Merge pull request #178 from rhatdan/main
Create policy for a container_device_t
rhatdan authored May 4, 2022
2 parents 687cc50 + cf704e4 commit 15c20d7
Showing 3 changed files with 133 additions and 5 deletions.
8 changes: 4 additions & 4 deletions container.fc
Expand Up @@ -5,10 +5,10 @@
/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
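Review bot: Labeling `/usr/s?bin/hyperkube.*` and `/usr/local/s?bin/hyperkube.*` as kubelet_exec_t sends every invocation of that binary through the kubelet_t transition, and hyperkube is, as far as I know, a multi-call binary that also runs apiserver, controller-manager and scheduler modes; since kubelet_t becomes an unconfined_domain in the accompanying container.te change, that widens what runs unconfined beyond the kubelet itself. If that is intended, a one-line comment above the two hyperkube entries saying so would save the next reader the question. Note also that the new label only reaches already-installed binaries after a restorecon of these paths, which the commit message could mention.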
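--- a/container.if
+++ b/container.if
@@ -881,3 +881,67 @@ interface(`container_spc_rw_pipes',`
 
 allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
 ')
+
+########################################
+## <summary>
+## Execute container in the container domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`container_kubelet_domtrans',`
+gen_require(`
+type kubelet_t, kubelet_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, kubelet_exec_t, kubelet_t)
+')
+
+########################################
+## <summary>
+## Execute kubelet_exec_t in the kubelet_t domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`container_kubelet_run',`
+gen_require(`
+type kubelet_t;
+class dbus send_msg;
+')
+
+container_kubelet_domtrans($1)
+role $2 types kubelet_t;
+')
+
+########################################
+## <summary>
+## Connect to kubelet over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_kubelet_stream_connect',`
+gen_require(`
+type kubelet_t, container_var_run_t;
+')
+
+files_search_pids($1)
+stream_connect_pattern($1, container_var_run_t, container_var_run_t, kubelet_t)
+')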
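Review bot: The summary of container_kubelet_domtrans reads `## Execute container in the container domain.`, which looks copied from another interface and does not describe the rule beneath it; it should be `## Execute kubelet_exec_t in the kubelet_t domain.`, matching the wording already used for container_kubelet_run. In container_kubelet_run, `class dbus send_msg;` is listed in gen_require but no rule in the body uses that class, so either drop the line or add the dbus rule it was meant to support. container_kubelet_stream_connect passes container_var_run_t as both the directory and the socket type, which is fine only if kubelet's socket lives directly under a container_var_run_t directory; a comment naming the socket path this is meant to cover would make that checkable.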
66 changes: 65 additions & 1 deletion container.te
@@ -1,4 +1,4 @@
policy_module(container, 2.184.0)
policy_module(container, 2.185.0)

gen_require(`
class passwd rootok;
Expand Down Expand Up @@ -1298,3 +1298,67 @@ kernel_mounton_core_if(container_engine_t)
kernel_mounton_proc(container_engine_t)
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
term_mount_pty_fs(container_engine_t)

type kubelet_t, container_runtime_domain;
domain_type(kubelet_t)

optional_policy(`
gen_require(`
role unconfined_r;
')
role unconfined_r types kubelet_t;
unconfined_domain(kubelet_t)
')


type kubelet_exec_t;
application_executable_file(kubelet_exec_t)
can_exec(container_runtime_t, kubelet_exec_t)
allow kubelet_t kubelet_exec_t:file entrypoint;

ifdef(`enable_mcs',`
init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mls_systemhigh)
')
mls_trusted_object(kubelet_t)

init_daemon_domain(kubelet_t, kubelet_exec_t)

admin_pattern(kubelet_t, kubernetes_file_t)

optional_policy(`
gen_require(`
type sysadm_t;
role sysadm_r;
attribute userdomain;
role unconfined_r;
')

container_kubelet_run(sysadm_t, sysadm_r)

unconfined_run_to(kubelet_t, kubelet_exec_t)
role_transition unconfined_r kubelet_exec_t system_r;
')

# Standard container which needs to be allowed to use any device
container_domain_template(container_device)
allow container_device_t device_node:chr_file rw_chr_file_perms;

# Standard container which needs to be allowed to use any device and
# communicate with kubelet
container_domain_template(container_device_plugin)
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_t)
container_kubelet_stream_connect(container_device_plugin_t)

# Standard container which needs to be allowed to use any device and
# modify kubelet configuration
container_domain_template(container_device_plugin_init)
allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
dev_rw_sysfs(container_device_plugin_init_t)
manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
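Review bot: `attribute userdomain;` in the gen_require of the optional_policy block around `container_kubelet_run(sysadm_t, sysadm_r)` is never referenced by the rules in that block, so it should be dropped to keep the require list honest. `allow kubelet_t kubelet_exec_t:file entrypoint;` looks redundant with `init_daemon_domain(kubelet_t, kubelet_exec_t)` a few lines below, which as far as I recall already declares kubelet_exec_t an entry point for the domain. The three container_device* domains are privileged by construction — rw on every device_node chr_file, and for container_device_plugin_init_t manage rights on kubernetes_file_t, i.e. the configuration that kubelet_t (unconfined here) consumes — so I would extend the header comments to say so, e.g. `# NOTE: write access to kubernetes_file_t lets this container alter what kubelet_t loads; treat it as node-privileged.` The rest of container.te is outside the hunk.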
