commit:     01b153cb47331dc2ba354100c74acb4e37393fc1
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 18:44:24 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=01b153cb

container, podman: allow containers to interact with conmon

Allow containers to use inherited conmon file descriptors and read and
write unnamed conmon pipes.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te |  5 +++++
 policy/modules/services/podman.if    | 41 ++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index d5f79b15..3d623229 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -248,6 +248,11 @@ tunable_policy(`container_use_samba',`
        fs_exec_cifs_files(container_domain)
 ')
 
+optional_policy(`
+       podman_rw_conmon_pipes(container_domain)
+       podman_use_conmon_fds(container_domain)
+')
+
 optional_policy(`
        udev_read_runtime_files(container_domain)
 ')
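Review bot: The new optional_policy block grants every domain carrying the `container_domain` attribute read/write on conmon-labelled pipes and fd use for both `podman_conmon_t` and `podman_conmon_user_t`, with no tunable gating it, so the grant is as wide as the attribute; that is presumably intended, since the commit message says containers need conmon's inherited fds and pipes, but nothing in the file says why. A one-line comment above the block would record the reason for the next reader, e.g. `# containers use fds and stdio pipes inherited from conmon`. The tunable_policy block for container_use_samba that precedes it starts outside the hunk.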

diff --git a/policy/modules/services/podman.if 
b/policy/modules/services/podman.if
index 3d03884e..7523e33d 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -188,6 +188,47 @@ interface(`podman_run_conmon_user',`
        podman_domtrans_conmon_user($1)
 ')
 
+########################################
+## <summary>
+##     Read and write conmon unnamed pipes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`podman_rw_conmon_pipes',`
+       gen_require(`
+               type podman_conmon_t;
+               type podman_conmon_user_t;
+       ')
+
+       allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
+       allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     Allow the specified domain to inherit
+##     file descriptors from conmon.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`podman_use_conmon_fds',`
+       gen_require(`
+               type podman_conmon_t;
+               type podman_conmon_user_t;
+       ')
+
+       allow $1 podman_conmon_t:fd use;
+       allow $1 podman_conmon_user_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##     Role access for rootless podman.
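Review bot: The summaries of the two new interfaces understate what they grant: `podman_rw_conmon_pipes` allows rw_fifo_file_perms on every `fifo_file` labelled `podman_conmon_t` or `podman_conmon_user_t` — presumably any unnamed pipe conmon creates, not only the ones handed to a container — and neither summary mentions that both the root and the rootless conmon type are covered (rootless inferred from the neighbouring `podman_run_conmon_user` and "Role access for rootless podman" text). The `podman_use_conmon_fds` summary "inherit file descriptors" also reads narrower than `fd:use`, which is checked whenever the domain uses a conmon-created descriptor, inherited or passed; refpolicy's usual wording is `##     Inherit and use file descriptors from conmon.` I would extend the first summary to `##     Read and write unnamed pipes created by conmon (root and rootless).` and the second as quoted above, keeping the existing `<param>` blocks.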
