From 5771206e2319d9616db89272c86f99e50a21ee00 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 9 Aug 2024 15:36:57 -0400 Subject: various: rules required for DV manipulation in kubevirt Signed-off-by: Kenton Groombridge Signed-off-by: Jason Zaman --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/kernel/kernel.te | 1 + policy/modules/services/container.te | 3 +++ policy/modules/services/kubernetes.if | 19 +++++++++++++++++++ policy/modules/services/kubernetes.te | 1 + policy/modules/system/iptables.te | 5 +++++ policy/modules/system/mount.te | 1 + 7 files changed, 48 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 085bd30f0..aabc1b8e7 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -108,6 +108,24 @@ interface(`dev_getattr_fs',` allow $1 device_t:filesystem getattr; ') +######################################## +## +## Unmount device filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_unmount_fs',` + gen_require(` + type device_t; + ') + + allow $1 device_t:filesystem unmount; +') + ######################################## ## ## Remount device filesystems. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index b16142608..b791ebc71 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -315,6 +315,7 @@ dev_create_generic_chr_files(kernel_t) dev_delete_generic_chr_files(kernel_t) dev_mounton(kernel_t) dev_delete_generic_symlinks(kernel_t) +dev_rw_generic_blk_files(kernel_t) dev_rw_generic_chr_files(kernel_t) dev_setattr_generic_blk_files(kernel_t) dev_setattr_generic_chr_files(kernel_t) diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te index e91cd18f4..e9f59e516 100644 --- a/policy/modules/services/container.te +++ b/policy/modules/services/container.te 
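Review bot: `dev_rw_generic_blk_files(kernel_t)` in the kernel.te hunk is the broadest rule of the series and carries no comment, unlike the spc_t hunk: kernel_t gains read/write on every block node still labeled device_t, which is raw disk access to anything udev never relabeled. If the need is kernel-side I/O on the rbd/ceph devices backing a kubevirt DataVolume (inferred from the subject and the container.te comment, not visible here), say so next to the rule: `# kubevirt DV on rook-ceph: kernel I/O on rbd block nodes, which are labeled device_t`. If those nodes are `/dev/rbd*`, a file context of their own (fixed_disk_device_t or a dedicated type) plus rw on that type would avoid widening kernel_t to all generic block devices, and it is worth confirming that the denial was really against kernel_t rather than a userspace process running in the kernel's context.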
@@ -1071,6 +1071,9 @@ dev_dontaudit_relabelto_generic_blk_files(spc_t) dev_getattr_kvm_dev(spc_t) dev_getattr_vhost_dev(spc_t) dev_watch_dev_dirs(spc_t) +# for DV upload in kubevirt over rook-ceph +dev_unmount_fs(spc_t) +dev_remount_fs(spc_t) fs_read_nsfs_files(spc_t) fs_mount_xattr_fs(spc_t) diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if index de14a7b61..2af5b64b3 100644 --- a/policy/modules/services/kubernetes.if +++ b/policy/modules/services/kubernetes.if @@ -377,6 +377,25 @@ interface(`kubernetes_run_engine_bpf',` allow $1 kubernetes_container_engine_domain:bpf prog_run; ') +######################################## +## +## Read and write FIFO files from +## kubernetes container engines. +## +## +## +## Domain allowed access. +## +## +# +interface(`kubernetes_rw_container_engine_fifo_files',` + gen_require(` + attribute kubernetes_container_engine_domain; + ') + + allow $1 kubernetes_container_engine_domain:fifo_file rw_fifo_file_perms; +') + ######################################## ## ## Search kubernetes config directories. diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 787cdae30..38b3a545e 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -258,6 +258,7 @@ corecmd_exec_bin(kubelet_t) corecmd_watch_bin_dirs(kubelet_t) dev_getattr_mtrr_dev(kubelet_t) +dev_getattr_generic_blk_files(kubelet_t) dev_read_kmsg(kubelet_t) dev_read_sysfs(kubelet_t) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 7c401fa50..5dc07b874 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -128,6 +128,11 @@ optional_policy(` firstboot_rw_pipes(iptables_t) ') +optional_policy(` + # apply firewall rules from multus + kubernetes_rw_container_engine_fifo_files(iptables_t) +') + optional_policy(` modutils_run(iptables_t, iptables_roles) ') 
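Review bot: The two new spc_t rules apply to any filesystem of type device_t, so they cover the host's devtmpfs on `/dev` as well as whatever mount the DataVolume upload actually touches; spc_t is already super-privileged, so the grant fits, but the comment should name the mount so the rule can be retired when the use case goes away. Something like `# kubevirt DV upload over rook-ceph: the importer remounts/unmounts the device_t filesystem in its pod (presumably /dev)` would do, with the presumption confirmed against the original denial. The spc_t rule block these lines sit in starts outside the hunk.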
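Review bot: The summary of `kubernetes_rw_container_engine_fifo_files` should state that `rw_fifo_file_perms` includes `open`, so a caller may open named pipes belonging to the engine domain rather than only use descriptors inherited across exec; refpolicy keeps `rw_inherited_fifo_file_perms` for the inherited case. If every intended caller receives the pipe as an inherited descriptor, which the iptables.te caller in this commit appears to be, a narrower `kubernetes_rw_inherited_container_engine_fifo_files` using `rw_inherited_fifo_file_perms` would be the conventional, least-privilege form. Otherwise keep this interface and add to its summary: `## Includes open, so named pipes of the engine may be opened directly.`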
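Review bot: `dev_getattr_generic_blk_files(kubelet_t)` in the kubernetes.te hunk has no comment tying it to the DataVolume use case, while the spc_t and iptables_t hunks of this commit explain theirs. Getattr alone is low risk, so the grant itself is fine, but a note such as `# stat block devices backing kubevirt DataVolumes (rbd nodes labeled device_t, if that is the case)` would let a later reader know whether the rule can go once those nodes get a type of their own.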
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 88ffb90f6..01fe24528 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -83,6 +83,7 @@ dev_dontaudit_write_sysfs_dirs(mount_t)
 dev_rw_lvm_control(mount_t)
 dev_rw_loop_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
+dev_dontaudit_getattr_generic_blk_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 # Early devtmpfs, before udev relabel
-- 
cgit v1.2.3-65-gdbad
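Review bot: The new mount.te line silences rather than grants getattr on generic block devices, so if mount(8) actually needs to stat the DataVolume device for the mount to proceed, the failure becomes silent and hard to diagnose; kubelet_t receives the same access as an allow elsewhere in this commit. If the stat is only a harmless probe while mount resolves a device under `/dev`, as the neighbouring `dev_dontaudit_getattr_all_chr_files(mount_t)` suggests, the dontaudit is right, otherwise it should read `dev_getattr_generic_blk_files(mount_t)`. A one-line comment stating which case applies, e.g. `# probe of block nodes while resolving kubevirt DV devices; the mount succeeds without it`, would settle that for the next reader.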