From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 561C31581D3 for ; Tue, 14 May 2024 19:43:05 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 543C5E2A39; Tue, 14 May 2024 19:43:01 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 30A32E2A39 for ; Tue, 14 May 2024 19:43:01 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7921B341E1C for ; Tue, 14 May 2024 19:42:59 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 1FF011ADC for ; Tue, 14 May 2024 19:42:56 +0000 (UTC)
From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1715708512.b18c0d3743affd70627adf0832b0fef674f50165.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/container.if policy/modules/services/podman.te policy/modules/system/init.if
X-VCS-Directories: policy/modules/system/ policy/modules/services/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: b18c0d3743affd70627adf0832b0fef674f50165
X-VCS-Branch: master
Date: Tue, 14 May 2024 19:42:56 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: abc60e16-9816-4e87-bdbe-216030ca4ed2
X-Archives-Hash: 49a3e01b9012cf29ab879b639737d4a6

commit:     b18c0d3743affd70627adf0832b0fef674f50165
Author:     Kenton Groombridge gentoo org>
AuthorDate: Mon May 6 21:03:59 2024 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Tue May 14 17:41:52 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b18c0d37

container, podman: various fixes

Various fixes for containers and podman, mostly centered around quadlet
and netavark updates.

One particular change which may stand out is allowing podman_conmon_t to
IOCTL container_file_t files. I wish I could know why this was hit, but I
don't.
The relevant AVC is:

type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762
type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-command-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7"
type=SYSCALL msg=audit(1704734027.100:15951872): arch=c000003e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null)
type=AVC msg=audit(1704734027.100:15951872): avc: denied { ioctl } for pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1

Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/services/container.if | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/podman.te    | 16 ++++++++++++++--
 policy/modules/system/init.if        | 20 ++++++++++++++++++++
 3 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 268ebec46..009fffc4a 100644
--- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -876,6 +876,24 @@ interface(`container_signal_all_containers',` allow $1 container_domain:process signal_perms; ') +######################################## +## +## Send signals to a system container. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_signal_system_containers',` + gen_require(` + attribute container_system_domain; + ') + + allow $1 container_system_domain:process signal; +') + ######################################## ## ## Create objects in /dev with an automatic @@ -1324,6 +1342,24 @@ interface(`container_manage_files',` manage_files_pattern($1, container_file_t, container_file_t) ') +######################################## +## +## IOCTL container files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_ioctl_files',` + gen_require(` + type container_file_t; + ') + + allow $1 container_file_t:file ioctl; +') + ######################################## ## ## Do not audit attempts to relabel diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te index d929bb253..78f8fc086 100644 --- a/policy/modules/services/podman.te +++ b/policy/modules/services/podman.te @@ -39,6 +39,12 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t) allow podman_t podman_conmon_t:process setsched; +kernel_rw_vm_overcommit_sysctl(podman_t) + +init_use_fds(podman_t) +init_setattr_stream_sockets(podman_t) +init_stream_connect(podman_t) + # for --network=host selinux_getattr_dirs(podman_t) selinux_mounton_dirs(podman_t) @@ -67,8 +73,10 @@ podman_spec_rangetrans_conmon(podman_t, s0) ifdef(`init_systemd',` init_dbus_chat(podman_t) init_setsched(podman_t) + init_get_system_status(podman_t) init_start_system(podman_t) init_stop_system(podman_t) + init_reload(podman_t) # containers get created as systemd transient units init_get_transient_units_status(podman_t) 
@@ -114,7 +122,7 @@ kernel_read_sysctl(podman_user_t) logging_send_syslog_msg(podman_user_t) -init_write_runtime_socket(podman_user_t) +init_stream_connect(podman_user_t) mount_exec(podman_user_t) @@ -191,7 +199,7 @@ ifdef(`init_systemd',` # podman conmon local policy # -allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource }; +allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource }; dontaudit podman_conmon_t self:capability net_admin; podman_domtrans(podman_conmon_t) @@ -199,8 +207,12 @@ podman_domtrans(podman_conmon_t) init_rw_inherited_stream_socket(podman_conmon_t) init_use_fds(podman_conmon_t) +container_signal_system_containers(podman_conmon_t) + container_read_system_container_state(podman_conmon_t) +container_ioctl_files(podman_conmon_t) + container_manage_runtime_files(podman_conmon_t) container_manage_runtime_fifo_files(podman_conmon_t) container_manage_runtime_sock_files(podman_conmon_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 24be1a7a7..5d720ffc3 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1163,6 +1163,26 @@ interface(`init_rw_stream_sockets',` allow $1 init_t:unix_stream_socket rw_stream_socket_perms; ') +######################################## +## +## Allow the specified domain to set the +## attributes of init's unix domain stream +## sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_setattr_stream_sockets',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket setattr; +') + ######################################## ## ## Do not audit attempts to search init keys.
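Review bot: in the first container.if hunk, `container_signal_system_containers` grants only `signal` while its summary says "Send signals to a system container" and the neighbouring `container_signal_all_containers` grants `signal_perms`. `signal` excludes sigkill, sigstop, sigchld and signull, so if conmon is expected to SIGKILL a container process (the `kill` capability added to podman_conmon_t in podman.te suggests that path exists), this interface will not cover it. Either state in the summary that sigkill/sigstop are deliberately excluded, or use `signal_perms` to match the existing interface directly above.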
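Review bot: the second container.if hunk's `container_ioctl_files` permits every ioctl command on container_file_t files, which is far broader than the single denial quoted in the commit message, and that AVC record carries no ioctlcmd field, so the command cannot be narrowed from it. Suggest the interface summary say that it is a blanket grant, and that the call site in podman.te carry a comment pointing at the unexplained denial, so a later reader can replace `allow $1 container_file_t:file ioctl;` with an `allowxperm` on the one command (or a dontaudit, should the ioctl turn out to be a harmless probe on an inherited descriptor) once the command is identified.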
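Review bot: no comment explains the new grants in the first podman.te hunk, whereas the surrounding lines document their purpose (`# for --network=host`). Writing vm.overcommit_memory via `kernel_rw_vm_overcommit_sysctl(podman_t)` is unusual enough for a container manager to deserve a one-line note on what triggers it. Also, `init_stream_connect(podman_t)` lands in the unconditional section even though the other init interaction for podman_t sits under `ifdef(`init_systemd',`; if connecting to init's stream socket is systemd-specific, it belongs inside that block.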
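Review bot: in the second podman.te hunk, `init_reload(podman_t)` lets podman reload the system manager, a considerably larger grant than the `init_get_system_status(podman_t)` beside it, and the existing comment `# containers get created as systemd transient units` explains the transient-unit lines but not these two. A short comment naming the quadlet operation that needs the reload would keep the grant reviewable later.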
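Review bot: the third podman.te hunk swaps `init_write_runtime_socket(podman_user_t)` for `init_stream_connect(podman_user_t)` without the commit message saying which denial motivated it; since the first hunk adds `init_stream_connect(podman_t)` as well, the two changes probably share a cause and a single comment above each call would tie them together. Worth confirming too that nothing else in the user domain relied on the sock_file write the removed interface provided.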
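Review bot: the fourth podman.te hunk adds the `kill` capability to podman_conmon_t with no comment, and that capability permits signalling any process regardless of uid, not just container processes. Please add a note naming the conmon operation it serves (and pairing it with the `container_signal_system_containers` call in the following hunk), so the two halves of the grant, DAC capability and SELinux process permission, are understood together.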
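Review bot: the fifth podman.te hunk grants `container_signal_system_containers` and `container_ioctl_files` to podman_conmon_t only; `podman_user_conmon_t`, visible in the first hunk's context via `userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)`, receives neither. If rootless conmon genuinely never needs to signal its container or touch container files this way, a comment saying so would help; otherwise the user variant will hit the same denials.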
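Review bot: the init.if hunk's `init_setattr_stream_sockets` summary says "set the attributes of init's unix domain stream sockets"; for socket classes `setattr` is the permission checked for setsockopt(), so mentioning that in the description would help the next person matching an AVC to this interface. The name and its placement beside `init_rw_stream_sockets` follow the file's conventions.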