65c9.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 69f69af80..6204e687f 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -383,6 +383,7 @@ class process
 	execheap
 	setkeycreate
 	setsockcreate
+	getrlimit
 }
author	Stephen Smalley <sds@tycho.nsa.gov>	2017-05-17 11:33:46 -0400
committer	Sven Vermeulen <swift@gentoo.org>	2017-05-18 19:00:58 +0200
commit	132d5b9d536f0e178aa10b7544b93f6f129f65c9 (patch)
tree	0ff9be9e597419aaa22080e173942f5bdda600be /policy/flask/access_vectors
parent	Module version bump for systemd fix from Krzysztof Nowicki. (diff)
download	hardened-refpolicy-132d5b9d536f0e178aa10b7544b93f6f129f65c9.tar.gz hardened-refpolicy-132d5b9d536f0e178aa10b7544b93f6f129f65c9.tar.bz2 hardened-refpolicy-132d5b9d536f0e178aa10b7544b93f6f129f65c9.zip