Merge pull request #607 from bluca/mempressure

Add support for memory pressure notifications protocol

policy/modules/kernel/filesystem.if

@@ -725,10 +725,10 @@ interface(`fs_manage_bpf_files',`
 #
 interface(`fs_mount_cgroup', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	allow $1 cgroup_t:filesystem mount;
+	allow $1 cgroup_types:filesystem mount;
 ')
 
 ########################################
@@ -743,10 +743,10 @@ interface(`fs_mount_cgroup', `
 #
 interface(`fs_remount_cgroup', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	allow $1 cgroup_t:filesystem remount;
+	allow $1 cgroup_types:filesystem remount;
 ')
 
 ########################################
@@ -761,10 +761,10 @@ interface(`fs_remount_cgroup', `
 #
 interface(`fs_unmount_cgroup', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	allow $1 cgroup_t:filesystem unmount;
+	allow $1 cgroup_types:filesystem unmount;
 ')
 
 ########################################
@@ -779,10 +779,10 @@ interface(`fs_unmount_cgroup', `
 #
 interface(`fs_getattr_cgroup',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	allow $1 cgroup_t:filesystem getattr;
+	allow $1 cgroup_types:filesystem getattr;
 ')
 
 ########################################
@@ -797,10 +797,10 @@ interface(`fs_getattr_cgroup',`
 #
 interface(`fs_search_cgroup_dirs',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	search_dirs_pattern($1, cgroup_t, cgroup_t)
+	search_dirs_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')
 
@@ -816,10 +816,10 @@ interface(`fs_search_cgroup_dirs',`
 #
 interface(`fs_list_cgroup_dirs', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	list_dirs_pattern($1, cgroup_t, cgroup_t)
+	list_dirs_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')
 
@@ -873,10 +873,10 @@ interface(`fs_create_cgroup_dirs',`
 #
 interface(`fs_delete_cgroup_dirs', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	delete_dirs_pattern($1, cgroup_t, cgroup_t)
+	delete_dirs_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')
 
@@ -892,11 +892,11 @@ interface(`fs_delete_cgroup_dirs', `
 #
 interface(`fs_manage_cgroup_dirs',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 
 	')
 
-	manage_dirs_pattern($1, cgroup_t, cgroup_t)
+	manage_dirs_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')
 
@@ -912,10 +912,10 @@ interface(`fs_manage_cgroup_dirs',`
 #
 interface(`fs_relabel_cgroup_dirs',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+	relabel_dirs_pattern($1, cgroup_types, cgroup_types)
 ')
 
 ########################################
@@ -930,10 +930,10 @@ interface(`fs_relabel_cgroup_dirs',`
 #
 interface(`fs_getattr_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	getattr_files_pattern($1, cgroup_t, cgroup_t)
+	getattr_files_pattern($1, cgroup_types, cgroup_types)
 	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
@@ -950,12 +950,12 @@ interface(`fs_getattr_cgroup_files',`
 #
 interface(`fs_read_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 
 	')
 
-	read_files_pattern($1, cgroup_t, cgroup_t)
+	read_files_pattern($1, cgroup_types, cgroup_types)
-	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	read_lnk_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')
 
@@ -991,11 +991,11 @@ interface(`fs_create_cgroup_files',`
 #
 interface(`fs_watch_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 
 	')
 
-	allow $1 cgroup_t:file watch;
+	allow $1 cgroup_types:file watch;
 ')
 
 ########################################
@@ -1010,11 +1010,11 @@ interface(`fs_watch_cgroup_files',`
 #
 interface(`fs_create_cgroup_links',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	create_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	create_lnk_files_pattern($1, cgroup_types, cgroup_types)
-	rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	rw_lnk_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')
 
@@ -1030,10 +1030,10 @@ interface(`fs_create_cgroup_links',`
 #
 interface(`fs_write_cgroup_files', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	write_files_pattern($1, cgroup_t, cgroup_t)
+	write_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')
 
@@ -1049,11 +1049,11 @@ interface(`fs_write_cgroup_files', `
 #
 interface(`fs_rw_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	rw_files_pattern($1, cgroup_t, cgroup_t)
+	rw_files_pattern($1, cgroup_types, cgroup_types)
-	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	read_lnk_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')
 
@@ -1071,10 +1071,10 @@ interface(`fs_rw_cgroup_files',`
 #
 interface(`fs_dontaudit_rw_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	dontaudit $1 cgroup_t:file rw_file_perms;
+	dontaudit $1 cgroup_types:file rw_file_perms;
 ')
 
 ########################################
@@ -1089,11 +1089,11 @@ interface(`fs_dontaudit_rw_cgroup_files',`
 #
 interface(`fs_manage_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 
 	')
 
-	manage_files_pattern($1, cgroup_t, cgroup_t)
+	manage_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')
 
@@ -1109,10 +1109,10 @@ interface(`fs_manage_cgroup_files',`
 #
 interface(`fs_relabel_cgroup_symlinks',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	relabel_lnk_files_pattern($1, cgroup_types, cgroup_types)
 ')
 
 ########################################
@@ -1145,10 +1145,28 @@ interface(`fs_watch_cgroup_dirs', `
 #
 interface(`fs_mounton_cgroup', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')
 
-	allow $1 cgroup_t:dir mounton;
+	allow $1 cgroup_types:dir mounton;
+')
+
+########################################
+## <summary>
+##	Mount on cgroup files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mounton_cgroup_files', `
+	gen_require(`
+		attribute cgroup_types;
+	')
+
+	allow $1 cgroup_types:file mounton;
 ')
 
