author | Kenton Groombridge <concord@gentoo.org> | 2024-08-09 15:36:57 -0400 |
committer | Jason Zaman <perfinion@gentoo.org> | 2024-09-21 15:28:29 -0700 |
commit | 5771206e2319d9616db89272c86f99e50a21ee00 (patch) | |
tree | 8bd531fbe8d28b3301052a621e341e715a50b6e9 | |
parent | container: add container_kvm_t and supporting kubevirt rules (diff) | |
various: rules required for DV manipulation in kubevirt
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/kernel/devices.if | 18 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.te | 1 | ||||
-rw-r--r-- | policy/modules/services/container.te | 3 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.if | 19 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 1 | ||||
-rw-r--r-- | policy/modules/system/iptables.te | 5 | ||||
-rw-r--r-- | policy/modules/system/mount.te | 1 |
7 files changed, 48 insertions, 0 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 085bd30f0..aabc1b8e7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -110,6 +110,24 @@ interface(`dev_getattr_fs',`
 
 ########################################
 ## <summary>
+## Unmount device filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_unmount_fs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:filesystem unmount;
+')
+
+########################################
+## <summary>
 ## Remount device filesystems.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b16142608..b791ebc71 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -315,6 +315,7 @@ dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_blk_files(kernel_t)
 dev_rw_generic_chr_files(kernel_t)
 dev_setattr_generic_blk_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index e91cd18f4..e9f59e516 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -1071,6 +1071,9 @@ dev_dontaudit_relabelto_generic_blk_files(spc_t)
 dev_getattr_kvm_dev(spc_t)
 dev_getattr_vhost_dev(spc_t)
 dev_watch_dev_dirs(spc_t)
+# for DV upload in kubevirt over rook-ceph
+dev_unmount_fs(spc_t)
+dev_remount_fs(spc_t)
 
 fs_read_nsfs_files(spc_t)
 fs_mount_xattr_fs(spc_t)
diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if
index de14a7b61..2af5b64b3 100644
--- a/policy/modules/services/kubernetes.if
+++ b/policy/modules/services/kubernetes.if
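Review bot: The new `dev_rw_generic_blk_files(kernel_t)` line in kernel.te carries no comment, unlike the container.te change in the same commit, so a reader cannot tell which block device kernel threads must read and write; presumably a rook-ceph/rbd node that still carries the generic device_t label. Generic block files are every node under /dev without a more specific type, including devices udev has not yet relabeled, so this grant is considerably broader than one storage backend. If the device is a known node, give it a dedicated file context and grant access through the matching storage_ interface instead; at minimum add a why-comment on the new line, e.g. `# kubevirt/rook-ceph: kernel threads do I/O on the rbd block device (still labeled device_t)`, so the scope can be revisited later.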
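Review bot: `dev_unmount_fs(spc_t)` and `dev_remount_fs(spc_t)` in container.te are granted to every super-privileged container, although the comment ties them to a single workload (kubevirt DV upload over rook-ceph). Remount on the device_t filesystem lets such a container change the mount flags of /dev (nosuid, noexec, nodev), which is worth keeping off hosts that do not run kubevirt; the parent commit adds container_kvm_t, and if the upload pod runs in a kubevirt-specific domain these two rules belong there, otherwise gate them behind a tunable. The abbreviation should also be spelled out for later readers, assuming DV is the CDI DataVolume: `# kubevirt DataVolume (DV) upload over rook-ceph: unmount/remount the /dev (device_t) filesystem`.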
@@ -379,6 +379,25 @@ interface(`kubernetes_run_engine_bpf',`
 
 ########################################
 ## <summary>
+## Read and write FIFO files from
+## kubernetes container engines.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kubernetes_rw_container_engine_fifo_files',`
+	gen_require(`
+		attribute kubernetes_container_engine_domain;
+	')
+
+	allow $1 kubernetes_container_engine_domain:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
 ## Search kubernetes config directories.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 787cdae30..38b3a545e 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -258,6 +258,7 @@ corecmd_exec_bin(kubelet_t)
 corecmd_watch_bin_dirs(kubelet_t)
 
 dev_getattr_mtrr_dev(kubelet_t)
+dev_getattr_generic_blk_files(kubelet_t)
 dev_read_kmsg(kubelet_t)
 dev_read_sysfs(kubelet_t)
 
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 7c401fa50..5dc07b874 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -129,6 +129,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# apply firewall rules from multus
+	kubernetes_rw_container_engine_fifo_files(iptables_t)
+')
+
+optional_policy(`
 	modutils_run(iptables_t, iptables_roles)
 ')
 
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 88ffb90f6..01fe24528 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -83,6 +83,7 @@ dev_dontaudit_write_sysfs_dirs(mount_t)
 dev_rw_lvm_control(mount_t)
 dev_rw_loop_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
+dev_dontaudit_getattr_generic_blk_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 # Early devtmpfs, before udev relabel
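Review bot: `rw_fifo_file_perms` in the new `allow` of `kubernetes_rw_container_engine_fifo_files` includes `open`, which lets the caller open any container-engine FIFO by path, while the only user in this commit (iptables_t run from multus) appears to need just the stdout/stderr pipes it inherits from the engine. refpolicy's permission sets provide `rw_inherited_fifo_file_perms` (the same set without `open`) for exactly that case, so prefer `allow $1 kubernetes_container_engine_domain:fifo_file rw_inherited_fifo_file_perms;` and, following the `_rw_inherited_*_pipes` naming used elsewhere in refpolicy, call the interface `kubernetes_rw_inherited_container_engine_pipes`. The summary should then say the FIFOs are inherited rather than opened, e.g. `Read and write inherited pipes of kubernetes container engines.`, so callers do not reach for it when a named FIFO is involved.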
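Review bot: `dev_getattr_generic_blk_files(kubelet_t)` in kubernetes.te is added without a comment, and the same commit silences the equivalent access for mount_t with a dontaudit, so it is unclear whether kubelet actually consumes the stat result (block-mode PV / DataVolume handling) or merely walks /dev. If it only walks /dev, `dev_dontaudit_getattr_generic_blk_files(kubelet_t)` keeps the policy narrower, as done for mount.te; if kubelet needs the attributes, keep the allow and explain it on the line, e.g. `# kubevirt: stat block-mode PV / DV device nodes under /dev that are still labeled device_t`.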
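Review bot: The comment `# apply firewall rules from multus` in iptables.te says who runs iptables but not why iptables_t ends up with a container-engine FIFO; presumably multus execs iptables with stdout/stderr attached to pipes inherited from the engine, which is the usual shape of this denial. Make the mechanism explicit so a later reader can tell that inherited-pipe permissions (no `open`) are all that is required: `# multus (kubernetes CNI) execs iptables with stdout/stderr on pipes inherited from the container engine`. Wrapping the call in its own `optional_policy` block is right, since the kubernetes module is optional, and the block's position before modutils keeps the existing alphabetical order of that list.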
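Review bot: `dev_dontaudit_getattr_generic_blk_files(mount_t)` in mount.te silences, rather than grants, getattr on block nodes that still carry device_t; if the DV-over-rook-ceph mount actually operates on such a node (an rbd device not yet relabeled by udev, which the trailing context comment about early devtmpfs suggests can happen), the denial this hides is the very one that makes the mount fail. Please confirm the denial is only noise from mount scanning /dev; if mount needs the node, give it a specific device type and grant through a storage_ interface instead. Either way the new line deserves a reason, e.g. `# kubevirt/rook-ceph: mount scans /dev, where block nodes not yet relabeled appear as device_t`.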