Diffstat (limited to 'contrib')
-rw-r--r--contrib/apparmor/abstractions/passt11
-rw-r--r--contrib/apparmor/abstractions/pasta2
-rw-r--r--contrib/apparmor/usr.bin.passt2
-rw-r--r--contrib/apparmor/usr.bin.passt-repair2
-rw-r--r--contrib/apparmor/usr.bin.pasta2
-rw-r--r--contrib/fedora/passt.spec2
-rw-r--r--contrib/selinux/pasta.te4
7 files changed, 18 insertions, 7 deletions
diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt
index 43fd63f..85bd1ee 100644
--- a/contrib/apparmor/abstractions/passt
+++ b/contrib/apparmor/abstractions/passt
@@ -11,7 +11,7 @@
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
- abi <abi/3.0>,
+ abi <abi/4.0>,
include <abstractions/base>
@@ -24,6 +24,7 @@
capability setpcap,
capability net_admin,
capability sys_ptrace,
+ userns,
/ r, # isolate_prefork(), isolation.c
mount options=(rw, runbindable) -> /,
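Review bot: The new `userns,` rule is the only rule in this hunk without the `# function(), file.c` annotation the surrounding lines carry (compare `/ r, # isolate_prefork(), isolation.c` right below it), so a reader cannot tell which namespace-creation call site needs it or whether it is still required later. It is also the one rule here whose absence silently changes behaviour once the abi is bumped to 4.0: user-namespace creation becomes mediated for the profile, and a kernel with apparmor's unprivileged-userns restriction enabled will deny it rather than ignore it. I would annotate it in the file's style, e.g. `userns, # isolate_prefork(), isolation.c (unshare(CLONE_NEWUSER))`, after confirming that is the call site rather than a later clone()/setns() in the same file. The profile body continues outside this hunk.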
@@ -36,6 +37,14 @@
@{PROC}/sys/net/ipv4/ip_local_port_range r, # fwd_probe_ephemeral()
+ @{PROC}/sys/net/ipv4/tcp_syn_retries r, # tcp_get_rto_params(), tcp.c
+ @{PROC}/sys/net/ipv4/tcp_syn_linear_timeouts r,
+ @{PROC}/sys/net/ipv4/tcp_rto_max_ms r,
+
+ # udp_get_timeout_params(), udp.c
+ @{PROC}/sys/net/netfilter/nf_conntrack_udp_timeout r,
+ @{PROC}/sys/net/netfilter/nf_conntrack_udp_timeout_stream r,
+
network netlink raw, # nl_sock_init_do(), netlink.c
network inet stream, # tcp.c
diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta
index 9f73bee..251d4a2 100644
--- a/contrib/apparmor/abstractions/pasta
+++ b/contrib/apparmor/abstractions/pasta
@@ -11,7 +11,7 @@
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
- abi <abi/3.0>,
+ abi <abi/4.0>,
include <abstractions/passt>
diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt
index 62a4514..c123a86 100644
--- a/contrib/apparmor/usr.bin.passt
+++ b/contrib/apparmor/usr.bin.passt
@@ -11,7 +11,7 @@
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
-abi <abi/3.0>,
+abi <abi/4.0>,
include <tunables/global>
diff --git a/contrib/apparmor/usr.bin.passt-repair b/contrib/apparmor/usr.bin.passt-repair
index 901189d..23ff1ce 100644
--- a/contrib/apparmor/usr.bin.passt-repair
+++ b/contrib/apparmor/usr.bin.passt-repair
@@ -11,7 +11,7 @@
# Copyright (c) 2025 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
-abi <abi/3.0>,
+abi <abi/4.0>,
#include <tunables/global>
diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta
index 2483968..56b5024 100644
--- a/contrib/apparmor/usr.bin.pasta
+++ b/contrib/apparmor/usr.bin.pasta
@@ -11,7 +11,7 @@
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
-abi <abi/3.0>,
+abi <abi/4.0>,
include <tunables/global>
diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
index bcbe1f7..38b06b0 100644
--- a/contrib/fedora/passt.spec
+++ b/contrib/fedora/passt.spec
@@ -37,7 +37,7 @@ requiring any capabilities or privileges.
%package selinux
BuildArch: noarch
Summary: SELinux support for passt and pasta
-%if 0%{?fedora} >= 43
+%if 0%{?fedora} > 43
BuildRequires: selinux-policy-devel
%selinux_requires_min
%else
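Review bot: The condition moves from `%if 0%{?fedora} >= 43` to `%if 0%{?fedora} > 43` with no comment, so Fedora 43 now silently falls into the legacy `%else` branch and a later maintainer cannot tell whether that is a deliberate workaround (presumably `selinux-policy-devel`/`%selinux_requires_min` not being usable on F43) or an off-by-one. A one-line comment above the `%if` naming the reason and the release that fixed it, e.g. `# %selinux_requires_min is only usable from Fedora 44 on; F43 keeps the explicit Requires below`, would make the boundary verifiable when it is next bumped. The `%else` branch and its Requires lines are outside this hunk.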
diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te
index 95fe42a..fb51416 100644
--- a/contrib/selinux/pasta.te
+++ b/contrib/selinux/pasta.te
@@ -149,7 +149,7 @@ allow pasta_t root_t:dir mounton;
manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
files_pid_filetrans(pasta_t, pasta_pid_t, file)
-allow pasta_t user_tmp_t:dir { add_name remove_name search write };
+allow pasta_t user_tmp_t:dir { add_name open read remove_name search watch write };
allow pasta_t user_tmp_t:fifo_file append;
allow pasta_t user_tmp_t:file { create open write };
allow pasta_t user_tmp_t:sock_file { create unlink };
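Review bot: Adding `open read watch` to the `user_tmp_t:dir` rule lets pasta_t enumerate and inotify-watch any directory labelled user_tmp_t (in the reference policy that covers a user's runtime and tmp directories, not only the netns directory pasta uses), which is a noticeably wider grant than the add_name/remove_name it previously had, and the rule carries no comment saying which code path needs the watch. I would document it inline, e.g. `# read/watch: needed to wait for the netns directory to appear (verify call site)`, and check whether the watch can instead sit on the narrower `ifconfig_var_run_t` that the type_transition rules below assign to the netns directories. The surrounding allow list continues outside this hunk.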
@@ -249,7 +249,9 @@ type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "netns";
type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
type_transition container_runtime_t container_var_run_t : dir ifconfig_var_run_t "rootless-netns";
+allow pasta_t container_var_run_t:dir { add_name open rmdir write };
allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
+allow pasta_t container_var_run_t:file { create open write };
allow pasta_t ifconfig_var_run_t:file { create open write };
allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;