container, kubernetes: add rules for device plugins running as spc

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2022-10-02 01:44:13 -04:00
parent 6c2124d5ae
commit 3b3d3715c9
2 changed files with 26 additions and 1 deletions


@ -865,7 +865,8 @@ fs_mount_xattr_fs(spc_t)
fs_unmount_xattr_fs(spc_t)
fs_mount_cgroup(spc_t)
fs_mounton_cgroup(spc_t)
fs_list_cgroup_dirs(spc_t)
fs_manage_cgroup_dirs(spc_t)
fs_manage_cgroup_files(spc_t)
fs_mount_bpf(spc_t)
fs_create_bpf_dirs(spc_t)
fs_manage_bpf_files(spc_t)
@ -934,6 +935,9 @@ optional_policy(`
# Calico runs as a privileged container
kubernetes_run_engine_bpf(spc_t)
# for device plugins
kubernetes_stream_connect_kubelet(spc_t)
')
optional_policy(`
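Review bot: The cgroup hunk at `@ -865,7 +865,8 @@` is not explained anywhere: the commit message only mentions device plugins and the kubelet socket, yet this hunk (one line removed, two added per the diffstat) leaves spc_t with `fs_manage_cgroup_dirs(spc_t)` and `fs_manage_cgroup_files(spc_t)`, i.e. full create/write/delete on the cgroup hierarchy rather than read-only listing. Since cgroup control files govern process placement and resource limits, a widening here deserves a why-comment next to the rules, e.g. `# runtimes in spc manage cgroups for their containers directly` (adjust to the actual denial that motivated it), and a mention in the commit description. If `fs_list_cgroup_dirs(spc_t)` is on the new side as well, it is subsumed by the manage rule and can be dropped. The enclosing spc_t rule block starts and ends outside this hunk, as does the `optional_policy` block around the device-plugin hunk.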


@ -114,6 +114,27 @@ interface(`kubernetes_run_kubelet',`
kubernetes_domtrans_kubelet($1)
')
########################################
## <summary>
## Connect to kubelet over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kubernetes_stream_connect_kubelet',`
gen_require(`
type kubelet_t;
type kubernetes_runtime_t;
')
files_search_runtime($1)
stream_connect_pattern($1, kubernetes_runtime_t, kubernetes_runtime_t, kubelet_t)
allow $1 kubernetes_runtime_t:sock_file read_sock_file_perms;
')
#######################################
## <summary>
## Read the process state (/proc/pid)
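Review bot: The trailing `allow $1 kubernetes_runtime_t:sock_file read_sock_file_perms;` in `kubernetes_stream_connect_kubelet` grants more than the interface's summary promises: in refpolicy `stream_connect_pattern` already gives the caller write/open/getattr on the sock_file plus `connectto`, so `read` on the socket file is an unusual extra that every future caller of this interface inherits, not just spc_t. If a concrete denial from a device plugin motivated it, record that next to the rule, e.g. `# device plugins also read() the kubelet socket file when probing it; seen as a denial from spc_t`; if it was added speculatively, drop the line and let the pattern alone carry the access. Either way the interface `<summary>` should say which socket is meant, e.g. `## Connect to kubelet over a unix stream socket found under kubernetes runtime directories.` The interface itself is complete within the hunk; the surrounding `kubernetes_run_kubelet` and `kubernetes_read_state` interfaces start and end outside it.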