commit:     5771206e2319d9616db89272c86f99e50a21ee00
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug  9 19:36:57 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5771206e

various: rules required for DV manipulation in kubevirt

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/devices.if      | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.te       |  1 +
 policy/modules/services/container.te  |  3 +++
 policy/modules/services/kubernetes.if | 19 +++++++++++++++++++
 policy/modules/services/kubernetes.te |  1 +
 policy/modules/system/iptables.te     |  5 +++++
 policy/modules/system/mount.te        |  1 +
 7 files changed, 48 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 085bd30f0..aabc1b8e7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -108,6 +108,24 @@ interface(`dev_getattr_fs',`
        allow $1 device_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##     Unmount device filesystems.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_unmount_fs',`
+       gen_require(`
+               type device_t;
+       ')
+
+       allow $1 device_t:filesystem unmount;
+')
+
 ########################################
 ## <summary>
 ##     Remount device filesystems.

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b16142608..b791ebc71 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -315,6 +315,7 @@ dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_blk_files(kernel_t)
 dev_rw_generic_chr_files(kernel_t)
 dev_setattr_generic_blk_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
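Review bot: The new `dev_rw_generic_blk_files(kernel_t)` line has no comment saying why the kernel domain now needs read/write on generic block device nodes, whereas the container.te hunk in this same commit annotates its rules with `# for DV upload in kubevirt over rook-ceph`. kernel_t is a general-purpose domain, so without a comment the next reader cannot trace this grant back to its use case or judge whether it can be dropped later; a one-liner mirroring the commit title, `# for DV manipulation in kubevirt`, would do. The same applies to `dev_getattr_generic_blk_files(kubelet_t)` in the kubernetes.te hunk and to `dev_dontaudit_getattr_generic_blk_files(mount_t)` in the mount.te hunk, where the dontaudit in particular suppresses the very denials that would otherwise point at the requirement.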

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index e91cd18f4..e9f59e516 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -1071,6 +1071,9 @@ dev_dontaudit_relabelto_generic_blk_files(spc_t)
 dev_getattr_kvm_dev(spc_t)
 dev_getattr_vhost_dev(spc_t)
 dev_watch_dev_dirs(spc_t)
+# for DV upload in kubevirt over rook-ceph
+dev_unmount_fs(spc_t)
+dev_remount_fs(spc_t)
 
 fs_read_nsfs_files(spc_t)
 fs_mount_xattr_fs(spc_t)
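Review bot: `dev_unmount_fs(spc_t)` and `dev_remount_fs(spc_t)` are appended after `dev_watch_dev_dirs(spc_t)`, which breaks the alphabetical order the surrounding dev_ calls in this block appear to follow; `dev_remount_fs` belongs before `dev_unmount_fs`, and both before `dev_watch_dev_dirs`, with the comment kept above the pair. The kubernetes.te hunk has the same issue: `dev_getattr_generic_blk_files(kubelet_t)` is inserted after `dev_getattr_mtrr_dev(kubelet_t)` rather than before it. Keeping the sort order is what lets a reviewer spot duplicate or overlapping grants in these long permission lists.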

diff --git a/policy/modules/services/kubernetes.if 
b/policy/modules/services/kubernetes.if
index de14a7b61..2af5b64b3 100644
--- a/policy/modules/services/kubernetes.if
+++ b/policy/modules/services/kubernetes.if
@@ -377,6 +377,25 @@ interface(`kubernetes_run_engine_bpf',`
        allow $1 kubernetes_container_engine_domain:bpf prog_run;
 ')
 
+########################################
+## <summary>
+##     Read and write FIFO files from
+##     kubernetes container engines.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kubernetes_rw_container_engine_fifo_files',`
+       gen_require(`
+               attribute kubernetes_container_engine_domain;
+       ')
+
+       allow $1 kubernetes_container_engine_domain:fifo_file 
rw_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Search kubernetes config directories.

diff --git a/policy/modules/services/kubernetes.te 
b/policy/modules/services/kubernetes.te
index 787cdae30..38b3a545e 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -258,6 +258,7 @@ corecmd_exec_bin(kubelet_t)
 corecmd_watch_bin_dirs(kubelet_t)
 
 dev_getattr_mtrr_dev(kubelet_t)
+dev_getattr_generic_blk_files(kubelet_t)
 dev_read_kmsg(kubelet_t)
 dev_read_sysfs(kubelet_t)
 

diff --git a/policy/modules/system/iptables.te 
b/policy/modules/system/iptables.te
index 7c401fa50..5dc07b874 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -128,6 +128,11 @@ optional_policy(`
        firstboot_rw_pipes(iptables_t)
 ')
 
+optional_policy(`
+       # apply firewall rules from multus
+       kubernetes_rw_container_engine_fifo_files(iptables_t)
+')
+
 optional_policy(`
        modutils_run(iptables_t, iptables_roles)
 ')
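Review bot: The comment `# apply firewall rules from multus` names the use case but not why read/write on container-engine FIFOs is the permission that satisfies it, and iptables_t is a general system domain where this optional block will be read long after its kubernetes context is forgotten. If, as seems likely, multus spawns iptables with its stdin/stdout attached to pipes the engine created, the rule covers inherited descriptors rather than iptables opening anything itself, and saying so would guide whoever tunes it next: `# multus runs iptables with its stdio on pipes owned by the container engine`. The mechanism cannot be confirmed from the hunk alone, so verify before committing the wording.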

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 88ffb90f6..01fe24528 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -83,6 +83,7 @@ dev_dontaudit_write_sysfs_dirs(mount_t)
 dev_rw_lvm_control(mount_t)
 dev_rw_loop_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
+dev_dontaudit_getattr_generic_blk_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 # Early devtmpfs, before udev relabel
