
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sat, 03 Sep 2022 19:10:25
Message-Id: 1662230515.2f03c3cca1ba622b2378892fadbce31ea5cfb317.perfinion@gentoo
1 commit: 2f03c3cca1ba622b2378892fadbce31ea5cfb317
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Mon May 16 15:28:49 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Sep 3 18:41:55 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2f03c3cc
7
8 podman: rework conmon rules
9
10 Use a template to generate conmon domains and add a common attribute for
11 them. This is so that domains that use conmon can execute it and have
12 conmon transition back to the original domain instead of to the generic
13 podman domain. This is used by CRI-O, for example.
14
15 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
16 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
17
18 policy/modules/services/podman.fc | 2 +-
19 policy/modules/services/podman.if | 96 +++++++++++++++-------
20 policy/modules/services/podman.te | 166 +++++++++++++-------------------------
21 3 files changed, 128 insertions(+), 136 deletions(-)
22
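diff --git a/policy/modules/services/podman.fc b/policy/modules/services/podman.fc
index ece2d0dc..31c45273 100644
--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1,2 +1,2 @@
 /usr/bin/podman -- gen_context(system_u:object_r:podman_exec_t,s0)
-/usr/bin/conmon -- gen_context(system_u:object_r:podman_conmon_exec_t,s0)
+/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)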
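diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
index 626af3af..09b4f031 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -1,5 +1,47 @@
 ## <summary>Policy for podman</summary>
 
+########################################
+## <summary>
+## Template for conmon domains.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for generated types.
+## </summary>
+## </param>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+template(`podman_conmon_domain_template',`
+ gen_require(`
+ attribute conmon_domain;
+ type conmon_exec_t;
+ ')
+
+ type $1_conmon_t, conmon_domain;
+ application_domain($1_conmon_t, conmon_exec_t)
+
+ domtrans_pattern($2, conmon_exec_t, $1_conmon_t)
+
+ allow $2 $1_conmon_t:process signull;
+ allow $2 $1_conmon_t:fifo_file setattr;
+ allow $2 $1_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+ allow $1_conmon_t $2:tcp_socket rw_stream_socket_perms;
+ allow $1_conmon_t $2:unix_stream_socket rw_stream_socket_perms;
+ allow $1_conmon_t $2:unix_dgram_socket rw_socket_perms;
+ ps_process_pattern($1_conmon_t, $2)
+
+ corecmd_search_bin($1_conmon_t)
+ # conmon will execute crun/runc to create the container,
+ # so transition back to the source domain when creating it
+ container_generic_engine_domtrans($1_conmon_t, $2)
+ container_engine_executable_entrypoint($2)
+')
+
 ########################################
 ## <summary>
 ## Execute podman in the podman domain.
@@ -96,7 +138,7 @@ interface(`podman_run_user',`
 
 ########################################
 ## <summary>
-## Execute conmon in the conmon domain.
+## Execute conmon in the podman conmon domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -106,18 +148,18 @@ interface(`podman_run_user',`
 #
 interface(`podman_domtrans_conmon',`
 gen_require(`
- type podman_conmon_t, podman_conmon_exec_t;
+ type podman_conmon_t, conmon_exec_t;
 ')
 
 corecmd_search_bin($1)
- domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_t)
+ domtrans_pattern($1, conmon_exec_t, podman_conmon_t)
 ')
 
 ########################################
 ## <summary>
-## Execute conmon in the conmon domain,
-## and allow the specified role the
-## conmon domain.
+## Execute conmon in the podman conmon
+## domain, and allow the specified role
+## the podman conmon domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -142,8 +184,8 @@ interface(`podman_run_conmon',`
 
 ########################################
 ## <summary>
-## Execute conmon in the conmon user
-## domain (rootless podman).
+## Execute conmon in the podman conmon
+## user domain (rootless podman).
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -153,19 +195,19 @@ interface(`podman_run_conmon',`
 #
 interface(`podman_domtrans_conmon_user',`
 gen_require(`
- type podman_conmon_user_t, podman_conmon_exec_t;
+ type podman_user_conmon_t, conmon_exec_t;
 ')
 
 corecmd_search_bin($1)
- domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_user_t)
+ domtrans_pattern($1, conmon_exec_t, podman_user_conmon_t)
 ')
 
 ########################################
 ## <summary>
-## Execute conmon in the conmon user
-## domain, and allow the specified role
-## the conmon user domain (rootless
-## podman).
+## Execute conmon in the podman conmon
+## user domain, and allow the specified
+## role the podman conmon user domain
+## (rootless podman).
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -180,10 +222,10 @@ interface(`podman_domtrans_conmon_user',`
 #
 interface(`podman_run_conmon_user',`
 gen_require(`
- type podman_conmon_user_t;
+ type podman_user_conmon_t;
 ')
 
- role $2 types podman_conmon_user_t;
+ role $2 types podman_user_conmon_t;
 
 podman_domtrans_conmon_user($1)
 ')
@@ -206,20 +248,20 @@ interface(`podman_run_conmon_user',`
 #
 interface(`podman_spec_rangetrans_conmon',`
 gen_require(`
- type podman_conmon_exec_t;
+ type conmon_exec_t;
 ')
 
 ifdef(`enable_mcs',`
- range_transition $1 podman_conmon_exec_t:process $2;
+ range_transition $1 conmon_exec_t:process $2;
 ')
 ifdef(`enable_mls',`
- range_transition $1 podman_conmon_exec_t:process $2;
+ range_transition $1 conmon_exec_t:process $2;
 ')
 ')
 
 ########################################
 ## <summary>
-## Read and write conmon unnamed pipes.
+## Read and write podman conmon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -230,17 +272,17 @@ interface(`podman_spec_rangetrans_conmon',`
 interface(`podman_rw_conmon_pipes',`
 gen_require(`
 type podman_conmon_t;
- type podman_conmon_user_t;
+ type podman_user_conmon_t;
 ')
 
 allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
- allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+ allow $1 podman_user_conmon_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
 ## Allow the specified domain to inherit
-## file descriptors from conmon.
+## file descriptors from podman conmon.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -251,11 +293,11 @@ interface(`podman_rw_conmon_pipes',`
 interface(`podman_use_conmon_fds',`
 gen_require(`
 type podman_conmon_t;
- type podman_conmon_user_t;
+ type podman_user_conmon_t;
 ')
 
 allow $1 podman_conmon_t:fd use;
- allow $1 podman_conmon_user_t:fd use;
+ allow $1 podman_user_conmon_t:fd use;
 ')
 
 ########################################
@@ -288,7 +330,7 @@ interface(`podman_use_conmon_fds',`
 template(`podman_user_role',`
 gen_require(`
 type podman_user_t;
- type podman_conmon_user_t;
+ type podman_user_conmon_t;
 ')
 
 podman_run_user($3, $4)
@@ -300,7 +342,7 @@ template(`podman_user_role',`
 
 optional_policy(`
 systemd_user_app_status($1, podman_user_t)
- systemd_user_app_status($1, podman_conmon_user_t)
+ systemd_user_app_status($1, podman_user_conmon_t)
 ')
 ')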
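Review bot: The `<param name="source_domain">` summary of `podman_conmon_domain_template` (`Domain allowed to transition.`) understates what the template does with `$2`: it grants the generated `$1_conmon_t` socket and ps access to `$2`, lets conmon transition back into `$2` through `container_generic_engine_domtrans`, and marks `$2` as a container engine entrypoint. The generated `$1_conmon_t` is also left without a role; podman.te adds `role system_r types podman_conmon_t;` by hand, and an out-of-module caller such as the CRI-O case named in the commit message would have to do the same. I would replace the summary with `Domain that executes conmon; it is given access to the generated conmon domain, conmon may interact with and transition back to it, and the caller must assign the generated domain to a role.` and add a `<desc>` block naming the generated type `$1_conmon_t`. A smaller point of style: the template applies `application_domain` unconditionally, so the rootless caller in podman.te layers `userdom_user_application_domain` on top of it — presumably harmless if the latter is a superset, but worth a comment in the template so the next caller knows which one to use.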
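diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index bb0f67bd..aef0fac9 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -21,31 +21,26 @@ container_user_engine(podman_user_t)
 userdom_user_application_domain(podman_user_t, podman_exec_t)
 mls_trusted_object(podman_user_t)
 
-type podman_conmon_t;
-type podman_conmon_exec_t;
-application_domain(podman_conmon_t, podman_conmon_exec_t)
+attribute conmon_domain;
+type conmon_exec_t;
+
+podman_conmon_domain_template(podman, podman_t)
 role system_r types podman_conmon_t;
 
-type podman_conmon_user_t;
-userdom_user_application_domain(podman_conmon_user_t, podman_conmon_exec_t)
+podman_conmon_domain_template(podman_user, podman_user_t)
+userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
 
 ########################################
 #
 # Podman local policy
 #
 
-allow podman_t podman_conmon_t:process { setsched signull };
-allow podman_t podman_conmon_t:fifo_file setattr;
-allow podman_t podman_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-container_engine_executable_entrypoint(podman_t)
+allow podman_t podman_conmon_t:process setsched;
 
 # podman 4.0.0 now creates OCI networking configs
 container_create_config_files(podman_t)
 container_write_config_files(podman_t)
 
-domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
-
 logging_send_syslog_msg(podman_t)
 
 userdom_list_user_home_content(podman_t)
@@ -90,14 +85,6 @@ ifdef(`init_systemd',`
 # Rootless Podman local policy
 #
 
-allow podman_user_t podman_conmon_user_t:process signull;
-allow podman_user_t podman_conmon_user_t:fifo_file setattr;
-allow podman_user_t podman_conmon_user_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-container_engine_executable_entrypoint(podman_user_t)
-
-domtrans_pattern(podman_user_t, podman_conmon_exec_t, podman_conmon_user_t)
-
 # required by slirp4netns
 files_mounton_etc_dirs(podman_user_t)
 # required by slirp4netns
@@ -154,50 +141,58 @@ ifdef(`init_systemd',`
 systemd_watch_journal_dirs(podman_user_t)
 ')
 
+
 ########################################
 #
-# conmon local policy
+# common conmon local policy
 #
 
-allow podman_conmon_t self:process signal;
-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
-allow podman_conmon_t self:cap_userns sys_ptrace;
-allow podman_conmon_t self:fifo_file { rw_fifo_file_perms setattr };
-allow podman_conmon_t self:unix_dgram_socket create_socket_perms;
-dontaudit podman_conmon_t self:capability net_admin;
+allow conmon_domain self:process signal;
+allow conmon_domain self:cap_userns sys_ptrace;
+allow conmon_domain self:fifo_file { rw_fifo_file_perms setattr };
+allow conmon_domain self:unix_dgram_socket create_socket_perms;
 
-# conmon will execute crun/runc to create the container
-container_generic_engine_domtrans(podman_conmon_t, podman_t)
-podman_domtrans(podman_conmon_t)
+domain_use_interactive_fds(conmon_domain)
 
-allow podman_conmon_t podman_t:tcp_socket rw_stream_socket_perms;
-allow podman_conmon_t podman_t:unix_stream_socket rw_stream_socket_perms;
-allow podman_conmon_t podman_t:unix_dgram_socket rw_socket_perms;
-ps_process_pattern(podman_conmon_t, podman_t)
+fs_getattr_cgroup(conmon_domain)
+fs_search_cgroup_dirs(conmon_domain)
+fs_read_cgroup_files(conmon_domain)
+fs_watch_cgroup_files(conmon_domain)
 
-domain_use_interactive_fds(podman_conmon_t)
+fs_getattr_tmpfs(conmon_domain)
+fs_getattr_xattr_fs(conmon_domain)
 
-fs_getattr_cgroup(podman_conmon_t)
-fs_search_cgroup_dirs(podman_conmon_t)
-fs_read_cgroup_files(podman_conmon_t)
-fs_watch_cgroup_files(podman_conmon_t)
+logging_send_syslog_msg(conmon_domain)
 
-fs_getattr_tmpfs(podman_conmon_t)
-fs_getattr_xattr_fs(podman_conmon_t)
+miscfiles_read_localization(conmon_domain)
 
-init_rw_inherited_stream_socket(podman_conmon_t)
-init_use_fds(podman_conmon_t)
+userdom_use_user_ptys(conmon_domain)
 
-logging_send_syslog_msg(podman_conmon_t)
+# to send/receive data from container ttys
+container_rw_chr_files(conmon_domain)
 
-miscfiles_read_localization(podman_conmon_t)
+ifdef(`init_systemd',`
+ # conmon can read logs from containers which are
+ # sent to the system journal
+ logging_search_logs(conmon_domain)
+ systemd_list_journal_dirs(conmon_domain)
+ systemd_read_journal_files(conmon_domain)
+')
 
-userdom_use_user_ptys(podman_conmon_t)
+########################################
+#
+# podman conmon local policy
+#
 
-container_read_system_container_state(podman_conmon_t)
+allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+dontaudit podman_conmon_t self:capability net_admin;
 
-# to send/receive data from container ttys
-container_rw_chr_files(podman_conmon_t)
+podman_domtrans(podman_conmon_t)
+
+init_rw_inherited_stream_socket(podman_conmon_t)
+init_use_fds(podman_conmon_t)
+
+container_read_system_container_state(podman_conmon_t)
 
 container_manage_runtime_files(podman_conmon_t)
 container_manage_runtime_fifo_files(podman_conmon_t)
@@ -217,12 +212,6 @@ ifdef(`init_systemd',`
 init_start_transient_units(podman_conmon_t)
 init_start_system(podman_conmon_t)
 init_stop_system(podman_conmon_t)
-
- # conmon can read logs from containers which are
- # sent to the system journal
- logging_search_logs(podman_conmon_t)
- systemd_list_journal_dirs(podman_conmon_t)
- systemd_read_journal_files(podman_conmon_t)
 ')
 
 optional_policy(`
@@ -231,62 +220,23 @@ optional_policy(`
 
 ########################################
 #
-# Rootless conmon local policy
+# Rootless podman conmon local policy
 #
 
-allow podman_conmon_user_t self:process signal;
-allow podman_conmon_user_t self:cap_userns sys_ptrace;
-allow podman_conmon_user_t self:fifo_file { rw_fifo_file_perms setattr };
-allow podman_conmon_user_t self:unix_dgram_socket create_socket_perms;
-
-ps_process_pattern(podman_conmon_user_t, podman_user_t)
-allow podman_conmon_user_t podman_user_t:process signal;
-allow podman_conmon_user_t podman_user_t:unix_stream_socket rw_stream_socket_perms;
-allow podman_conmon_user_t podman_user_t:unix_dgram_socket rw_socket_perms;
-
-# conmon will execute crun/runc to create the container
-container_generic_engine_domtrans(podman_conmon_user_t, podman_user_t)
-podman_domtrans_user(podman_conmon_user_t)
-
-domain_use_interactive_fds(podman_conmon_user_t)
+podman_domtrans_user(podman_user_conmon_t)
 
-fs_getattr_cgroup(podman_conmon_user_t)
-fs_search_cgroup_dirs(podman_conmon_user_t)
-fs_read_cgroup_files(podman_conmon_user_t)
-fs_watch_cgroup_files(podman_conmon_user_t)
+container_read_user_container_state(podman_user_conmon_t)
 
-fs_getattr_tmpfs(podman_conmon_user_t)
-fs_getattr_xattr_fs(podman_conmon_user_t)
+userdom_search_user_home_dirs(podman_user_conmon_t)
+xdg_search_data_dirs(podman_user_conmon_t)
+container_manage_home_data_files(podman_user_conmon_t)
+container_manage_home_data_fifo_files(podman_user_conmon_t)
+container_manage_home_data_sock_files(podman_user_conmon_t)
 
-logging_send_syslog_msg(podman_conmon_user_t)
+userdom_search_user_runtime_root(podman_user_conmon_t)
+userdom_search_user_runtime(podman_user_conmon_t)
+container_manage_user_runtime_files(podman_user_conmon_t)
 
-miscfiles_read_localization(podman_conmon_user_t)
-
-userdom_use_user_ptys(podman_conmon_user_t)
-
-container_read_user_container_state(podman_conmon_user_t)
-
-# to send/receive data from container ttys
-container_rw_chr_files(podman_conmon_user_t)
-
-userdom_search_user_home_dirs(podman_conmon_user_t)
-xdg_search_data_dirs(podman_conmon_user_t)
-container_manage_home_data_files(podman_conmon_user_t)
-container_manage_home_data_fifo_files(podman_conmon_user_t)
-container_manage_home_data_sock_files(podman_conmon_user_t)
-
-userdom_search_user_runtime_root(podman_conmon_user_t)
-userdom_search_user_runtime(podman_conmon_user_t)
-container_manage_user_runtime_files(podman_conmon_user_t)
-
-container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
-container_manage_engine_tmp_files(podman_conmon_user_t)
-container_manage_engine_tmp_sock_files(podman_conmon_user_t)
-
-ifdef(`init_systemd',`
- # conmon can read logs from containers which are
- # sent to the system journal
- logging_search_logs(podman_conmon_user_t)
- systemd_list_journal_dirs(podman_conmon_user_t)
- systemd_read_journal_files(podman_conmon_user_t)
-')
+container_engine_tmp_filetrans(podman_user_conmon_t, { file sock_file })
+container_manage_engine_tmp_files(podman_user_conmon_t)
+container_manage_engine_tmp_sock_files(podman_user_conmon_t)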
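Review bot: The rootless conmon domain loses its `process signal` permission on `podman_user_t`: the last hunk removes `allow podman_conmon_user_t podman_user_t:process signal;`, while `podman_conmon_domain_template` only grants the opposite direction (`allow $2 $1_conmon_t:process signull;`), so unless it is re-granted somewhere outside this diff, `podman_user_conmon_t` can no longer signal its parent podman and this reads as a silent regression rather than part of the rework. If the permission is still needed, add `allow podman_user_conmon_t podman_user_t:process signal;` under the rootless podman conmon heading, or make signalling `$2` part of the template so every conmon domain behaves the same. Conversely the template now gives `podman_user_conmon_t` `tcp_socket rw_stream_socket_perms` on `podman_user_t`, which the removed rootless rules never had; if that is intended for rootless as well, a short comment next to the `tcp_socket` rule in the template saying why would help, otherwise it is a widening that least privilege would avoid.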