commit:     2f03c3cca1ba622b2378892fadbce31ea5cfb317
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon May 16 15:28:49 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2f03c3cc

podman: rework conmon rules

Use a template to generate conmon domains and add a common attribute for
them. This is so that domains that use conmon can execute it and have
conmon transition back to the original domain instead of to the generic
podman domain. This is used by CRI-O, for example.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/podman.fc |   2 +-
 policy/modules/services/podman.if |  96 +++++++++++++++-------
 policy/modules/services/podman.te | 166 +++++++++++++-------------------------
 3 files changed, 128 insertions(+), 136 deletions(-)

diff --git a/policy/modules/services/podman.fc 
b/policy/modules/services/podman.fc
index ece2d0dc..31c45273 100644
--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1,2 +1,2 @@
 /usr/bin/podman        --      gen_context(system_u:object_r:podman_exec_t,s0)
-/usr/bin/conmon        --      
gen_context(system_u:object_r:podman_conmon_exec_t,s0)
+/usr/bin/conmon        --      gen_context(system_u:object_r:conmon_exec_t,s0)

diff --git a/policy/modules/services/podman.if 
b/policy/modules/services/podman.if
index 626af3af..09b4f031 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -1,5 +1,47 @@
 ## <summary>Policy for podman</summary>
 
+########################################
+## <summary>
+##     Template for conmon domains.
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     Prefix for generated types.
+##     </summary>
+## </param>
+## <param name="source_domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+template(`podman_conmon_domain_template',`
+       gen_require(`
+               attribute conmon_domain;
+               type conmon_exec_t;
+       ')
+
+       type $1_conmon_t, conmon_domain;
+       application_domain($1_conmon_t, conmon_exec_t)
+
+       domtrans_pattern($2, conmon_exec_t, $1_conmon_t)
+
+       allow $2 $1_conmon_t:process signull;
+       allow $2 $1_conmon_t:fifo_file setattr;
+       allow $2 $1_conmon_t:unix_stream_socket { connectto 
rw_stream_socket_perms };
+
+       allow $1_conmon_t $2:tcp_socket rw_stream_socket_perms;
+       allow $1_conmon_t $2:unix_stream_socket rw_stream_socket_perms;
+       allow $1_conmon_t $2:unix_dgram_socket rw_socket_perms;
+       ps_process_pattern($1_conmon_t, $2)
+
+       corecmd_search_bin($1_conmon_t)
+       # conmon will execute crun/runc to create the container,
+       # so transition back to the source domain when creating it
+       container_generic_engine_domtrans($1_conmon_t, $2)
+       container_engine_executable_entrypoint($2)
+')
+
 ########################################
 ## <summary>
 ##     Execute podman in the podman domain.
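Review bot: The template's documentation does not say what it generates: that the new domain is named `$1_conmon_t`, that it carries the `conmon_domain` attribute, or that `$2` is also the domain conmon transitions back into through `container_generic_engine_domtrans` — a caller such as CRI-O needs that to choose a prefix and to understand what the second argument receives. I would expand the `prefix` summary to `Prefix for generated types; the generated domain is $1_conmon_t and has the conmon_domain attribute.` and the `source_domain` summary to `Domain allowed to transition to the conmon domain; conmon transitions back to this domain when it executes the OCI runtime.` Since `conmon_exec_t` is now shared by every conmon domain, one source domain can carry only one default type_transition on it, so a domain instantiated with this template presumably must not also call `podman_domtrans_conmon()`; a sentence in the template's summary saying so would likely save a conflicting-rule build error later.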
@@ -96,7 +138,7 @@ interface(`podman_run_user',`
 
 ########################################
 ## <summary>
-##     Execute conmon in the conmon domain.
+##     Execute conmon in the podman conmon domain.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -106,18 +148,18 @@ interface(`podman_run_user',`
 #
 interface(`podman_domtrans_conmon',`
        gen_require(`
-               type podman_conmon_t, podman_conmon_exec_t;
+               type podman_conmon_t, conmon_exec_t;
        ')
 
        corecmd_search_bin($1)
-       domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_t)
+       domtrans_pattern($1, conmon_exec_t, podman_conmon_t)
 ')
 
 ########################################
 ## <summary>
-##     Execute conmon in the conmon domain,
-##     and allow the specified role the
-##     conmon domain.
+##     Execute conmon in the podman conmon
+##     domain, and allow the specified role
+##     the podman conmon domain.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -142,8 +184,8 @@ interface(`podman_run_conmon',`
 
 ########################################
 ## <summary>
-##     Execute conmon in the conmon user
-##     domain (rootless podman).
+##     Execute conmon in the podman conmon
+##     user domain (rootless podman).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -153,19 +195,19 @@ interface(`podman_run_conmon',`
 #
 interface(`podman_domtrans_conmon_user',`
        gen_require(`
-               type podman_conmon_user_t, podman_conmon_exec_t;
+               type podman_user_conmon_t, conmon_exec_t;
        ')
 
        corecmd_search_bin($1)
-       domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_user_t)
+       domtrans_pattern($1, conmon_exec_t, podman_user_conmon_t)
 ')
 
 ########################################
 ## <summary>
-##     Execute conmon in the conmon user
-##     domain, and allow the specified role
-##     the conmon user domain (rootless
-##     podman).
+##     Execute conmon in the podman conmon
+##     user domain, and allow the specified
+##     role the podman conmon user domain
+##     (rootless podman).
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -180,10 +222,10 @@ interface(`podman_domtrans_conmon_user',`
 #
 interface(`podman_run_conmon_user',`
        gen_require(`
-               type podman_conmon_user_t;
+               type podman_user_conmon_t;
        ')
 
-       role $2 types podman_conmon_user_t;
+       role $2 types podman_user_conmon_t;
 
        podman_domtrans_conmon_user($1)
 ')
@@ -206,20 +248,20 @@ interface(`podman_run_conmon_user',`
 #
 interface(`podman_spec_rangetrans_conmon',`
        gen_require(`
-               type podman_conmon_exec_t;
+               type conmon_exec_t;
        ')
 
        ifdef(`enable_mcs',`
-               range_transition $1 podman_conmon_exec_t:process $2;
+               range_transition $1 conmon_exec_t:process $2;
        ')
        ifdef(`enable_mls',`
-               range_transition $1 podman_conmon_exec_t:process $2;
+               range_transition $1 conmon_exec_t:process $2;
        ')
 ')
 
 ########################################
 ## <summary>
-##     Read and write conmon unnamed pipes.
+##     Read and write podman conmon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -230,17 +272,17 @@ interface(`podman_spec_rangetrans_conmon',`
 interface(`podman_rw_conmon_pipes',`
        gen_require(`
                type podman_conmon_t;
-               type podman_conmon_user_t;
+               type podman_user_conmon_t;
        ')
 
        allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
-       allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+       allow $1 podman_user_conmon_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##     Allow the specified domain to inherit
-##     file descriptors from conmon.
+##     file descriptors from podman conmon.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -251,11 +293,11 @@ interface(`podman_rw_conmon_pipes',`
 interface(`podman_use_conmon_fds',`
        gen_require(`
                type podman_conmon_t;
-               type podman_conmon_user_t;
+               type podman_user_conmon_t;
        ')
 
        allow $1 podman_conmon_t:fd use;
-       allow $1 podman_conmon_user_t:fd use;
+       allow $1 podman_user_conmon_t:fd use;
 ')
 
 ########################################
@@ -288,7 +330,7 @@ interface(`podman_use_conmon_fds',`
 template(`podman_user_role',`
        gen_require(`
                type podman_user_t;
-               type podman_conmon_user_t;
+               type podman_user_conmon_t;
        ')
 
        podman_run_user($3, $4)
@@ -300,7 +342,7 @@ template(`podman_user_role',`
 
        optional_policy(`
                systemd_user_app_status($1, podman_user_t)
-               systemd_user_app_status($1, podman_conmon_user_t)
+               systemd_user_app_status($1, podman_user_conmon_t)
        ')
 ')
 

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index bb0f67bd..aef0fac9 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -21,31 +21,26 @@ container_user_engine(podman_user_t)
 userdom_user_application_domain(podman_user_t, podman_exec_t)
 mls_trusted_object(podman_user_t)
 
-type podman_conmon_t;
-type podman_conmon_exec_t;
-application_domain(podman_conmon_t, podman_conmon_exec_t)
+attribute conmon_domain;
+type conmon_exec_t;
+
+podman_conmon_domain_template(podman, podman_t)
 role system_r types podman_conmon_t;
 
-type podman_conmon_user_t;
-userdom_user_application_domain(podman_conmon_user_t, podman_conmon_exec_t)
+podman_conmon_domain_template(podman_user, podman_user_t)
+userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
 
 ########################################
 #
 # Podman local policy
 #
 
-allow podman_t podman_conmon_t:process { setsched signull };
-allow podman_t podman_conmon_t:fifo_file setattr;
-allow podman_t podman_conmon_t:unix_stream_socket { connectto 
rw_stream_socket_perms };
-
-container_engine_executable_entrypoint(podman_t)
+allow podman_t podman_conmon_t:process setsched;
 
 # podman 4.0.0 now creates OCI networking configs
 container_create_config_files(podman_t)
 container_write_config_files(podman_t)
 
-domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
-
 logging_send_syslog_msg(podman_t)
 
 userdom_list_user_home_content(podman_t)
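Review bot: `podman_conmon_domain_template(podman_user, podman_user_t)` already declares `podman_user_conmon_t` with `application_domain(podman_user_conmon_t, conmon_exec_t)`, and the following line associates the same exec type again through `userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)`. If the second call is there only to give the rootless domain the user application domain attributes, a comment such as `# rootless conmon additionally needs the user application domain attributes` above it would make clear the double declaration is deliberate rather than a leftover from the pre-template layout. The rootless section header and the `role` statement for the root domain look consistent with the old layout.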
@@ -90,14 +85,6 @@ ifdef(`init_systemd',`
 # Rootless Podman local policy
 #
 
-allow podman_user_t podman_conmon_user_t:process signull;
-allow podman_user_t podman_conmon_user_t:fifo_file setattr;
-allow podman_user_t podman_conmon_user_t:unix_stream_socket { connectto 
rw_stream_socket_perms };
-
-container_engine_executable_entrypoint(podman_user_t)
-
-domtrans_pattern(podman_user_t, podman_conmon_exec_t, podman_conmon_user_t)
-
 # required by slirp4netns
 files_mounton_etc_dirs(podman_user_t)
 # required by slirp4netns
@@ -154,50 +141,58 @@ ifdef(`init_systemd',`
        systemd_watch_journal_dirs(podman_user_t)
 ')
 
+
 ########################################
 #
-# conmon local policy
+# common conmon local policy
 #
 
-allow podman_conmon_t self:process signal;
-allow podman_conmon_t self:capability { dac_override dac_read_search 
sys_ptrace sys_resource };
-allow podman_conmon_t self:cap_userns sys_ptrace;
-allow podman_conmon_t self:fifo_file { rw_fifo_file_perms setattr };
-allow podman_conmon_t self:unix_dgram_socket create_socket_perms;
-dontaudit podman_conmon_t self:capability net_admin;
+allow conmon_domain self:process signal;
+allow conmon_domain self:cap_userns sys_ptrace;
+allow conmon_domain self:fifo_file { rw_fifo_file_perms setattr };
+allow conmon_domain self:unix_dgram_socket create_socket_perms;
 
-# conmon will execute crun/runc to create the container
-container_generic_engine_domtrans(podman_conmon_t, podman_t)
-podman_domtrans(podman_conmon_t)
+domain_use_interactive_fds(conmon_domain)
 
-allow podman_conmon_t podman_t:tcp_socket rw_stream_socket_perms;
-allow podman_conmon_t podman_t:unix_stream_socket rw_stream_socket_perms;
-allow podman_conmon_t podman_t:unix_dgram_socket rw_socket_perms;
-ps_process_pattern(podman_conmon_t, podman_t)
+fs_getattr_cgroup(conmon_domain)
+fs_search_cgroup_dirs(conmon_domain)
+fs_read_cgroup_files(conmon_domain)
+fs_watch_cgroup_files(conmon_domain)
 
-domain_use_interactive_fds(podman_conmon_t)
+fs_getattr_tmpfs(conmon_domain)
+fs_getattr_xattr_fs(conmon_domain)
 
-fs_getattr_cgroup(podman_conmon_t)
-fs_search_cgroup_dirs(podman_conmon_t)
-fs_read_cgroup_files(podman_conmon_t)
-fs_watch_cgroup_files(podman_conmon_t)
+logging_send_syslog_msg(conmon_domain)
 
-fs_getattr_tmpfs(podman_conmon_t)
-fs_getattr_xattr_fs(podman_conmon_t)
+miscfiles_read_localization(conmon_domain)
 
-init_rw_inherited_stream_socket(podman_conmon_t)
-init_use_fds(podman_conmon_t)
+userdom_use_user_ptys(conmon_domain)
 
-logging_send_syslog_msg(podman_conmon_t)
+# to send/receive data from container ttys
+container_rw_chr_files(conmon_domain)
 
-miscfiles_read_localization(podman_conmon_t)
+ifdef(`init_systemd',`
+       # conmon can read logs from containers which are
+       # sent to the system journal
+       logging_search_logs(conmon_domain)
+       systemd_list_journal_dirs(conmon_domain)
+       systemd_read_journal_files(conmon_domain)
+')
 
-userdom_use_user_ptys(podman_conmon_t)
+########################################
+#
+# podman conmon local policy
+#
 
-container_read_system_container_state(podman_conmon_t)
+allow podman_conmon_t self:capability { dac_override dac_read_search 
sys_ptrace sys_resource };
+dontaudit podman_conmon_t self:capability net_admin;
 
-# to send/receive data from container ttys
-container_rw_chr_files(podman_conmon_t)
+podman_domtrans(podman_conmon_t)
+
+init_rw_inherited_stream_socket(podman_conmon_t)
+init_use_fds(podman_conmon_t)
+
+container_read_system_container_state(podman_conmon_t)
 
 container_manage_runtime_files(podman_conmon_t)
 container_manage_runtime_fifo_files(podman_conmon_t)
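Review bot: The blank line added at the top of this hunk leaves two consecutive blank lines before the `common conmon local policy` header, whereas the other section headers in this file are preceded by a single blank line; drop the added line. The split of rules between `conmon_domain` and `podman_conmon_t` otherwise matches the old two-domain layout as far as this hunk shows: the capability allow and the `net_admin` dontaudit that only the root domain had stay on `podman_conmon_t`, and the journal rules that both domains had move under the attribute.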
@@ -217,12 +212,6 @@ ifdef(`init_systemd',`
        init_start_transient_units(podman_conmon_t)
        init_start_system(podman_conmon_t)
        init_stop_system(podman_conmon_t)
-
-       # conmon can read logs from containers which are
-       # sent to the system journal
-       logging_search_logs(podman_conmon_t)
-       systemd_list_journal_dirs(podman_conmon_t)
-       systemd_read_journal_files(podman_conmon_t)
 ')
 
 optional_policy(`
@@ -231,62 +220,23 @@ optional_policy(`
 
 ########################################
 #
-# Rootless conmon local policy
+# Rootless podman conmon local policy
 #
 
-allow podman_conmon_user_t self:process signal;
-allow podman_conmon_user_t self:cap_userns sys_ptrace;
-allow podman_conmon_user_t self:fifo_file { rw_fifo_file_perms setattr };
-allow podman_conmon_user_t self:unix_dgram_socket create_socket_perms;
-
-ps_process_pattern(podman_conmon_user_t, podman_user_t)
-allow podman_conmon_user_t podman_user_t:process signal;
-allow podman_conmon_user_t podman_user_t:unix_stream_socket 
rw_stream_socket_perms;
-allow podman_conmon_user_t podman_user_t:unix_dgram_socket rw_socket_perms;
-
-# conmon will execute crun/runc to create the container
-container_generic_engine_domtrans(podman_conmon_user_t, podman_user_t)
-podman_domtrans_user(podman_conmon_user_t)
-
-domain_use_interactive_fds(podman_conmon_user_t)
+podman_domtrans_user(podman_user_conmon_t)
 
-fs_getattr_cgroup(podman_conmon_user_t)
-fs_search_cgroup_dirs(podman_conmon_user_t)
-fs_read_cgroup_files(podman_conmon_user_t)
-fs_watch_cgroup_files(podman_conmon_user_t)
+container_read_user_container_state(podman_user_conmon_t)
 
-fs_getattr_tmpfs(podman_conmon_user_t)
-fs_getattr_xattr_fs(podman_conmon_user_t)
+userdom_search_user_home_dirs(podman_user_conmon_t)
+xdg_search_data_dirs(podman_user_conmon_t)
+container_manage_home_data_files(podman_user_conmon_t)
+container_manage_home_data_fifo_files(podman_user_conmon_t)
+container_manage_home_data_sock_files(podman_user_conmon_t)
 
-logging_send_syslog_msg(podman_conmon_user_t)
+userdom_search_user_runtime_root(podman_user_conmon_t)
+userdom_search_user_runtime(podman_user_conmon_t)
+container_manage_user_runtime_files(podman_user_conmon_t)
 
-miscfiles_read_localization(podman_conmon_user_t)
-
-userdom_use_user_ptys(podman_conmon_user_t)
-
-container_read_user_container_state(podman_conmon_user_t)
-
-# to send/receive data from container ttys
-container_rw_chr_files(podman_conmon_user_t)
-
-userdom_search_user_home_dirs(podman_conmon_user_t)
-xdg_search_data_dirs(podman_conmon_user_t)
-container_manage_home_data_files(podman_conmon_user_t)
-container_manage_home_data_fifo_files(podman_conmon_user_t)
-container_manage_home_data_sock_files(podman_conmon_user_t)
-
-userdom_search_user_runtime_root(podman_conmon_user_t)
-userdom_search_user_runtime(podman_conmon_user_t)
-container_manage_user_runtime_files(podman_conmon_user_t)
-
-container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
-container_manage_engine_tmp_files(podman_conmon_user_t)
-container_manage_engine_tmp_sock_files(podman_conmon_user_t)
-
-ifdef(`init_systemd',`
-       # conmon can read logs from containers which are
-       # sent to the system journal
-       logging_search_logs(podman_conmon_user_t)
-       systemd_list_journal_dirs(podman_conmon_user_t)
-       systemd_read_journal_files(podman_conmon_user_t)
-')
+container_engine_tmp_filetrans(podman_user_conmon_t, { file sock_file })
+container_manage_engine_tmp_files(podman_user_conmon_t)
+container_manage_engine_tmp_sock_files(podman_user_conmon_t)
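Review bot: The rootless conmon domain silently loses `allow podman_conmon_user_t podman_user_t:process signal;`, which is removed near the top of this hunk, while the template in podman.if only grants `$1_conmon_t` ps_process_pattern and socket permissions toward `$2`, not process signal. If conmon still needs to signal the rootless podman process, restore it here as `allow podman_user_conmon_t podman_user_t:process signal;` or add the equivalent rule to the template so both domains get it; if dropping it is intentional, the commit message should say so. Everything else removed in this hunk appears to be covered by the attribute rules in the common section or by the template.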
