| Message ID | 20260401064624.2548716-2-amanna@qti.qualcomm.com |
|---|---|
| State | New |
| Series | [meta-selinux] refpolicy: backport fix from upstream (PR#1096) |
Hi Joe & Yi Requesting to review the patch. Thanks Abhi -----Original Message----- From: Abhilasha Manna (Temp) <amanna@qti.qualcomm.com> Sent: Wednesday, April 1, 2026 12:16 PM To: yocto-patches@lists.yoctoproject.org Cc: Abhilasha Manna (Temp) <amanna@qti.qualcomm.com> Subject: [meta-selinux][PATCH] refpolicy: backport fix from upstream (PR#1096) Backport upstream SELinux refpolicy change from: https://github.com/SELinuxProject/refpolicy/pull/1096/changes/2aad2d57fa7e6873d3e59e6bc2848623713e46f0 This change is required to keep meta-selinux in sync with upstream refpolicy and to fix issues observed when building or running SELinux-enabled images. No functional changes beyond the upstream fix. Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com> --- .../refpolicy/refpolicy-targeted_git.bb | 1 + ...l_read_transparent_hugepage_sysfs-in.patch | 103 ++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb index de81d46..9d23e84 100644 --- a/recipes-security/refpolicy/refpolicy-targeted_git.bb +++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb @@ -14,4 +14,5 @@ include refpolicy_${PV}.inc SRC_URI += " \ file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \ + +file://0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch +\ " diff --git a/recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch b/recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch new file mode 100644 index 0000000..463fc17 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_t +++ ransparent_hugepage_sysfs-in.patch 
@@ -0,0 +1,103 @@ +From fbf9e9a5c3086b53f46f9f07378af5466d7a6ee9 Mon Sep 17 00:00:00 2001 +From: Abhilasha Manna <amanna@qti.qualcomm.com> +Date: Wed, 25 Mar 2026 14:49:46 +0530 +Subject: [PATCH] kernel: add kernel_read_transparent_hugepage_sysfs +interface + +Add a new interface kernel_read_transparent_hugepage_sysfs() to allow +specific domains to read sysfs files under the transparent hugepage +path (/sys/kernel/mm/transparent_hugepage). + +Introduce sysfs_transparent_hugepage_t as a dedicated type for the +transparent hugepage sysfs path, replacing the use of the generic +sysfs_t. + +Upstream-Status: Inappropriate [meta-qcom specific] + +Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com> +--- + policy/modules/kernel/domain.te | 3 +++ +policy/modules/kernel/kernel.if | 37 +++++++++++++++++++++++++++++++++ +policy/modules/kernel/kernel.te | 8 +++++++ + 3 files changed, 48 insertions(+) + +diff --git a/policy/modules/kernel/domain.te +b/policy/modules/kernel/domain.te index 0f38015b6..7c7fe8f32 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -120,6 +120,9 @@ allow domain self:lockdown { confidentiality +integrity }; # glibc get_nprocs requires read access to +/sys/devices/system/cpu/online + dev_read_cpu_online(domain) + ++# read and search access to sys/kernel/mm/transparent_hugepage ++kernel_read_transparent_hugepage_sysfs(domain) ++ + # Use trusted objects in /dev + dev_rw_null(domain) + dev_rw_zero(domain) +diff --git a/policy/modules/kernel/kernel.if +b/policy/modules/kernel/kernel.if index 01a06eb37..84d76dc3a 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -4108,3 +4108,40 @@ +interface(`kernel_ib_manage_subnet_unlabeled_endports',` + + allow $1 unlabeled_t:infiniband_endport manage_subnet; + ') ++ ++######################################## ++## <summary> ++## Search the transparent hugepage sysfs directory. 
++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. ++## </summary> ++## </param> ++# ++interface(`kernel_search_transparent_hugepage_sysfs',` ++ gen_require(` ++ type sysfs_transparent_hugepage_t; ++ ') ++ ++ allow $1 sysfs_transparent_hugepage_t:dir search; ++') ++ ++######################################## ++## <summary> ++## Read transparent hugepage sysfs files. ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. ++## </summary> ++## </param> ++# ++interface(`kernel_read_transparent_hugepage_sysfs',` ++ gen_require(` ++ type sysfs_transparent_hugepage_t; ++ ') ++ ++ allow $1 sysfs_transparent_hugepage_t:file read_file_perms; ++ kernel_search_transparent_hugepage_sysfs($1) ++') +diff --git a/policy/modules/kernel/kernel.te +b/policy/modules/kernel/kernel.te index 26578a26d..57aa13fb0 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -69,6 +69,14 @@ type kvmfs_t; + fs_type(kvmfs_t) + genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0) + ++# ++#transparent_hugepage ++# ++ ++type sysfs_transparent_hugepage_t; ++files_type(sysfs_transparent_hugepage_t) ++genfscon sysfs /kernel/mm/transparent_hugepage ++gen_context(system_u:object_r:sysfs_transparent_hugepage_t,s0) ++ + # + # Procfs types + # +-- +2.43.0 + -- 2.43.0
Hi Abhi On 4/2/26 14:02, Abhilasha Manna (Temp) wrote: > Hi Joe & Yi > > Requesting to review the patch. Given the recent requests to merge backported patches, I will upgrade refpolicy to latest git revision. //YI > > Thanks > Abhi > > -----Original Message----- > From: Abhilasha Manna (Temp) <amanna@qti.qualcomm.com> > Sent: Wednesday, April 1, 2026 12:16 PM > To: yocto-patches@lists.yoctoproject.org > Cc: Abhilasha Manna (Temp) <amanna@qti.qualcomm.com> > Subject: [meta-selinux][PATCH] refpolicy: backport fix from upstream (PR#1096) > > Backport upstream SELinux refpolicy change from: > > https://github.com/SELinuxProject/refpolicy/pull/1096/changes/2aad2d57fa7e6873d3e59e6bc2848623713e46f0 > > This change is required to keep meta-selinux in sync with upstream refpolicy and to fix issues observed when building or running SELinux-enabled images. > > No functional changes beyond the upstream fix. > > Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com> > --- > .../refpolicy/refpolicy-targeted_git.bb | 1 + > ...l_read_transparent_hugepage_sysfs-in.patch | 103 ++++++++++++++++++ > 2 files changed, 104 insertions(+) > create mode 100644 recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch > > diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb > index de81d46..9d23e84 100644 > --- a/recipes-security/refpolicy/refpolicy-targeted_git.bb > +++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb > @@ -14,4 +14,5 @@ include refpolicy_${PV}.inc > > SRC_URI += " \ > file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \ > + > +file://0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch > +\ > " 
> diff --git a/recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch b/recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch > new file mode 100644 > index 0000000..463fc17 > --- /dev/null > +++ b/recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_t > +++ ransparent_hugepage_sysfs-in.patch 
> @@ -0,0 +1,103 @@ > +From fbf9e9a5c3086b53f46f9f07378af5466d7a6ee9 Mon Sep 17 00:00:00 2001 > +From: Abhilasha Manna <amanna@qti.qualcomm.com> > +Date: Wed, 25 Mar 2026 14:49:46 +0530 > +Subject: [PATCH] kernel: add kernel_read_transparent_hugepage_sysfs > +interface > + > +Add a new interface kernel_read_transparent_hugepage_sysfs() to allow > +specific domains to read sysfs files under the transparent hugepage > +path (/sys/kernel/mm/transparent_hugepage). > + > +Introduce sysfs_transparent_hugepage_t as a dedicated type for the > +transparent hugepage sysfs path, replacing the use of the generic > +sysfs_t. > + > +Upstream-Status: Inappropriate [meta-qcom specific] > + > +Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com> > +--- > + policy/modules/kernel/domain.te | 3 +++ > +policy/modules/kernel/kernel.if | 37 +++++++++++++++++++++++++++++++++ > +policy/modules/kernel/kernel.te | 8 +++++++ > + 3 files changed, 48 insertions(+) > + > +diff --git a/policy/modules/kernel/domain.te > +b/policy/modules/kernel/domain.te index 0f38015b6..7c7fe8f32 100644 > +--- a/policy/modules/kernel/domain.te > ++++ b/policy/modules/kernel/domain.te > +@@ -120,6 +120,9 @@ allow domain self:lockdown { confidentiality > +integrity }; # glibc get_nprocs requires read access to > +/sys/devices/system/cpu/online > + dev_read_cpu_online(domain) > + > ++# read and search access to sys/kernel/mm/transparent_hugepage > ++kernel_read_transparent_hugepage_sysfs(domain) > ++ > + # Use trusted objects in /dev > + dev_rw_null(domain) > + dev_rw_zero(domain) > +diff --git a/policy/modules/kernel/kernel.if > +b/policy/modules/kernel/kernel.if index 01a06eb37..84d76dc3a 100644 > +--- a/policy/modules/kernel/kernel.if > ++++ b/policy/modules/kernel/kernel.if > +@@ -4108,3 +4108,40 @@ > +interface(`kernel_ib_manage_subnet_unlabeled_endports',` > + > + allow $1 unlabeled_t:infiniband_endport manage_subnet; > + ') > ++ > ++######################################## > ++## <summary> > ++## Search 
the transparent hugepage sysfs directory. > ++## </summary> > ++## <param name="domain"> > ++## <summary> > ++## Domain allowed access. > ++## </summary> > ++## </param> > ++# > ++interface(`kernel_search_transparent_hugepage_sysfs',` > ++ gen_require(` > ++ type sysfs_transparent_hugepage_t; > ++ ') > ++ > ++ allow $1 sysfs_transparent_hugepage_t:dir search; > ++') > ++ > ++######################################## > ++## <summary> > ++## Read transparent hugepage sysfs files. > ++## </summary> > ++## <param name="domain"> > ++## <summary> > ++## Domain allowed access. > ++## </summary> > ++## </param> > ++# > ++interface(`kernel_read_transparent_hugepage_sysfs',` > ++ gen_require(` > ++ type sysfs_transparent_hugepage_t; > ++ ') > ++ > ++ allow $1 sysfs_transparent_hugepage_t:file read_file_perms; > ++ kernel_search_transparent_hugepage_sysfs($1) > ++') > +diff --git a/policy/modules/kernel/kernel.te > +b/policy/modules/kernel/kernel.te index 26578a26d..57aa13fb0 100644 > +--- a/policy/modules/kernel/kernel.te > ++++ b/policy/modules/kernel/kernel.te > +@@ -69,6 +69,14 @@ type kvmfs_t; > + fs_type(kvmfs_t) > + genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0) > + > ++# > ++#transparent_hugepage > ++# > ++ > ++type sysfs_transparent_hugepage_t; > ++files_type(sysfs_transparent_hugepage_t) > ++genfscon sysfs /kernel/mm/transparent_hugepage > ++gen_context(system_u:object_r:sysfs_transparent_hugepage_t,s0) > ++ > + # > + # Procfs types > + # > +-- > +2.43.0 > + > -- > 2.43.0 >
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb index de81d46..9d23e84 100644 --- a/recipes-security/refpolicy/refpolicy-targeted_git.bb +++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb @@ -14,4 +14,5 @@ include refpolicy_${PV}.inc SRC_URI += " \ file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \ + file://0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch \ " diff --git a/recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch b/recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch new file mode 100644 index 0000000..463fc17 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch 
@@ -0,0 +1,103 @@ +From fbf9e9a5c3086b53f46f9f07378af5466d7a6ee9 Mon Sep 17 00:00:00 2001 +From: Abhilasha Manna <amanna@qti.qualcomm.com> +Date: Wed, 25 Mar 2026 14:49:46 +0530 +Subject: [PATCH] kernel: add kernel_read_transparent_hugepage_sysfs interface + +Add a new interface kernel_read_transparent_hugepage_sysfs() to allow +specific domains to read sysfs files under the transparent hugepage +path (/sys/kernel/mm/transparent_hugepage). + +Introduce sysfs_transparent_hugepage_t as a dedicated type for the +transparent hugepage sysfs path, replacing the use of the generic +sysfs_t. + +Upstream-Status: Inappropriate [meta-qcom specific] + +Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com> +--- + policy/modules/kernel/domain.te | 3 +++ + policy/modules/kernel/kernel.if | 37 +++++++++++++++++++++++++++++++++ + policy/modules/kernel/kernel.te | 8 +++++++ + 3 files changed, 48 insertions(+) + +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index 0f38015b6..7c7fe8f32 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -120,6 +120,9 @@ allow domain self:lockdown { confidentiality integrity }; + # glibc get_nprocs requires read access to /sys/devices/system/cpu/online + dev_read_cpu_online(domain) + ++# read and search access to sys/kernel/mm/transparent_hugepage ++kernel_read_transparent_hugepage_sysfs(domain) ++ + # Use trusted objects in /dev + dev_rw_null(domain) + dev_rw_zero(domain) +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 01a06eb37..84d76dc3a 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -4108,3 +4108,40 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',` + + allow $1 unlabeled_t:infiniband_endport manage_subnet; + ') ++ ++######################################## ++## <summary> ++## Search the transparent hugepage sysfs directory. 
++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. ++## </summary> ++## </param> ++# ++interface(`kernel_search_transparent_hugepage_sysfs',` ++ gen_require(` ++ type sysfs_transparent_hugepage_t; ++ ') ++ ++ allow $1 sysfs_transparent_hugepage_t:dir search; ++') ++ ++######################################## ++## <summary> ++## Read transparent hugepage sysfs files. ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. ++## </summary> ++## </param> ++# ++interface(`kernel_read_transparent_hugepage_sysfs',` ++ gen_require(` ++ type sysfs_transparent_hugepage_t; ++ ') ++ ++ allow $1 sysfs_transparent_hugepage_t:file read_file_perms; ++ kernel_search_transparent_hugepage_sysfs($1) ++') +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index 26578a26d..57aa13fb0 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -69,6 +69,14 @@ type kvmfs_t; + fs_type(kvmfs_t) + genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0) + ++# ++#transparent_hugepage ++# ++ ++type sysfs_transparent_hugepage_t; ++files_type(sysfs_transparent_hugepage_t) ++genfscon sysfs /kernel/mm/transparent_hugepage gen_context(system_u:object_r:sysfs_transparent_hugepage_t,s0) ++ + # + # Procfs types + # +-- +2.43.0 +
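Review bot: the copy of this patch pasted into the mail body is line-wrapped by the mail client (the new SRC_URI entry arrives as three separate `+` lines, `+`, `+file://0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch` and `+\`, and the final `genfscon` line is split in two), so that copy cannot be applied with `git am`; send it with `git send-email` rather than as a forwarded message. The SRC_URI addition is also made only in refpolicy-targeted_git.bb, while the embedded patch changes domain.te, kernel.if and kernel.te, which every refpolicy flavour builds; if the fix is meant for all flavours it belongs in the shared `refpolicy_${PV}.inc` that the hunk context shows this recipe including, and the `0079` prefix next to the recipe's lone `0001` suggests the file was numbered against a different series.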
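Review bot: the `Upstream-Status: Inappropriate [meta-qcom specific]` line in the new patch file contradicts the cover text, which calls this a backport of upstream refpolicy PR#1096 with no functional changes beyond the upstream fix; a backport should carry `Upstream-Status: Backport [<upstream commit id or URL>]` so the file can be dropped once the recipe moves past that commit (Yi's reply says the refpolicy revision will be bumped), and `meta-qcom` is not the layer this lands in. The embedded `From:` and `Date:` are the submitter's rather than the upstream author's, which also points to a re-authored patch instead of a `git cherry-pick -x` of the upstream change; if the content differs from upstream, the commit message should say how.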
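Review bot: `kernel_read_transparent_hugepage_sysfs(domain)` in the domain.te hunk grants the new access to the `domain` attribute, that is to every process domain in the policy, while the commit message says the interface exists to "allow specific domains" to read these files; one of the two should change. If the denials that motivated this came from a known set of domains, call the interface from those modules and keep the domain-wide rule to what the glibc comment in the context justifies for `dev_read_cpu_online(domain)`. Minor: the comment path `sys/kernel/mm/transparent_hugepage` is missing its leading `/`.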
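Review bot: `kernel_read_transparent_hugepage_sysfs` in the kernel.if hunk grants `read_file_perms` on files but only `search` on the directory, so a caller that lists `/sys/kernel/mm/transparent_hugepage` to discover which tunables exist is still denied `read` on the dir; consider `allow $1 sysfs_transparent_hugepage_t:dir list_dir_perms;` in the read interface, or the `read_files_pattern()`/`list_dirs_pattern()` helpers in place of the raw `allow` rules, and keep the search-only variant for domains that open a known file by path. The two interfaces carry no `<infoflow>` element in their doc comments; add one (`read`, as for the other read interfaces in this file) so the generated documentation is complete.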
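Review bot: relabelling `/kernel/mm/transparent_hugepage` from `sysfs_t` to the new `sysfs_transparent_hugepage_t` in the kernel.te hunk removes that subtree from every existing rule written against `sysfs_t` (for example callers of `dev_read_sysfs()` and `dev_rw_sysfs()`), and this patch adds only search and read interfaces, so any domain that used to tune THP by writing those files through its sysfs access will now get new denials; either add a write interface alongside the read one or state in the commit message that write access is intentionally withdrawn. Placement: `sysfs_t` and the existing sysfs sub-path types are declared in the devices module with `dev_*` interfaces (the domain.te context calls `dev_read_cpu_online`), so declaring this type in kernel.te with a `kernel_*` interface is inconsistent with that layout; devices.te with a `dev_read_transparent_hugepage_sysfs()` interface would match. Minor: the `#`/`#transparent_hugepage`/`#` comment block should follow the `# Procfs types` style of the surrounding comments.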
Backport upstream SELinux refpolicy change from: https://github.com/SELinuxProject/refpolicy/pull/1096/changes/2aad2d57fa7e6873d3e59e6bc2848623713e46f0 This change is required to keep meta-selinux in sync with upstream refpolicy and to fix issues observed when building or running SELinux-enabled images. No functional changes beyond the upstream fix. Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com> --- .../refpolicy/refpolicy-targeted_git.bb | 1 + ...l_read_transparent_hugepage_sysfs-in.patch | 103 ++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch