From: "Kenton Groombridge" <concord@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
Date: Tue, 14 May 2024 19:42:56 +0000 (UTC)
Message-ID: <1715708512.b18c0d3743affd70627adf0832b0fef674f50165.concord@gentoo>
commit: b18c0d3743affd70627adf0832b0fef674f50165
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May 6 21:03:59 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:52 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b18c0d37
container, podman: various fixes
Various fixes for containers and podman, mostly centered around quadlet
and netavark updates.
One particular change which may stand out is allowing podman_conmon_t to
IOCTL container_file_t files. I wish I could know why this was hit, but
I don't. The relevant AVC is:
type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762
type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-command-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7"
type=SYSCALL msg=audit(1704734027.100:15951872): arch=c000003e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null)
type=AVC msg=audit(1704734027.100:15951872): avc: denied { ioctl } for pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/container.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/services/podman.te | 16 ++++++++++++++--
policy/modules/system/init.if | 20 ++++++++++++++++++++
3 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 268ebec46..009fffc4a 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -876,6 +876,24 @@ interface(`container_signal_all_containers',`
allow $1 container_domain:process signal_perms;
')
+########################################
+## <summary>
+## Send signals to a system container.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_signal_system_containers',`
+ gen_require(`
+ attribute container_system_domain;
+ ')
+
+ allow $1 container_system_domain:process signal;
+')
+
########################################
## <summary>
## Create objects in /dev with an automatic
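Review bot: the new container_signal_system_containers interface grants only the `signal` permission, while its summary says "Send signals to a system container" and the neighbouring container_signal_all_containers grants signal_perms; if conmon only needs plain kill(2) with a catchable signal, say so in the summary (for example "Send generic signals, not SIGKILL/SIGSTOP, to system containers"), otherwise use signal_perms for consistency with the interface above it.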
@@ -1324,6 +1342,24 @@ interface(`container_manage_files',`
manage_files_pattern($1, container_file_t, container_file_t)
')
+########################################
+## <summary>
+## IOCTL container files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_ioctl_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:file ioctl;
+')
+
########################################
## <summary>
## Do not audit attempts to relabel
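Review bot: `allow $1 container_file_t:file ioctl;` permits every ioctl request code on container data files, while the commit message says the reason for the denial is not known. Since refpolicy supports extended permissions for ioctl, consider pairing the allow with an allowxperm rule: once an xperm rule exists for this source/target/class, later denials log the ioctlcmd field, which answers the open question and lets the interface be narrowed to the request codes actually used. The summary "IOCTL container files." should also mention what the access is for once that is known.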
diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index d929bb253..78f8fc086 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -39,6 +39,12 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
allow podman_t podman_conmon_t:process setsched;
+kernel_rw_vm_overcommit_sysctl(podman_t)
+
+init_use_fds(podman_t)
+init_setattr_stream_sockets(podman_t)
+init_stream_connect(podman_t)
+
# for --network=host
selinux_getattr_dirs(podman_t)
selinux_mounton_dirs(podman_t)
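Review bot: kernel_rw_vm_overcommit_sysctl(podman_t) gives podman write access to a kernel sysctl, and none of the four added lines carries a comment explaining the need, unlike the `# for --network=host` comment on the lines that follow; add a one-line comment per group. Also, init_use_fds, init_setattr_stream_sockets and init_stream_connect are added unconditionally here while the closely related init_get_system_status and init_reload in the next hunk sit under ifdef(`init_systemd'); if these are driven by the quadlet/systemd integration named in the commit message, they belong in that block too.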
@@ -67,8 +73,10 @@ podman_spec_rangetrans_conmon(podman_t, s0)
ifdef(`init_systemd',`
init_dbus_chat(podman_t)
init_setsched(podman_t)
+ init_get_system_status(podman_t)
init_start_system(podman_t)
init_stop_system(podman_t)
+ init_reload(podman_t)
# containers get created as systemd transient units
init_get_transient_units_status(podman_t)
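Review bot: init_reload(podman_t) lets podman trigger a daemon reload of the init system, which affects every unit on the host, not just container units; a comment stating why a container manager needs this (the quadlet unit generation mentioned in the commit message, presumably), in the style of the `# containers get created as systemd transient units` comment already in this block, would document the grant for the next reader.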
@@ -114,7 +122,7 @@ kernel_read_sysctl(podman_user_t)
logging_send_syslog_msg(podman_user_t)
-init_write_runtime_socket(podman_user_t)
+init_stream_connect(podman_user_t)
mount_exec(podman_user_t)
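Review bot: replacing init_write_runtime_socket with init_stream_connect is the right direction, since connecting to init's socket needs connectto on init_t as well as write on the sock_file; if, as in upstream refpolicy, init_stream_connect is built on stream_connect_pattern, it covers both, so nothing is lost here. Check that no other init_write_runtime_socket(podman_user_t) call remains elsewhere in the file, as it would now be redundant.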
@@ -191,7 +199,7 @@ ifdef(`init_systemd',`
# podman conmon local policy
#
-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource };
dontaudit podman_conmon_t self:capability net_admin;
podman_domtrans(podman_conmon_t)
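Review bot: adding `kill` to podman_conmon_t's self:capability set lets conmon signal processes owned by any uid, not only the container it supervises; the SELinux side is scoped by the container_signal_system_containers(podman_conmon_t) call in the next hunk, but a comment stating which cross-uid process conmon must signal (container payloads running as non-root uids, presumably) would justify an allow here rather than a dontaudit, and would tie the two changes together.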
@@ -199,8 +207,12 @@ podman_domtrans(podman_conmon_t)
init_rw_inherited_stream_socket(podman_conmon_t)
init_use_fds(podman_conmon_t)
+container_signal_system_containers(podman_conmon_t)
+
container_read_system_container_state(podman_conmon_t)
+container_ioctl_files(podman_conmon_t)
+
container_manage_runtime_files(podman_conmon_t)
container_manage_runtime_fifo_files(podman_conmon_t)
container_manage_runtime_sock_files(podman_conmon_t)
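Review bot: the AVC quoted in the commit message was recorded with permissive=1, so it is not yet established that the ioctl denial breaks anything; before keeping container_ioctl_files(podman_conmon_t), confirm the behaviour in enforcing mode, and if conmon works without it a dontaudit is the safer choice. Whichever is kept, add a comment above the call pointing at the volume data path from the AVC (/var/lib/containers/storage/volumes/<volume>/_data/) so the unexplained grant stays traceable.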
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 24be1a7a7..5d720ffc3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1163,6 +1163,26 @@ interface(`init_rw_stream_sockets',`
allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
')
+########################################
+## <summary>
+## Allow the specified domain to set the
+## attributes of init's unix domain stream
+## sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_setattr_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket setattr;
+')
+
########################################
## <summary>
## Do not audit attempts to search init keys.
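Review bot: init_setattr_stream_sockets targets the init_t:unix_stream_socket object class; setattr on a socket object (as opposed to the init_runtime_t sock_file in the filesystem) is only reached by calls such as fchmod/fchown on an already-open socket descriptor, so double-check that the denial being addressed had tclass=unix_stream_socket and not tclass=sock_file, in which case a setattr rule on the init_runtime_t sock_file would be the fix instead. The documentation block itself matches the style of init_rw_stream_sockets above it.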