container: allow containers to manipulate own fds

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-04-29 21:36:10 -04:00 · 2022-04-29 21:36:10 -04:00 · 3560273d54
commit 3560273d54
parent 1a0acc9c0d
1 changed files with 3 additions and 0 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -165,6 +165,8 @@ corenet_port(container_port_t)
 allow container_domain self:capability { dac_override kill setgid setuid sys_boot sys_chroot };
 allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid };
 allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms };
+allow container_domain self:dir rw_dir_perms;
+allow container_domain self:file create_file_perms;
 allow container_domain self:fifo_file manage_fifo_file_perms;
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;
@ -192,6 +194,7 @@ can_exec(container_domain, container_file_t)

 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
+kernel_associate_proc(container_domain)
 kernel_read_kernel_sysctls(container_domain)
 kernel_rw_net_sysctls(container_domain)
 kernel_read_system_state(container_domain)