Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sat, 09 Apr 2022 19:28:55
Message-Id: 1649532510.dd3730338d07fb8b8a96350f84148eb07ab40769.perfinion@gentoo
1 commit: dd3730338d07fb8b8a96350f84148eb07ab40769
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Thu Mar 31 19:09:25 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Apr 9 19:28:30 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dd373033
7
8 container: add tunables to allow containers to access public content
9
10 Note that container engines only need read access to these files even if
11 manage access is enabled.
12
13 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
14 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
15
16 policy/modules/services/container.te | 30 ++++++++++++++++++++++++++++++
17 1 file changed, 30 insertions(+)
18
19 diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
20 index d7d27d7c..fa4145e3 100644
21 --- a/policy/modules/services/container.te
22 +++ b/policy/modules/services/container.te
23 @@ -16,6 +16,20 @@ gen_tunable(container_manage_cgroup, false)
24 ## </desc>
25 gen_tunable(container_mounton_non_security, false)
26
27 +## <desc>
28 +## <p>
29 +## Allow containers to manage all read-writable public content.
30 +## </p>
31 +## </desc>
32 +gen_tunable(container_manage_public_content, false)
33 +
34 +## <desc>
35 +## <p>
36 +## Allow containers to read all public content.
37 +## </p>
38 +## </desc>
39 +gen_tunable(container_read_public_content, false)
40 +
41 ## <desc>
42 ## <p>
43 ## Allow containers to use NFS filesystems.
44 @@ -232,6 +246,14 @@ tunable_policy(`container_manage_cgroup',`
45 fs_manage_cgroup_files(container_domain)
46 ')
47
48 +tunable_policy(`container_manage_public_content',`
49 + miscfiles_manage_public_files(container_domain)
50 +')
51 +
52 +tunable_policy(`container_read_public_content',`
53 + miscfiles_read_public_files(container_domain)
54 +')
55 +
56 tunable_policy(`container_use_nfs',`
57 fs_manage_nfs_dirs(container_domain)
58 fs_manage_nfs_files(container_domain)
59 @@ -515,6 +537,14 @@ ifdef(`init_systemd',`
60 init_run_bpf(container_engine_domain)
61 ')
62
63 +tunable_policy(`container_manage_public_content',`
64 + miscfiles_read_public_files(container_engine_domain)
65 +')
66 +
67 +tunable_policy(`container_read_public_content',`
68 + miscfiles_read_public_files(container_engine_domain)
69 +')
70 +
71 tunable_policy(`container_mounton_non_security',`
72 files_mounton_non_security(container_engine_domain)
73 ')
Report Message
Find on MARC Find on Google Groups