commit: 04b08d98853038ae67ee57607755fb8ac1b7f7a0 |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Wed Apr 27 22:47:57 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Sep 3 18:41:55 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04b08d98 |
|
container: add unconfined role |
|
Add a specific template for unconfined role access. This is mostly |
identical to the user role except container engines will run in the |
caller domain. |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/container.if | 217 +++++++++++++++++++++++++++-------- |
1 file changed, 171 insertions(+), 46 deletions(-) |
|
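--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -130,7 +130,6 @@ interface(`container_user_engine',`
 #
 template(`container_base_role',`
 	gen_require(`
-		type container_file_t, container_ro_file_t;
 		type container_config_t;
 	')
 
@@ -143,19 +142,8 @@ template(`container_base_role',`
 	files_search_etc($2)
 	read_files_pattern($2, container_config_t, container_config_t)
 
-	allow $2 container_file_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_file_t:file { manage_file_perms relabel_file_perms };
-	allow $2 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $2 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $2 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $2 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-
-	allow $2 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_ro_file_t:file { manage_file_perms relabel_file_perms };
-	allow $2 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $2 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $2 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $2 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+	container_admin_all_files($2)
+	container_admin_all_ro_files($2)
 ')
 
 ########################################
@@ -230,10 +218,6 @@ template(`container_user_role',`
 	gen_require(`
 		attribute container_user_domain;
 		attribute container_engine_user_domain;
-		type container_file_t, container_ro_file_t;
-		type container_user_runtime_t;
-		type container_cache_home_t, container_conf_home_t;
-		type container_data_home_t;
 	')
 
 	role $4 types container_user_domain;
@@ -245,34 +229,8 @@ template(`container_user_role',`
 	allow $3 container_user_domain:process { ptrace signal_perms };
 	ps_process_pattern($3, container_user_domain)
 
-	allow $2 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_user_runtime_t:file { manage_file_perms relabel_file_perms };
-	allow $2 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $2 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
-	allow $2 container_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_cache_home_t:file { manage_file_perms relabel_file_perms };
-	xdg_cache_filetrans($2, container_cache_home_t, dir, "containers")
-
-	allow $2 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_conf_home_t:file { manage_file_perms relabel_file_perms };
-	xdg_config_filetrans($2, container_conf_home_t, dir, "containers")
-
-	allow $2 container_data_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_data_home_t:file { manage_file_perms relabel_file_perms };
-	allow $2 container_data_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $2 container_data_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $2 container_data_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $2 container_data_home_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $2 container_data_home_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-	xdg_data_filetrans($2, container_data_home_t, dir, "containers")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay-images")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay-layers")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2-images")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
-	filetrans_pattern($2, container_data_home_t, container_file_t, dir, "volumes")
+	container_admin_all_home_content($2)
+	container_admin_all_user_runtime_content($2)
 
 	optional_policy(`
 		systemd_read_user_manager_state($1, container_engine_user_domain)
@@ -293,6 +251,60 @@ template(`container_user_role',`
 	')
 ')
 
+########################################
+## <summary>
+##	Unconfined role access for containers.
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+template(`container_unconfined_role',`
+	gen_require(`
+		attribute container_domain;
+		type container_config_t;
+	')
+
+	role $4 types container_domain;
+
+	allow $3 container_domain:process transition;
+	allow $3 container_domain:process2 { nnp_transition nosuid_transition };
+	allow container_domain $3:fd use;
+	allow container_domain $3:unix_stream_socket rw_stream_socket_perms;
+
+	allow $3 self:cap_userns { kill sys_ptrace };
+
+	allow $3 container_domain:process { ptrace signal_perms };
+	ps_process_pattern($3, container_domain)
+
+	files_search_etc($2)
+	read_files_pattern($2, container_config_t, container_config_t)
+
+	container_admin_all_files($2)
+	container_admin_all_ro_files($2)
+
+	container_admin_all_home_content($2)
+	container_admin_all_user_runtime_content($2)
+')
+
 ########################################
 ## <summary>
 ##	Execute generic container engines in the
@@ -1079,6 +1091,119 @@ interface(`container_manage_home_data_sock_files',`
 	manage_sock_files_pattern($1, container_data_home_t, container_data_home_t)
 ')
 
+########################################
+## <summary>
+##	Administrate all container files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_admin_all_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_file_t:file { manage_file_perms relabel_file_perms };
+	allow $1 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $1 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	allow $1 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+	allow $1 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+')
+
+########################################
+## <summary>
+##	Administrate all container read-only files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_admin_all_ro_files',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+	allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_ro_file_t:file { manage_file_perms relabel_file_perms };
+	allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $1 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	allow $1 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+	allow $1 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+')
+
+########################################
+## <summary>
+##	All of the rules necessary for a user
+##	to manage user container runtime data
+##	in their user runtime directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_admin_all_user_runtime_content',`
+	gen_require(`
+		type container_user_runtime_t;
+	')
+
+	allow $1 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_user_runtime_t:file { manage_file_perms relabel_file_perms };
+	allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+	allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+')
+
+########################################
+## <summary>
+##	All of the rules necessary for a user
+##	to manage container data in their home
+##	directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_admin_all_home_content',`
+	gen_require(`
+		type container_file_t, container_ro_file_t;
+		type container_cache_home_t, container_conf_home_t;
+		type container_data_home_t;
+	')
+
+	allow $1 container_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_cache_home_t:file { manage_file_perms relabel_file_perms };
+	xdg_cache_filetrans($1, container_cache_home_t, dir, "containers")
+
+	allow $1 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_conf_home_t:file { manage_file_perms relabel_file_perms };
+	xdg_config_filetrans($1, container_conf_home_t, dir, "containers")
+
+	allow $1 container_data_home_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_data_home_t:file { manage_file_perms relabel_file_perms };
+	allow $1 container_data_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $1 container_data_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+	allow $1 container_data_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	allow $1 container_data_home_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+	allow $1 container_data_home_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+	xdg_data_filetrans($1, container_data_home_t, dir, "containers")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay-images")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay-layers")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2-images")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
+	filetrans_pattern($1, container_data_home_t, container_file_t, dir, "volumes")
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to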
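Review bot: In the new `container_unconfined_role` template the `role_prefix` parameter (`$1`) is documented but never referenced in the body, whereas `container_user_role` uses it for `systemd_read_user_manager_state($1, ...)`; if it is kept only for signature parity with the user role, the param doc should say so, e.g. `##	Currently unused; kept for parity with container_user_role.`. The summary could also carry the commit's key distinction so readers do not have to diff the two templates: `##	Unconfined role access for containers. Unlike container_user_role, no engine domain is set up; container engines run in the caller's domain.` — the body's `role $4 types container_domain` and `ptrace signal_perms` over the whole `container_domain` attribute (not just `container_user_domain`) are the visible consequences of that and are worth a one-line why-comment. Separately, the two new interfaces `container_admin_all_user_runtime_content` and `container_admin_all_home_content` are named `admin_*` but their summaries still read "All of the rules necessary for a user to manage ...", copied from the user role; aligning the wording with the other two (`##	Administrate all container user runtime content.` / `##	Administrate all container home content.`) would avoid implying they are user-scoped. The removal of the `container_file_t`/`container_ro_file_t` requires from `container_user_role` looks safe for the lines shown, but that template's body continues outside the hunks, so any remaining direct reference there would now fail at build time.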