commit: 362646fea58e06a59f257c4c0f7e96cfd3105de6 |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Tue Jan 11 20:56:38 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Jan 30 01:15:06 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=362646fe |
|
rootlesskit: new policy module |
|
Rootlesskit is required by rootless docker |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/rootlesskit.fc | 3 + |
policy/modules/services/rootlesskit.if | 106 +++++++++++++++++++++++++++++++++ |
policy/modules/services/rootlesskit.te | 43 +++++++++++++ |
3 files changed, 152 insertions(+) |
|
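diff --git a/policy/modules/services/rootlesskit.fc b/policy/modules/services/rootlesskit.fc
new file mode 100644
index 00000000..613ebd9b
--- /dev/null
+++ b/policy/modules/services/rootlesskit.fc
@@ -0,0 +1,3 @@
+/usr/bin/rootlesskit -- gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlessctl -- gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlesskit-docker-proxy -- gen_context(system_u:object_r:rootlesskit_exec_t,s0)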
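Review bot: All three binaries share rootlesskit_exec_t, so rootlessctl (presumably the control CLI) and rootlesskit-docker-proxy (presumably the per-port forwarding helper spawned for docker) transition into the same rootlesskit_t domain as the namespace parent and inherit its whole grant, including the tun_socket relabel and the system-wide list/getattr access the .te file in this commit adds. If those helpers do not need that access, a separate exec type, or leaving them in the caller's domain, would confine the privileged surface to the one binary that actually sets up the namespaces. If the sharing is deliberate, a comment such as `# rootlessctl and the docker proxy helper intentionally run in rootlesskit_t` would record that.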
|
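diff --git a/policy/modules/services/rootlesskit.if b/policy/modules/services/rootlesskit.if
new file mode 100644
index 00000000..2be598d7
--- /dev/null
+++ b/policy/modules/services/rootlesskit.if
@@ -0,0 +1,106 @@
+## <summary>Policy for RootlessKit</summary>
+
+########################################
+## <summary>
+## Execute rootlesskit in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rootlesskit_exec',`
+ gen_require(`
+ type rootlesskit_exec_t;
+ ')
+
+ can_exec($1, rootlesskit_exec_t)
+')
+
+########################################
+## <summary>
+## Execute rootlesskit in the rootlesskit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rootlesskit_domtrans',`
+ gen_require(`
+ type rootlesskit_t, rootlesskit_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rootlesskit_exec_t, rootlesskit_t)
+')
+
+########################################
+## <summary>
+## Execute rootlesskit in the rootlesskit
+## domain, and allow the specified role
+## the rootlesskit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the rootlesskit domain.
+## </summary>
+## </param>
+#
+interface(`rootlesskit_run',`
+ gen_require(`
+ type rootlesskit_t;
+ ')
+
+ role $2 types rootlesskit_t;
+
+ rootlesskit_domtrans($1)
+')
+
+########################################
+## <summary>
+## Role access for rootlesskit.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+## <param name="user_exec_domain">
+## <summary>
+## User exec domain for execute and transition access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+template(`rootlesskit_role',`
+ gen_require(`
+ type rootlesskit_t;
+ type rootlesskit_exec_t;
+ ')
+
+ rootlesskit_run($3, $4)
+
+ optional_policy(`
+ systemd_user_daemon_domain($1, rootlesskit_exec_t, rootlesskit_t)
+ ')
+')
+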
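Review bot: In `rootlesskit_role` the `user_domain` parameter (`$2`) is documented but never used, so the user domain that launches rootlesskit through `rootlesskit_run($3, $4)` gets no rule of its own toward the resulting rootlesskit_t process; refpolicy role templates usually grant at least `ps_process_pattern($2, rootlesskit_t)` and `allow $2 rootlesskit_t:process signal_perms;` so the user can see and stop their own engine. Whether `ptrace` belongs in that set deserves a deliberate decision rather than a copy from other templates, because the .te file in this commit gives rootlesskit_t access (system-wide listing and stat, tun_socket relabel) that the user domain does not have. If leaving `$2` unused is intentional, a one-line comment inside the template saying so would stop the next reader from "fixing" it.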
|
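diff --git a/policy/modules/services/rootlesskit.te b/policy/modules/services/rootlesskit.te
new file mode 100644
index 00000000..31168801
--- /dev/null
+++ b/policy/modules/services/rootlesskit.te
@@ -0,0 +1,43 @@
+policy_module(rootlesskit)
+
+########################################
+#
+# Declarations
+#
+
+container_engine_domain_template(rootlesskit)
+type rootlesskit_exec_t;
+container_user_engine(rootlesskit_t)
+application_domain(rootlesskit_t, rootlesskit_exec_t)
+mls_trusted_object(rootlesskit_t)
+
+########################################
+#
+# Rootlesskit local policy
+#
+
+# rootlesskit fails without this access
+allow rootlesskit_t self:tun_socket { relabelfrom relabelto };
+
+can_exec(rootlesskit_t, rootlesskit_exec_t)
+
+domain_use_interactive_fds(rootlesskit_t)
+
+# any dir not readable or file not stat-able causes rootlesskit to hang
+# when --copy-up would access it; the below rules cover at least the
+# access needed for rootless docker (copying /etc and /run)
+files_list_all(rootlesskit_t)
+files_getattr_all_files(rootlesskit_t)
+files_getattr_all_pipes(rootlesskit_t)
+files_getattr_all_sockets(rootlesskit_t)
+
+kernel_read_sysctl(rootlesskit_t)
+
+auth_use_nsswitch(rootlesskit_t)
+
+userdom_exec_user_bin_files(rootlesskit_t)
+
+optional_policy(`
+ dbus_list_system_bus_runtime(rootlesskit_t)
+ dbus_system_bus_client(rootlesskit_t)
+')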
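Review bot: The `files_list_all` / `files_getattr_all_*` rules grant directory listing and stat on every file_type label in the system, while the comment above them only justifies the copy-up of `/etc` and `/run`; as far as I recall file_type's membership, that also covers security-sensitive labels such as shadow_t and admin_home_t, and stacked on the container_engine_domain attribute it makes rootlesskit_t a fairly capable domain to hand to whatever command the user asks rootlesskit to run. If the hang only arises on the copy-up targets, something closer to `files_list_etc`, `files_list_runtime` plus getattr on the types actually present under those trees would be tighter; if the broad grant is genuinely required, the comment should say that it works around rootlesskit hanging instead of failing on a denied stat and that the rules deliberately exceed the stated need, so nobody narrows them later without retesting. Separately, `userdom_exec_user_bin_files` runs user_bin_t binaries (for example a dockerd installed under `~/bin`) with no domain transition, so they keep rootlesskit_t's full grant; a comment such as `# rootlesskit_t is not a boundary against the invoking user: the wrapped command runs here too` would make that explicit.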