Commit 76a27155 authored by Daniel Black

MDEV-33301 memlock with systemd still not working

... even with the MDEV-9095 fix

CapabilityBounding sets require filesystem setcap attributes
for the executable to gain privileges during execution.

A side effect of this, however, is that getauxval(AT_SECURE) gets
set, and the secure_getenv call in OpenSSL internals on the
OPENSSL_CONF environment variable will be ignored (openssl gh issue
21770).

According to capabilities(7), ambient capabilities don't trigger
ld.so's secure execution mode.

Include SELinux and AppArmor capabilities for ipc_lock
parent ee2ed1a0
...@@ -51,7 +51,7 @@ Group=mysql ...@@ -51,7 +51,7 @@ Group=mysql
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
# does nothing for non-root, not needed if /etc/shadow is u+r # does nothing for non-root, not needed if /etc/shadow is u+r
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE AmbientCapabilities=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
# PrivateDevices=true implies NoNewPrivileges=true and # PrivateDevices=true implies NoNewPrivileges=true and
# SUID auth_pam_tool suddenly doesn't do setuid anymore # SUID auth_pam_tool suddenly doesn't do setuid anymore
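Review bot: the comment block above the changed line still documents only what each capability is for, not why the setting moved from CapabilityBoundingSet= to AmbientCapabilities=; add a one-line comment such as "# AmbientCapabilities= rather than CapabilityBoundingSet= so the binary needs no file capabilities and AT_SECURE stays unset (MDEV-33301)" so a later cleanup does not revert it. Also worth stating in that comment that ambient capabilities survive execve into unprivileged children, so every helper mysqld spawns inherits CAP_IPC_LOCK, CAP_DAC_OVERRIDE and CAP_AUDIT_WRITE, whereas a bounding set only capped what a file-capability or SUID child could gain.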
...@@ -181,7 +181,7 @@ PrivateNetwork=false ...@@ -181,7 +181,7 @@ PrivateNetwork=false
# CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0 # CAP_DAC_OVERRIDE To allow auth_pam_tool (which is SUID root) to read /etc/shadow when it's chmod 0
# does nothing for non-root, not needed if /etc/shadow is u+r # does nothing for non-root, not needed if /etc/shadow is u+r
# CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason # CAP_AUDIT_WRITE auth_pam_tool needs it on Debian for whatever reason
CapabilityBoundingSet=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE AmbientCapabilities=CAP_IPC_LOCK CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
# PrivateDevices=true implies NoNewPrivileges=true and # PrivateDevices=true implies NoNewPrivileges=true and
# SUID auth_pam_tool suddenly doesn't do setuid anymore # SUID auth_pam_tool suddenly doesn't do setuid anymore
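Review bot: this is the second, identical copy of the capability stanza in the same unit file (line 181 after the line 51 copy); the two blocks have to stay in sync by hand, and the same explanatory comment on why AmbientCapabilities= replaced CapabilityBoundingSet= should be added here as well so both copies carry the rationale.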
...@@ -14,6 +14,7 @@ ...@@ -14,6 +14,7 @@
capability chown, capability chown,
capability dac_override, capability dac_override,
capability ipc_lock,
capability setgid, capability setgid,
capability setuid, capability setuid,
capability sys_rawio, capability sys_rawio,
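Review bot: the new `capability ipc_lock,` line keeps the profile's alphabetical ordering, which is good; note that CAP_IPC_LOCK also covers mlockall() and shmctl(SHM_LOCK), not just the memlock option's mlock of the buffer pool, so a short comment naming the memlock use case would make the grant's intent clear to whoever audits the profile.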
...@@ -25,7 +25,7 @@ require { ...@@ -25,7 +25,7 @@ require {
class lnk_file read; class lnk_file read;
class process { getattr signull }; class process { getattr signull };
class unix_stream_socket connectto; class unix_stream_socket connectto;
class capability { sys_resource sys_nice }; class capability { ipc_lock sys_resource sys_nice };
class tcp_socket { name_bind name_connect }; class tcp_socket { name_bind name_connect };
class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink }; class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
class sock_file { create unlink getattr }; class sock_file { create unlink getattr };
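Review bot: placing ipc_lock in the `class capability` require line is correct, since CAP_IPC_LOCK is among the first 32 capabilities covered by the `capability` class rather than `capability2`; this hunk only declares the permission, so it must be paired with the matching allow rule in the later hunk or the policy will not grant anything.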
...@@ -87,6 +87,8 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl }; ...@@ -87,6 +87,8 @@ allow mysqld_t bin_t:file { getattr read execute open execute_no_trans ioctl };
# MariaDB additions # MariaDB additions
allow mysqld_t self:process setpgid; allow mysqld_t self:process setpgid;
allow mysqld_t self:capability { ipc_lock };
# This rule allows port tcp/4444 # This rule allows port tcp/4444
allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect }; allow mysqld_t kerberos_port_t:tcp_socket { name_bind name_connect };
# This rule allows port tcp/4567 (tram_port_t may not be available on # This rule allows port tcp/4567 (tram_port_t may not be available on
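Review bot: `allow mysqld_t self:capability { ipc_lock };` wraps a single permission in braces while the neighbouring `allow mysqld_t self:process setpgid;` does not; drop the braces for consistency, and add a comment in the style of the surrounding rules ("# This rule allows mlock for memlock / MDEV-33301") so the reason for the grant is visible in the policy itself.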