From fcb295578e419d50b1c22bc6d26fba0724c5af2f Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Thu, 31 Mar 2022 14:44:24 -0400
Subject: [PATCH] container, podman: allow containers to interact with conmon

Allow containers to use inherited conmon file descriptors and read and write unnamed conmon pipes.

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.te | 5 ++++
 policy/modules/services/podman.if | 41 ++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index d5f79b158..3d623229e 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -248,6 +248,11 @@ tunable_policy(`container_use_samba',`
 fs_exec_cifs_files(container_domain)
 ')
+optional_policy(`
+ podman_rw_conmon_pipes(container_domain)
+ podman_use_conmon_fds(container_domain)
+')
+
 optional_policy(`
 udev_read_runtime_files(container_domain)
 ')
diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
index 3d03884e2..7523e33de 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
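Review bot: The new optional_policy block in container.te grants every domain carrying the container_domain attribute access to both the root and rootless conmon types at once, with nothing in the hunk recording why a container needs conmon's descriptors and pipes; a reader auditing container_domain's reach later has no way to tell whether this is required plumbing or an over-grant. I would add a comment above the block, e.g. `# conmon is the parent of every container process and hands it its stdio pipes and other inherited fds`, so the grant is traceable to the process model rather than looking like a loosening. If separation between rootless containers and the root podman_conmon_t instance matters for this deployment, consider whether the two conmon types should be granted through separate interfaces instead of the combined pair; that is a design choice the hunk does not settle and I am not asserting it is required here. The enclosing tunable_policy and optional_policy sequence continues outside the hunk.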
@@ -188,6 +188,47 @@ interface(`podman_run_conmon_user',`
 podman_domtrans_conmon_user($1)
 ')
+########################################
+##
+## Read and write conmon unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`podman_rw_conmon_pipes',`
+ gen_require(`
+ type podman_conmon_t;
+ type podman_conmon_user_t;
+ ')
+
+ allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
+ allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to inherit
+## file descriptors from conmon.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`podman_use_conmon_fds',`
+ gen_require(`
+ type podman_conmon_t;
+ type podman_conmon_user_t;
+ ')
+
+ allow $1 podman_conmon_t:fd use;
+ allow $1 podman_conmon_user_t:fd use;
+')
+
 ########################################
 ##
 ## Role access for rootless podman.
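Review bot: `podman_rw_conmon_pipes` uses `rw_fifo_file_perms` for pipes that, per the summary and the companion fd-use interface, the caller receives already open from conmon; that set includes `open`, which an inherited unnamed pipe never needs, so the grant is wider than the stated use. Refpolicy carries `rw_inherited_fifo_file_perms` (the same set without `open`) for exactly this case, and I would use it on both allow lines: `allow $1 podman_conmon_t:fifo_file rw_inherited_fifo_file_perms;` and `allow $1 podman_conmon_user_t:fifo_file rw_inherited_fifo_file_perms;`. The summary should then say "Read and write inherited conmon unnamed pipes." so the documented contract matches the permission set. If some caller does open a conmon-labelled fifo by path rather than inheriting it, that is a different access pattern and would deserve its own interface rather than widening this one.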