[yocto] [PATCH 1/1] refpolicy: allow dhclient to bind unreserved_port_t socket.
rongqing.li at windriver.com
Sun Feb 9 18:28:20 PST 2014
From: Roy Li <rongqing.li at windriver.com>
Once dhclient enables DNS support, it binds any port which is not reserved.
Signed-off-by: Roy Li <rongqing.li at windriver.com>
---
.../poky-policy-allows-dhclient-to-bind.patch | 43 ++++++++++++++++++++
.../refpolicy/refpolicy_2.20130424.inc | 1 +
2 files changed, 44 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch
new file mode 100644
index 0000000..7118e8e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch
@@ -0,0 +1,43 @@
+From a9502eba0fef095ef6a2ff42bac020b25f7e384a Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li at windriver.com>
+Date: Mon, 10 Feb 2014 08:40:04 +0800
+Subject: [PATCH] allows dhclient to bind unreserved_port_t socket
+
+Upstream-Status: Pending
+
+Once dhclient enables dns supports, the functions dns_client_createx will
+be called, it will find anyone port which is unreserved and unused.
+
+Call backtrace:
+ bind ()
+ isc__socket_bind ()
+ open_socket ()
+ get_udpsocket ()
+ dispatch_createudp ()
+ dns_dispatch_getudp ()
+ getudpdispatch ()
+ dns_client_createx ()
+ dhcp_context_create ()
+ main ()
+
+Signed-off-by: Roy Li <rongqing.li at windriver.com>
+---
+ policy/modules/system/sysnetwork.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 900b770..b554820 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -73,6 +73,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+ sysnet_manage_config(dhcpc_t)
+ files_etc_filetrans(dhcpc_t, net_conf_t, file)
+
++corenet_udp_bind_all_unreserved_ports(dhcpc_t)
++
+ # create temp files
+ manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
+ manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
+--
+1.7.10.4
+
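Review bot: the added `corenet_udp_bind_all_unreserved_ports(dhcpc_t)` line in sysnetwork.te carries no comment, unlike the `# create temp files` block right after it, and the subject speaks of `unreserved_port_t` while the interface name covers all unreserved ports. Please add a one-line comment above the rule saying it is needed for the UDP socket that dns_client_createx() opens, and confirm that the all-unreserved-ports scope is what is intended for dhcpc_t. Quoting the AVC denial in the embedded commit message next to the backtrace would let the rule be checked against what was actually denied.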
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 4b618b2..f93361a 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -50,6 +50,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
file://poky-policy-fix-seutils-manage-config-files.patch \
file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
+ file://poky-policy-allows-dhclient-to-bind.patch \
"
# Backport from upstream
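Review bot: the file name in the added SRC_URI entry, `poky-policy-allows-dhclient-to-bind.patch`, stops at "to-bind" and does not say what is bound, whereas the neighbouring entries name the thing they change (for example `fix-dmesg-to-use-dev-kmsg`). Consider a name that mentions the unreserved UDP ports, changing it in both the `create mode` file and this list. Placement ahead of the `# Backport from upstream` marker is consistent with the patch's `Upstream-Status: Pending` header.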
--
1.7.10.4