Add separate label for cgroup's memory.pressure files

Required to enable notifications on memory pressure events, need to write to the file to start receiving them. This will be used by all systemd daemons, and eventually external daemons that subscribe to the same interface too. See: https://github.com/systemd/systemd/blob/main/docs/MEMORY_PRESSURE.md Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-15 20:39:28 +00:00 · 2023-03-15 20:39:28 +00:00 · 6dd2c3bcd1
commit 6dd2c3bcd1
parent 8e8f5e3ca3
3 changed files with 105 additions and 41 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -725,10 +725,10 @@ interface(`fs_manage_bpf_files',`
 #
 interface(`fs_mount_cgroup', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	allow $1 cgroup_t:filesystem mount;
+	allow $1 cgroup_types:filesystem mount;
 ')

 ########################################
@ -743,10 +743,10 @@ interface(`fs_mount_cgroup', `
 #
 interface(`fs_remount_cgroup', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	allow $1 cgroup_t:filesystem remount;
+	allow $1 cgroup_types:filesystem remount;
 ')

 ########################################
@ -761,10 +761,10 @@ interface(`fs_remount_cgroup', `
 #
 interface(`fs_unmount_cgroup', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	allow $1 cgroup_t:filesystem unmount;
+	allow $1 cgroup_types:filesystem unmount;
 ')

 ########################################
@ -779,10 +779,10 @@ interface(`fs_unmount_cgroup', `
 #
 interface(`fs_getattr_cgroup',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	allow $1 cgroup_t:filesystem getattr;
+	allow $1 cgroup_types:filesystem getattr;
 ')

 ########################################
@ -797,10 +797,10 @@ interface(`fs_getattr_cgroup',`
 #
 interface(`fs_search_cgroup_dirs',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	search_dirs_pattern($1, cgroup_t, cgroup_t)
+	search_dirs_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')

@ -816,10 +816,10 @@ interface(`fs_search_cgroup_dirs',`
 #
 interface(`fs_list_cgroup_dirs', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	list_dirs_pattern($1, cgroup_t, cgroup_t)
+	list_dirs_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')

@ -873,10 +873,10 @@ interface(`fs_create_cgroup_dirs',`
 #
 interface(`fs_delete_cgroup_dirs', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	delete_dirs_pattern($1, cgroup_t, cgroup_t)
+	delete_dirs_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')

@ -892,11 +892,11 @@ interface(`fs_delete_cgroup_dirs', `
 #
 interface(`fs_manage_cgroup_dirs',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;

 	')

-	manage_dirs_pattern($1, cgroup_t, cgroup_t)
+	manage_dirs_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')

@ -912,10 +912,10 @@ interface(`fs_manage_cgroup_dirs',`
 #
 interface(`fs_relabel_cgroup_dirs',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+	relabel_dirs_pattern($1, cgroup_types, cgroup_types)
 ')

 ########################################
@ -930,10 +930,10 @@ interface(`fs_relabel_cgroup_dirs',`
 #
 interface(`fs_getattr_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	getattr_files_pattern($1, cgroup_t, cgroup_t)
+	getattr_files_pattern($1, cgroup_types, cgroup_types)
 	fs_search_tmpfs($1)
 	dev_search_sysfs($1)
 ')
@ -950,12 +950,12 @@ interface(`fs_getattr_cgroup_files',`
 #
 interface(`fs_read_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;

 	')

-	read_files_pattern($1, cgroup_t, cgroup_t)
-	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	read_files_pattern($1, cgroup_types, cgroup_types)
+	read_lnk_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')

@ -991,11 +991,11 @@ interface(`fs_create_cgroup_files',`
 #
 interface(`fs_watch_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;

 	')

-	allow $1 cgroup_t:file watch;
+	allow $1 cgroup_types:file watch;
 ')

 ########################################
@ -1010,11 +1010,11 @@ interface(`fs_watch_cgroup_files',`
 #
 interface(`fs_create_cgroup_links',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	create_lnk_files_pattern($1, cgroup_t, cgroup_t)
-	rw_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	create_lnk_files_pattern($1, cgroup_types, cgroup_types)
+	rw_lnk_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')

