commit: 01b153cb47331dc2ba354100c74acb4e37393fc1 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Thu Mar 31 18:44:24 2022 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Apr 9 19:28:30 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=01b153cb
container, podman: allow containers to interact with conmon
Allow containers to use inherited conmon file descriptors and read and write unnamed conmon pipes.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/container.te | 5 +++++
policy/modules/services/podman.if | 41 ++++++++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index d5f79b15..3d623229 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -248,6 +248,11 @@ tunable_policy(`container_use_samba',`
 fs_exec_cifs_files(container_domain)
 ')
 
+optional_policy(`
+ podman_rw_conmon_pipes(container_domain)
+ podman_use_conmon_fds(container_domain)
+')
+
 optional_policy(`
 udev_read_runtime_files(container_domain)
 ')
diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
index 3d03884e..7523e33d 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
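Review bot: The new optional_policy block hands both conmon interfaces to every type carrying the container_domain attribute, with no tunable, so root and rootless containers alike get pipe and fd access to both podman_conmon_t and podman_conmon_user_t at once. That is presumably intended, since the commit message says conmon is the source of the inherited descriptors and unnamed pipes, but nothing in the .te records why containers need it, and the block reads like any other module dependency. A short comment above it would keep the reason with the rule: `# conmon hands the container its stdio pipes as inherited fds`.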
@@ -188,6 +188,47 @@ interface(`podman_run_conmon_user',`
 podman_domtrans_conmon_user($1)
 ')
 
+########################################
+## <summary>
+## Read and write conmon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`podman_rw_conmon_pipes',`
+ gen_require(`
+ type podman_conmon_t;
+ type podman_conmon_user_t;
+ ')
+
+ allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
+ allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to inherit
+## file descriptors from conmon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`podman_use_conmon_fds',`
+ gen_require(`
+ type podman_conmon_t;
+ type podman_conmon_user_t;
+ ')
+
+ allow $1 podman_conmon_t:fd use;
+ allow $1 podman_conmon_user_t:fd use;
+')
+
 ########################################
 ## <summary>
 ## Role access for rootless podman.
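Review bot: `podman_rw_conmon_pipes` documents itself as access to conmon's unnamed pipes, but the two allow rules use `rw_fifo_file_perms`, which also carries `open`; `open` only matters for a named fifo on a filesystem and is never exercised on a pipe that arrives as an inherited descriptor. The narrower set matches the summary and the `fd use` grants in `podman_use_conmon_fds`: `allow $1 podman_conmon_t:fifo_file rw_inherited_fifo_file_perms;` and `allow $1 podman_conmon_user_t:fifo_file rw_inherited_fifo_file_perms;`. If containers are actually expected to open named fifos belonging to conmon, the `<summary>` should say so rather than "unnamed pipes", so the wider grant is visible to anyone auditing the interface.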