From cf704e467c9b421f0c803f437b716e0b0315c1b6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 22 Apr 2022 09:49:49 -0400
Subject: [PATCH] Create policy for a container_device_t

Also create policy for container_device_plugin_t and container_device_plugin_init_t. This policy can be used for kubernetes/container plugins which add devices to containers.

Signed-off-by: Daniel J Walsh
---
 container.fc | 8 +++----
 container.if | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++
 container.te | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 133 insertions(+), 5 deletions(-)

diff --git a/container.fc b/container.fc
index 31872a3..f182a91 100644
--- a/container.fc
+++ b/container.fc
@@ -5,10 +5,10 @@
 /usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
-/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
 /usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
 /usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
diff --git a/container.if b/container.if
index a77e673..5c15ce3 100644
--- a/container.if
+++ b/container.if
@@ -881,3 +881,67 @@ interface(`container_spc_rw_pipes',`
 allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
 ')
+
+########################################
+##
+## Execute container in the container domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_kubelet_domtrans',`
+ gen_require(`
+ type kubelet_t, kubelet_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, kubelet_exec_t, kubelet_t)
+')
+
+########################################
+##
+## Execute kubelet_exec_t in the kubelet_t domain
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`container_kubelet_run',`
+ gen_require(`
+ type kubelet_t;
+ class dbus send_msg;
+ ')
+
+ container_kubelet_domtrans($1)
+ role $2 types kubelet_t;
+')
+
+########################################
+##
+## Connect to kubelet over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_kubelet_stream_connect',`
+ gen_require(`
+ type kubelet_t, container_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_var_run_t, container_var_run_t, kubelet_t)
+')
diff --git a/container.te b/container.te
index 52714ec..2c88875 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.184.0)
+policy_module(container, 2.185.0)
 
 gen_require(`
 class passwd rootok;
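Review bot: The summary of `container_kubelet_domtrans` reads `Execute container in the container domain.`, which is copied from the generic container interface and does not describe this one; it should read `## Execute kubelet_exec_t in the kubelet_t domain.`, matching the sibling `container_kubelet_run` summary. The `gen_require` of `container_kubelet_run` also lists `class dbus send_msg;` although nothing in that body touches the dbus class, so the line can be dropped. In `container_kubelet_stream_connect` the socket file type is `container_var_run_t` and only `files_search_pids($1)` is granted, so the interface presumes the kubelet socket is created under a pid directory with that label; if the socket a plugin connects to lives elsewhere (for instance under a var_lib path) the caller will still be denied search on the parent directory — worth confirming against where kubelet actually places it.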
@@ -1298,3 +1298,67 @@ kernel_mounton_core_if(container_engine_t)
 kernel_mounton_proc(container_engine_t)
 kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
 term_mount_pty_fs(container_engine_t)
+
+type kubelet_t, container_runtime_domain;
+domain_type(kubelet_t)
+
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+ role unconfined_r types kubelet_t;
+ unconfined_domain(kubelet_t)
+')
+
+
+type kubelet_exec_t;
+application_executable_file(kubelet_exec_t)
+can_exec(container_runtime_t, kubelet_exec_t)
+allow kubelet_t kubelet_exec_t:file entrypoint;
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mls_systemhigh)
+')
+mls_trusted_object(kubelet_t)
+
+init_daemon_domain(kubelet_t, kubelet_exec_t)
+
+admin_pattern(kubelet_t, kubernetes_file_t)
+
+optional_policy(`
+ gen_require(`
+ type sysadm_t;
+ role sysadm_r;
+ attribute userdomain;
+ role unconfined_r;
+ ')
+
+ container_kubelet_run(sysadm_t, sysadm_r)
+
+ unconfined_run_to(kubelet_t, kubelet_exec_t)
+ role_transition unconfined_r kubelet_exec_t system_r;
+')
+
+# Standard container which needs to be allowed to use any device
+container_domain_template(container_device)
+allow container_device_t device_node:chr_file rw_chr_file_perms;
+
+# Standard container which needs to be allowed to use any device and
+# communicate with kubelet
+container_domain_template(container_device_plugin)
+allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
+dev_rw_sysfs(container_device_plugin_t)
+container_kubelet_stream_connect(container_device_plugin_t)
+
+# Standard container which needs to be allowed to use any device and
+# modify kubelet configuration
+container_domain_template(container_device_plugin_init)
+allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
+dev_rw_sysfs(container_device_plugin_init_t)
+manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
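Review bot: `unconfined_domain(kubelet_t)` in the first optional_policy block near the top of the hunk makes kubelet_t fully permissive wherever the unconfined module is loaded, so the narrower rules that follow (`admin_pattern(kubelet_t, kubernetes_file_t)`, the daemon-domain calls, the `can_exec` from container_runtime_t) only bound the domain on policies built without that module, and the relabel from container_runtime_exec_t to kubelet_exec_t separates the label rather than the privilege. A comment stating that intent would save the next maintainer from assuming kubelet is confined, e.g. `# kubelet_t is unconfined when the unconfined module is loaded; the rules below only bound it on policies without it`. The unconditional `init_daemon_domain(kubelet_t, kubelet_exec_t)` after the two `init_ranged_daemon_domain` calls looks redundant, since in refpolicy the ranged variant already expands to init_daemon_domain — confirm against the local interface before removing it. `attribute userdomain` in the second gen_require is not referenced anywhere in that block and can be dropped. The three `allow ... device_node:chr_file rw_chr_file_perms;` lines grant read/write on every character device carrying the device_node attribute, which matches the "any device" comments but is worth stating explicitly in the comment so the breadth is a documented choice rather than an accident.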