container, init: allow init to remount container filesystems

Allow init to remount container filesystems. This is in support of other services starting with NoNewPrivileges while already running containers have mounted filesystems. Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-31 15:04:26 -04:00 · 2022-03-31 15:04:26 -04:00 · 0e3ce95c94
parent 4fd2a2ecbc
commit 0e3ce95c94
2 changed files with 23 additions and 0 deletions
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@ -1099,6 +1099,25 @@ interface(`container_relabel_all_content',`
 	allow $1 container_file_t:dir_file_class_set { relabelfrom relabelto };
 ')

+########################################
+## <summary>
+##	Allow the specified domain to
+##	remount container filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_remount_fs',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:filesystem remount;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -543,6 +543,10 @@ ifdef(`init_systemd',`
 		clock_read_adjtime(init_t)
 	')

+	optional_policy(`
+		container_remount_fs(init_t)
+	')
+
 	optional_policy(`
 		systemd_dbus_chat_logind(init_t)
 		systemd_search_all_user_keys(init_t)