author | Chris PeBenito <Christopher.PeBenito@microsoft.com> | 2022-07-19 19:29:16 +0000 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:05:02 -0500 |
commit | 705646d61aef72020124861894134b9e75dab2ee (patch) | |
tree | df347baf88673cda003a5efeb51e306d0cb0f79b | |
parent | kernel: hv_utils shutdown on systemd systems. (diff) | |
Container: Minor fixes from interactive container use.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/kernel/filesystem.if | 19 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.te | 4 | ||||
-rw-r--r-- | policy/modules/services/container.te | 7 |
3 files changed, 29 insertions, 1 deletions
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5b6b185a..e529b187 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1018,6 +1018,25 @@ interface(`fs_watch_cgroup_files',`
 ########################################
 ## <summary>
+## Read cgroup symlnks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_cgroup_symlinks',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ## Create cgroup lnk_files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 39c07aec..5024f302 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -100,6 +100,10 @@ neverallow ~{ can_dump_kernel kern_unconfined } proc_kcore_t:file ~{ getattr mou
 genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
 optional_policy(`
+ container_mountpoint(proc_kcore_t)
+')
+
+optional_policy(`
 init_mountpoint(proc_kcore_t)
 ')
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 0b798993..096d6c23 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -606,6 +606,9 @@ allow container_engine_domain self:icmp_socket create_socket_perms;
 allow container_engine_domain self:netlink_route_socket create_netlink_socket_perms;
 allow container_engine_domain self:packet_socket create_socket_perms;
+allow container_engine_domain container_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(container_engine_domain, container_devpts_t)
+
 allow container_engine_domain container_port_t:tcp_socket name_bind;
 dontaudit container_engine_domain container_domain:process { noatsecure rlimitinh siginh };
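Review bot: The summary of the new `fs_read_cgroup_symlinks` interface misspells its subject; `## Read cgroup symlnks.` should read `## Read cgroup symlinks.`, and since this XML block is what the generated interface documentation shows, the typo is user-visible. The body itself looks consistent with the neighbouring cgroup interfaces: read_lnk_files_pattern grants search on the cgroup_t directory together with read on the link, and the `dev_search_sysfs($1)` call is presumably there because the cgroup hierarchy is reached through sysfs, which a short comment on that line could state.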
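Review bot: The new optional_policy block in kernel.te carries no comment saying why a container engine needs to mount on proc_kcore_t, a type the genfscon line just above labels mls_systemhigh and that the preceding neverallow (cut off in the hunk header) deliberately fences off. The existing `init_mountpoint(proc_kcore_t)` block is equally silent, but a one-line rationale helps whoever later audits mounton rights on this type; presumably this is for engines that bind-mount over /proc/kcore to mask it inside containers, so something like `# container engines mount over /proc/kcore to mask it from containers` above the call would do. I could not confirm from the hunk that the truncated neverallow exempts mounton, so that is worth checking before merging.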
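Review bot: Placing `term_create_pty(container_engine_domain, container_devpts_t)` immediately after the raw allow rule moves it out of the `term_*` group where container.te keeps its other terminal interface calls; the hunk at line 700 removes it from between seutil_read_default_contexts and term_mount_devpts, which stay grouped, so the module's ordering convention is broken for this one call. If the goal is only to keep the allow rule and the type transition visibly related, a comment on the allow rule does that without moving the call, e.g. `# ptys created via term_create_pty() below are labeled container_devpts_t`. The explicit allow itself appears necessary since, as far as I recall and cannot confirm from this hunk, term_create_pty() sets up the type_transition and ptmx access but does not grant rw or setattr on the transitioned type.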
@@ -670,6 +673,7 @@ fs_mount_xattr_fs(container_engine_domain)
 fs_remount_xattr_fs(container_engine_domain)
 fs_unmount_xattr_fs(container_engine_domain)
 fs_relabelfrom_xattr_fs(container_engine_domain)
+fs_get_xattr_fs_quotas(container_engine_domain)
 fs_getattr_cgroup(container_engine_domain)
 fs_manage_cgroup_dirs(container_engine_domain)
@@ -678,6 +682,7 @@ fs_watch_cgroup_files(container_engine_domain)
 fs_mount_cgroup(container_engine_domain)
 fs_remount_cgroup(container_engine_domain)
 fs_mounton_cgroup(container_engine_domain)
+fs_read_cgroup_symlinks(container_engine_domain)
 fs_getattr_fusefs(container_engine_domain)
 fs_remount_fusefs(container_engine_domain)
@@ -692,6 +697,7 @@ kernel_read_network_state(container_engine_domain)
 kernel_read_system_state(container_engine_domain)
 kernel_rw_net_sysctls(container_engine_domain)
 kernel_dontaudit_search_kernel_sysctl(container_engine_domain)
+kernel_getattr_core_if(container_engine_domain)
 selinux_get_fs_mount(container_engine_domain)
 selinux_mount_fs(container_engine_domain)
@@ -700,7 +706,6 @@ selinux_unmount_fs(container_engine_domain)
 seutil_read_config(container_engine_domain)
 seutil_read_default_contexts(container_engine_domain)
-term_create_pty(container_engine_domain, container_devpts_t)
 term_mount_devpts(container_engine_domain)
 term_relabel_pty_fs(container_engine_domain) |