commit:     7db3bc1fa545722afea63bc916e9553126440776
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon Dec 23 18:31:58 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7db3bc1f

sysadm: allow BPF debugging for container-related system domains

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/roles/sysadm.te       | 12 ++++++
 policy/modules/services/container.if | 72 ++++++++++++++++++++++++++++++++++++
 policy/modules/system/init.if        | 18 +++++++++
 3 files changed, 102 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 74982b8a9..14425f4cf 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -35,6 +35,8 @@ ifndef(`enable_mls',`
 
 # for networkctl and possibly other networking tools
 allow sysadm_t self:netlink_route_socket rw_netlink_socket_perms;
+# for debugging BPF programs
+allow sysadm_t self:capability2 bpf;
 
 corecmd_exec_shell(sysadm_t)
 
@@ -98,6 +100,10 @@ ifdef(`init_systemd',`
        # LookupDynamicUserByUID on org.freedesktop.systemd1.
        init_dbus_chat(sysadm_t)
 
+       # Debug BPF programs.
+       init_rw_bpf(sysadm_t)
+       init_run_bpf(sysadm_t)
+
        # Allow sysadm to get the status of and set properties of other users,
        # sessions, and seats on the system.
        systemd_dbus_chat_logind(sysadm_t)
@@ -305,6 +311,12 @@ optional_policy(`
 
 optional_policy(`
        container_admin(sysadm_t, sysadm_r)
+
+       # Debug BPF programs.
+       container_run_system_engine_bpf(sysadm_t)
+       container_rw_system_engine_bpf(sysadm_t)
+       container_run_system_container_bpf(sysadm_t)
+       container_rw_system_container_bpf(sysadm_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index 1ae716c78..a7a2ff684 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -439,6 +439,42 @@ interface(`container_engine_dbus_chat',`
        allow container_engine_domain $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##     Run system container engine BPF programs.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_run_system_engine_bpf',`
+       gen_require(`
+               attribute container_engine_system_domain;
+       ')
+
+       allow $1 container_engine_system_domain:bpf prog_run;
+')
+
+########################################
+## <summary>
+##     Read and write system container engine BPF programs.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_rw_system_engine_bpf',`
+       gen_require(`
+               attribute container_engine_system_domain;
+       ')
+
+       allow $1 container_engine_system_domain:bpf { map_read map_write };
+')
+
 ########################################
 ## <summary>
 ##     Allow the specified domain to be started
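Review bot: The summary of `container_rw_system_engine_bpf` reads `Read and write system container engine BPF programs.` but the rule it contains grants `map_read map_write` on the `bpf` class, permissions that apply to BPF map objects rather than to programs; the same mismatch is in `container_rw_system_container_bpf` in the next hunk and in `init_rw_bpf` in the init.if hunk. Suggest `##     Read and write the BPF maps of system container engines.` (with matching wording in the other two) so callers understand they are getting live map access. Because `map_write` lets the caller alter map entries the engine relies on, a role that only needs to inspect state is over-granted by these interfaces, and the sysadm.te caller labels the calls `# Debug BPF programs.` while receiving write access; a read-only variant granting only `map_read` (shown below for the engine attribute, with the equivalent for `container_system_domain` and `init_t`) would let the policy express that distinction and let the rw interfaces be reserved for domains that genuinely modify maps.

```m4
# … unchanged: container_run_system_engine_bpf …

########################################
## <summary>
##     Read the BPF maps of system container engines.
## </summary>
## <param name="domain">
## <summary>
##     Domain allowed access.
## </summary>
## </param>
#
interface(`container_read_system_engine_bpf',`
       gen_require(`
               attribute container_engine_system_domain;
       ')

       allow $1 container_engine_system_domain:bpf map_read;
')

# … unchanged: container_rw_system_engine_bpf …
```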
@@ -590,6 +626,42 @@ interface(`container_read_all_container_state',`
        ps_process_pattern($1, container_domain)
 ')
 
+########################################
+## <summary>
+##     Run all system container BPF programs.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_run_system_container_bpf',`
+       gen_require(`
+               attribute container_system_domain;
+       ')
+
+       allow $1 container_system_domain:bpf prog_run;
+')
+
+########################################
+## <summary>
+##     Read and write all system container BPF programs.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_rw_system_container_bpf',`
+       gen_require(`
+               attribute container_system_domain;
+       ')
+
+       allow $1 container_system_domain:bpf { map_read map_write };
+')
+
 ########################################
 ## <summary>
 ##     Read the process state (/proc/pid)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index fdab1be0c..113677ac6 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1344,6 +1344,24 @@ interface(`init_run_bpf',`
        allow $1 init_t:bpf prog_run;
 ')
 
+########################################
+## <summary>
+##     Read and write init BPF programs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_rw_bpf',`
+       gen_require(`
+               type init_t;
+       ')
+
+       allow $1 init_t:bpf { map_read map_write };
+')
+
 ########################################
 ## <summary>
 ##      read/follow symlinks under /var/lib/systemd/
