container: add tunables to allow containers to access public content

Note that container engines only need read access to these files even if manage access is enabled. Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-31 15:09:25 -04:00 · 2022-03-31 15:09:25 -04:00 · 53e708e724
parent 5dbc5aa25d
commit 53e708e724
1 changed files with 30 additions and 0 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -16,6 +16,20 @@ gen_tunable(container_manage_cgroup, false)
 ## </desc>
 gen_tunable(container_mounton_non_security, false)

+## <desc>
+##	<p>
+##	Allow containers to manage all read-writable public content.
+##	</p>
+## </desc>
+gen_tunable(container_manage_public_content, false)
+
+## <desc>
+##	<p>
+##	Allow containers to read all public content.
+##	</p>
+## </desc>
+gen_tunable(container_read_public_content, false)
+
 ## <desc>
 ##	<p>
 ##	Allow containers to use NFS filesystems.
@ -232,6 +246,14 @@ tunable_policy(`container_manage_cgroup',`
 	fs_manage_cgroup_files(container_domain)
 ')

+tunable_policy(`container_manage_public_content',`
+	miscfiles_manage_public_files(container_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+	miscfiles_read_public_files(container_domain)
+')
+
 tunable_policy(`container_use_nfs',`
 	fs_manage_nfs_dirs(container_domain)
 	fs_manage_nfs_files(container_domain)
@ -515,6 +537,14 @@ ifdef(`init_systemd',`
 	init_run_bpf(container_engine_domain)
 ')

+tunable_policy(`container_manage_public_content',`
+	miscfiles_read_public_files(container_engine_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+	miscfiles_read_public_files(container_engine_domain)
+')
+
 tunable_policy(`container_mounton_non_security',`
 	files_mounton_non_security(container_engine_domain)
 ')