From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1362840-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id AFE58158087
	for <garchives@archives.gentoo.org>; Sun, 30 Jan 2022 01:22:58 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 3AE472BC04C;
	Sun, 30 Jan 2022 01:22:53 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id AB3322BC04C
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Jan 2022 01:22:52 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 0A6A6343375
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Jan 2022 01:22:51 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 0F15F2D3
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Jan 2022 01:22:46 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1643505306.362646fea58e06a59f257c4c0f7e96cfd3105de6.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/rootlesskit.fc policy/modules/services/rootlesskit.if policy/modules/services/rootlesskit.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 362646fea58e06a59f257c4c0f7e96cfd3105de6
X-VCS-Branch: master
Date: Sun, 30 Jan 2022 01:22:46 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 32ecf978-b245-49ca-84bb-700675a8bd77
X-Archives-Hash: 64b09e357b44afe30460dc6795ed9079

commit:     362646fea58e06a59f257c4c0f7e96cfd3105de6
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Jan 11 20:56:38 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=362646fe

rootlesskit: new policy module

Rootlesskit is required by rootless docker

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/rootlesskit.fc |   3 +
 policy/modules/services/rootlesskit.if | 106 +++++++++++++++++++++++++++++++++
 policy/modules/services/rootlesskit.te |  43 +++++++++++++
 3 files changed, 152 insertions(+)

diff --git a/policy/modules/services/rootlesskit.fc b/policy/modules/services/rootlesskit.fc
new file mode 100644
index 00000000..613ebd9b
--- /dev/null
+++ b/policy/modules/services/rootlesskit.fc
@@ -0,0 +1,3 @@
+/usr/bin/rootlesskit	--	gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlessctl	--	gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlesskit-docker-proxy	--	gen_context(system_u:object_r:rootlesskit_exec_t,s0)

diff --git a/policy/modules/services/rootlesskit.if b/policy/modules/services/rootlesskit.if
new file mode 100644
index 00000000..2be598d7
--- /dev/null
+++ b/policy/modules/services/rootlesskit.if
@@ -0,0 +1,106 @@
+## <summary>Policy for RootlessKit</summary>
+
+########################################
+## <summary>
+##	Execute rootlesskit in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rootlesskit_exec',`
+	gen_require(`
+		type rootlesskit_exec_t;
+	')
+
+	can_exec($1, rootlesskit_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute rootlesskit in the rootlesskit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rootlesskit_domtrans',`
+	gen_require(`
+		type rootlesskit_t, rootlesskit_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rootlesskit_exec_t, rootlesskit_t)
+')
+
+########################################
+## <summary>
+##	Execute rootlesskit in the rootlesskit
+##	domain, and allow the specified role
+##	the rootlesskit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the rootlesskit domain.
+##	</summary>
+## </param>
+#
+interface(`rootlesskit_run',`
+	gen_require(`
+		type rootlesskit_t;
+	')
+
+	role $2 types rootlesskit_t;
+
+	rootlesskit_domtrans($1)
+')
+
+########################################
+## <summary>
+##	Role access for rootlesskit.
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`rootlesskit_role',`
+	gen_require(`
+		type rootlesskit_t;
+		type rootlesskit_exec_t;
+	')
+
+	rootlesskit_run($3, $4)
+
+	optional_policy(`
+		systemd_user_daemon_domain($1, rootlesskit_exec_t, rootlesskit_t)
+	')
+')
+

diff --git a/policy/modules/services/rootlesskit.te b/policy/modules/services/rootlesskit.te
new file mode 100644
index 00000000..31168801
--- /dev/null
+++ b/policy/modules/services/rootlesskit.te
@@ -0,0 +1,43 @@
+policy_module(rootlesskit)
+
+########################################
+#
+# Declarations
+#
+
+container_engine_domain_template(rootlesskit)
+type rootlesskit_exec_t;
+container_user_engine(rootlesskit_t)
+application_domain(rootlesskit_t, rootlesskit_exec_t)
+mls_trusted_object(rootlesskit_t)
+
+########################################
+#
+# Rootlesskit local policy
+#
+
+# rootlesskit fails without this access
+allow rootlesskit_t self:tun_socket { relabelfrom relabelto };
+
+can_exec(rootlesskit_t, rootlesskit_exec_t)
+
+domain_use_interactive_fds(rootlesskit_t)
+
+# any dir not readable or file not stat-able causes rootlesskit to hang
+# when --copy-up would access it; the below rules cover at least the
+# access needed for rootless docker (copying /etc and /run)
+files_list_all(rootlesskit_t)
+files_getattr_all_files(rootlesskit_t)
+files_getattr_all_pipes(rootlesskit_t)
+files_getattr_all_sockets(rootlesskit_t)
+
+kernel_read_sysctl(rootlesskit_t)
+
+auth_use_nsswitch(rootlesskit_t)
+
+userdom_exec_user_bin_files(rootlesskit_t)
+
+optional_policy(`
+	dbus_list_system_bus_runtime(rootlesskit_t)
+	dbus_system_bus_client(rootlesskit_t)
+')