container, docker: add initial support for docker

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-12-31 14:20:49 -05:00 · 2021-12-31 14:20:49 -05:00 · 29ac8a3fcf
commit 29ac8a3fcf
parent 81d26ac72e
5 changed files with 283 additions and 0 deletions
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@ -13,13 +13,24 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.*		gen_context(system_u
 /usr/bin/crun	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
 /usr/bin/runc	--	gen_context(system_u:object_r:container_engine_exec_t,s0)

+/usr/lib/systemd/system/docker.*	--	gen_context(system_u:object_r:container_unit_t,s0)
+/usr/lib/systemd/system/containerd.*	--	gen_context(system_u:object_r:container_unit_t,s0)
+
 /etc/containers(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
 /etc/cni(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/docker(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/containerd(/.*)?		gen_context(system_u:object_r:container_config_t,s0)

 /run/containers(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
 /run/libpod(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
 /run/runc(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)

+/run/docker(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
+/run/docker\.pid	--	gen_context(system_u:object_r:container_runtime_t,s0)
+/run/docker\.sock	-s	gen_context(system_u:object_r:container_runtime_t,s0)
+/run/containerd(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
+/run/containerd/[^/]+/sandboxes/[^/]+/shm(/.*)?		gen_context(system_u:object_r:container_engine_tmpfs_t,s0)
+
 /run/user/%{USERID}/netns(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)

 /var/cache/containers(/.*)?		gen_context(system_u:object_r:container_engine_cache_t,s0)
@ -42,5 +53,19 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.*		gen_context(system_u
 /var/lib/containers/storage/overlay2-images(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/volumes/[^/]+/.*		gen_context(system_u:object_r:container_file_t,s0)

+/var/lib/docker(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker/.*/config\.env	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/.*\.log	--	gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker/containers/.*/hostname	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/hosts	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/init(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay2(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/volumes/[^/]+/.*		gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/containerd(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/containerd/[^/]+/sandboxes(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containerd/[^/]+/snapshots(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+
 /var/log/containers(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@ -423,6 +423,27 @@ interface(`container_engine_dbus_chat',`
 	allow container_engine_domain $1:dbus send_msg;
 ')

+########################################
+## <summary>
+##	Allow the specified domain to be started
+##	by systemd socket activation using a
+##	named socket labeled the container
+##	runtime type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_runtime_named_socket_activation',`
+	gen_require(`
+		type container_runtime_t;
+	')
+
+	init_named_socket_activation($1, container_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to manage
@ -572,6 +593,28 @@ interface(`container_domtrans',`
 	allow $1 container_domain:process transition;
 ')

+########################################
+## <summary>
+##	Connect to a system container domain
+##	over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_stream_connect_system_containers',`
+	gen_require(`
+		attribute container_system_domain;
+		type container_runtime_t;
+	')
+
+	files_search_runtime($1)
+	stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_system_domain)
+	allow $1 container_runtime_t:sock_file read_sock_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Connect to a container domain
@ -591,6 +634,7 @@ interface(`container_stream_connect_all_containers',`

 	files_search_runtime($1)
 	stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_domain)
+	allow $1 container_runtime_t:sock_file read_sock_file_perms;
 ')

 ########################################
@ -650,6 +694,25 @@ interface(`container_mountpoint',`
 	typeattribute $1 container_mountpoint_type;
 ')

+########################################
+## <summary>
+##	Allow the specified domain to
+##	manage container config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_config_files',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	manage_files_pattern($1, container_config_t, container_config_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
@ -1166,6 +1229,39 @@ interface(`container_manage_var_lib_sock_files',`
 	manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t)
 ')

