commit:     04b08d98853038ae67ee57607755fb8ac1b7f7a0
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Apr 27 22:47:57 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04b08d98

container: add unconfined role

Add a specific template for unconfined role access. This is mostly
identical to the user role, except that container engines run in the
caller's domain rather than in a separate engine domain.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 217 +++++++++++++++++++++++++++--------
 1 file changed, 171 insertions(+), 46 deletions(-)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index 07ef8873..bc4a12f4 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -130,7 +130,6 @@ interface(`container_user_engine',`
 #
 template(`container_base_role',`
        gen_require(`
-               type container_file_t, container_ro_file_t;
                type container_config_t;
        ')
 
@@ -143,19 +142,8 @@ template(`container_base_role',`
        files_search_etc($2)
        read_files_pattern($2, container_config_t, container_config_t)
 
-       allow $2 container_file_t:dir { manage_dir_perms relabel_dir_perms };
-       allow $2 container_file_t:file { manage_file_perms relabel_file_perms };
-       allow $2 container_file_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-       allow $2 container_file_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-       allow $2 container_file_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
-       allow $2 container_file_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
-
-       allow $2 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
-       allow $2 container_ro_file_t:file { manage_file_perms 
relabel_file_perms };
-       allow $2 container_ro_file_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-       allow $2 container_ro_file_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-       allow $2 container_ro_file_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
-       allow $2 container_ro_file_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
+       container_admin_all_files($2)
+       container_admin_all_ro_files($2)
 ')
 
 ########################################
@@ -230,10 +218,6 @@ template(`container_user_role',`
        gen_require(`
                attribute container_user_domain;
                attribute container_engine_user_domain;
-               type container_file_t, container_ro_file_t;
-               type container_user_runtime_t;
-               type container_cache_home_t, container_conf_home_t;
-               type container_data_home_t;
        ')
 
        role $4 types container_user_domain;
@@ -245,34 +229,8 @@ template(`container_user_role',`
        allow $3 container_user_domain:process { ptrace signal_perms };
        ps_process_pattern($3, container_user_domain)
 
-       allow $2 container_user_runtime_t:dir { manage_dir_perms 
relabel_dir_perms };
-       allow $2 container_user_runtime_t:file { manage_file_perms 
relabel_file_perms };
-       allow $2 container_user_runtime_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms };
-       allow $2 container_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-
-       allow $2 container_cache_home_t:dir { manage_dir_perms 
relabel_dir_perms };
-       allow $2 container_cache_home_t:file { manage_file_perms 
relabel_file_perms };
-       xdg_cache_filetrans($2, container_cache_home_t, dir, "containers")
-
-       allow $2 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms 
};
-       allow $2 container_conf_home_t:file { manage_file_perms 
relabel_file_perms };
-       xdg_config_filetrans($2, container_conf_home_t, dir, "containers")
-
-       allow $2 container_data_home_t:dir { manage_dir_perms relabel_dir_perms 
};
-       allow $2 container_data_home_t:file { manage_file_perms 
relabel_file_perms };
-       allow $2 container_data_home_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-       allow $2 container_data_home_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms };
-       allow $2 container_data_home_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-       allow $2 container_data_home_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
-       allow $2 container_data_home_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
-       xdg_data_filetrans($2, container_data_home_t, dir, "containers")
-       filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, 
"overlay")
-       filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, 
"overlay-images")
-       filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, 
"overlay-layers")
-       filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, 
"overlay2")
-       filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, 
"overlay2-images")
-       filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, 
"overlay2-layers")
-       filetrans_pattern($2, container_data_home_t, container_file_t, dir, 
"volumes")
+       container_admin_all_home_content($2)
+       container_admin_all_user_runtime_content($2)
 
        optional_policy(`
                systemd_read_user_manager_state($1, 
container_engine_user_domain)
@@ -293,6 +251,60 @@ template(`container_user_role',`
        ')
 ')
 
+########################################
+## <summary>
+##     Unconfined role access for containers.
+## </summary>
+## <param name="role_prefix">
+##     <summary>
+##     The prefix of the user role (e.g., user
+##     is the prefix for user_r).
+##     </summary>
+## </param>
+## <param name="user_domain">
+##     <summary>
+##     User domain for the role.
+##     </summary>
+## </param>
+## <param name="user_exec_domain">
+##     <summary>
+##     User exec domain for execute and transition access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+#
+template(`container_unconfined_role',`
+       gen_require(`
+               attribute container_domain;
+               type container_config_t;
+       ')
+
+       role $4 types container_domain;
+
+       allow $3 container_domain:process transition;
+       allow $3 container_domain:process2 { nnp_transition nosuid_transition };
+       allow container_domain $3:fd use;
+       allow container_domain $3:unix_stream_socket rw_stream_socket_perms;
+
+       allow $3 self:cap_userns { kill sys_ptrace };
+
+       allow $3 container_domain:process { ptrace signal_perms };
+       ps_process_pattern($3, container_domain)
+
+       files_search_etc($2)
+       read_files_pattern($2, container_config_t, container_config_t)
+
+       container_admin_all_files($2)
+       container_admin_all_ro_files($2)
+
+       container_admin_all_home_content($2)
+       container_admin_all_user_runtime_content($2)
+')
+
 ########################################
 ## <summary>
 ##     Execute generic container engines in the
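Review bot: The new container_unconfined_role template's documentation does not state the one thing that distinguishes it from container_user_role — that container engines are not transitioned anywhere and run in the caller's domain ($3) — nor that its `role $4 types container_domain;` and `allow $3 container_domain:process { ptrace signal_perms };` rules cover every type in container_domain, whereas the user role's equivalent (visible in the earlier hunk) is limited to container_user_domain. If container_domain also includes containers started by system engines, an unconfined user can ptrace and signal those too; that is defensible for an unconfined role but should be stated rather than inferred. I would extend the summary with `##     Container engines are not transitioned to and run in the caller's domain;` followed by `##     ptrace, signal and transition rules cover every container domain, not only user containers.` The role_prefix parameter $1 is documented but never referenced in the body, so its summary should say `##     Currently unused; kept for signature parity with container_user_role.`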
@@ -1079,6 +1091,119 @@ interface(`container_manage_home_data_sock_files',`
        manage_sock_files_pattern($1, container_data_home_t, 
container_data_home_t)
 ')
 
+########################################
+## <summary>
+##     Administrate all container files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`container_admin_all_files',`
+       gen_require(`
+               type container_file_t;
+       ')
+
+       allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms };
+       allow $1 container_file_t:file { manage_file_perms relabel_file_perms };
+       allow $1 container_file_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
+       allow $1 container_file_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
+       allow $1 container_file_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
+       allow $1 container_file_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
+')
+
+########################################
+## <summary>
+##     Administrate all container read-only files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`container_admin_all_ro_files',`
+       gen_require(`
+               type container_ro_file_t;
+       ')
+
+       allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
+       allow $1 container_ro_file_t:file { manage_file_perms 
relabel_file_perms };
+       allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
+       allow $1 container_ro_file_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
+       allow $1 container_ro_file_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
+       allow $1 container_ro_file_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
+')
+
+########################################
+## <summary>
+##     All of the rules necessary for a user
+##     to manage user container runtime data
+##     in their user runtime directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`container_admin_all_user_runtime_content',`
+       gen_require(`
+               type container_user_runtime_t;
+       ')
+
+       allow $1 container_user_runtime_t:dir { manage_dir_perms 
relabel_dir_perms };
+       allow $1 container_user_runtime_t:file { manage_file_perms 
relabel_file_perms };
+       allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms };
+       allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
+')
+
+########################################
+## <summary>
+##     All of the rules necessary for a user
+##     to manage container data in their home
+##     directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`container_admin_all_home_content',`
+       gen_require(`
+               type container_file_t, container_ro_file_t;
+               type container_cache_home_t, container_conf_home_t;
+               type container_data_home_t;
+       ')
+
+       allow $1 container_cache_home_t:dir { manage_dir_perms 
relabel_dir_perms };
+       allow $1 container_cache_home_t:file { manage_file_perms 
relabel_file_perms };
+       xdg_cache_filetrans($1, container_cache_home_t, dir, "containers")
+
+       allow $1 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms 
};
+       allow $1 container_conf_home_t:file { manage_file_perms 
relabel_file_perms };
+       xdg_config_filetrans($1, container_conf_home_t, dir, "containers")
+
+       allow $1 container_data_home_t:dir { manage_dir_perms relabel_dir_perms 
};
+       allow $1 container_data_home_t:file { manage_file_perms 
relabel_file_perms };
+       allow $1 container_data_home_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
+       allow $1 container_data_home_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms };
+       allow $1 container_data_home_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
+       allow $1 container_data_home_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
+       allow $1 container_data_home_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
+       xdg_data_filetrans($1, container_data_home_t, dir, "containers")
+       filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, 
"overlay")
+       filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, 
"overlay-images")
+       filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, 
"overlay-layers")
+       filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, 
"overlay2")
+       filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, 
"overlay2-images")
+       filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, 
"overlay2-layers")
+       filetrans_pattern($1, container_data_home_t, container_file_t, dir, 
"volumes")
+')
+
 ########################################
 ## <summary>
 ##     Allow the specified domain to
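Review bot: The summaries of container_admin_all_user_runtime_content and container_admin_all_home_content say "manage", but every rule in them also grants relabel_*_perms (relabelfrom/relabelto), and the interfaces are named *_admin_*; in refpolicy "manage" conventionally excludes relabel, so a caller reading the summary will under-estimate what the interface grants. I would reword them to `##     Manage and relabel (relabelfrom/relabelto) all container runtime content in the user runtime directory.` and `##     Manage and relabel (relabelfrom/relabelto) all container data in the home directory, including the overlay*/volumes type transitions.` respectively, and give the two file interfaces the same "manage and relabel" wording. Separately, container_admin_all_files and container_admin_all_ro_files grant no fifo_file permission on container_file_t/container_ro_file_t while container_admin_all_home_content does for container_data_home_t; this asymmetry is carried over from the code being moved, and if it is intentional a one-line comment saying so would stop the next reader from "fixing" it.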
