commit: c293797e2f2a99b76d81bb1fc89ffbd4d5955e0f |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Sat Nov 27 20:08:52 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Jan 30 01:12:42 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c293797e |
|
container: add tunables for containers to use nfs and cifs |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/container.te | 51 ++++++++++++++++++++++++++++++++++++ |
1 file changed, 51 insertions(+) |
|
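diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 015d9f2d..35613b23 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -9,6 +9,20 @@ policy_module(container)
 ## </desc>
 gen_tunable(container_manage_cgroup, false)
 
+## <desc>
+## <p>
+## Allow containers to use NFS filesystems.
+## </p>
+## </desc>
+gen_tunable(container_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow containers to use CIFS filesystems.
+## </p>
+## </desc>
+gen_tunable(container_use_samba, false)
+
 ########################################
 #
 # Declarations
@@ -216,6 +230,22 @@ tunable_policy(`container_manage_cgroup',`
 	fs_manage_cgroup_files(container_domain)
 ')
 
+tunable_policy(`container_use_nfs',`
+	fs_manage_nfs_dirs(container_domain)
+	fs_manage_nfs_files(container_domain)
+	fs_manage_nfs_named_sockets(container_domain)
+	fs_read_nfs_symlinks(container_domain)
+	fs_exec_nfs_files(container_domain)
+')
+
+tunable_policy(`container_use_samba',`
+	fs_manage_cifs_dirs(container_domain)
+	fs_manage_cifs_files(container_domain)
+	fs_manage_cifs_named_sockets(container_domain)
+	fs_read_cifs_symlinks(container_domain)
+	fs_exec_cifs_files(container_domain)
+')
+
 optional_policy(`
 	udev_read_runtime_files(container_domain)
 ')
@@ -476,6 +506,27 @@ ifdef(`init_systemd',`
 	init_run_bpf(container_engine_domain)
 ')
 
+tunable_policy(`container_use_nfs',`
+	fs_manage_nfs_dirs(container_engine_domain)
+	fs_manage_nfs_files(container_engine_domain)
+	fs_manage_nfs_named_sockets(container_engine_domain)
+	fs_read_nfs_symlinks(container_engine_domain)
+	fs_mount_nfs(container_engine_domain)
+	fs_unmount_nfs(container_engine_domain)
+	fs_exec_nfs_files(container_engine_domain)
+	kernel_rw_fs_sysctls(container_engine_domain)
+',`
+	kernel_dontaudit_search_fs_sysctls(container_engine_domain)
+')
+
+tunable_policy(`container_use_samba',`
+	fs_manage_cifs_dirs(container_engine_domain)
+	fs_manage_cifs_files(container_engine_domain)
+	fs_manage_cifs_named_sockets(container_engine_domain)
+	fs_read_cifs_symlinks(container_engine_domain)
+	fs_exec_cifs_files(container_engine_domain)
+')
+
 optional_policy(`
 	# to verify container image signatures
 	gpg_exec(container_engine_domain)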
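Review bot: The `<desc>` for container_use_nfs in the first hunk understates what the tunable grants: in the third hunk the container_engine_domain branch also receives fs_mount_nfs, fs_unmount_nfs and kernel_rw_fs_sysctls, and kernel_rw_fs_sysctls covers the fs sysctl tree as a whole rather than only NFS-related entries, so an administrator flipping the boolean should see that in the description. Suggest `## Allow containers to use NFS filesystems; also lets container engines mount and unmount NFS and write fs sysctls.` in place of the one-line description. The container_use_samba branch for the engine carries no mount/unmount or sysctl rules, so it is unclear whether that asymmetry is intended (CIFS mounted outside the engine) or an omission of the corresponding fs_mount_cifs/fs_unmount_cifs calls; a one-line comment stating which would settle it. Both tunables also grant fs_exec_nfs_files/fs_exec_cifs_files, which is worth naming in the descriptions since execution from a network share is a distinct risk from read/write access.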