+########################################
+## <summary>
+##	Allow the specified domain to create
+##	objects in unlabeled directories with
+##	an automatic type transition to the
+##	container var lib type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`container_unlabeled_var_lib_filetrans',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	# This access is to workaround an issue in Docker
+	# See: https://github.com/moby/moby/issues/43088
+	kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
--- a/policy/modules/services/docker.fc
+++ b/policy/modules/services/docker.fc
@ -0,0 +1,8 @@
+/usr/bin/docker	--	gen_context(system_u:object_r:dockerc_exec_t,s0)
+/usr/bin/dockerd	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/docker-proxy	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd-shim	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd-shim-runc-v1	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd-shim-runc-v2	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd-stress	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
--- a/policy/modules/services/docker.if
+++ b/policy/modules/services/docker.if
@ -0,0 +1,69 @@
+## <summary>Policy for docker</summary>
+
+########################################
+## <summary>
+##	Execute docker CLI in the docker CLI domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`docker_domtrans_cli',`
+	gen_require(`
+		type dockerc_t, dockerc_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dockerc_exec_t, dockerc_t)
+')
+
+########################################
+## <summary>
+##	Execute docker CLI in the docker CLI
+##	domain, and allow the specified role
+##	the docker CLI domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the docker domain.
+##	</summary>
+## </param>
+#
+interface(`docker_run_cli',`
+	gen_require(`
+		type dockerc_t;
+	')
+
+	role $2 types dockerc_t;
+
+	docker_domtrans_cli($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a docker
+##	environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`docker_admin',`
+	docker_run_cli($1, $2)
+')
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@ -0,0 +1,85 @@
+policy_module(docker)
+
+########################################
+#
+# Declarations
+#
+
+container_engine_domain_template(dockerd)
+container_system_engine(dockerd_t)
+type dockerd_exec_t;
+container_engine_executable_file(dockerd_exec_t)
+application_domain(dockerd_t, dockerd_exec_t)
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(dockerd_t, dockerd_exec_t, s0 - mls_systemhigh)
+')
+mls_trusted_object(dockerd_t)
+
+type dockerc_t;
+type dockerc_exec_t;
+container_engine_executable_file(dockerc_t)
+application_domain(dockerc_t, dockerc_exec_t)
+
+########################################
+#
+# Docker daemon local policy
+#
+
+allow dockerd_t self:netlink_netfilter_socket create_socket_perms;
+allow dockerd_t self:netlink_xfrm_socket create_socket_perms;
+
+init_write_runtime_socket(dockerd_t)
+container_runtime_named_socket_activation(dockerd_t)
+
+# docker fails to start if /proc/kallsyms is unreadable,
+# but only when btrfs support is disabled
+files_read_kernel_symbol_table(dockerd_t)
+files_dontaudit_write_usr_dirs(dockerd_t)
+
+kernel_relabelfrom_unlabeled_dirs(dockerd_t)
+# docker wants to load binfmt_misc
+kernel_request_load_module(dockerd_t)
+kernel_dontaudit_search_fs_sysctls(dockerd_t)
+
+logging_send_syslog_msg(dockerd_t)
+
+container_stream_connect_system_containers(dockerd_t)
+
+# docker manages key.json in /etc/docker
+container_manage_config_files(dockerd_t)
+
+# In btrfs mode, docker creates subvolumes which are unlabeled
+# in /var/lib/docker/btrfs/subvolumes. The files inside will
+# become labeled with a file transition, but the subvolume
+# root will always be unlabeled.
+container_unlabeled_var_lib_filetrans(dockerd_t, dir)
+
+ifdef(`init_systemd',`
+	init_dbus_chat(dockerd_t)
+	init_get_generic_units_status(dockerd_t)
+	init_start_generic_units(dockerd_t)
+	init_start_system(dockerd_t)
+	init_stop_system(dockerd_t)
+')
+
+########################################
+#
+# Docker CLI local policy
+#
+
+allow dockerc_t self:process { getsched signal };
+allow dockerc_t self:fifo_file rw_fifo_file_perms;
+
+allow dockerc_t dockerd_t:unix_stream_socket connectto;
+
+corecmd_dontaudit_search_bin(dockerc_t)
+
+domain_use_interactive_fds(dockerc_t)
+
+auth_use_nsswitch(dockerc_t)
+
+miscfiles_read_localization(dockerc_t)
+
+userdom_use_user_ptys(dockerc_t)
+
+container_stream_connect_system_containers(dockerc_t)