From 91a3eeac8fac333af4997f9fe5e5c7f454c7f336 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 17 May 2017 12:12:12 -0400
Subject: [PATCH] Define getrlimit permission for class process

This permission was added to the kernel in commit 791ec491c372
("prlimit,security,selinux: add a security hook for prlimit")
circa Linux 4.12 in order to control the ability to get the resource
limits of another process.  It is only checked when acting on another
process, so it is not required for getrlimit(2), only for prlimit(2)
on another process.

Test:  Policy builds

Change-Id: Ic0079a341e959f1c5a3d045974df4b756fd4ab67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 private/access_vectors | 1 +
 1 file changed, 1 insertion(+)

diff --git a/private/access_vectors b/private/access_vectors
index c4f13bb2c..0e2cf21e4 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -316,6 +316,7 @@ class process
 	execheap
 	setkeycreate
 	setsockcreate
+	getrlimit
 }
 
 
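Review bot: Adding `getrlimit` to `class process` defines the permission but grants it to no domain, and the only test listed is that the policy builds. Once the permission is defined, a kernel carrying the prlimit hook checks it against the policy's allow rules, so any domain that reads another process's limits through prlimit(2) would be denied in enforcing mode. Before relying on this, boot a kernel with the hook and review the audit log for `getrlimit` denials. Then grant it only where needed, in the form `allow <source_domain> <target_domain>:process getrlimit;`, rather than through a broad attribute. The `class process` body begins outside this hunk, so this note covers only the appended line.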
-- 
GitLab