From 560aa9dc4700cdfb3d6935b84d103ca7386b3b85 Mon Sep 17 00:00:00 2001 From: zhangya Date: Tue, 21 Jan 2025 17:59:12 +0800 Subject: [PATCH] =?UTF-8?q?fix:=E6=A0=B8=E5=BF=83=E8=BF=9B=E7=A8=8B?= =?UTF-8?q?=E9=98=B2=E6=9D=80=20=E4=BF=AE=E5=A4=8D=E6=97=A0=E6=B3=95kill?= =?UTF-8?q?=20SIGHUP=E4=BF=A1=E5=8F=B7=E7=BB=99deepin=5Funkillable=5Ft?= =?UTF-8?q?=E8=BF=9B=E7=A8=8B.=20=20=20=20=20=E7=BB=99systemd=E8=B5=8B?= =?UTF-8?q?=E4=BA=88=E6=9B=B4=E5=A4=9Ausec=E6=9D=83=E9=99=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I3df4d120dbceda0c568d7d14ebfa0f30aef1049a --- debian/changelog | 7 ++++++- .../initialize-usids-of-usec-policy.patch | 21 ++++++++++--------- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/debian/changelog b/debian/changelog index fa6af65..87d1aa9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,12 @@ +refpolicy (2:2.20240723-2deepin9) unstable; urgency=medium + + * fix:核心进程防杀 修复无法kill SIGHUP信号给deepin_unkillable_t进程. + + -- zhangya Tue, 21 Jan 2025 17:47:49 +0800 + refpolicy (2:2.20240723-2deepin8) unstable; urgency=medium * fix:修复immutable标签在开启网络管控后不可访问网络的问题. - * -- xiongyingrong Wed, 08 Jan 2025 14:17:49 +0800 diff --git a/debian/patches/initialize-usids-of-usec-policy.patch b/debian/patches/initialize-usids-of-usec-policy.patch index 36b55fb..afe6275 100644 --- a/debian/patches/initialize-usids-of-usec-policy.patch +++ b/debian/patches/initialize-usids-of-usec-policy.patch @@ -530,7 +530,7 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te =================================================================== --- refpolicy.orig/policy/modules/services/deepin_perm_control.te +++ refpolicy/policy/modules/services/deepin_perm_control.te -@@ -141,9 +141,6 @@ require { +@@ -141,10 +141,8 @@ require { type deepin_elf_verify_t; } 
@@ -538,9 +538,11 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te -type deepin_usec_t; -deepin_app_domain_set(deepin_usec_t) deepin_app_domain_set(kernel_t) ++deepin_app_domain_set(init_t) # for app to read selinux config -@@ -246,25 +243,35 @@ type deepin_perm_manager_test_exec_t; + selinux_read_policy(deepin_app_domain) +@@ -246,25 +244,35 @@ type deepin_perm_manager_test_exec_t; domain_entry_file(sysadm_t, deepin_perm_manager_test_exec_t) domtrans_pattern(deepin_perm_manager_t, deepin_perm_manager_test_exec_t, sysadm_t) @@ -589,7 +591,7 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te allow sysadm_t deepin_perm_manager_unit_t:service *; allow sysadm_sudo_t deepin_perm_manager_unit_t:service *; deepin_perm_manager_domtrans(sysadm_t) -@@ -391,7 +398,7 @@ allow deepin_executable_file_type deepin +@@ -391,7 +399,7 @@ allow deepin_executable_file_type deepin allow deepin_executable_file_type deepin_executable_file_type:socket_class_set ~{ relabelfrom relabelto }; allow deepin_executable_file_type deepin_executable_file_type:dir_file_class_set { mounton lock }; allow deepin_executable_file_type deepin_executable_file_type:filesystem { mount remount }; @@ -598,7 +600,7 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te allow deepin_executable_file_type self:file { exec_file_perms link execmod }; -@@ -860,10 +867,32 @@ allow deepin_home_sec_t self:filesystem +@@ -860,10 +868,31 @@ allow deepin_home_sec_t self:filesystem allow deepin_executable_file_type deepin_home_sec_t:file ~{ relabelfrom relabelto }; allow deepin_executable_file_type deepin_home_sec_t:dir list_dir_perms; 
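Review bot: The added `deepin_app_domain_set(init_t)` in the first hunk gives init_t (systemd, per the commit subject) everything that macro grants, with no comment explaining what systemd actually needs from the application-domain rule set; the macro body is outside this hunk, so the full effect cannot be judged here. Because init_t is already a highly privileged domain, a rule targeted at the specific permission it lacks would be easier to audit than adding it to the app-domain set, and at minimum the line deserves a why-comment such as `# init_t joins the app-domain rules so systemd can manage deepin_unkillable_t units — TODO: name the exact permissions needed`. The removed `type deepin_usec_t;` declaration is not re-added in this hunk, so it presumably moves into the renumbered `@@ -246,25 +244,35 @@` inner hunk, which is not visible here.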
@@ -629,15 +631,14 @@ Index: refpolicy/policy/modules/services/deepin_perm_control.te
 +# 系统核心进程防杀标签
 +ifdef(`enable_usec',`
 + require {
-+ type deepin_perm_manager_sidtwo_t;
++ attribute deepin_executable_file_type;
 + }
 +
 + type deepin_unkillable_t;
-+ corecmd_executable_file(deepin_unkillable_t)
-+ allow deepin_unkillable_t deepin_unkillable_t:process { sigkill sigstop };
-+ allow deepin_unkillable_t deepin_unkillable_t:service { stop reload disable };
-+ allow deepin_perm_manager_sidtwo_t deepin_unkillable_t:process { sigkill sigstop };
-+ allow deepin_perm_manager_sidtwo_t deepin_unkillable_t:service { stop reload disable };
++ deepin_app_domain_set(deepin_unkillable_t);
++ allow deepin_unkillable_t self:service *;
++ allow deepin_usec_t deepin_unkillable_t:process ~{ setcurrent setexec sigkill sigstop };
++ allow deepin_usec_t deepin_unkillable_t:service ~{ stop reload disable };
 +')
 \ No newline at end of file
 Index: refpolicy/support/Makefile.devel
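Review bot: The two negated permission sets on the new deepin_usec_t rules grant far more than the SIGHUP delivery the commit subject describes: `~{ setcurrent setexec sigkill sigstop }` allows every other process permission (ptrace, transition, setrlimit, share, and anything added to the class later), and `~{ stop reload disable }` hands over all remaining service permissions. Delivering SIGHUP only needs the `signal` permission, so an explicit positive set is both tighter and stable under future class changes, e.g. `allow deepin_usec_t deepin_unkillable_t:process { signal signull sigchld };` and `allow deepin_usec_t deepin_unkillable_t:service { start status };`. The same concern applies to `allow deepin_unkillable_t self:service *;`, which replaces the removed self-only `{ stop reload disable }` with a wildcard and so lets a protected process stop or disable its own unit through any service permission. Two smaller points: the require block now lists `attribute deepin_executable_file_type;`, which no rule inside the ifdef body references, and `deepin_app_domain_set(deepin_unkillable_t);` carries a trailing semicolon that the other interface calls in this file (`deepin_app_domain_set(kernel_t)`) do not, which may not be accepted after m4 expansion.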