commit: 2f03c3cca1ba622b2378892fadbce31ea5cfb317 |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Mon May 16 15:28:49 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Sep 3 18:41:55 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2f03c3cc |
|
podman: rework conmon rules |
|
Use a template to generate conmon domains and add a common attribute for |
them. This is so that domains that use conmon can execute it and have |
conmon transition back to the original domain instead of to the generic |
podman domain. This is used by CRI-O, for example. |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/podman.fc | 2 +- |
policy/modules/services/podman.if | 96 +++++++++++++++------- |
policy/modules/services/podman.te | 166 +++++++++++++------------------------- |
3 files changed, 128 insertions(+), 136 deletions(-) |
|
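--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1,2 +1,2 @@
 /usr/bin/podman -- gen_context(system_u:object_r:podman_exec_t,s0)
-/usr/bin/conmon -- gen_context(system_u:object_r:podman_conmon_exec_t,s0)
+/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)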
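--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -1,5 +1,47 @@
 ## <summary>Policy for podman</summary>
 
+########################################
+## <summary>
+## Template for conmon domains.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for generated types.
+## </summary>
+## </param>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`podman_conmon_domain_template',`
+ gen_require(`
+ attribute conmon_domain;
+ type conmon_exec_t;
+ ')
+
+ type $1_conmon_t, conmon_domain;
+ application_domain($1_conmon_t, conmon_exec_t)
+
+ domtrans_pattern($2, conmon_exec_t, $1_conmon_t)
+
+ allow $2 $1_conmon_t:process signull;
+ allow $2 $1_conmon_t:fifo_file setattr;
+ allow $2 $1_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+ allow $1_conmon_t $2:tcp_socket rw_stream_socket_perms;
+ allow $1_conmon_t $2:unix_stream_socket rw_stream_socket_perms;
+ allow $1_conmon_t $2:unix_dgram_socket rw_socket_perms;
+ ps_process_pattern($1_conmon_t, $2)
+
+ corecmd_search_bin($1_conmon_t)
+ # conmon will execute crun/runc to create the container,
+ # so transition back to the source domain when creating it
+ container_generic_engine_domtrans($1_conmon_t, $2)
+ container_engine_executable_entrypoint($2)
+')
+
 ########################################
 ## <summary>
 ## Execute podman in the podman domain.
@@ -96,7 +138,7 @@ interface(`podman_run_user',`
 
 ########################################
 ## <summary>
-## Execute conmon in the conmon domain.
+## Execute conmon in the podman conmon domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -106,18 +148,18 @@ interface(`podman_run_user',`
 #
 interface(`podman_domtrans_conmon',`
 gen_require(`
- type podman_conmon_t, podman_conmon_exec_t;
+ type podman_conmon_t, conmon_exec_t;
 ')
 
 corecmd_search_bin($1)
- domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_t)
+ domtrans_pattern($1, conmon_exec_t, podman_conmon_t)
 ')
 
 ########################################
 ## <summary>
-## Execute conmon in the conmon domain,
-## and allow the specified role the
-## conmon domain.
+## Execute conmon in the podman conmon
+## domain, and allow the specified role
+## the podman conmon domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -142,8 +184,8 @@ interface(`podman_run_conmon',`
 
 ########################################
 ## <summary>
-## Execute conmon in the conmon user
-## domain (rootless podman).
+## Execute conmon in the podman conmon
+## user domain (rootless podman).
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -153,19 +195,19 @@ interface(`podman_run_conmon',`
 #
 interface(`podman_domtrans_conmon_user',`
 gen_require(`
- type podman_conmon_user_t, podman_conmon_exec_t;
+ type podman_user_conmon_t, conmon_exec_t;
 ')
 
 corecmd_search_bin($1)
- domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_user_t)
+ domtrans_pattern($1, conmon_exec_t, podman_user_conmon_t)
 ')
 
 ########################################
 ## <summary>
-## Execute conmon in the conmon user
-## domain, and allow the specified role
-## the conmon user domain (rootless
-## podman).
+## Execute conmon in the podman conmon
+## user domain, and allow the specified
+## role the podman conmon user domain
+## (rootless podman).
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -180,10 +222,10 @@ interface(`podman_domtrans_conmon_user',`
 #
 interface(`podman_run_conmon_user',`
 gen_require(`
- type podman_conmon_user_t;
+ type podman_user_conmon_t;
 ')
 
- role $2 types podman_conmon_user_t;
+ role $2 types podman_user_conmon_t;
 
 podman_domtrans_conmon_user($1)
 ')
@@ -206,20 +248,20 @@ interface(`podman_run_conmon_user',`
 #
 interface(`podman_spec_rangetrans_conmon',`
 gen_require(`
- type podman_conmon_exec_t;
+ type conmon_exec_t;
 ')
 
 ifdef(`enable_mcs',`
- range_transition $1 podman_conmon_exec_t:process $2;
+ range_transition $1 conmon_exec_t:process $2;
 ')
 ifdef(`enable_mls',`
- range_transition $1 podman_conmon_exec_t:process $2;
+ range_transition $1 conmon_exec_t:process $2;
 ')
 ')
 
 ########################################
 ## <summary>
-## Read and write conmon unnamed pipes.
+## Read and write podman conmon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -230,17 +272,17 @@ interface(`podman_spec_rangetrans_conmon',`
 interface(`podman_rw_conmon_pipes',`
 gen_require(`
 type podman_conmon_t;
- type podman_conmon_user_t;
+ type podman_user_conmon_t;
 ')
 
 allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
- allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+ allow $1 podman_user_conmon_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
 ## Allow the specified domain to inherit
-## file descriptors from conmon.
+## file descriptors from podman conmon.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -251,11 +293,11 @@ interface(`podman_rw_conmon_pipes',`
 interface(`podman_use_conmon_fds',`
 gen_require(`
 type podman_conmon_t;
- type podman_conmon_user_t;
+ type podman_user_conmon_t;
 ')
 
 allow $1 podman_conmon_t:fd use;
- allow $1 podman_conmon_user_t:fd use;
+ allow $1 podman_user_conmon_t:fd use;
 ')
 
 ########################################
@@ -288,7 +330,7 @@ interface(`podman_use_conmon_fds',`
 template(`podman_user_role',`
 gen_require(`
 type podman_user_t;
- type podman_conmon_user_t;
+ type podman_user_conmon_t;
 ')
 
 podman_run_user($3, $4)
@@ -300,7 +342,7 @@ template(`podman_user_role',`
 
 optional_policy(`
 systemd_user_app_status($1, podman_user_t)
- systemd_user_app_status($1, podman_conmon_user_t)
+ systemd_user_app_status($1, podman_user_conmon_t)
 ')
 ')
 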
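Review bot: The header of `podman_conmon_domain_template` documents the two parameters but not what the template does to `$2` or what it leaves to the caller: it grants `$2` signull, fifo_file setattr and unix_stream_socket connectto on `$1_conmon_t`, calls `container_engine_executable_entrypoint($2)`, and assigns no role to `$1_conmon_t`, which is why podman.te still needs `role system_r types podman_conmon_t;` after the template call. A `<desc>` block after the summary should state that the caller must assign a role to the generated domain and that `$2` is made a container-engine entrypoint so conmon can transition back into it through `container_generic_engine_domtrans`. The `source_domain` summary `Domain allowed to transition.` would be clearer as `Domain that executes conmon and that conmon transitions back into when it runs the OCI runtime.`.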
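--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -21,31 +21,26 @@ container_user_engine(podman_user_t)
 userdom_user_application_domain(podman_user_t, podman_exec_t)
 mls_trusted_object(podman_user_t)
 
-type podman_conmon_t;
-type podman_conmon_exec_t;
-application_domain(podman_conmon_t, podman_conmon_exec_t)
+attribute conmon_domain;
+type conmon_exec_t;
+
+podman_conmon_domain_template(podman, podman_t)
 role system_r types podman_conmon_t;
 
-type podman_conmon_user_t;
-userdom_user_application_domain(podman_conmon_user_t, podman_conmon_exec_t)
+podman_conmon_domain_template(podman_user, podman_user_t)
+userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
 
 ########################################
 #
 # Podman local policy
 #
 
-allow podman_t podman_conmon_t:process { setsched signull };
-allow podman_t podman_conmon_t:fifo_file setattr;
-allow podman_t podman_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-container_engine_executable_entrypoint(podman_t)
+allow podman_t podman_conmon_t:process setsched;
 
 # podman 4.0.0 now creates OCI networking configs
 container_create_config_files(podman_t)
 container_write_config_files(podman_t)
 
-domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
-
 logging_send_syslog_msg(podman_t)
 
 userdom_list_user_home_content(podman_t)
@@ -90,14 +85,6 @@ ifdef(`init_systemd',`
 # Rootless Podman local policy
 #
 
-allow podman_user_t podman_conmon_user_t:process signull;
-allow podman_user_t podman_conmon_user_t:fifo_file setattr;
-allow podman_user_t podman_conmon_user_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-container_engine_executable_entrypoint(podman_user_t)
-
-domtrans_pattern(podman_user_t, podman_conmon_exec_t, podman_conmon_user_t)
-
 # required by slirp4netns
 files_mounton_etc_dirs(podman_user_t)
 # required by slirp4netns
@@ -154,50 +141,58 @@ ifdef(`init_systemd',`
 systemd_watch_journal_dirs(podman_user_t)
 ')
 
+
 ########################################
 #
-# conmon local policy
+# common conmon local policy
 #
 
-allow podman_conmon_t self:process signal;
-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
-allow podman_conmon_t self:cap_userns sys_ptrace;
-allow podman_conmon_t self:fifo_file { rw_fifo_file_perms setattr };
-allow podman_conmon_t self:unix_dgram_socket create_socket_perms;
-dontaudit podman_conmon_t self:capability net_admin;
+allow conmon_domain self:process signal;
+allow conmon_domain self:cap_userns sys_ptrace;
+allow conmon_domain self:fifo_file { rw_fifo_file_perms setattr };
+allow conmon_domain self:unix_dgram_socket create_socket_perms;
 
-# conmon will execute crun/runc to create the container
-container_generic_engine_domtrans(podman_conmon_t, podman_t)
-podman_domtrans(podman_conmon_t)
+domain_use_interactive_fds(conmon_domain)
 
-allow podman_conmon_t podman_t:tcp_socket rw_stream_socket_perms;
-allow podman_conmon_t podman_t:unix_stream_socket rw_stream_socket_perms;
-allow podman_conmon_t podman_t:unix_dgram_socket rw_socket_perms;
-ps_process_pattern(podman_conmon_t, podman_t)
+fs_getattr_cgroup(conmon_domain)
+fs_search_cgroup_dirs(conmon_domain)
+fs_read_cgroup_files(conmon_domain)
+fs_watch_cgroup_files(conmon_domain)
 
-domain_use_interactive_fds(podman_conmon_t)
+fs_getattr_tmpfs(conmon_domain)
+fs_getattr_xattr_fs(conmon_domain)
 
-fs_getattr_cgroup(podman_conmon_t)
-fs_search_cgroup_dirs(podman_conmon_t)
-fs_read_cgroup_files(podman_conmon_t)
-fs_watch_cgroup_files(podman_conmon_t)
+logging_send_syslog_msg(conmon_domain)
 
-fs_getattr_tmpfs(podman_conmon_t)
-fs_getattr_xattr_fs(podman_conmon_t)
+miscfiles_read_localization(conmon_domain)
 
-init_rw_inherited_stream_socket(podman_conmon_t)
-init_use_fds(podman_conmon_t)
+userdom_use_user_ptys(conmon_domain)
 
-logging_send_syslog_msg(podman_conmon_t)
+# to send/receive data from container ttys
+container_rw_chr_files(conmon_domain)
 
-miscfiles_read_localization(podman_conmon_t)
+ifdef(`init_systemd',`
+ # conmon can read logs from containers which are
+ # sent to the system journal
+ logging_search_logs(conmon_domain)
+ systemd_list_journal_dirs(conmon_domain)
+ systemd_read_journal_files(conmon_domain)
+')
 
-userdom_use_user_ptys(podman_conmon_t)
+########################################
+#
+# podman conmon local policy
+#
 
-container_read_system_container_state(podman_conmon_t)
+allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+dontaudit podman_conmon_t self:capability net_admin;
 
-# to send/receive data from container ttys
-container_rw_chr_files(podman_conmon_t)
+podman_domtrans(podman_conmon_t)
+
+init_rw_inherited_stream_socket(podman_conmon_t)
+init_use_fds(podman_conmon_t)
+
+container_read_system_container_state(podman_conmon_t)
 
 container_manage_runtime_files(podman_conmon_t)
 container_manage_runtime_fifo_files(podman_conmon_t)
@@ -217,12 +212,6 @@ ifdef(`init_systemd',`
 init_start_transient_units(podman_conmon_t)
 init_start_system(podman_conmon_t)
 init_stop_system(podman_conmon_t)
-
- # conmon can read logs from containers which are
- # sent to the system journal
- logging_search_logs(podman_conmon_t)
- systemd_list_journal_dirs(podman_conmon_t)
- systemd_read_journal_files(podman_conmon_t)
 ')
 
 optional_policy(`
@@ -231,62 +220,23 @@ optional_policy(`
 
 ########################################
 #
-# Rootless conmon local policy
+# Rootless podman conmon local policy
 #
 
-allow podman_conmon_user_t self:process signal;
-allow podman_conmon_user_t self:cap_userns sys_ptrace;
-allow podman_conmon_user_t self:fifo_file { rw_fifo_file_perms setattr };
-allow podman_conmon_user_t self:unix_dgram_socket create_socket_perms;
-
-ps_process_pattern(podman_conmon_user_t, podman_user_t)
-allow podman_conmon_user_t podman_user_t:process signal;
-allow podman_conmon_user_t podman_user_t:unix_stream_socket rw_stream_socket_perms;
-allow podman_conmon_user_t podman_user_t:unix_dgram_socket rw_socket_perms;
-
-# conmon will execute crun/runc to create the container
-container_generic_engine_domtrans(podman_conmon_user_t, podman_user_t)
-podman_domtrans_user(podman_conmon_user_t)
-
-domain_use_interactive_fds(podman_conmon_user_t)
+podman_domtrans_user(podman_user_conmon_t)
 
-fs_getattr_cgroup(podman_conmon_user_t)
-fs_search_cgroup_dirs(podman_conmon_user_t)
-fs_read_cgroup_files(podman_conmon_user_t)
-fs_watch_cgroup_files(podman_conmon_user_t)
+container_read_user_container_state(podman_user_conmon_t)
 
-fs_getattr_tmpfs(podman_conmon_user_t)
-fs_getattr_xattr_fs(podman_conmon_user_t)
+userdom_search_user_home_dirs(podman_user_conmon_t)
+xdg_search_data_dirs(podman_user_conmon_t)
+container_manage_home_data_files(podman_user_conmon_t)
+container_manage_home_data_fifo_files(podman_user_conmon_t)
+container_manage_home_data_sock_files(podman_user_conmon_t)
 
-logging_send_syslog_msg(podman_conmon_user_t)
+userdom_search_user_runtime_root(podman_user_conmon_t)
+userdom_search_user_runtime(podman_user_conmon_t)
+container_manage_user_runtime_files(podman_user_conmon_t)
 
-miscfiles_read_localization(podman_conmon_user_t)
-
-userdom_use_user_ptys(podman_conmon_user_t)
-
-container_read_user_container_state(podman_conmon_user_t)
-
-# to send/receive data from container ttys
-container_rw_chr_files(podman_conmon_user_t)
-
-userdom_search_user_home_dirs(podman_conmon_user_t)
-xdg_search_data_dirs(podman_conmon_user_t)
-container_manage_home_data_files(podman_conmon_user_t)
-container_manage_home_data_fifo_files(podman_conmon_user_t)
-container_manage_home_data_sock_files(podman_conmon_user_t)
-
-userdom_search_user_runtime_root(podman_conmon_user_t)
-userdom_search_user_runtime(podman_conmon_user_t)
-container_manage_user_runtime_files(podman_conmon_user_t)
-
-container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
-container_manage_engine_tmp_files(podman_conmon_user_t)
-container_manage_engine_tmp_sock_files(podman_conmon_user_t)
-
-ifdef(`init_systemd',`
- # conmon can read logs from containers which are
- # sent to the system journal
- logging_search_logs(podman_conmon_user_t)
- systemd_list_journal_dirs(podman_conmon_user_t)
- systemd_read_journal_files(podman_conmon_user_t)
-')
+container_engine_tmp_filetrans(podman_user_conmon_t, { file sock_file })
+container_manage_engine_tmp_files(podman_user_conmon_t)
+container_manage_engine_tmp_sock_files(podman_user_conmon_t)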
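Review bot: The rootless conmon domain loses `allow podman_conmon_user_t podman_user_t:process signal;`, removed in the last hunk, with no replacement: the template only grants the conmon domain socket access and `ps_process_pattern` on `$2`, and the new `podman_user_conmon_t` block adds no process permission. If conmon still needs to signal rootless podman, re-add `allow podman_user_conmon_t podman_user_t:process signal;` next to `podman_domtrans_user(podman_user_conmon_t)`; if the drop is intended, the commit message should say so. In the same hunk the template now gives `podman_user_conmon_t` tcp_socket rw_stream_socket_perms on `podman_user_t`, which the old rootless rules did not grant, so the rework also widens the rootless policy slightly. In the first hunk, `userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)` follows the template's own `application_domain` call on the same pair; presumably the second call is kept for the userdom attributes, but it looks worth confirming that the two do not overlap.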