@@ -14,4 +14,5 @@ include refpolicy_${PV}.inc
SRC_URI += " \
file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \
+ file://0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch \
"
new file mode 100644
@@ -0,0 +1,103 @@
+From fbf9e9a5c3086b53f46f9f07378af5466d7a6ee9 Mon Sep 17 00:00:00 2001
+From: Abhilasha Manna <amanna@qti.qualcomm.com>
+Date: Wed, 25 Mar 2026 14:49:46 +0530
+Subject: [PATCH] kernel: add kernel_read_transparent_hugepage_sysfs interface
+
+Add a new interface kernel_read_transparent_hugepage_sysfs() to allow
+specific domains to read sysfs files under the transparent hugepage
+path (/sys/kernel/mm/transparent_hugepage).
+
+Introduce sysfs_transparent_hugepage_t as a dedicated type for the
+transparent hugepage sysfs path, replacing the use of the generic
+sysfs_t.
+
+Upstream-Status: Inappropriate [meta-qcom specific]
+
+Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com>
+---
+ policy/modules/kernel/domain.te | 3 +++
+ policy/modules/kernel/kernel.if | 37 +++++++++++++++++++++++++++++++++
+ policy/modules/kernel/kernel.te | 8 +++++++
+ 3 files changed, 48 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 0f38015b6..7c7fe8f32 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -120,6 +120,9 @@ allow domain self:lockdown { confidentiality integrity };
+ # glibc get_nprocs requires read access to /sys/devices/system/cpu/online
+ dev_read_cpu_online(domain)
+
++# read and search access to sys/kernel/mm/transparent_hugepage
++kernel_read_transparent_hugepage_sysfs(domain)
++
+ # Use trusted objects in /dev
+ dev_rw_null(domain)
+ dev_rw_zero(domain)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 01a06eb37..84d76dc3a 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -4108,3 +4108,40 @@ interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+
+ allow $1 unlabeled_t:infiniband_endport manage_subnet;
+ ')
++
++########################################
++## <summary>
++## Search the transparent hugepage sysfs directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_search_transparent_hugepage_sysfs',`
++ gen_require(`
++ type sysfs_transparent_hugepage_t;
++ ')
++
++ allow $1 sysfs_transparent_hugepage_t:dir search;
++')
++
++########################################
++## <summary>
++## Read transparent hugepage sysfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_read_transparent_hugepage_sysfs',`
++ gen_require(`
++ type sysfs_transparent_hugepage_t;
++ ')
++
++ allow $1 sysfs_transparent_hugepage_t:file read_file_perms;
++ kernel_search_transparent_hugepage_sysfs($1)
++')
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 26578a26d..57aa13fb0 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -69,6 +69,14 @@ type kvmfs_t;
+ fs_type(kvmfs_t)
+ genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
+
++#
++#transparent_hugepage
++#
++
++type sysfs_transparent_hugepage_t;
++files_type(sysfs_transparent_hugepage_t)
++genfscon sysfs /kernel/mm/transparent_hugepage gen_context(system_u:object_r:sysfs_transparent_hugepage_t,s0)
++
+ #
+ # Procfs types
+ #
+--
+2.43.0
+
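Review bot: The new kernel_search_transparent_hugepage_sysfs interface in kernel.if grants search only on sysfs_transparent_hugepage_t:dir, so a caller that does not already hold search on sysfs_t will still be denied on the parent directories /sys, /sys/kernel and /sys/kernel/mm before it reaches the relabeled leaf; add `dev_search_sysfs($1)` before the allow in kernel_search_transparent_hugepage_sysfs so the interface is usable on its own. The domain.te hunk then calls the read interface on the whole `domain` attribute, which does not match the commit message's "specific domains" wording; if every domain is meant to read the THP tunables (presumably because allocators probe them at start-up — confirm), say so in the comment, e.g. `# all domains read /sys/kernel/mm/transparent_hugepage (allocator THP probing)`, which also fixes the missing leading slash in the current comment. Finally the patch header carries `Upstream-Status: Inappropriate [meta-qcom specific]` while the commit description calls this a backport of upstream refpolicy PR 1096; if it really is a backport the tag should read `Upstream-Status: Backport [<PR URL>]` so the patch is dropped rather than carried forward on the next refpolicy update.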
Backport the upstream SELinux refpolicy change from: https://github.com/SELinuxProject/refpolicy/pull/1096/changes/2aad2d57fa7e6873d3e59e6bc2848623713e46f0. This change is required to keep meta-selinux in sync with upstream refpolicy and to fix issues observed when building or running SELinux-enabled images. No functional changes beyond the upstream fix. Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com> --- .../refpolicy/refpolicy-targeted_git.bb | 1 + ...l_read_transparent_hugepage_sysfs-in.patch | 103 ++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy/0079-kernel-add-kernel_read_transparent_hugepage_sysfs-in.patch