commit: cd58aee691e5b70af9fd0a22beb97e635ef981e1
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 9 19:08:33 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd58aee6
container, kubernetes: add supporting rules for kubevirt and multus
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/container.if | 39 +++++++++++++++++++++++++++++++++++
policy/modules/services/container.te | 9 ++++++++
policy/modules/services/kubernetes.te | 2 ++
3 files changed, 50 insertions(+)
diff --git a/policy/modules/services/container.if
b/policy/modules/services/container.if
index ceb9de817..c9f4aa934 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1207,6 +1207,25 @@ interface(`container_watch_config_dirs',`
allow $1 container_config_t:dir watch;
')
+########################################
+## <summary>
+## Allow the specified domain to
+## create container config directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_create_config_dirs',`
+ gen_require(`
+ type container_config_t;
+ ')
+
+ create_dirs_pattern($1, container_config_t, container_config_t)
+')
+
########################################
## <summary>
## Allow the specified domain to
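Review bot: The new interface grants creation only beneath directories already labeled container_config_t (create_dirs_pattern allows search on the parent type and create_dir_perms on the target type), and it adds no file transition, so a caller creating a directory under a differently labeled parent such as /etc will not get container_config_t from this interface alone. The summary could say so to save the next reader a lookup: `## Allow the specified domain to create directories within existing container config directories.` If the kubevirt/multus use case this commit serves relies on a transition from etc_t, that would need a separate filetrans rule; I cannot tell from this hunk whether one exists.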
@@ -1607,6 +1626,26 @@ interface(`container_list_ro_dirs',`
allow $1 container_ro_file_t:dir list_dir_perms;
')
+########################################
+## <summary>
+## Allow the specified domain to get
+## the attributes of all read-only
+## container file character devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_getattr_all_ro_chr_files',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ allow $1 container_ro_file_t:chr_file getattr;
+')
+
########################################
## <summary>
## Allow the specified domain to get
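Review bot: The summary wording "all read-only container file character devices" is hard to parse; the rule grants getattr on chr_file objects labeled container_ro_file_t and nothing else, so the doc could state the type: `## Allow the specified domain to get the attributes of character device nodes labeled container_ro_file_t.` The "all" in the interface name follows the existing container_getattr_all_ro_files naming, so keeping it for consistency is fine. Note that getattr alone does not grant search on the containing directories; callers presumably obtain that elsewhere (kubelet_t already has container_getattr_all_ro_files per the kubernetes.te hunk).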
diff --git a/policy/modules/services/container.te
b/policy/modules/services/container.te
index 66b16e4e4..cc700c038 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -224,6 +224,9 @@ container_mountpoint(container_runtime_t)
type container_tmpfs_t;
files_tmpfs_file(container_tmpfs_t)
+type container_tmp_t;
+files_tmp_file(container_tmp_t)
+
type container_log_t;
logging_log_file(container_log_t)
optional_policy(`
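Review bot: The new container_tmp_t type is declared without a comment saying who creates these temporary files, unlike the surrounding declarations that are self-explanatory by name; since the type has no file contexts and is only reachable through the filetrans added later in this file, a one-line note would help: `# temporary files created by privileged containers (presumably for kubevirt/multus per the commit message)`. If other domains are expected to read these files, no interface for container_tmp_t is added in container.if in this commit.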
@@ -1093,6 +1096,7 @@ container_manage_config_files(spc_t)
container_list_plugin_dirs(spc_t)
container_manage_plugin_files(spc_t)
+container_create_config_dirs(spc_t)
container_create_config_files(spc_t)
container_rw_config_files(spc_t)
@@ -1104,6 +1108,11 @@ container_manage_var_lib_dirs(spc_t)
container_manage_var_lib_files(spc_t)
container_map_var_lib_files(spc_t)
+manage_dirs_pattern(spc_t, container_tmp_t, container_tmp_t)
+manage_files_pattern(spc_t, container_tmp_t, container_tmp_t)
+files_tmp_filetrans(spc_t, container_tmp_t, { dir file })
+
+files_runtime_filetrans(spc_t, container_runtime_t, dir)
# for cilium
allow spc_t container_config_t:dir watch;
allow spc_t container_runtime_t:lnk_file manage_lnk_file_perms;
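Review bot: The added `files_runtime_filetrans(spc_t, container_runtime_t, dir)` has no name filter, so every directory spc_t creates directly in a var_run_t directory is labeled container_runtime_t, which can mislabel runtime directories belonging to other subsystems that a privileged container touches. If the directory names kubevirt and multus create under /run are known, prefer a named transition, e.g. `files_runtime_filetrans(spc_t, container_runtime_t, dir, "<RUN_DIR_NAME placeholder>")`, one per name; otherwise add a comment stating why an unnamed transition is intended. The unnamed files_tmp_filetrans above is the usual pattern for a domain-private tmp type and is fine. A `# for kubevirt/multus` comment matching the neighbouring `# for cilium` would also tell readers which consumer these five lines serve.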
diff --git a/policy/modules/services/kubernetes.te
b/policy/modules/services/kubernetes.te
index 95d5f9f42..787cdae30 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -82,6 +82,7 @@
corenet_tcp_connect_all_ports(kubernetes_container_engine_domain)
dev_create_generic_blk_files(kubernetes_container_engine_domain)
files_getattr_kernel_modules(kubernetes_container_engine_domain)
+files_mounton_runtime_dirs(kubernetes_container_engine_domain)
# for replicated storage that may be mounted in /mnt
files_search_mnt(kubernetes_container_engine_domain)
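Review bot: The new files_mounton_runtime_dirs call lacks the rationale comment the neighbouring files_search_mnt line has, and it applies to the whole kubernetes_container_engine_domain attribute rather than to one engine domain, so every engine that carries the attribute gains mounton on var_run_t directories. A comment such as `# for kubevirt/multus, which mount onto directories under /run` (hedged: inferred from the commit message, confirm the actual mount point) would document the intent; if only one engine needs it, granting it to that domain instead of the attribute would be the narrower choice.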
@@ -411,6 +412,7 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir
file lnk_file })
# for metrics and accounting
container_getattr_all_files(kubelet_t)
container_getattr_all_ro_files(kubelet_t)
+container_getattr_all_ro_chr_files(kubelet_t)
container_getattr_all_var_lib_files(kubelet_t)
ifdef(`init_systemd',`