
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sun, 30 Jan 2022 01:22:55
Message-Id: 1643505162.5555bf53167e28f78a0f7f80784ee5ea5999c434.perfinion@gentoo
1 commit: 5555bf53167e28f78a0f7f80784ee5ea5999c434
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Fri Dec 31 19:20:49 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 30 01:12:42 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5555bf53
7
8 container, docker: add initial support for docker
9
10 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
11 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
12
13 policy/modules/services/container.fc | 25 ++++++++++
14 policy/modules/services/container.if | 96 ++++++++++++++++++++++++++++++++++++
15 policy/modules/services/docker.fc | 8 +++
16 policy/modules/services/docker.if | 69 ++++++++++++++++++++++++++
17 policy/modules/services/docker.te | 85 +++++++++++++++++++++++++++++++
18 5 files changed, 283 insertions(+)
19
20 diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
21 index 9de5a68d..524ccedb 100644
22 --- a/policy/modules/services/container.fc
23 +++ b/policy/modules/services/container.fc
24 @@ -13,13 +13,24 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.* gen_context(system_u
25 /usr/bin/crun -- gen_context(system_u:object_r:container_engine_exec_t,s0)
26 /usr/bin/runc -- gen_context(system_u:object_r:container_engine_exec_t,s0)
27
28 +/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_t,s0)
29 +/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_t,s0)
30 +
31 /etc/containers(/.*)? gen_context(system_u:object_r:container_config_t,s0)
32 /etc/cni(/.*)? gen_context(system_u:object_r:container_config_t,s0)
33 +/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
34 +/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
35
36 /run/containers(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
37 /run/libpod(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
38 /run/runc(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
39
40 +/run/docker(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
41 +/run/docker\.pid -- gen_context(system_u:object_r:container_runtime_t,s0)
42 +/run/docker\.sock -s gen_context(system_u:object_r:container_runtime_t,s0)
43 +/run/containerd(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
44 +/run/containerd/[^/]+/sandboxes/[^/]+/shm(/.*)? gen_context(system_u:object_r:container_engine_tmpfs_t,s0)
45 +
46 /run/user/%{USERID}/netns(/.*)? gen_context(system_u:object_r:container_runtime_t,s0)
47
48 /var/cache/containers(/.*)? gen_context(system_u:object_r:container_engine_cache_t,s0)
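Review bot: The new `/run/docker\.sock -s` and `/run/containerd(/.*)?` entries put the engine control sockets under the same container_runtime_t type as per-container runtime files, so every domain granted `container_stream_connect_all_containers` or the new `container_stream_connect_system_containers` (both grant write on any container_runtime_t sock_file) can reach dockerd's API socket, which is root-equivalent on the host. A dedicated type for the daemon control sockets would let policy distinguish "talk to a container" from "control the engine"; if that is deferred, mark the entry with `# dockerd/containerd API sockets: root-equivalent, keep stream-connect grants narrow` so later interface users see it. Whether the connectto half of that pattern actually reaches dockerd_t depends on container_system_domain membership, which is not visible here.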
49 @@ -42,5 +53,19 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.* gen_context(system_u
50 /var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
51 /var/lib/containers/storage/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0)
52
53 +/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
54 +/var/lib/docker/.*/config\.env -- gen_context(system_u:object_r:container_ro_file_t,s0)
55 +/var/lib/docker/containers/.*/.*\.log -- gen_context(system_u:object_r:container_log_t,s0)
56 +/var/lib/docker/containers/.*/hostname -- gen_context(system_u:object_r:container_ro_file_t,s0)
57 +/var/lib/docker/containers/.*/hosts -- gen_context(system_u:object_r:container_ro_file_t,s0)
58 +/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
59 +/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
60 +/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
61 +/var/lib/docker/volumes/[^/]+/.* gen_context(system_u:object_r:container_file_t,s0)
62 +
63 +/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
64 +/var/lib/containerd/[^/]+/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
65 +/var/lib/containerd/[^/]+/snapshots(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
66 +
67 /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
68 /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
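Review bot: The per-container `hostname` and `hosts` files get container_ro_file_t, but `resolv.conf`, which docker also generates in the same `/var/lib/docker/containers/<id>/` directory, is left to the parent rule and becomes container_var_lib_t. If it is bind-mounted into containers the way hostname/hosts are, containers would need read access to container_var_lib_t for it, which is broader than intended; add `/var/lib/docker/containers/.*/resolv\.conf -- gen_context(system_u:object_r:container_ro_file_t,s0)` alongside the other two.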
69
70 diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
71 index 1c1950c7..58e8c470 100644
72 --- a/policy/modules/services/container.if
73 +++ b/policy/modules/services/container.if
74 @@ -423,6 +423,27 @@ interface(`container_engine_dbus_chat',`
75 allow container_engine_domain $1:dbus send_msg;
76 ')
77
78 +########################################
79 +## <summary>
80 +## Allow the specified domain to be started
81 +## by systemd socket activation using a
82 +## named socket labeled the container
83 +## runtime type.
84 +## </summary>
85 +## <param name="domain">
86 +## <summary>
87 +## Domain allowed access.
88 +## </summary>
89 +## </param>
90 +#
91 +interface(`container_runtime_named_socket_activation',`
92 + gen_require(`
93 + type container_runtime_t;
94 + ')
95 +
96 + init_named_socket_activation($1, container_runtime_t)
97 +')
98 +
99 ########################################
100 ## <summary>
101 ## Allow the specified domain to manage
102 @@ -572,6 +593,28 @@ interface(`container_domtrans',`
103 allow $1 container_domain:process transition;
104 ')
105
106 +########################################
107 +## <summary>
108 +## Connect to a system container domain
109 +## over a unix stream socket.
110 +## </summary>
111 +## <param name="domain">
112 +## <summary>
113 +## Domain allowed access.
114 +## </summary>
115 +## </param>
116 +#
117 +interface(`container_stream_connect_system_containers',`
118 + gen_require(`
119 + attribute container_system_domain;
120 + type container_runtime_t;
121 + ')
122 +
123 + files_search_runtime($1)
124 + stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_system_domain)
125 + allow $1 container_runtime_t:sock_file read_sock_file_perms;
126 +')
127 +
128 ########################################
129 ## <summary>
130 ## Connect to a container domain
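Review bot: The summary of `container_stream_connect_system_containers` should say that the sock_file side of the grant is not limited to container sockets: `stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_system_domain)` writes every container_runtime_t sock_file, which in this commit's .fc also includes `/run/docker.sock` and everything under `/run/containerd`. Suggest adding to the summary: `## Note: this also grants write on the engine control sockets labeled container_runtime_t (e.g. /run/docker.sock).` The extra `read_sock_file_perms` is unexplained; if it only exists to satisfy a getattr from the client, a one-line comment saying so would help and getattr alone may suffice.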
131 @@ -591,6 +634,7 @@ interface(`container_stream_connect_all_containers',`
132
133 files_search_runtime($1)
134 stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_domain)
135 + allow $1 container_runtime_t:sock_file read_sock_file_perms;
136 ')
137
138 ########################################
139 @@ -650,6 +694,25 @@ interface(`container_mountpoint',`
140 typeattribute $1 container_mountpoint_type;
141 ')
142
143 +########################################
144 +## <summary>
145 +## Allow the specified domain to
146 +## manage container config files.
147 +## </summary>
148 +## <param name="domain">
149 +## <summary>
150 +## Domain allowed access.
151 +## </summary>
152 +## </param>
153 +#
154 +interface(`container_manage_config_files',`
155 + gen_require(`
156 + type container_config_t;
157 + ')
158 +
159 + manage_files_pattern($1, container_config_t, container_config_t)
160 +')
161 +
162 ########################################
163 ## <summary>
164 ## Allow the specified domain to
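Review bot: `container_manage_config_files` grants manage on every container_config_t file, which per this commit's .fc spans /etc/containers, /etc/cni, /etc/docker and /etc/containerd, so a caller that only needs its own key.json (the stated reason in docker.te) can also rewrite other engines' trust configuration such as /etc/containers/policy.json or registries.conf. Consider a per-engine config type, or at least a name-restricted grant on `key.json`, and in any case note the breadth in the summary: `## Grants write to all container engine configuration, not only the caller's own.`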
165 @@ -1166,6 +1229,39 @@ interface(`container_manage_var_lib_sock_files',`
166 manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t)
167 ')
168
169 +########################################
170 +## <summary>
171 +## Allow the specified domain to create
172 +## objects in unlabeled directories with
173 +## an automatic type transition to the
174 +## container var lib type.
175 +## </summary>
176 +## <param name="domain">
177 +## <summary>
178 +## Domain allowed access.
179 +## </summary>
180 +## </param>
181 +## <param name="object">
182 +## <summary>
183 +## The object class of the object being created.
184 +## </summary>
185 +## </param>
186 +## <param name="name" optional="true">
187 +## <summary>
188 +## The name of the object being created.
189 +## </summary>
190 +## </param>
191 +#
192 +interface(`container_unlabeled_var_lib_filetrans',`
193 + gen_require(`
194 + type container_var_lib_t;
195 + ')
196 +
197 + # This access is to workaround an issue in Docker
198 + # See: https://github.com/moby/moby/issues/43088
199 + kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
200 +')
201 +
202 ########################################
203 ## <summary>
204 ## All of the rules required to
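Review bot: The summary of `container_unlabeled_var_lib_filetrans` understates what `kernel_unlabeled_filetrans` hands out: creating objects in unlabeled_t directories requires write access to any unlabeled_t directory on the system, not only the btrfs subvolume roots under /var/lib/docker described in the moby issue, and because the `name` argument is optional and docker.te (visible) passes none, the transition applies to every object created there. The summary should say so, e.g. `## Warning: this allows creating objects in any unlabeled directory, not just under /var/lib/docker; pair with kernel_relabelfrom_unlabeled_dirs and a restorecon of the subvolume root where possible.` If the subvolume root can be relabeled after creation, a relabel rule plus restorecon would be tighter than a blanket filetrans.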
205
206 diff --git a/policy/modules/services/docker.fc b/policy/modules/services/docker.fc
207 new file mode 100644
208 index 00000000..577d148f
209 --- /dev/null
210 +++ b/policy/modules/services/docker.fc
211 @@ -0,0 +1,8 @@
212 +/usr/bin/docker -- gen_context(system_u:object_r:dockerc_exec_t,s0)
213 +/usr/bin/dockerd -- gen_context(system_u:object_r:dockerd_exec_t,s0)
214 +/usr/bin/docker-proxy -- gen_context(system_u:object_r:dockerd_exec_t,s0)
215 +/usr/bin/containerd -- gen_context(system_u:object_r:dockerd_exec_t,s0)
216 +/usr/bin/containerd-shim -- gen_context(system_u:object_r:dockerd_exec_t,s0)
217 +/usr/bin/containerd-shim-runc-v1 -- gen_context(system_u:object_r:dockerd_exec_t,s0)
218 +/usr/bin/containerd-shim-runc-v2 -- gen_context(system_u:object_r:dockerd_exec_t,s0)
219 +/usr/bin/containerd-stress -- gen_context(system_u:object_r:dockerd_exec_t,s0)
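Review bot: `containerd-stress` is a benchmarking/stress client, not a daemon, yet it is labeled dockerd_exec_t like `containerd` and the shims, so executing it from init lands in the privileged dockerd_t domain; drop that line or give it a plain bin type unless there is a reason for it to run as the daemon. Collapsing the daemon side to one domain is also worth a comment: `containerd`, the `containerd-shim*` processes and `docker-proxy` all share dockerd_t here, which is reasonable for an initial policy but means a shim or proxy compromise carries full daemon privileges; a header comment `# containerd, its shims and docker-proxy share dockerd_t for now` would record the intent. `/usr/bin/containerd-shim.*` would also cover additional shim binaries without listing each.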
220
221 diff --git a/policy/modules/services/docker.if b/policy/modules/services/docker.if
222 new file mode 100644
223 index 00000000..28965cdb
224 --- /dev/null
225 +++ b/policy/modules/services/docker.if
226 @@ -0,0 +1,69 @@
227 +## <summary>Policy for docker</summary>
228 +
229 +########################################
230 +## <summary>
231 +## Execute docker CLI in the docker CLI domain.
232 +## </summary>
233 +## <param name="domain">
234 +## <summary>
235 +## Domain allowed to transition.
236 +## </summary>
237 +## </param>
238 +#
239 +interface(`docker_domtrans_cli',`
240 + gen_require(`
241 + type dockerc_t, dockerc_exec_t;
242 + ')
243 +
244 + corecmd_search_bin($1)
245 + domtrans_pattern($1, dockerc_exec_t, dockerc_t)
246 +')
247 +
248 +########################################
249 +## <summary>
250 +## Execute docker CLI in the docker CLI
251 +## domain, and allow the specified role
252 +## the docker CLI domain.
253 +## </summary>
254 +## <param name="domain">
255 +## <summary>
256 +## Domain allowed to transition.
257 +## </summary>
258 +## </param>
259 +## <param name="role">
260 +## <summary>
261 +## The role to be allowed the docker domain.
262 +## </summary>
263 +## </param>
264 +#
265 +interface(`docker_run_cli',`
266 + gen_require(`
267 + type dockerc_t;
268 + ')
269 +
270 + role $2 types dockerc_t;
271 +
272 + docker_domtrans_cli($1)
273 +')
274 +
275 +########################################
276 +## <summary>
277 +## All of the rules required to
278 +## administrate a docker
279 +## environment.
280 +## </summary>
281 +## <param name="domain">
282 +## <summary>
283 +## Domain allowed access.
284 +## </summary>
285 +## </param>
286 +## <param name="role">
287 +## <summary>
288 +## Role allowed access.
289 +## </summary>
290 +## </param>
291 +## <rolecap/>
292 +#
293 +interface(`docker_admin',`
294 + docker_run_cli($1, $2)
295 +')
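Review bot: The summaries for `docker_run_cli` and `docker_admin` do not say what the CLI domain can do: dockerc_t is allowed `connectto` on dockerd_t (visible in docker.te), and a client that can talk to the daemon can start privileged containers, so granting a role dockerc_t is equivalent to granting it root on the host. Add to the `docker_run_cli` summary something like `## Note: the docker CLI domain can drive the daemon, which is root-equivalent; grant only to administrative roles.` `docker_admin` is currently just `docker_run_cli` with `<rolecap/>` and no unit or file administration, which is fine for an initial policy but should be stated in its summary so nobody assumes the usual admin_pattern coverage. Relatedly, `docker_domtrans_cli` requires dockerc_exec_t, while docker.te (partly visible) passes dockerc_t rather than dockerc_exec_t to `container_engine_executable_file`, which looks like a typo worth checking.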
296
297 diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
298 new file mode 100644
299 index 00000000..27278127
300 --- /dev/null
301 +++ b/policy/modules/services/docker.te
302 @@ -0,0 +1,85 @@
303 +policy_module(docker)
304 +
305 +########################################
306 +#
307 +# Declarations
308 +#
309 +
310 +container_engine_domain_template(dockerd)
311 +container_system_engine(dockerd_t)
312 +type dockerd_exec_t;
313 +container_engine_executable_file(dockerd_exec_t)
314 +application_domain(dockerd_t, dockerd_exec_t)
315 +ifdef(`enable_mls',`
316 + init_ranged_daemon_domain(dockerd_t, dockerd_exec_t, s0 - mls_systemhigh)
317 +')
318 +mls_trusted_object(dockerd_t)
319 +
320 +type dockerc_t;
321 +type dockerc_exec_t;
322 +container_engine_executable_file(dockerc_t)
323 +application_domain(dockerc_t, dockerc_exec_t)
324 +
325 +########################################
326 +#
327 +# Docker daemon local policy
328 +#
329 +
330 +allow dockerd_t self:netlink_netfilter_socket create_socket_perms;
331 +allow dockerd_t self:netlink_xfrm_socket create_socket_perms;
332 +
333 +init_write_runtime_socket(dockerd_t)
334 +container_runtime_named_socket_activation(dockerd_t)
335 +
336 +# docker fails to start if /proc/kallsyms is unreadable,
337 +# but only when btrfs support is disabled
338 +files_read_kernel_symbol_table(dockerd_t)
339 +files_dontaudit_write_usr_dirs(dockerd_t)
340 +
341 +kernel_relabelfrom_unlabeled_dirs(dockerd_t)
342 +# docker wants to load binfmt_misc
343 +kernel_request_load_module(dockerd_t)
344 +kernel_dontaudit_search_fs_sysctls(dockerd_t)
345 +
346 +logging_send_syslog_msg(dockerd_t)
347 +
348 +container_stream_connect_system_containers(dockerd_t)
349 +
350 +# docker manages key.json in /etc/docker
351 +container_manage_config_files(dockerd_t)
352 +
353 +# In btrfs mode, docker creates subvolumes which are unlabeled
354 +# in /var/lib/docker/btrfs/subvolumes. The files inside will
355 +# become labeled with a file transition, but the subvolume
356 +# root will always be unlabeled.
357 +container_unlabeled_var_lib_filetrans(dockerd_t, dir)
358 +
359 +ifdef(`init_systemd',`
360 + init_dbus_chat(dockerd_t)
361 + init_get_generic_units_status(dockerd_t)
362 + init_start_generic_units(dockerd_t)
363 + init_start_system(dockerd_t)
364 + init_stop_system(dockerd_t)
365 +')
366 +
367 +########################################
368 +#
369 +# Docker CLI local policy
370 +#
371 +
372 +allow dockerc_t self:process { getsched signal };
373 +allow dockerc_t self:fifo_file rw_fifo_file_perms;
374 +
375 +allow dockerc_t dockerd_t:unix_stream_socket connectto;
376 +
377 +corecmd_dontaudit_search_bin(dockerc_t)
378 +
379 +domain_use_interactive_fds(dockerc_t)
380 +
381 +auth_use_nsswitch(dockerc_t)
382 +
383 +miscfiles_read_localization(dockerc_t)
384 +
385 +userdom_use_user_ptys(dockerc_t)
386 +
387 +container_stream_connect_system_containers(dockerc_t)