container, kubernetes: add rules for device plugins running as spc
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
6c2124d5ae
commit
3b3d3715c9
@ -865,7 +865,8 @@ fs_mount_xattr_fs(spc_t)
|
||||
fs_unmount_xattr_fs(spc_t)
|
||||
fs_mount_cgroup(spc_t)
|
||||
fs_mounton_cgroup(spc_t)
|
||||
fs_list_cgroup_dirs(spc_t)
|
||||
fs_manage_cgroup_dirs(spc_t)
|
||||
fs_manage_cgroup_files(spc_t)
|
||||
fs_mount_bpf(spc_t)
|
||||
fs_create_bpf_dirs(spc_t)
|
||||
fs_manage_bpf_files(spc_t)
|
||||
@ -934,6 +935,9 @@ optional_policy(`
|
||||
|
||||
# Calico runs as a privileged container
|
||||
kubernetes_run_engine_bpf(spc_t)
|
||||
|
||||
# for device plugins
|
||||
kubernetes_stream_connect_kubelet(spc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
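Review bot: The first hunk (@ -865,7 +865,8) changes the run of `fs_*_bpf`/cgroup rules for `spc_t` by one net line, but neither the commit title, which mentions only device plugins, nor a comment inside the hunk says which workload needs the extra bpf filesystem access; the rendered gutter is lost here, so exactly which of the `fs_mount_bpf`/`fs_create_bpf_dirs`/`fs_manage_bpf_files` lines is new cannot be confirmed from this view. A one-line comment above the new rule naming the workload that needs it, in the same style as `# Calico runs as a privileged container` and `# for device plugins` in the second hunk, would keep the reason for the grant auditable, and the commit message should mention the bpf change as well. The `optional_policy` block that the second hunk's `')` closes begins outside the hunk.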
@ -114,6 +114,27 @@ interface(`kubernetes_run_kubelet',`
|
||||
kubernetes_domtrans_kubelet($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to kubelet over a unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kubernetes_stream_connect_kubelet',`
|
||||
gen_require(`
|
||||
type kubelet_t;
|
||||
type kubernetes_runtime_t;
|
||||
')
|
||||
|
||||
files_search_runtime($1)
|
||||
stream_connect_pattern($1, kubernetes_runtime_t, kubernetes_runtime_t, kubelet_t)
|
||||
allow $1 kubernetes_runtime_t:sock_file read_sock_file_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read the process state (/proc/pid)
|
||||
|
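Review bot: In the new `kubernetes_stream_connect_kubelet` interface the line `allow $1 kubernetes_runtime_t:sock_file read_sock_file_perms;` widens what `stream_connect_pattern` already grants on that sock_file type (refpolicy's pattern gives `write_sock_file_perms`, so the only genuinely new permission is `read`), and nothing in the hunk records why a connecting client needs `read` on the socket node. If this was added to clear a specific denial, a comment such as `# device plugins also read the socket node; see audit denial (placeholder)` above the allow rule would let a later reviewer re-check it; if only `getattr` is needed it is already covered and the line can go. The summary should also be precise about scope, since the rule applies to every sock_file labelled `kubernetes_runtime_t`, not just kubelet's: `## Connect to kubelet over unix stream sockets in the kubernetes runtime directory (also grants read on those sock files).`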