@ -1030,10 +1030,10 @@ interface(`fs_create_cgroup_links',`
 #
 interface(`fs_write_cgroup_files', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	write_files_pattern($1, cgroup_t, cgroup_t)
+	write_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')

@ -1049,11 +1049,11 @@ interface(`fs_write_cgroup_files', `
 #
 interface(`fs_rw_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	rw_files_pattern($1, cgroup_t, cgroup_t)
-	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	rw_files_pattern($1, cgroup_types, cgroup_types)
+	read_lnk_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')

@ -1071,10 +1071,10 @@ interface(`fs_rw_cgroup_files',`
 #
 interface(`fs_dontaudit_rw_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	dontaudit $1 cgroup_t:file rw_file_perms;
+	dontaudit $1 cgroup_types:file rw_file_perms;
 ')

 ########################################
@ -1089,11 +1089,11 @@ interface(`fs_dontaudit_rw_cgroup_files',`
 #
 interface(`fs_manage_cgroup_files',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;

 	')

-	manage_files_pattern($1, cgroup_t, cgroup_t)
+	manage_files_pattern($1, cgroup_types, cgroup_types)
 	dev_search_sysfs($1)
 ')

@ -1109,10 +1109,10 @@ interface(`fs_manage_cgroup_files',`
 #
 interface(`fs_relabel_cgroup_symlinks',`
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	relabel_lnk_files_pattern($1, cgroup_t, cgroup_t)
+	relabel_lnk_files_pattern($1, cgroup_types, cgroup_types)
 ')

 ########################################
@ -1145,10 +1145,10 @@ interface(`fs_watch_cgroup_dirs', `
 #
 interface(`fs_mounton_cgroup', `
 	gen_require(`
-		type cgroup_t;
+		attribute cgroup_types;
 	')

-	allow $1 cgroup_t:dir mounton;
+	allow $1 cgroup_types:dir mounton;
 ')

 ########################################
@ -1187,6 +1187,53 @@ interface(`fs_cgroup_filetrans',`
 	dev_search_sysfs($1)
 ')

+########################################
+## <summary>
+##	Create an object in a cgroup tmpfs filesystem, with the memory_pressure_t
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`fs_cgroup_filetrans_memory_pressure',`
+	gen_require(`
+		type memory_pressure_t;
+	')
+
+	fs_cgroup_filetrans($1, memory_pressure_t, $2, $3)
+')
+
+########################################
+## <summary>
+##      Allow managing a cgroup's memory.pressure file to get notifications
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Source domain
+##      </summary>
+## </param>
+#
+interface(`fs_watch_memory_pressure',`
+	gen_require(`
+		type memory_pressure_t;
+	')
+
+	allow $1 memory_pressure_t:file { rw_file_perms setattr };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@ -86,12 +86,20 @@ fs_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)

+attribute cgroup_types;
 type cgroup_t;
+typeattribute cgroup_t cgroup_types;
 fs_type(cgroup_t)
 files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
+# When running under systemd, the cgroup file memory.pressure will have this
+# separate label, to allow unprivileged process to access it without accessing
+# the rest of the cgroup tree.
+type memory_pressure_t;
+typeattribute memory_pressure_t cgroup_types;
+dev_associate_sysfs(memory_pressure_t)

 type configfs_t;
 fs_type(configfs_t)
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -1171,6 +1171,15 @@ ifdef(`init_systemd',`
 	systemd_start_power_units(initrc_t)
 	systemd_watch_networkd_runtime_dirs(initrc_t)

+	# Ensures the memory.pressure cgroup file is labelled differently, so
+	# that processes can manage it without having access to the rest of the
+	# cgroup tree. This is a special file so each open is an independent,
+	# separate instance that cannot affect already opened ones, so it is not
+	# necessary to lock it down on a process-by-process base. This is useful
+	# to allow receiving notifications when memory pressure is high, see:
+	# https://systemd.io/MEMORY_PRESSURE/
+	fs_cgroup_filetrans_memory_pressure(init_t, file, "memory.pressure")
+
 	optional_policy(`
 		# create /var/lock/lvm/
 		lvm_create_lock_dirs(initrc_t)