From af0b40824672cf044ee980bf15b5e604e9eb47f8 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Aug 2024 15:21:18 -0400
Subject: [PATCH] container: allow spc various rules for kubevirt

Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/services/container.te | 13 +++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index cae0b55c0..5d3f9b06d 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5465,6 +5465,24 @@ interface(`dev_relabelfrom_vfio_dev',`
 	relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
 ')
 
+############################
+##
+## Get the attributes of the vhost devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_vhost_dev',`
+	gen_require(`
+		type device_t, vhost_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
 ############################
 ##
 ## Allow read/write the vhost devices
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 0f84b2827..938446471 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -978,7 +978,7 @@ allow spc_t self:process { getcap setrlimit };
 # Normally triggered when rook-ceph executes lvm tools which creates noise.
 # This can be allowed if actually needed.
 dontaudit spc_t self:process setfscreate;
-allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid ipc_lock mknod net_admin net_raw setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
+allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
 allow spc_t self:capability2 { bpf perfmon };
 allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow spc_t self:key manage_key_perms;
@@ -1004,14 +1004,19 @@ allow spc_t container_engine_tmpfs_t:chr_file rw_chr_file_perms;
 allow spc_t container_engine_tmpfs_t:lnk_file read_lnk_file_perms;
 # for rook-ceph
 allow spc_t container_engine_tmpfs_t:blk_file rw_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };
 
 # for kubernetes storage class providers
 allow spc_t container_file_t:{ dir file } mounton;
 allow spc_t container_file_t:dir_file_class_set relabel_blk_file_perms;
 # for rook-ceph
 allow spc_t container_file_t:blk_file manage_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_file_t:chr_file setattr;
+allow spc_t container_file_t:filesystem unmount;
 
-allow spc_t container_runtime_t:dir { manage_dir_perms mounton };
+allow spc_t container_runtime_t:dir { manage_dir_perms mounton watch };
 allow spc_t container_runtime_t:file manage_file_perms;
 allow spc_t container_runtime_t:sock_file manage_sock_file_perms;
 
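Review bot: The four capabilities added to the spc_t self:capability line — dac_override, kill, setgid and setuid — carry no rationale, while every other addition in this commit is tagged `# for multus and kubevirt`. dac_override in particular is a strictly broader grant than the dac_read_search that was already on the line: it bypasses DAC for write and execute as well as read/search, so it deserves its own justification in the policy rather than being folded into the existing set. I would put a comment above the rule such as `# dac_override, kill, setgid, setuid: for kubevirt; note dac_override also bypasses DAC write/exec checks`, or move these four onto a second allow line under that comment so the per-consumer audit trail the file already keeps for rook-ceph stays intact. Whether kubevirt needs all four or only some of them cannot be confirmed from the patch.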
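Review bot: `allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };` grants only the source side of a relabel; the operation also needs relabelto on the destination type, and no chr_file relabelto is added anywhere in this commit, so either it is already granted in the spc_t block outside the hunk or the multus/kubevirt relabel will still be denied. Naming the destination in the comment would settle that for the next reader, e.g. `# for multus and kubevirt: relabel device nodes out of the engine tmpfs (relabelto comes from the container_device_t rules)`, adjusted to whatever actually grants it. Separately, `allow spc_t container_file_t:filesystem unmount;` uses a file type as a filesystem-class target, which presumably covers mounts created with a context=…container_file_t option; a one-line comment saying so would explain why a files type appears in the filesystem class.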
@@ -1034,6 +1039,10 @@ dev_filetrans(spc_t, container_device_t, blk_file)
 dev_dontaudit_getattr_all_chr_files(spc_t)
 dev_dontaudit_setattr_generic_symlinks(spc_t)
 dev_dontaudit_relabelto_generic_blk_files(spc_t)
+# for multus and kubevirt
+dev_getattr_kvm_dev(spc_t)
+dev_getattr_vhost_dev(spc_t)
+dev_watch_dev_dirs(spc_t)
 
 fs_read_nsfs_files(spc_t)
 fs_mount_xattr_fs(spc_t)
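Review bot: The shared comment `# for multus and kubevirt` attributes the /dev/kvm and /dev/vhost-* getattr rules to multus as well, which looks copied from the container.te hunk above; multus is a CNI plugin and is unlikely to probe KVM devices, although the patch alone cannot confirm which consumer triggered which denial. Splitting the comment per rule, `# kubevirt: probe /dev/kvm and /dev/vhost-*` over the two getattr calls and `# multus and kubevirt: watch /dev` over dev_watch_dev_dirs, would keep the rationale precise. Note also that dev_dontaudit_getattr_all_chr_files(spc_t) three lines above already silences getattr denials on every chr_file, so any further device kubevirt stats will not surface in the audit log unless dontaudit rules are disabled while testing.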