container, kubernetes: add private type for generic container devices

/dev/termination-log is one such generic file created in containers' /dev filesystems. Add a private type for objects created in /dev for containers instead of using the generic device type. Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-01 22:02:10 -04:00 · 2022-10-01 22:02:10 -04:00 · 3ae0575114
commit 3ae0575114
parent 9216a7a7f1
3 changed files with 93 additions and 0 deletions
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@ -856,6 +856,89 @@ interface(`container_signal_all_containers',`
 	allow $1 container_domain:process signal_perms;
 ')

+########################################
+## <summary>
+##	Create objects in /dev with an automatic
+##	transition to the container device type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`container_dev_filetrans',`
+	gen_require(`
+		type container_device_t;
+	')
+
+	dev_filetrans($1, container_device_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Read and write container device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_rw_device_files',`
+	gen_require(`
+		type container_device_t;
+	')
+
+	allow $1 container_device_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage container device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_device_files',`
+	gen_require(`
+		type container_device_t;
+	')
+
+	allow $1 container_device_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Mount on all container devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_mounton_all_devices',`
+	gen_require(`
+		type container_device_t;
+	')
+
+	allow $1 container_device_t:dir_file_class_set mounton;
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of container ptys.
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -158,6 +158,10 @@ optional_policy(`
 	kubernetes_mountpoint(container_log_t)
 ')

+# generic devices created in container /dev filesystems
+type container_device_t;
+dev_node(container_device_t)
+
 type container_devpts_t;
 term_pty(container_devpts_t)

@ -289,6 +293,7 @@ miscfiles_read_fonts(container_domain)

 mta_dontaudit_read_spool_symlinks(container_domain)

+container_rw_device_files(container_domain)
 container_use_container_ptys(container_domain)

 tunable_policy(`container_manage_cgroup',`
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@ -91,6 +91,11 @@ kernel_relabelfrom_unlabeled_dirs(kubernetes_container_engine_domain)

 iptables_getattr_runtime_files(kubernetes_container_engine_domain)

+# for /dev/termination-log and maybe other device types
+container_dev_filetrans(kubernetes_container_engine_domain, file)
+container_manage_device_files(kubernetes_container_engine_domain)
+container_mounton_all_devices(kubernetes_container_engine_domain)
+
 container_use_container_ptys(kubernetes_container_engine_domain)

 container_exec_plugins(kubernetes_container_engine_domain)