commit: 7b14e6ede407fbfa69976840b71cc39d1e3cf2cc
Author: Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 24 16:08:20 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b14e6ed
qemu: add qemu_incus_managed tunable
This tunable makes it possible to run qemu virtual
machines controlled by incus
Also add the interfaces required by qemu to these modules:
* files
* storage
Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/apps/qemu.te | 37 +++++++++++++++++++++++++++++++++++++
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/kernel/storage.if | 33 +++++++++++++++++++++++++++++++++
3 files changed, 88 insertions(+)
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index cfbcedf73..29480ec7a 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -13,6 +13,14 @@ policy_module(qemu)
## </desc>
gen_tunable(qemu_full_network, false)
+## <desc>
+## <p>
+## Determine whether qemu can be
+## managed by incus.
+## </p>
+## </desc>
+gen_tunable(qemu_incus_managed, false)
+
attribute_role qemu_roles;
roleattribute system_r qemu_roles;
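Review bot: The `<desc>` at lines 27-32 tells an administrator only that qemu "can be managed by incus", while the second hunk of this file shows that enabling the tunable also grants qemu_t raw read/write on fixed disks, read/write on unlabeled files and directories, and the dac_override, dac_read_search, setuid and setgid capabilities. The boolean description is the only text the administrator sees when listing tunables, so it should state those consequences. Suggest keeping the first line and adding `## Enabling this also grants qemu raw access to fixed disks` / `## and read/write access to unlabeled files.` inside the same `<p>`.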
@@ -47,6 +55,35 @@ tunable_policy(`qemu_full_network',`
corenet_tcp_connect_all_ports(qemu_t)
')
+optional_policy(`
+ tunable_policy(`qemu_incus_managed',`
+ incus_stream_connect_daemon(qemu_t)
+
+ files_create_generic_tmp_named_sockets(qemu_t)
+
+ kernel_read_kernel_sysctls(qemu_t)
+ kernel_read_vm_overcommit_sysctl(qemu_t)
+
+ # incus VMs do not start otherwise
+ allow qemu_t self:capability { dac_override dac_read_search
setuid setgid };
+ allow qemu_t qemu_tmpfs_t:file mmap_read_file_perms;
+
+ # this is due to incus lack of selinux support for VMs
+ # see https://github.com/lxc/incus/issues/1037
+ kernel_rw_unlabeled_files(qemu_t)
+ kernel_rw_unlabeled_dirs(qemu_t)
+ kernel_manage_unlabeled_symlinks(qemu_t)
+
+ container_manage_engine_tmp_files(qemu_t)
+ container_manage_log_files(qemu_t)
+ container_manage_runtime_files(qemu_t)
+ container_manage_runtime_sock_files(qemu_t)
+ ')
+
+ storage_raw_read_fixed_disk_cond(qemu_t, qemu_incus_managed)
+ storage_raw_write_fixed_disk_cond(qemu_t, qemu_incus_managed)
+')
+
optional_policy(`
fs_manage_xenfs_files(qemu_t)
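Review bot: The comment on line 49, `# incus VMs do not start otherwise`, does not say which operation needs each of `dac_override`, `dac_read_search`, `setuid` and `setgid`; dac_override and dac_read_search bypass DAC on every file the policy already lets qemu_t reach, and together with `kernel_rw_unlabeled_files`/`kernel_rw_unlabeled_dirs` a few lines below they leave little of the qemu_t confinement in force while the tunable is on. Replace it with a comment recording the concrete denial behind each capability, e.g. `# incus VMs do not start otherwise: <denial each capability resolves — placeholder, fill in from the audit log>`, so a later reviewer can judge whether a narrower rule would do. The `storage_raw_*_fixed_disk_cond(qemu_t, qemu_incus_managed)` calls at lines 66-67 sit outside the `tunable_policy` block on purpose, since the interfaces gate the access internally; a short comment such as `# the _cond interfaces apply the tunable themselves` would stop someone from moving them inside. Line 51, `setuid setgid };`, has lost its `+` marker in this rendering and presumably belongs on the same line as line 50 in the actual patch.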
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 592d0c2d8..a37365e9d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -7554,6 +7554,24 @@ interface(`files_create_all_runtime_pipes',`
')
+########################################
+## <summary>
+## Create tmp_t sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_generic_tmp_named_sockets',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ create_sock_files_pattern($1, tmp_t, tmp_t)
+')
+
########################################
## <summary>
## Delete all runtime named pipes
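Review bot: `create_sock_files_pattern($1, tmp_t, tmp_t)` at line 93 lets the caller create sock_file objects that keep the generic tmp_t label unless the caller also has a type transition for tmp_t sock_file to a private type, and generic tmp_t objects are reachable by any domain granted tmp_t socket access; the interface documentation should say so. Suggest expanding the `<summary>` at lines 79-81 to `## Create named sockets in generic tmp directories (tmp_t).` plus `## The sockets keep the tmp_t label unless the caller sets up a file type transition; prefer a private tmp type where possible.` The summary's wording `Create tmp_t sockets.` also reads oddly next to the interface name, which says `named_sockets`; using the same term in both would help readers grepping for it.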
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 6f62adead..81a4d1a61 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -186,6 +186,39 @@ interface(`storage_raw_write_fixed_disk',`
typeattribute $1 fixed_disk_raw_write;
')
+########################################
+## <summary>
+## Allow the caller to directly write to a fixed disk
+## if a tunable is set.
+## This is extremely dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="tunable">
+## <summary>
+## Tunable to depend on
+## </summary>
+## </param>
+#
+interface(`storage_raw_write_fixed_disk_cond',`
+ gen_require(`
+ attribute fixed_disk_raw_write;
+ type fixed_disk_device_t;
+ ')
+
+ typeattribute $1 fixed_disk_raw_write;
+ tunable_policy(`$2', `
+ dev_list_all_dev_nodes($1)
+ allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
+ ')
+')
+
########################################
## <summary>
## Do not audit attempts made by the caller to write