container, kubernetes: add private type for generic container devices

/dev/termination-log is one such generic file created in containers'
/dev filesystems. Add a private type for objects created in /dev for
containers instead of using the generic device type.

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-10-01 22:02:10 -04:00
parent 9216a7a7f1
commit 3ae0575114
3 changed files with 93 additions and 0 deletions


@ -856,6 +856,89 @@ interface(`container_signal_all_containers',`
allow $1 container_domain:process signal_perms;
')
########################################
## <summary>
## Create objects in /dev with an automatic
## transition to the container device type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object">
## <summary>
## The object class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`container_dev_filetrans',`
gen_require(`
type container_device_t;
')
dev_filetrans($1, container_device_t, $2, $3)
')
########################################
## <summary>
## Read and write container device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_rw_device_files',`
gen_require(`
type container_device_t;
')
allow $1 container_device_t:file rw_file_perms;
')
########################################
## <summary>
## Manage container device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_manage_device_files',`
gen_require(`
type container_device_t;
')
allow $1 container_device_t:file manage_file_perms;
')
########################################
## <summary>
## Mount on all container devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`container_mounton_all_devices',`
gen_require(`
type container_device_t;
')
allow $1 container_device_t:dir_file_class_set mounton;
')
########################################
## <summary>
## Set the attributes of container ptys.
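Review bot: The summaries of `container_rw_device_files` and `container_manage_device_files` say "container device files", but both interfaces grant only the `file` class (`allow $1 container_device_t:file rw_file_perms;`), so they cover regular files such as /dev/termination-log and not character or block device nodes, while `container_mounton_all_devices` uses the much broader `dir_file_class_set`. Stating the class in the XML summaries would stop a later caller from assuming they also cover device nodes, e.g. `## Read and write regular files (not device nodes) labeled container_device_t, such as /dev/termination-log.` for the first and the matching wording for the manage interface. In the same way `container_dev_filetrans` applies the transition only to the class passed as $2, so the "maybe other device types" comment in the kubernetes.te hunk would need one further call per object class for anything that is not a regular file. The interface whose summary starts on the last lines of this hunk continues outside it.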


@ -158,6 +158,10 @@ optional_policy(`
kubernetes_mountpoint(container_log_t)
')
# generic devices created in container /dev filesystems
type container_device_t;
dev_node(container_device_t)
type container_devpts_t;
term_pty(container_devpts_t)
@ -289,6 +293,7 @@ miscfiles_read_fonts(container_domain)
mta_dontaudit_read_spool_symlinks(container_domain)
container_rw_device_files(container_domain)
container_use_container_ptys(container_domain)
tunable_policy(`container_manage_cgroup',`
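Review bot: `container_device_t` is a single type shared by every container, and `container_rw_device_files(container_domain)` grants every container domain read and write access to every file of that type, so type enforcement by itself does not separate one container's termination log from another's; whatever separation exists has to come from per-container mount namespaces and, if the engine assigns them, MCS categories. That is presumably the intended model for a per-container /dev, but the assumption is not recorded anywhere, and a comment next to the declaration would make it explicit, e.g. `# shared by all containers; per-container separation of these files relies on namespaces/MCS, not on this type`. The `tunable_policy(` block opened on the last line of this hunk continues outside it.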


@ -91,6 +91,11 @@ kernel_relabelfrom_unlabeled_dirs(kubernetes_container_engine_domain)
iptables_getattr_runtime_files(kubernetes_container_engine_domain)
# for /dev/termination-log and maybe other device types
container_dev_filetrans(kubernetes_container_engine_domain, file)
container_manage_device_files(kubernetes_container_engine_domain)
container_mounton_all_devices(kubernetes_container_engine_domain)
container_use_container_ptys(kubernetes_container_engine_domain)
container_exec_plugins(kubernetes_container_engine_domain)