container, podman: allow containers to interact with conmon

Allow containers to use inherited conmon file descriptors and read and write unnamed conmon pipes. Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-31 14:44:24 -04:00 · 2022-03-31 14:44:24 -04:00 · fcb295578e
parent 8fee419513
commit fcb295578e
2 changed files with 46 additions and 0 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -248,6 +248,11 @@ tunable_policy(`container_use_samba',`
 	fs_exec_cifs_files(container_domain)
 ')
 optional_policy(`
 	podman_rw_conmon_pipes(container_domain)
 	podman_use_conmon_fds(container_domain)
 ')
 optional_policy(`
 	udev_read_runtime_files(container_domain)
 ')
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@ -188,6 +188,47 @@ interface(`podman_run_conmon_user',`
 	podman_domtrans_conmon_user($1)
 ')
 ########################################
 ## <summary>
 ##	Read and write conmon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`podman_rw_conmon_pipes',`
 	gen_require(`
 		type podman_conmon_t;
 		type podman_conmon_user_t;
 	')
 	allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
 	allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
 ')
 ########################################
 ## <summary>
 ##	Allow the specified domain to inherit
 ##	file descriptors from conmon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`podman_use_conmon_fds',`
 	gen_require(`
 		type podman_conmon_t;
 		type podman_conmon_user_t;
 	')
 	allow $1 podman_conmon_t:fd use;
 	allow $1 podman_conmon_user_t:fd use;
 ')
 ########################################
 ## <summary>
 ##	Role access for rootless podman.