dbus, init: add interface for pidfd usage

Commit 4e7511f4a previously added access for init to use DBUS system bus file descriptors while the intended access was for pidfds. Add an interface for pidfd usage so that when pidfds are eventually handled separately from regular fds, this interface can be adjusted. Signed-off-by: Kenton Groombridge <[email protected]>
0xC0ncord · Jun 27, 2024 · e25e96e · e25e96e
1 parent 99ea957
commit e25e96e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
@@ -632,6 +632,25 @@ interface(`dbus_use_system_bus_fds',`
 	allow $1 system_dbusd_t:fd use;
 ')
 
+########################################
+## <summary>
+##	Use PIDFD file descriptors from the
+##	DBUS system bus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_use_system_bus_pidfds',`
+	gen_require(`
+		type system_dbusd_t;
+	')
+
+	allow $1 system_dbusd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read and

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -610,7 +610,7 @@ ifdef(`init_systemd',`
 
 	optional_policy(`
 		dbus_connect_system_bus(init_t)
-		dbus_use_system_bus_fds(init_t)
+		dbus_use_system_bus_pidfds(init_t)
 	')
 
 	optional_policy(`