fix: 修复无法kill信号给deepin_unkillable_t.

Change-Id: I3df4d120dbceda0c568d7d14ebfa0f30aef1049a
deepin-community · Jan 21, 2025 · 397e1e5 · 397e1e5
1 parent 003398c
commit 397e1e5
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 8 deletions.
diff --git a/debian/changelog b/debian/changelog
@@ -1,7 +1,12 @@
+refpolicy (2:2.20240723-2deepin8) unstable; urgency=medium
+
+  * fix:修复无法kill信号给deepin_unkillable_t.
+
+ -- zhangya <[email protected]>  Tue, 21 Jan 2025 17:47:49 +0800
+
 refpolicy (2:2.20240723-2deepin8) unstable; urgency=medium
 
   * fix:修复immutable标签在开启网络管控后不可访问网络的问题.
-  *
 
  -- xiongyingrong <[email protected]>  Wed, 08 Jan 2025 14:17:49 +0800
 

diff --git a/debian/patches/initialize-usids-of-usec-policy.patch b/debian/patches/initialize-usids-of-usec-policy.patch
@@ -598,7 +598,7 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te
 
  allow deepin_executable_file_type self:file { exec_file_perms link execmod };
 
-@@ -860,10 +867,32 @@ allow deepin_home_sec_t self:filesystem
+@@ -860,10 +867,33 @@ allow deepin_home_sec_t self:filesystem
  allow deepin_executable_file_type deepin_home_sec_t:file ~{ relabelfrom relabelto };
  allow deepin_executable_file_type deepin_home_sec_t:dir list_dir_perms;
 
@@ -629,15 +629,16 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te
 +# 系统核心进程防杀标签
 +ifdef(`enable_usec',`
 +	require {
-+		type deepin_perm_manager_sidtwo_t;
++		attribute deepin_executable_file_type;
 +	}
 +
 +	type deepin_unkillable_t;
-+	corecmd_executable_file(deepin_unkillable_t)
-+	allow deepin_unkillable_t deepin_unkillable_t:process { sigkill sigstop };
-+	allow deepin_unkillable_t deepin_unkillable_t:service { stop reload disable };
-+	allow deepin_perm_manager_sidtwo_t deepin_unkillable_t:process { sigkill sigstop };
-+	allow deepin_perm_manager_sidtwo_t deepin_unkillable_t:service { stop reload disable };
++	deepin_app_domain_set(deepin_unkillable_t);
++	allow deepin_unkillable_t self:service *;
++	allow deepin_executable_file_type deepin_unkillable_t:process ~{ setcurrent setexec sigkill sigstop };
++	allow deepin_executable_file_type deepin_unkillable_t:service ~{ stop reload disable };
++	allow deepin_usec_t deepin_unkillable_t:process ~{ setcurrent setexec sigkill sigstop };
++	allow deepin_usec_t deepin_unkillable_t:service ~{ stop reload disable };
 +')
 \ No newline at end of file
 Index: refpolicy/support/Makefile.devel