
Add Support for --device /dev/XXX #78

Merged (1 commit), Nov 25, 2020

Conversation

wrabcak (Member)

@wrabcak wrabcak commented Nov 24, 2020

Commit adds functionality to generate allow rules when --device switch
is used for podman e.g: # podman run --device /dev/tty0 fedora /bin/bash

The output policy should look like:

(block devtest
    (blockinherit container)
    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))

    (allow process tty_device_t ( blk_file ( getattr read write append ioctl lock open )))
    (allow process tty_device_t ( chr_file ( getattr read write append ioctl lock open )))
)

TODO: CRI-O functionality is missing

@wrabcak wrabcak requested a review from JAORMX November 24, 2020 20:26
@wrabcak (Member, Author)

wrabcak commented Nov 24, 2020

@JAORMX , is this applicable for CRI-O?

@JAORMX (Collaborator)

JAORMX commented Nov 25, 2020

@JAORMX , is this applicable for CRI-O?

Currently, there doesn't seem to be similar support for this in CRI-O or Kubernetes [1]. But what folks tend to do is bind-mount the device on to the container.

With the current mount parsing, will udica still attach the appropriate policy for a device?

[1] kubernetes/kubernetes#60748

@wrabcak (Member, Author)

wrabcak commented Nov 25, 2020

Yes, bind-mount will work for containers for both podman and CRI-O.

Okay, thank you for the update. I'll drop the TODO for CRI-O and move "Draft PR" to "PR".

Commit adds functionality to generate allow rules when --device switch
is used for podman e.g: podman run --device /dev/tty0 fedora /bin/bash

The output policy should look like:
(block devtest
    (blockinherit container)
    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))

    (allow process tty_device_t ( blk_file ( getattr read write append ioctl lock open )))
    (allow process tty_device_t ( chr_file ( getattr read write append ioctl lock open )))
)

The feature is applicable for podman and docker engines, CRI-O uses
bind-mount solution.
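The rule shape above, as an added example (not udica's own code): it takes a device path, reads its SELinux type and node kind, and renders the same CIL block. It goes beyond the PR's output in one way: the quoted policy grants both blk_file and chr_file for tty_device_t, while this version emits only the class matching the actual node, which is the tighter rule. The `context` and `mode` overrides are constructed parameters so the functions run on hosts without SELinux labels.

```python
import os
import stat

# Permissions granted on a --device node in the policy quoted in this PR.
DEVICE_PERMS = "getattr read write append ioctl lock open"


def selinux_type(path, context=None):
    """Return the SELinux type of a node, e.g. 'tty_device_t'.

    `context` is a constructed override; without it the label is read
    from the security.selinux xattr (Linux only)."""
    if context is None:
        context = os.getxattr(path, "security.selinux").decode().rstrip("\0")
    return context.split(":")[2]


def device_classes(path, mode=None):
    """Map a device node to the single SELinux file class it really is.

    `mode` is a constructed override for st_mode. Unlike the PR output,
    only the class matching the node type is granted."""
    if mode is None:
        mode = os.stat(path).st_mode
    if stat.S_ISCHR(mode):
        return ["chr_file"]
    if stat.S_ISBLK(mode):
        return ["blk_file"]
    raise ValueError(f"{path} is not a character or block device")


def device_rules(devtype, classes):
    """Render the CIL allow rules for one device type."""
    return [f"(allow process {devtype} ( {cls} ( {DEVICE_PERMS} )))"
            for cls in classes]


def render_block(name, rules, inherit=("container",)):
    """Wrap rules in a CIL block inheriting udica's container template."""
    lines = [f"(block {name}"]
    lines += [f"    (blockinherit {tmpl})" for tmpl in inherit]
    lines += [f"    {rule}" for rule in rules]
    lines.append(")")
    return "\n".join(lines)
```

For `podman run --device /dev/tty0`, `render_block("devtest", device_rules(selinux_type("/dev/tty0"), device_classes("/dev/tty0")))` yields the block above with only the chr_file rule.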
@wrabcak wrabcak marked this pull request as ready for review November 25, 2020 12:52
@wrabcak (Member, Author)

wrabcak commented Nov 25, 2020

@JAORMX Thank you.

@wrabcak wrabcak merged commit 31bccb3 into containers:master Nov 25, 2020