
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sat, 03 Sep 2022 19:10:26
Message-Id: 1662230515.b8f614bfbcc1fe34a9664de1b1937a6e6cfbcf40.perfinion@gentoo
1 commit: b8f614bfbcc1fe34a9664de1b1937a6e6cfbcf40
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Mon May 16 13:56:29 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Sep 3 18:41:55 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8f614bf
7
8 podman: add interface to rangetrans when executing conmon
9
10 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
11 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
12
13 policy/modules/services/podman.if | 29 +++++++++++++++++++++++++++++
14 policy/modules/services/podman.te | 20 ++++----------------
15 2 files changed, 33 insertions(+), 16 deletions(-)
16
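diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
index 7523e33d..626af3af 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -188,6 +188,35 @@ interface(`podman_run_conmon_user',`
 podman_domtrans_conmon_user($1)
 ')
 
+########################################
+## <summary>
+## Make the specified domain perform a
+## range transition when executing conmon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to transition ranges.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## MLS range to transition to.
+## </summary>
+## </param>
+#
+interface(`podman_spec_rangetrans_conmon',`
+ gen_require(`
+ type podman_conmon_exec_t;
+ ')
+
+ ifdef(`enable_mcs',`
+ range_transition $1 podman_conmon_exec_t:process $2;
+ ')
+ ifdef(`enable_mls',`
+ range_transition $1 podman_conmon_exec_t:process $2;
+ ')
+')
+
 ########################################
 ## <summary>
 ## Read and write conmon unnamed pipes.
 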
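Review bot: The interface documentation understates where the new rule applies: the `range` parameter is described as an `MLS range`, yet the body emits the `range_transition` under both `enable_mcs` and `enable_mls`, and the interface expands to nothing when neither is defined. I would say so in the summary, e.g. `## Make the specified domain perform a range transition to the given MLS/MCS range when executing conmon (no-op unless enable_mcs or enable_mls is defined).`, and reword the domain parameter to `## Domain allowed to range transition.` since `Domain to transition ranges.` reads awkwardly. It is also worth a sentence in the summary that this rule only chooses the range conmon starts in and presumably still relies on the existing domain transition interfaces (podman_domtrans_conmon_user is visible just above the hunk) for the execution itself.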
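diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 12c67145..bb0f67bd 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -61,6 +61,8 @@ container_manage_home_config(podman_t)
 
 container_manage_sock_files(podman_t)
 
+podman_spec_rangetrans_conmon(podman_t, s0)
+
 ifdef(`init_systemd',`
 init_dbus_chat(podman_t)
 init_setsched(podman_t)
@@ -129,6 +131,8 @@ storage_rw_fuse(podman_user_t)
 userdom_relabel_generic_user_home_dirs(podman_user_t)
 userdom_relabel_generic_user_home_files(podman_user_t)
 
+podman_spec_rangetrans_conmon(podman_user_t, s0)
+
 ifdef(`init_systemd',`
 # podman queries the cgroup manager (systemd) over the session bus socket
 dbus_getattr_session_runtime_socket(podman_user_t)
@@ -208,14 +212,6 @@ container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
 container_manage_engine_tmp_files(podman_conmon_t)
 container_manage_engine_tmp_sock_files(podman_conmon_t)
 
-# Ensure conmon runs in s0 so that it can talk to the container
-ifdef(`enable_mcs',`
- range_transition podman_t podman_conmon_exec_t:process s0;
-')
-ifdef(`enable_mls',`
- range_transition podman_t podman_conmon_exec_t:process s0;
-')
-
 ifdef(`init_systemd',`
 init_get_transient_units_status(podman_conmon_t)
 init_start_transient_units(podman_conmon_t)
@@ -287,14 +283,6 @@ container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
 container_manage_engine_tmp_files(podman_conmon_user_t)
 container_manage_engine_tmp_sock_files(podman_conmon_user_t)
 
-# Ensure conmon runs in s0 so that it can talk to the container
-ifdef(`enable_mcs',`
- range_transition podman_user_t podman_conmon_exec_t:process s0;
-')
-ifdef(`enable_mls',`
- range_transition podman_user_t podman_conmon_exec_t:process s0;
-')
-
 ifdef(`init_systemd',`
 # conmon can read logs from containers which are
 # sent to the system journal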
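Review bot: The rationale comment `# Ensure conmon runs in s0 so that it can talk to the container` disappears with the open-coded rules in the last two hunks, but nothing equivalent accompanies the new `podman_spec_rangetrans_conmon(podman_t, s0)` and `podman_spec_rangetrans_conmon(podman_user_t, s0)` calls in the first two hunks, so a reader no longer learns why conmon is pinned to s0 instead of inheriting the caller's range. Since the interface now takes the range as a parameter, this file is the only place that explains the choice of `s0`; I would restore the comment directly above each of the two calls. The same applies to the podman_user_t hunk, so one comment per call site rather than relying on git history.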