[yocto] [PATCH 1/1] refpolicy: allow dhclient to bind unreserved_port_t socket.

rongqing.li at windriver.com
Sun Feb 9 18:28:20 PST 2014


From: Roy Li <rongqing.li at windriver.com>

Once dhclient enables DNS support, it binds any port which is not reserved.

Signed-off-by: Roy Li <rongqing.li at windriver.com>
---
 .../poky-policy-allows-dhclient-to-bind.patch      |   43 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    1 +
 2 files changed, 44 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch
new file mode 100644
index 0000000..7118e8e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-allows-dhclient-to-bind.patch
@@ -0,0 +1,43 @@
+From a9502eba0fef095ef6a2ff42bac020b25f7e384a Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li at windriver.com>
+Date: Mon, 10 Feb 2014 08:40:04 +0800
+Subject: [PATCH] allows dhclient to bind unreserved_port_t socket
+
+Upstream-Status: Pending
+
+Once dhclient enables dns supports, the functions dns_client_createx will
+be called, it will find anyone port which is unreserved and unused.
+
+Call backtrace:
+    bind ()
+    isc__socket_bind ()
+    open_socket ()
+    get_udpsocket ()
+    dispatch_createudp ()
+    dns_dispatch_getudp ()
+    getudpdispatch ()
+    dns_client_createx ()
+    dhcp_context_create ()
+    main ()
+
+Signed-off-by: Roy Li <rongqing.li at windriver.com>
+---
+ policy/modules/system/sysnetwork.te |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 900b770..b554820 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -73,6 +73,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+ sysnet_manage_config(dhcpc_t)
+ files_etc_filetrans(dhcpc_t, net_conf_t, file)
+ 
++corenet_udp_bind_all_unreserved_ports(dhcpc_t)
++
+ # create temp files
+ manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
+ manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
+-- 
+1.7.10.4
+
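Review bot: the new `corenet_udp_bind_all_unreserved_ports(dhcpc_t)` line in the sysnetwork.te hunk is dropped in without a comment, while the surrounding dhcpc_t block annotates each group of rules (`# create temp files` directly below it); add a one-line comment such as `# DNS client (dns_client_createx) binds an ephemeral UDP port` so the next reader does not have to dig up this commit. Binding every unreserved UDP port is also broader than the DHCP protocol itself needs, and the message says the bind only happens "once dhclient enables dns support", so if that feature is optional in the build the rule belongs inside a tunable (gen_tunable/tunable_policy) rather than being granted to every dhcpc_t instance. Finally, the commit text shows the backtrace but not the AVC denial that prompted it; quoting the denial would let reviewers confirm the target type really was unreserved_port_t and not a port with a more specific label.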
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 4b618b2..f93361a 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -50,6 +50,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
             file://poky-policy-fix-seutils-manage-config-files.patch \
             file://poky-policy-fix-setfiles-statvfs-get-file-count.patch \
             file://poky-policy-fix-dmesg-to-use-dev-kmsg.patch \
+            file://poky-policy-allows-dhclient-to-bind.patch \
            "
 
 # Backport from upstream
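Review bot: naming consistency in the SRC_URI hunk: every sibling entry is `poky-policy-fix-*.patch`, but the new file is `poky-policy-allows-dhclient-to-bind.patch`; a name like `poky-policy-fix-dhclient-bind-unreserved-ports.patch` (renaming the created file in the same series) keeps the list uniform and says what is being bound. Placing it ahead of the `# Backport from upstream` block is right given the patch's Upstream-Status: Pending.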
-- 
1.7.10.4
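To make concrete what the rule above permits, here is an added example that is not part of the patch, of dhclient, or of ISC's libdns: it binds a UDP socket to port 0 so the kernel picks an unused port, then checks that the result lands in the range refpolicy labels unreserved_port_t (1024-65535 by default). Port 0 is the simplest way to obtain such a port and stands in for the port selection behind the get_udpsocket()/dispatch_createudp() frames in the backtrace; libdns's own selection logic is not reproduced. The helper names and the use of the loopback address are this example's choices, and `is_unreserved_port()` deliberately ignores ports in that range that carry a more specific portcon label.

```c
/* Added example, not code from the patch, dhclient or ISC libdns.
 * Demonstrates the bind that the SELinux rule
 * corenet_udp_bind_all_unreserved_ports(dhcpc_t) has to permit. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a fresh UDP socket to 127.0.0.1 with port 0 (kernel chooses) and
 * return the assigned port in host byte order, or -1 on failure.
 * The socket is closed before returning; only the number matters here. */
int ephemeral_udp_bind_port(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;            /* 0: let the kernel pick an unused port */

    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }

    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return ntohs(sa.sin_port);
}

/* refpolicy's default portcon labels 1024-65535 as unreserved_port_t and
 * everything below 1024 as reserved. This check ignores ports inside that
 * range that have a more specific label (e.g. well-known service ports);
 * a real policy check would consult the loaded portcon entries. */
int is_unreserved_port(int port)
{
    return port >= 1024 && port <= 65535;
}

int main(void)
{
    int port = ephemeral_udp_bind_port();
    if (port < 0) {
        perror("bind");
        return 1;
    }
    printf("kernel chose UDP port %d (%s)\n", port,
           is_unreserved_port(port) ? "unreserved_port_t range"
                                    : "reserved range");
    return 0;
}
```

Run it with SELinux enforcing in a domain that lacks the unreserved-port bind permission and the bind() call is what the AVC denial points at; the loopback address keeps the example from touching a real interface.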
