fix:核心进程防杀修复无法kill SIGHUP信号给deepin_unkillable_t进程.

给systemd赋予更多usec权限 Change-Id: I3df4d120dbceda0c568d7d14ebfa0f30aef1049a
deepin-community · Jan 22, 2025 · 560aa9d · 560aa9d
1 parent 003398c
commit 560aa9d
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/debian/changelog b/debian/changelog
@@ -1,7 +1,12 @@
+refpolicy (2:2.20240723-2deepin9) unstable; urgency=medium
+
+  * fix:核心进程防杀 修复无法kill SIGHUP信号给deepin_unkillable_t进程.
+
+ -- zhangya <[email protected]>  Tue, 21 Jan 2025 17:47:49 +0800
+
 refpolicy (2:2.20240723-2deepin8) unstable; urgency=medium
 
   * fix:修复immutable标签在开启网络管控后不可访问网络的问题.
-  *
 
  -- xiongyingrong <[email protected]>  Wed, 08 Jan 2025 14:17:49 +0800
 

diff --git a/debian/patches/initialize-usids-of-usec-policy.patch b/debian/patches/initialize-usids-of-usec-policy.patch
@@ -530,17 +530,19 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te
 ===================================================================
 --- refpolicy.orig/policy/modules/services/deepin_perm_control.te
 +++ refpolicy/policy/modules/services/deepin_perm_control.te
-@@ -141,9 +141,6 @@ require {
+@@ -141,10 +141,8 @@ require {
  	type deepin_elf_verify_t;
  }
 
 -# This is default usec label
 -type deepin_usec_t;
 -deepin_app_domain_set(deepin_usec_t)
  deepin_app_domain_set(kernel_t)
++deepin_app_domain_set(init_t)
 
  # for app to read selinux config
-@@ -246,25 +243,35 @@ type deepin_perm_manager_test_exec_t;
+ selinux_read_policy(deepin_app_domain)
+@@ -246,25 +244,35 @@ type deepin_perm_manager_test_exec_t;
  domain_entry_file(sysadm_t, deepin_perm_manager_test_exec_t)
  domtrans_pattern(deepin_perm_manager_t, deepin_perm_manager_test_exec_t, sysadm_t)
 
@@ -589,7 +591,7 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te
  	allow sysadm_t deepin_perm_manager_unit_t:service *;
  	allow sysadm_sudo_t deepin_perm_manager_unit_t:service *;
  	deepin_perm_manager_domtrans(sysadm_t)
-@@ -391,7 +398,7 @@ allow deepin_executable_file_type deepin
+@@ -391,7 +399,7 @@ allow deepin_executable_file_type deepin
  allow deepin_executable_file_type deepin_executable_file_type:socket_class_set ~{ relabelfrom relabelto };
  allow deepin_executable_file_type deepin_executable_file_type:dir_file_class_set { mounton lock };
  allow deepin_executable_file_type deepin_executable_file_type:filesystem { mount remount };
@@ -598,7 +600,7 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te
 
  allow deepin_executable_file_type self:file { exec_file_perms link execmod };
 
-@@ -860,10 +867,32 @@ allow deepin_home_sec_t self:filesystem
+@@ -860,10 +868,31 @@ allow deepin_home_sec_t self:filesystem
  allow deepin_executable_file_type deepin_home_sec_t:file ~{ relabelfrom relabelto };
  allow deepin_executable_file_type deepin_home_sec_t:dir list_dir_perms;
 
@@ -629,15 +631,14 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te
 +# 系统核心进程防杀标签
 +ifdef(`enable_usec',`
 +	require {
-+		type deepin_perm_manager_sidtwo_t;
++		attribute deepin_executable_file_type;
 +	}
 +
 +	type deepin_unkillable_t;
-+	corecmd_executable_file(deepin_unkillable_t)
-+	allow deepin_unkillable_t deepin_unkillable_t:process { sigkill sigstop };
-+	allow deepin_unkillable_t deepin_unkillable_t:service { stop reload disable };
-+	allow deepin_perm_manager_sidtwo_t deepin_unkillable_t:process { sigkill sigstop };
-+	allow deepin_perm_manager_sidtwo_t deepin_unkillable_t:service { stop reload disable };
++	deepin_app_domain_set(deepin_unkillable_t);
++	allow deepin_unkillable_t self:service *;
++	allow deepin_usec_t deepin_unkillable_t:process ~{ setcurrent setexec sigkill sigstop };
++	allow deepin_usec_t deepin_unkillable_t:service ~{ stop reload disable };
 +')
 \ No newline at end of file
 Index: refpolicy/support/Makefile.devel