container, kubernetes: add rules for device plugins running as spc

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-10-02 01:44:13 -04:00 · 2022-10-02 01:44:13 -04:00 · 3b3d3715c9
commit 3b3d3715c9
parent 6c2124d5ae
2 changed files with 26 additions and 1 deletions
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -865,7 +865,8 @@ fs_mount_xattr_fs(spc_t)
 fs_unmount_xattr_fs(spc_t)
 fs_mount_cgroup(spc_t)
 fs_mounton_cgroup(spc_t)
-fs_list_cgroup_dirs(spc_t)
+fs_manage_cgroup_dirs(spc_t)
+fs_manage_cgroup_files(spc_t)
 fs_mount_bpf(spc_t)
 fs_create_bpf_dirs(spc_t)
 fs_manage_bpf_files(spc_t)
@ -934,6 +935,9 @@ optional_policy(`

 	# Calico runs as a privileged container
 	kubernetes_run_engine_bpf(spc_t)
+
+	# for device plugins
+	kubernetes_stream_connect_kubelet(spc_t)
 ')

 optional_policy(`
--- a/policy/modules/services/kubernetes.if
+++ b/policy/modules/services/kubernetes.if
@ -114,6 +114,27 @@ interface(`kubernetes_run_kubelet',`
 	kubernetes_domtrans_kubelet($1)
 ')

+########################################
+## <summary>
+##	Connect to kubelet over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_stream_connect_kubelet',`
+	gen_require(`
+		type kubelet_t;
+		type kubernetes_runtime_t;
+	')
+
+	files_search_runtime($1)
+	stream_connect_pattern($1, kubernetes_runtime_t, kubernetes_runtime_t, kubelet_t)
+	allow $1 kubernetes_runtime_t:sock_file read_sock_file_perms;
+')
+
 #######################################
 ## <summary>
 ##	Read the process state (/proc/pid)