diff options
author | Kenton Groombridge <concord@gentoo.org> | 2024-05-06 16:14:04 -0400 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:41:39 -0400 |
commit | 30142b2d3d2fbe3e30c81bd7463e8bb8e4f1752d (patch) | |
tree | 23245d3e48e0dacac0c781fa8c68be970fe884b2 | |
parent | userdom: allow users to read user home dir symlinks (diff) | |
download | hardened-refpolicy-30142b2d3d2fbe3e30c81bd7463e8bb8e4f1752d.tar.gz hardened-refpolicy-30142b2d3d2fbe3e30c81bd7463e8bb8e4f1752d.tar.bz2 hardened-refpolicy-30142b2d3d2fbe3e30c81bd7463e8bb8e4f1752d.zip |
postgres: add a standalone execmem tunable
Add a separate tunable to allow Postgres to use execmem. This is to
support JIT in the Postgres server without enabling it for the entire
system.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/services/postgresql.te | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 810fb0ed..7eec1b66 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -20,6 +20,13 @@ gen_require(` ## <desc> ## <p> +## Allow postgresql to map memory regions as both executable and writable (e.g. for JIT). +## </p> +## </desc> +gen_tunable(psql_allow_execmem, false) + +## <desc> +## <p> ## Allow unprived users to execute DDL statement ## </p> ## </desc> @@ -363,7 +370,7 @@ optional_policy(` mta_getattr_spool(postgresql_t) ') -tunable_policy(`allow_execmem',` +tunable_policy(`allow_execmem || psql_allow_execmem',` allow postgresql_t self:process execmem; ') |