 ########################################
@@ -1187,6 +1205,53 @@ interface(`fs_cgroup_filetrans',`
 	dev_search_sysfs($1)
 ')
 
+########################################
+## <summary>
+##	Create an object in a cgroup tmpfs filesystem, with the memory_pressure_t
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`fs_cgroup_filetrans_memory_pressure',`
+	gen_require(`
+		type memory_pressure_t;
+	')
+
+	fs_cgroup_filetrans($1, memory_pressure_t, $2, $3)
+')
+
+########################################
+## <summary>
+##      Allow managing a cgroup's memory.pressure file to get notifications
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Source domain
+##      </summary>
+## </param>
+#
+interface(`fs_watch_memory_pressure',`
+	gen_require(`
+		type memory_pressure_t;
+	')
+
+	allow $1 memory_pressure_t:file { rw_file_perms setattr };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read

policy/modules/kernel/filesystem.te

@@ -86,12 +86,20 @@ fs_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 
+attribute cgroup_types;
 type cgroup_t;
+typeattribute cgroup_t cgroup_types;
 fs_type(cgroup_t)
 files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
+# When running under systemd, the cgroup file memory.pressure will have this
+# separate label, to allow unprivileged process to access it without accessing
+# the rest of the cgroup tree.
+type memory_pressure_t;
+typeattribute memory_pressure_t cgroup_types;
+dev_associate_sysfs(memory_pressure_t)
 
 type configfs_t;
 fs_type(configfs_t)

policy/modules/services/ntp.te

@@ -156,6 +156,7 @@ ifdef(`init_systemd',`
 	allow ntpd_t self:capability { fowner setpcap };
 	init_read_state(ntpd_t)
 	init_reload(ntpd_t)
+	fs_watch_memory_pressure(ntpd_t)
 
 	# for /var/lib/systemd/clock
 	init_list_var_lib_dirs(ntpd_t)

policy/modules/system/init.te

@@ -1171,6 +1171,16 @@ ifdef(`init_systemd',`
 	systemd_start_power_units(initrc_t)
 	systemd_watch_networkd_runtime_dirs(initrc_t)
 
+	# Ensures the memory.pressure cgroup file is labelled differently, so
+	# that processes can manage it without having access to the rest of the
+	# cgroup tree. This is a special file so each open is an independent,
+	# separate instance that cannot affect already opened ones, so it is not
+	# necessary to lock it down on a process-by-process base. This is useful
+	# to allow receiving notifications when memory pressure is high, see:
+	# https://systemd.io/MEMORY_PRESSURE/
+	fs_cgroup_filetrans_memory_pressure(init_t, file, "memory.pressure")
+	fs_mounton_cgroup_files(init_t)
+
 	optional_policy(`
 		# create /var/lock/lvm/
 		lvm_create_lock_dirs(initrc_t)

policy/modules/system/logging.te

@@ -549,6 +549,7 @@ ifdef(`init_systemd',`
 	domain_read_all_domains_state(syslogd_t)
 
 	fs_list_cgroup_dirs(syslogd_t)
+	fs_watch_memory_pressure(syslogd_t)
 
 	init_create_runtime_dirs(syslogd_t)
 	init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")

policy/modules/system/systemd.te

@@ -873,6 +873,7 @@ fs_read_efivarfs_files(systemd_logind_t)
 fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 fs_getattr_xattr_fs(systemd_logind_t)
+fs_watch_memory_pressure(systemd_logind_t)
 
 selinux_use_status_page(systemd_logind_t)
 
@@ -1020,6 +1021,7 @@ fs_getattr_cgroup(systemd_machined_t)
 fs_getattr_tmpfs(systemd_machined_t)
 fs_getattr_xattr_fs(systemd_machined_t)
 fs_read_nsfs_files(systemd_machined_t)
+fs_watch_memory_pressure(systemd_machined_t)
 
 selinux_getattr_fs(systemd_machined_t)
 
@@ -1126,6 +1128,7 @@ files_list_runtime(systemd_networkd_t)
 fs_getattr_all_fs(systemd_networkd_t)
 fs_search_cgroup_dirs(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)
+fs_watch_memory_pressure(systemd_networkd_t)
 
 auth_use_nsswitch(systemd_networkd_t)
 
@@ -1248,6 +1251,7 @@ fs_mount_tmpfs(systemd_nspawn_t)
 fs_remount_tmpfs(systemd_nspawn_t)
 fs_remount_xattr_fs(systemd_nspawn_t)
 fs_read_cgroup_files(systemd_nspawn_t)
+fs_watch_memory_pressure(systemd_nspawn_t)
 
 term_getattr_generic_ptys(systemd_nspawn_t)
 term_getattr_pty_fs(systemd_nspawn_t)
@@ -1505,6 +1509,7 @@ fs_getattr_all_fs(systemd_resolved_t)
 fs_search_cgroup_dirs(systemd_resolved_t)
 fs_search_tmpfs(systemd_resolved_t)
 fs_search_ramfs(systemd_resolved_t)
+fs_watch_memory_pressure(systemd_resolved_t)
 
 init_dgram_send(systemd_resolved_t)
 

policy/modules/system/udev.te

@@ -143,6 +143,7 @@ fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
 fs_search_tracefs(udev_t)
 fs_manage_efivarfs_files(udev_t)
+fs_watch_memory_pressure(udev_t)
 
 mls_file_read_all_levels(udev_t)
 mls_file_write_all_levels(udev_t)