
Create policy for a container_device_t
Also create policy for container_device_plugin_t and
container_device_plugin_init_t.

This policy can be used for kubernetes/container plugins that add
devices to containers.

Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan committed Apr 27, 2022
1 parent 34e62c8 commit b849706
Showing 3 changed files with 131 additions and 5 deletions.
8 changes: 4 additions & 4 deletions container.fc
Expand Up @@ -5,10 +5,10 @@
/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kublet_exec_t,s0)
/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kublet_exec_t,s0)
/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kublet_exec_t,s0)
/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kublet_exec_t,s0)
/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
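Review bot: The new label `kublet_exec_t` on all four changed lines drops the "e" of the `kubelet` binary it is applied to, so anyone searching the policy for kubelet will miss the type; consider naming the type `kubelet_exec_t` (and the matching domain) before the name is frozen in a release. The change itself is a relabel only, and on an already-installed system the kubelet/hyperkube paths presumably keep their old context until they are relabeled.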
64 changes: 64 additions & 0 deletions container.if
Expand Up @@ -881,3 +881,67 @@ interface(`container_spc_rw_pipes',`

allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
## Execute container in the container domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`container_kublet_domtrans',`
gen_require(`
type kublet_t, kublet_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, kublet_exec_t, kublet_t)
')

########################################
## <summary>
## Execute kublet_exec_t in the kublet_t domain
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`container_kublet_run',`
gen_require(`
type kublet_t;
class dbus send_msg;
')

container_kublet_domtrans($1)
role $2 types kublet_t;
')

########################################
## <summary>
## Connect to kublet over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_kublet_stream_connect',`
gen_require(`
type kublet_t, container_var_run_t;
')

files_search_pids($1)
stream_connect_pattern($1, container_var_run_t, container_var_run_t, kublet_t)
')
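Review bot: `container_kublet_run` requires `class dbus send_msg;` in its gen_require block but no rule in the interface uses the dbus class, so the require is dead and should either be dropped or paired with the rule it was meant for. The summary of `container_kublet_domtrans` reads `## Execute container in the container domain.`, which looks copied from another interface; it should read `## Execute kubelet in the kublet_t domain.`. `container_kublet_stream_connect` hard-codes `container_var_run_t` as both the directory and socket type without saying where kubelet creates the socket; a one-line comment above the `stream_connect_pattern` call naming the expected socket location would help reviewers of future callers.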
64 changes: 63 additions & 1 deletion container.te
@@ -1,4 +1,4 @@
policy_module(container, 2.183.0)
policy_module(container, 2.184.0)

gen_require(`
class passwd rootok;
Expand Down Expand Up @@ -1297,3 +1297,65 @@ kernel_mounton_core_if(container_engine_t)
kernel_mounton_proc(container_engine_t)
kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
term_mount_pty_fs(container_engine_t)

type kublet_t, container_runtime_domain;
domain_type(kublet_t)

optional_policy(`
gen_require(`
role unconfined_r;
')
role unconfined_r types kublet_t;
unconfined_domain(kublet_t)
')


type kublet_exec_t;
application_executable_file(kublet_exec_t)
can_exec(container_runtime_t, kublet_exec_t)
allow kublet_t kublet_exec_t:file entrypoint;

ifdef(`enable_mcs',`
init_ranged_daemon_domain(kublet_t, kublet_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
init_ranged_daemon_domain(kublet_t, kublet_exec_t, s0 - mls_systemhigh)
')
mls_trusted_object(kublet_t)

init_daemon_domain(kublet_t, kublet_exec_t)

admin_pattern(kublet_t, kubernetes_file_t)

optional_policy(`
gen_require(`
type sysadm_t;
role sysadm_r;
attribute userdomain;
role unconfined_r;
')

container_kublet_run(sysadm_t, sysadm_r)

unconfined_run_to(kublet_t, kublet_exec_t)
role_transition unconfined_r kublet_exec_t system_r;
')

# Standard container which needs to be allowed to use any device
container_domain_template(container_device)
allow container_device_t device_node:chr_file rw_chr_file_perms;

# Standard container which needs to be allowed to use any device and communicate with kublet
container_domain_template(container_device_plugin)
allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
container_kublet_stream_connect(container_device_plugin_t)

# Standard container which needs to be allowed to use any device,communicate with kublet
# modify kublet configuration
allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
container_kublet_stream_connect(container_device_plugin_init_t)
container_domain_template(container_device_plugin_init)
manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
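Review bot: In the `container_device_plugin_init` block the rules `allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;` and `container_kublet_stream_connect(container_device_plugin_init_t)` come before the `container_domain_template(container_device_plugin_init)` call that declares the type, unlike the two preceding blocks where the template call is first; the policy parser collects declarations before rules so this probably still compiles, but the block should be reordered to match its siblings. The comment above it (`# ... use any device,communicate with kublet` / `# modify kublet configuration`) is also missing the joining "and" and a space after the comma. Separately, `kublet_t` is made `unconfined_domain` in the first optional_policy block, and `container_device_plugin_init_t` receives manage rights over `kubernetes_file_t`, the same type `admin_pattern(kublet_t, kubernetes_file_t)` shows the kubelet itself operating on; a container in that domain can therefore rewrite the configuration of an unconfined host daemon, and `device_node:chr_file rw_chr_file_perms` grants every character device type carrying that attribute. A comment stating that the three `container_device*` types are intended only for trusted, operator-selected plugin containers and not as a general container label would make that trust assumption explicit in the policy.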
