
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sun, 30 Jan 2022 01:22:58
Message-Id: 1643505306.362646fea58e06a59f257c4c0f7e96cfd3105de6.perfinion@gentoo
1 commit: 362646fea58e06a59f257c4c0f7e96cfd3105de6
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Tue Jan 11 20:56:38 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 30 01:15:06 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=362646fe
7
8 rootlesskit: new policy module
9
10 Rootlesskit is required by rootless docker
11
12 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
13 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15 policy/modules/services/rootlesskit.fc | 3 +
16 policy/modules/services/rootlesskit.if | 106 +++++++++++++++++++++++++++++++++
17 policy/modules/services/rootlesskit.te | 43 +++++++++++++
18 3 files changed, 152 insertions(+)
19
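diff --git a/policy/modules/services/rootlesskit.fc b/policy/modules/services/rootlesskit.fc
new file mode 100644
index 00000000..613ebd9b
--- /dev/null
+++ b/policy/modules/services/rootlesskit.fc
@@ -0,0 +1,3 @@
+/usr/bin/rootlesskit -- gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlessctl -- gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlesskit-docker-proxy -- gen_context(system_u:object_r:rootlesskit_exec_t,s0)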
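Review bot: All three binaries are labelled `rootlesskit_exec_t`, so `rootlessctl` (which appears to be the control client) and `rootlesskit-docker-proxy` (the port-forwarding helper) transition into the same `rootlesskit_t` domain and inherit everything the .te grants it, including the system-wide list/getattr rules. If the helpers genuinely need the full domain, a short comment above the entries explaining why they share the exec type would document the choice; otherwise a narrower label for the helpers would keep the broad access confined to the parent process.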
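diff --git a/policy/modules/services/rootlesskit.if b/policy/modules/services/rootlesskit.if
new file mode 100644
index 00000000..2be598d7
--- /dev/null
+++ b/policy/modules/services/rootlesskit.if
@@ -0,0 +1,106 @@
+## <summary>Policy for RootlessKit</summary>
+
+########################################
+## <summary>
+## Execute rootlesskit in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rootlesskit_exec',`
+ gen_require(`
+ type rootlesskit_exec_t;
+ ')
+
+ can_exec($1, rootlesskit_exec_t)
+')
+
+########################################
+## <summary>
+## Execute rootlesskit in the rootlesskit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rootlesskit_domtrans',`
+ gen_require(`
+ type rootlesskit_t, rootlesskit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rootlesskit_exec_t, rootlesskit_t)
+')
+
+########################################
+## <summary>
+## Execute rootlesskit in the rootlesskit
+## domain, and allow the specified role
+## the rootlesskit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the rootlesskit domain.
+## </summary>
+## </param>
+#
+interface(`rootlesskit_run',`
+ gen_require(`
+ type rootlesskit_t;
+ ')
+
+ role $2 types rootlesskit_t;
+
+ rootlesskit_domtrans($1)
+')
+
+########################################
+## <summary>
+## Role access for rootlesskit.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+## <param name="user_exec_domain">
+## <summary>
+## User exec domain for execute and transition access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`rootlesskit_role',`
+ gen_require(`
+ type rootlesskit_t;
+ type rootlesskit_exec_t;
+ ')
+
+ rootlesskit_run($3, $4)
+
+ optional_policy(`
+ systemd_user_daemon_domain($1, rootlesskit_exec_t, rootlesskit_t)
+ ')
+')
+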
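Review bot: The `rootlesskit_role` template documents a `user_domain` parameter but its body never references `$2`, so the user domain gets no visibility of or control over the derived `rootlesskit_t` processes it launches; refpolicy role templates normally grant that with `ps_process_pattern($2, rootlesskit_t)` and `allow $2 rootlesskit_t:process signal_perms;`, or the parameter should be dropped from the documentation if it is intentionally unused. Separately, `rootlesskit_run` lacks the `## <rolecap/>` tag that run interfaces conventionally carry (and that `rootlesskit_role` already has); add `## <rolecap/>` after its last `## </param>` line. The `gen_require` of `rootlesskit_role` pulls in `rootlesskit_exec_t` only for the optional systemd block, which is fine but worth a one-line comment so it is not removed as unused later.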
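diff --git a/policy/modules/services/rootlesskit.te b/policy/modules/services/rootlesskit.te
new file mode 100644
index 00000000..31168801
--- /dev/null
+++ b/policy/modules/services/rootlesskit.te
@@ -0,0 +1,43 @@
+policy_module(rootlesskit)
+
+########################################
+#
+# Declarations
+#
+
+container_engine_domain_template(rootlesskit)
+type rootlesskit_exec_t;
+container_user_engine(rootlesskit_t)
+application_domain(rootlesskit_t, rootlesskit_exec_t)
+mls_trusted_object(rootlesskit_t)
+
+########################################
+#
+# Rootlesskit local policy
+#
+
+# rootlesskit fails without this access
+allow rootlesskit_t self:tun_socket { relabelfrom relabelto };
+
+can_exec(rootlesskit_t, rootlesskit_exec_t)
+
+domain_use_interactive_fds(rootlesskit_t)
+
+# any dir not readable or file not stat-able causes rootlesskit to hang
+# when --copy-up would access it; the below rules cover at least the
+# access needed for rootless docker (copying /etc and /run)
+files_list_all(rootlesskit_t)
+files_getattr_all_files(rootlesskit_t)
+files_getattr_all_pipes(rootlesskit_t)
+files_getattr_all_sockets(rootlesskit_t)
+
+kernel_read_sysctl(rootlesskit_t)
+
+auth_use_nsswitch(rootlesskit_t)
+
+userdom_exec_user_bin_files(rootlesskit_t)
+
+optional_policy(`
+ dbus_list_system_bus_runtime(rootlesskit_t)
+ dbus_system_bus_client(rootlesskit_t)
+')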
185 +
186 +userdom_exec_user_bin_files(rootlesskit_t)
187 +
188 +optional_policy(`
189 + dbus_list_system_bus_runtime(rootlesskit_t)
190 + dbus_system_bus_client(rootlesskit_t)
191 +')