From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 947F7158087 for ; Sun, 30 Jan 2022 01:22:50 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6B34B2BC003; Sun, 30 Jan 2022 01:22:49 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id E37DD2BC002 for ; Sun, 30 Jan 2022 01:22:48 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 955FE343375 for ; Sun, 30 Jan 2022 01:22:46 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id DAC9A2B2 for ; Sun, 30 Jan 2022 01:22:44 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1643505162.7312b188899d6ea718be9c885eb4a6f15ccd8aa7.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/services/container.te X-VCS-Directories: policy/modules/services/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 7312b188899d6ea718be9c885eb4a6f15ccd8aa7 X-VCS-Branch: master Date: Sun, 30 Jan 2022 01:22:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: c6010662-d249-44e7-86ed-5c4c2260f421 X-Archives-Hash: 8f5e8aca985f1a87ee0f54c67aaa4263 commit: 7312b188899d6ea718be9c885eb4a6f15ccd8aa7 Author: Kenton Groombridge concord sh> AuthorDate: Thu Dec 23 15:55:53 2021 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 30 01:12:42 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7312b188 container: add policy for privileged containers Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/services/container.te | 86 ++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index 7ab2765e..483cdcb2 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te 
@@ -22,6 +22,9 @@ attribute container_engine_user_domain; # containers which require network access attribute container_net_domain; +# containers considered privileged +attribute privileged_container_domain; + attribute container_engine_exec_type; attribute container_mountpoint_type; @@ -43,6 +46,13 @@ ifdef(`enable_mls',` ') mls_trusted_object(container_engine_t) +type spc_t, container_domain, container_net_domain, container_system_domain, privileged_container_domain; +domain_type(spc_t) +role system_r types spc_t; + +type spc_user_t, container_domain, container_net_domain, container_user_domain, privileged_container_domain; +domain_type(spc_user_t) + type container_unit_t; init_unit_file(container_unit_t) 
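Review bot: in the second hunk, spc_user_t is declared with the same attribute set as spc_t (container_system_domain swapped for container_user_domain) but, unlike spc_t, gets no role statement (spc_t has `role system_r types spc_t;`). If role authorization for user-engine containers is meant to arrive through the container_user_domain attribute, it is worth confirming that the interface granting that role covers the new type; otherwise the user-engine transition added later in this patch cannot be reached. A short comment next to the new `privileged_container_domain` attribute saying what `spc` stands for would also help, since the abbreviation is not expanded anywhere in the patch.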
@@ -562,3 +572,79 @@ filetrans_pattern(container_engine_user_domain, container_data_home_t, container filetrans_pattern(container_engine_user_domain, container_data_home_t, container_ro_file_t, dir, "overlay2-images") filetrans_pattern(container_engine_user_domain, container_data_home_t, container_ro_file_t, dir, "overlay2-layers") filetrans_pattern(container_engine_user_domain, container_data_home_t, container_file_t, dir, "volumes") + +######################################## +# +# Common privileged container local policy +# + +allow privileged_container_domain container_file_t:file entrypoint; +allow privileged_container_domain container_ro_file_t:file entrypoint; +allow privileged_container_domain container_var_lib_t:file entrypoint; + +optional_policy(` + systemd_dbus_chat_machined(privileged_container_domain) + systemd_dbus_chat_logind(privileged_container_domain) +') + +######################################## +# +# spc local policy +# +# spc_t is the default type for containers created +# with the --privileged (or similar) argument +# + +# Containers run from an engine with the --privileged argument are not +# restricted by the engine. One of these restrictions is a manual +# transition to the default context for containers, usually container_t. +# Instead of performing a manual transition when creating a restricted +# container (default), we do an automatic transition to spc_t when +# restrictions are disabled. 
+domtrans_pattern(container_engine_system_domain, container_file_t, spc_t) +domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t) +domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t) + +allow container_engine_system_domain spc_t:process { setsched signal_perms }; + +allow spc_t container_engine_system_domain:fifo_file rw_fifo_file_perms; + +init_dbus_chat(spc_t) + +optional_policy(` + dbus_system_bus_client(spc_t) + dbus_all_session_bus_client(spc_t) +') + +optional_policy(` +# If unconfined domains are enabled, spc is also unconfined + unconfined_domain_noaudit(spc_t) + domain_ptrace_all_domains(spc_t) +') + +######################################## +# +# spc user local policy +# + +# Similar to above, automatically transition to spc_user_t when a +# container engine runs a container with the --privileged argument +domtrans_pattern(container_engine_user_domain, container_file_t, spc_user_t) +domtrans_pattern(container_engine_user_domain, container_ro_file_t, spc_user_t) +domtrans_pattern(container_engine_user_domain, container_var_lib_t, spc_user_t) +fs_fusefs_domtrans(container_engine_user_domain, spc_user_t) + +allow container_engine_user_domain spc_user_t:process { setsched signal_perms }; + +allow spc_user_t container_engine_user_domain:fifo_file rw_fifo_file_perms; + +optional_policy(` + dbus_system_bus_client(spc_user_t) + dbus_all_session_bus_client(spc_user_t) +') + +optional_policy(` + # If unconfined domains are enabled, spc is also unconfined + unconfined_domain_noaudit(spc_user_t) + domain_ptrace_all_domains(spc_user_t) +')
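Review bot: the `domtrans_pattern(container_engine_system_domain, container_file_t, spc_t)` rules (and the matching spc_user_t set) make spc_t the default transition for any exec of container_file_t, container_ro_file_t or container_var_lib_t by the engine. As the comment above them explains, a restricted container only lands in container_t because the engine performs a manual transition, so any engine code path that execs an entrypoint without setting an exec context now fails open into the privileged domain, which with the optional unconfined block means unconfined_domain_noaudit plus domain_ptrace_all_domains. Consider gating these domtrans rules behind a tunable so the automatic privileged transition is opt-in, and at minimum state this fail-open behaviour in the comment. Two smaller points: the `# If unconfined domains are enabled` comment is unindented inside the spc_t optional_policy block but indented in the spc_user_t block, and spc_user_t gets fs_fusefs_domtrans and no init_dbus_chat while spc_t has the reverse; if both asymmetries are intentional, a one-line comment would save the next reader from guessing.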