commit: dd3730338d07fb8b8a96350f84148eb07ab40769 |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Thu Mar 31 19:09:25 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Apr 9 19:28:30 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dd373033 |
|
container: add tunables to allow containers to access public content |
|
Note that container engines only need read access to these files even if |
manage access is enabled. |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/container.te | 30 ++++++++++++++++++++++++++++++ |
1 file changed, 30 insertions(+) |
|
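diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index d7d27d7c..fa4145e3 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -16,6 +16,20 @@ gen_tunable(container_manage_cgroup, false)
 ## </desc>
 gen_tunable(container_mounton_non_security, false)
 
+## <desc>
+## <p>
+## Allow containers to manage all read-writable public content.
+## </p>
+## </desc>
+gen_tunable(container_manage_public_content, false)
+
+## <desc>
+## <p>
+## Allow containers to read all public content.
+## </p>
+## </desc>
+gen_tunable(container_read_public_content, false)
+
 ## <desc>
 ## <p>
 ## Allow containers to use NFS filesystems.
@@ -232,6 +246,14 @@ tunable_policy(`container_manage_cgroup',`
 	fs_manage_cgroup_files(container_domain)
 ')
 
+tunable_policy(`container_manage_public_content',`
+	miscfiles_manage_public_files(container_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+	miscfiles_read_public_files(container_domain)
+')
+
 tunable_policy(`container_use_nfs',`
 	fs_manage_nfs_dirs(container_domain)
 	fs_manage_nfs_files(container_domain)
@@ -515,6 +537,14 @@ ifdef(`init_systemd',`
 	init_run_bpf(container_engine_domain)
 ')
 
+tunable_policy(`container_manage_public_content',`
+	miscfiles_read_public_files(container_engine_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+	miscfiles_read_public_files(container_engine_domain)
+')
+
 tunable_policy(`container_mounton_non_security',`
 	files_mounton_non_security(container_engine_domain)
 ')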
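Review bot: The `<desc>` for container_manage_public_content in the first hunk does not tell an administrator that enabling it gives the container engine read access only, which is what the third hunk implements (`miscfiles_read_public_files(container_engine_domain)` under both tunables) and which only the commit message explains; since the tunable description is what policy users see, I would add `## Container engines only receive read access to this content.` inside that `<p>` block. In the second hunk container_domain gets `miscfiles_manage_public_files` alone, and as far as I know that interface covers only the read-writable public content type, so enabling the manage tunable without the read tunable presumably leaves read-only public content unreadable to containers — worth either stating in the desc or confirming against miscfiles.if. As a point of style, the two blocks in the third hunk have identical bodies and could be collapsed into one, `tunable_policy(`container_manage_public_content || container_read_public_content',`, wrapping the single `miscfiles_read_public_files(container_engine_domain)` line. All three hunks sit at file scope, so no enclosing block is cut by the hunk boundaries.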