Add TCP and Unix Socket permissions #144

Open (wants to merge 1 commit into base branch main)

Conversation

@FabienGhd FabienGhd commented Jul 8, 2024

Hi,

This PR fixes issue #130.
This blog post also raises the same caveat when using Udica with the kata-monitor daemonset in Kata Containers, stating that:

While udica can create a good baseline policy from the container.json file, sometimes it might not be sufficient, and you will need customisations.
[...]
The kata-monitor daemonset required permissions to listen on a TCP socket and connect to a Unix socket. We had to redo the policy generation and enable network access.

I've added support for specifying additional TCP and UNIX socket permissions.

  • Implemented the --tcp-connect option to specify additional TCP port permissions.
  • Implemented the --unix-connect option to allow UNIX domain socket connect permissions.
  • Modified policy generation logic to include these additional permissions in the generated policy file.

To easily test the changes:

# Add TCP and UNIX socket permissions to 'tests/test_basic.podman.json'
$ sudo udica -j test_basic.podman.json --tcp-connect 5432,636 --unix-connect test-container

# Verify that the new rules are present in the generated CIL policy
$ grep -E '(allow process (container_runtime_t|postgresql_port_t|ldap_port_t) \( (unix_stream_socket|tcp_socket) \( (connectto|name_connect) \)\))' test-container.cil

Thank you!
Fabien
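As an added, stand-alone illustration of the policy-generation step the PR describes (this is example code written for this page, not udica's code and not the PR's diff), the script below turns a `--tcp-connect 5432,636` style list into CIL `name_connect` rules and optionally adds the `connectto` rule for the container runtime's UNIX socket. It assumes that TCP ports are resolved to SELinux port types the way `semanage port -l` reports them (a constructed excerpt of that output is embedded so it runs offline), that the rule shapes are the ones the PR's own grep pattern expects, and a simplified `(block ...)` template; udica's real template and option handling are not reproduced here. An unlabelled port is rejected rather than silently written into the policy, since a rule for a nonexistent port type would fail at `semodule` load time anyway.

```python
"""Generate udica-style CIL allow rules for extra TCP ports and a UNIX socket.

Added example, not udica's own code. Assumptions: port-to-type mapping comes
from `semanage port -l` style lines; the block template is simplified.
"""
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the layout of `semanage port -l`; real output is longer.
SEMANAGE_PORT_SAMPLE = """\
SELinux Port Type              Proto    Port Number

ephemeral_port_t               tcp      32768-60999
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
ldap_port_t                    udp      389, 636
postgresql_port_t              tcp      5432
"""

# proto -> list of (port type, low port, high port) ranges
PortTable = Dict[str, List[Tuple[str, int, int]]]

# Rule shape for --unix-connect, matching the grep pattern used in the PR.
UNIX_CONNECT_RULE = "(allow process container_runtime_t ( unix_stream_socket ( connectto )))"


def parse_semanage_ports(text: str) -> PortTable:
    """Parse `semanage port -l` style output into per-protocol port ranges."""
    table: PortTable = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        # Skip the header, blank lines and anything that is not a port type.
        if len(parts) != 3 or not parts[0].endswith("_port_t"):
            continue
        ptype, proto, spec = parts
        for item in spec.split(","):
            item = item.strip()
            if "-" in item:                      # a range such as 32768-60999
                lo, hi = (int(x) for x in item.split("-", 1))
            else:
                lo = hi = int(item)
            table.setdefault(proto, []).append((ptype, lo, hi))
    return table


def port_type(table: PortTable, port: int, proto: str = "tcp") -> Optional[str]:
    """Return the first SELinux port type whose range covers `port`, or None."""
    for ptype, lo, hi in table.get(proto, []):
        if lo <= port <= hi:
            return ptype
    return None


def parse_port_list(spec: str) -> List[int]:
    """Parse a '5432,636' style option value; reject junk, drop duplicates."""
    ports: List[int] = []
    for item in spec.split(","):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid TCP port: {item!r}")
        port = int(item)
        if port not in ports:
            ports.append(port)
    return ports


def tcp_connect_rules(ports: List[int], table: PortTable) -> List[str]:
    """One name_connect rule per distinct port type; unlabelled ports are an error."""
    rules: List[str] = []
    seen = set()
    for port in ports:
        ptype = port_type(table, port)
        if ptype is None:
            raise ValueError(
                f"tcp/{port} has no SELinux port type; label it with "
                f"'semanage port -a -t <type> -p tcp {port}' first"
            )
        if ptype in seen:
            continue  # 389 and 636 both map to ldap_port_t: one rule is enough
        seen.add(ptype)
        rules.append(f"(allow process {ptype} ( tcp_socket ( name_connect )))")
    return rules


def generate_policy(name: str, tcp_ports: List[int], unix_connect: bool,
                    table: PortTable) -> str:
    """Render a simplified udica-like CIL block (assumed template, not udica's)."""
    lines = [f"(block {name}", "    (blockinherit container)"]
    lines += ["    " + rule for rule in tcp_connect_rules(tcp_ports, table)]
    if unix_connect:
        lines.append("    " + UNIX_CONNECT_RULE)
    lines.append(")")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Mirrors: udica ... --tcp-connect 5432,636 --unix-connect test-container
    ports_table = parse_semanage_ports(SEMANAGE_PORT_SAMPLE)
    print(generate_policy("test-container", parse_port_list("5432,636"), True,
                          ports_table), end="")
```

On a real host you would feed the actual `semanage port -l` output into `parse_semanage_ports` instead of the embedded sample; the resulting block still has to be loaded with `semodule -i` together with udica's templates, exactly as for any other udica-generated policy.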
