commit: 12977dbcd922fd1bc6175ed523033d08133e7718
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Dec 31 19:47:00 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=12977dbc
container, podman: add policy for conmon
Make conmon run in a separate domain and allow podman types to
transition to it.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/container.if | 406 +++++++++++++++++++++++++++++++++++
policy/modules/services/podman.fc | 1 +
policy/modules/services/podman.if | 98 +++++++++
policy/modules/services/podman.te | 162 +++++++++++++-
4 files changed, 665 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/container.if
b/policy/modules/services/container.if
index 92b5a2f7..1c1950c7 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -356,6 +356,52 @@ interface(`container_engine_executable_file',`
application_executable_file($1)
')
+########################################
+## <summary>
+## Execute a generic container engine
+## executable with an automatic transition
+## to a private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`container_generic_engine_domtrans',`
+ gen_require(`
+ type container_engine_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, container_engine_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Allow the generic container engine
+## executables to be an entrypoint
+## for the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_engine_executable_entrypoint',`
+ gen_require(`
+ type container_engine_exec_t;
+ ')
+
+ allow $1 container_engine_exec_t:file entrypoint;
+')
+
########################################
## <summary>
## Send and receive messages from
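Review bot: `container_engine_executable_entrypoint` grants the bare `entrypoint` permission where refpolicy's conventional form is `domain_entry_file($1, container_engine_exec_t)`, which also tags the type with the `entry_type` attribute and grants the mmap/execute permissions an entry point needs; as far as I recall `domtrans_pattern` alone does not grant `entrypoint`, which is presumably why this interface exists. Replacing the `allow` line with `domain_entry_file($1, container_engine_exec_t)` keeps the interface one line long. The summary of `container_generic_engine_domtrans` could also state that the target domain must separately be allowed `entrypoint` on `container_engine_exec_t` (for example via this interface), otherwise the transition is denied.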
@@ -377,6 +423,115 @@ interface(`container_engine_dbus_chat',`
allow container_engine_domain $1:dbus send_msg;
')
+########################################
+## <summary>
+## Allow the specified domain to manage
+## container engine temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_engine_tmp_files',`
+ gen_require(`
+ type container_engine_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 container_engine_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## container engine temporary named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_engine_tmp_sock_files',`
+ gen_require(`
+ type container_engine_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 container_engine_tmp_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to create
+## objects in generic temporary directories
+## with an automatic type transition to
+## the container engine temporary file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`container_engine_tmp_filetrans',`
+ gen_require(`
+ type container_engine_tmp_t;
+ ')
+
+ files_tmp_filetrans($1, container_engine_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid)
+## of all system containers.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_read_system_container_state',`
+ gen_require(`
+ attribute container_system_domain;
+ ')
+
+ ps_process_pattern($1, container_system_domain)
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid)
+## of all user containers.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_read_user_container_state',`
+ gen_require(`
+ attribute container_user_domain;
+ ')
+
+ ps_process_pattern($1, container_user_domain)
+')
+
########################################
## <summary>
## All of the permissions necessary
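Review bot: `container_manage_engine_tmp_files` and `container_manage_engine_tmp_sock_files` use a raw `allow $1 container_engine_tmp_t:file manage_file_perms;` (and the `sock_file` equivalent) while every other manage interface added in this commit uses the `manage_*_pattern` macros, e.g. `manage_files_pattern($1, container_engine_tmp_t, container_engine_tmp_t)`; the pattern form also grants the directory permissions needed to create and unlink entries should the engine ever place these objects under a `container_engine_tmp_t` directory rather than directly in the generic tmp directory. If only direct children of `/tmp` are intended, a one-line comment in each interface saying so would make the deviation deliberate. `container_rw_chr_files` in the next hunk has the same shape; `rw_chr_files_pattern($1, container_file_t, container_file_t)` is the matching idiom there.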
@@ -611,6 +766,25 @@ interface(`container_manage_sock_files',`
manage_sock_files_pattern($1, container_file_t, container_file_t)
')
+########################################
+## <summary>
+## Allow the specified domain to read
+## and write container chr files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_rw_chr_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:chr_file rw_chr_file_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to read
@@ -701,6 +875,65 @@ interface(`container_config_home_filetrans',`
xdg_config_filetrans($1, container_conf_home_t, $2, $3)
')
+########################################
+## <summary>
+## Allow the specified domain to
+## manage container data home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_home_data_files',`
+ gen_require(`
+ type container_data_home_t;
+ ')
+
+ manage_files_pattern($1, container_data_home_t, container_data_home_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
+## manage container data home named
+## pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_home_data_fifo_files',`
+ gen_require(`
+ type container_data_home_t;
+ ')
+
+ manage_fifo_files_pattern($1, container_data_home_t,
container_data_home_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to
+## manage container data home named
+## sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_home_data_sock_files',`
+ gen_require(`
+ type container_data_home_t;
+ ')
+
+ manage_sock_files_pattern($1, container_data_home_t,
container_data_home_t)
+')
+
########################################
## <summary>
## Allow the specified domain to
@@ -760,6 +993,179 @@ interface(`container_getattr_fs',`
allow $1 container_file_t:filesystem getattr;
')
+########################################
+## <summary>
+## Allow the specified domain to search
+## runtime container directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_search_runtime',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ allow $1 container_runtime_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## runtime container files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_runtime_files',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ manage_files_pattern($1, container_runtime_t, container_runtime_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## runtime container named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_runtime_fifo_files',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ manage_fifo_files_pattern($1, container_runtime_t, container_runtime_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## runtime container named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_runtime_sock_files',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ manage_sock_files_pattern($1, container_runtime_t, container_runtime_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## user runtime container files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_user_runtime_files',`
+ gen_require(`
+ type container_user_runtime_t;
+ ')
+
+ manage_files_pattern($1, container_user_runtime_t,
container_user_runtime_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to search
+## container directories in /var/lib.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_search_var_lib',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 container_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## container files in /var/lib.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_var_lib_files',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ manage_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## container named pipes in /var/lib.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_var_lib_fifo_files',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ manage_fifo_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## container named sockets in /var/lib.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_var_lib_sock_files',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
########################################
## <summary>
## All of the rules required to
diff --git a/policy/modules/services/podman.fc
b/policy/modules/services/podman.fc
index fbf11fed..ece2d0dc 100644
--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1 +1,2 @@
/usr/bin/podman -- gen_context(system_u:object_r:podman_exec_t,s0)
+/usr/bin/conmon --
gen_context(system_u:object_r:podman_conmon_exec_t,s0)
diff --git a/policy/modules/services/podman.if
b/policy/modules/services/podman.if
index a57ca9dc..3d03884e 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -94,6 +94,100 @@ interface(`podman_run_user',`
podman_domtrans_user($1)
')
+########################################
+## <summary>
+## Execute conmon in the conmon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`podman_domtrans_conmon',`
+ gen_require(`
+ type podman_conmon_t, podman_conmon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_t)
+')
+
+########################################
+## <summary>
+## Execute conmon in the conmon domain,
+## and allow the specified role the
+## conmon domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the conmon domain.
+## </summary>
+## </param>
+#
+interface(`podman_run_conmon',`
+ gen_require(`
+ type podman_conmon_t;
+ ')
+
+ role $2 types podman_conmon_t;
+
+ podman_domtrans_conmon($1)
+')
+
+########################################
+## <summary>
+## Execute conmon in the conmon user
+## domain (rootless podman).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`podman_domtrans_conmon_user',`
+ gen_require(`
+ type podman_conmon_user_t, podman_conmon_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_user_t)
+')
+
+########################################
+## <summary>
+## Execute conmon in the conmon user
+## domain, and allow the specified role
+## the conmon user domain (rootless
+## podman).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the conmon domain.
+## </summary>
+## </param>
+#
+interface(`podman_run_conmon_user',`
+ gen_require(`
+ type podman_conmon_user_t;
+ ')
+
+ role $2 types podman_conmon_user_t;
+
+ podman_domtrans_conmon_user($1)
+')
+
########################################
## <summary>
## Role access for rootless podman.
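Review bot: The `role` parameter summary in `podman_run_conmon_user` reads `The role to be allowed the conmon domain.` but the interface grants `podman_conmon_user_t`; it should read `The role to be allowed the conmon user domain.` to match the interface summary above it. It may also be worth noting in the summaries of `podman_domtrans_conmon` and `podman_domtrans_conmon_user` that both place a `type_transition` on `podman_conmon_exec_t` for the calling domain, so a given domain must be given one or the other and not both, since the policy compiler rejects conflicting type transitions; this mirrors the constraint that presumably already applies to `podman_domtrans` and `podman_domtrans_user`.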
@@ -124,9 +218,11 @@ interface(`podman_run_user',`
template(`podman_user_role',`
gen_require(`
type podman_user_t;
+ type podman_conmon_user_t;
')
podman_run_user($3, $4)
+ podman_run_conmon_user($3, $4)
optional_policy(`
dbus_spec_session_bus_client($1, podman_user_t)
@@ -134,6 +230,7 @@ template(`podman_user_role',`
optional_policy(`
systemd_user_app_status($1, podman_user_t)
+ systemd_user_app_status($1, podman_conmon_user_t)
')
')
@@ -157,4 +254,5 @@ template(`podman_user_role',`
#
interface(`podman_admin',`
podman_run($1, $2)
+ podman_run_conmon($1, $2)
')
diff --git a/policy/modules/services/podman.te
b/policy/modules/services/podman.te
index 2bdd2f27..6efd2cd1 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -17,14 +17,30 @@ ifdef(`enable_mls',`
mls_trusted_object(podman_t)
container_engine_domain_template(podman_user)
+container_user_engine(podman_user_t)
application_domain(podman_user_t, podman_exec_t)
mls_trusted_object(podman_user_t)
+type podman_conmon_t;
+type podman_conmon_exec_t;
+application_domain(podman_conmon_t, podman_conmon_exec_t)
+
+type podman_conmon_user_t;
+application_domain(podman_conmon_user_t, podman_conmon_exec_t)
+
########################################
#
# Podman local policy
#
+allow podman_t podman_conmon_t:process { setsched signull };
+allow podman_t podman_conmon_t:fifo_file setattr;
+allow podman_t podman_conmon_t:unix_stream_socket { connectto
rw_stream_socket_perms };
+
+container_engine_executable_entrypoint(podman_t)
+
+domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
+
logging_send_syslog_msg(podman_t)
userdom_list_user_home_content(podman_t)
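Review bot: `container_engine_executable_entrypoint(podman_t)` makes the generic engine executable an entry point into `podman_t`, and nothing in this hunk says why; the reason only appears in the conmon section at the end of the file, where `container_generic_engine_domtrans(podman_conmon_t, podman_t)` runs the OCI runtime launched by conmon in `podman_t`. A comment here would keep the rule from being trimmed as unused later, e.g. `# crun/runc launched by conmon run in podman_t (see conmon local policy)`; the same applies to `container_engine_executable_entrypoint(podman_user_t)` in the rootless hunk. Note also that `podman_t` and `podman_user_t` carry `mls_trusted_object` while the new `podman_conmon_t` and `podman_conmon_user_t` do not; if conmon relays container stdio across levels on MLS builds it may need the same treatment, which is worth confirming.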
@@ -38,11 +54,11 @@ userdom_relabel_generic_user_home_files(podman_t)
container_config_home_filetrans(podman_t, dir)
container_manage_home_config(podman_t)
+container_manage_sock_files(podman_t)
+
ifdef(`init_systemd',`
init_dbus_chat(podman_t)
init_setsched(podman_t)
- init_get_generic_units_status(podman_t)
- init_start_generic_units(podman_t)
init_start_system(podman_t)
init_stop_system(podman_t)
@@ -58,6 +74,14 @@ ifdef(`init_systemd',`
# Rootless Podman local policy
#
+allow podman_user_t podman_conmon_user_t:process signull;
+allow podman_user_t podman_conmon_user_t:fifo_file setattr;
+allow podman_user_t podman_conmon_user_t:unix_stream_socket { connectto
rw_stream_socket_perms };
+
+container_engine_executable_entrypoint(podman_user_t)
+
+domtrans_pattern(podman_user_t, podman_conmon_exec_t, podman_conmon_user_t)
+
# required by slirp4netns
files_mounton_etc_dirs(podman_user_t)
# required by slirp4netns
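Review bot: `allow podman_user_t podman_conmon_user_t:process signull;` grants only `signull`, whereas the system-side rule added in the first hunk is `allow podman_t podman_conmon_t:process { setsched signull };`. If rootless podman never adjusts conmon's scheduling the asymmetry is fine but deserves a comment such as `# rootless podman does not setsched conmon`; otherwise the two rules should match. The rootless section this hunk belongs to continues beyond the hunk.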
@@ -110,3 +134,137 @@ ifdef(`init_systemd',`
systemd_list_journal_dirs(podman_user_t)
systemd_read_journal_files(podman_user_t)
')
+
+########################################
+#
+# conmon local policy
+#
+
+allow podman_conmon_t self:process signal;
+allow podman_conmon_t self:capability { dac_override dac_read_search
sys_ptrace sys_resource };
+allow podman_conmon_t self:cap_userns sys_ptrace;
+allow podman_conmon_t self:fifo_file { rw_fifo_file_perms setattr };
+allow podman_conmon_t self:unix_dgram_socket create_socket_perms;
+dontaudit podman_conmon_t self:capability net_admin;
+
+# conmon will execute crun/runc to create the container
+container_generic_engine_domtrans(podman_conmon_t, podman_t)
+podman_domtrans(podman_conmon_t)
+
+allow podman_conmon_t podman_t:tcp_socket rw_stream_socket_perms;
+allow podman_conmon_t podman_t:unix_stream_socket rw_stream_socket_perms;
+allow podman_conmon_t podman_t:unix_dgram_socket rw_socket_perms;
+ps_process_pattern(podman_conmon_t, podman_t)
+
+domain_use_interactive_fds(podman_conmon_t)
+
+fs_getattr_cgroup(podman_conmon_t)
+fs_search_cgroup_dirs(podman_conmon_t)
+fs_read_cgroup_files(podman_conmon_t)
+fs_watch_cgroup_files(podman_conmon_t)
+
+fs_getattr_tmpfs(podman_conmon_t)
+fs_getattr_xattr_fs(podman_conmon_t)
+
+logging_send_syslog_msg(podman_conmon_t)
+
+miscfiles_read_localization(podman_conmon_t)
+
+userdom_use_user_ptys(podman_conmon_t)
+
+container_read_system_container_state(podman_conmon_t)
+
+# to send/receive data from container ttys
+container_rw_chr_files(podman_conmon_t)
+
+container_manage_runtime_files(podman_conmon_t)
+container_manage_runtime_fifo_files(podman_conmon_t)
+container_manage_runtime_sock_files(podman_conmon_t)
+
+container_search_var_lib(podman_conmon_t)
+container_manage_var_lib_files(podman_conmon_t)
+container_manage_var_lib_fifo_files(podman_conmon_t)
+container_manage_var_lib_sock_files(podman_conmon_t)
+
+container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
+container_manage_engine_tmp_files(podman_conmon_t)
+container_manage_engine_tmp_sock_files(podman_conmon_t)
+
+ifdef(`init_systemd',`
+ init_get_generic_units_status(podman_conmon_t)
+ init_start_generic_units(podman_conmon_t)
+ init_start_system(podman_conmon_t)
+ init_stop_system(podman_conmon_t)
+
+ # conmon can read logs from containers which are
+ # sent to the system journal
+ logging_search_logs(podman_conmon_t)
+ systemd_list_journal_dirs(podman_conmon_t)
+ systemd_read_journal_files(podman_conmon_t)
+')
+
+optional_policy(`
+ iptables_domtrans(podman_conmon_t)
+')
+
+########################################
+#
+# Rootless conmon local policy
+#
+
+allow podman_conmon_user_t self:process signal;
+allow podman_conmon_user_t self:cap_userns sys_ptrace;
+allow podman_conmon_user_t self:fifo_file { rw_fifo_file_perms setattr };
+allow podman_conmon_user_t self:unix_dgram_socket create_socket_perms;
+
+ps_process_pattern(podman_conmon_user_t, podman_user_t)
+allow podman_conmon_user_t podman_user_t:process signal;
+allow podman_conmon_user_t podman_user_t:unix_stream_socket
rw_stream_socket_perms;
+allow podman_conmon_user_t podman_user_t:unix_dgram_socket rw_socket_perms;
+
+# conmon will execute crun/runc to create the container
+container_generic_engine_domtrans(podman_conmon_user_t, podman_user_t)
+podman_domtrans_user(podman_conmon_user_t)
+
+domain_use_interactive_fds(podman_conmon_user_t)
+
+fs_getattr_cgroup(podman_conmon_user_t)
+fs_search_cgroup_dirs(podman_conmon_user_t)
+fs_read_cgroup_files(podman_conmon_user_t)
+fs_watch_cgroup_files(podman_conmon_user_t)
+
+fs_getattr_tmpfs(podman_conmon_user_t)
+fs_getattr_xattr_fs(podman_conmon_user_t)
+
+logging_send_syslog_msg(podman_conmon_user_t)
+
+miscfiles_read_localization(podman_conmon_user_t)
+
+userdom_use_user_ptys(podman_conmon_user_t)
+
+container_read_user_container_state(podman_conmon_user_t)
+
+# to send/receive data from container ttys
+container_rw_chr_files(podman_conmon_user_t)
+
+userdom_search_user_home_dirs(podman_conmon_user_t)
+xdg_search_data_dirs(podman_conmon_user_t)
+container_manage_home_data_files(podman_conmon_user_t)
+container_manage_home_data_fifo_files(podman_conmon_user_t)
+container_manage_home_data_sock_files(podman_conmon_user_t)
+
+userdom_search_user_runtime_root(podman_conmon_user_t)
+userdom_search_user_runtime(podman_conmon_user_t)
+container_manage_user_runtime_files(podman_conmon_user_t)
+
+container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
+container_manage_engine_tmp_files(podman_conmon_user_t)
+container_manage_engine_tmp_sock_files(podman_conmon_user_t)
+
+ifdef(`init_systemd',`
+ # conmon can read logs from containers which are
+ # sent to the system journal
+ logging_search_logs(podman_conmon_user_t)
+ systemd_list_journal_dirs(podman_conmon_user_t)
+ systemd_read_journal_files(podman_conmon_user_t)
+')
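Review bot: `container_manage_runtime_files(podman_conmon_t)` and its fifo/sock companions are called without `container_search_runtime(podman_conmon_t)`, although that interface is added by this commit and the `/var/lib` block directly below does call `container_search_var_lib(podman_conmon_t)` first; `manage_files_pattern` grants directory permissions only on the named type, so conmon may be left without `search` on `/run` itself. Adding `container_search_runtime(podman_conmon_t)` above those three lines also mirrors the rootless side, which pairs `container_manage_user_runtime_files` with `userdom_search_user_runtime`. The `self:capability { dac_override dac_read_search sys_ptrace sys_resource }` rule has no why-comment; a note such as `# sys_ptrace: presumably for reading /proc/<pid> of container processes - confirm` would record the justification for the most powerful of these. Finally, `podman_domtrans(podman_conmon_t)` and `podman_domtrans_user(podman_conmon_user_t)` are uncommented while the neighbouring `container_generic_engine_domtrans` lines are; stating the reason alongside them (presumably the exit command conmon runs) would help the next reader.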