container: allow containers various userns capabilities

Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2022-01-16 15:04:50 -05:00
parent d098ffc59d
commit 10262cdae8


@ -109,6 +109,7 @@ corenet_port(container_port_t)
#
allow container_domain self:capability { dac_override kill setgid setuid sys_boot sys_chroot };
allow container_domain self:cap_userns { chown dac_override fowner setgid setuid };
allow container_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
allow container_domain self:fifo_file manage_fifo_file_perms;
allow container_domain self:sem create_sem_perms;
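Review bot: The cap_userns set on the added line differs from the self:capability set two lines above in both directions — chown and fowner are granted only inside user namespaces, while kill, sys_boot and sys_chroot are granted only in the initial namespace — and neither the hunk nor the commit message says why. Because cap_userns is the class consulted when a capability is exercised inside a non-init user namespace, a later auditor cannot tell whether this asymmetry is deliberate (rootless or nested containers needing to take ownership of files under their mapped uid range) or an oversight. I would precede the line with a comment such as `# cap_userns: capability checks made inside a user namespace (nested/rootless containers); chown/fowner presumably needed to own files under the mapped uid range - confirm against the workload that motivated this`. The hunk header announces seven new-side lines but only six are visible, so one line (likely blank) may have been lost in rendering; the same documentation point applies to the container_net_domain hunk below, whose cap_userns set at least mirrors its capability set exactly.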
@ -204,6 +205,7 @@ optional_policy(`
#
allow container_net_domain self:capability { net_admin net_raw };
allow container_net_domain self:cap_userns { net_admin net_raw };
allow container_net_domain self:tcp_socket create_stream_socket_perms;
allow container_net_domain self:udp_socket create_socket_perms;
allow container_net_domain self:tun_socket create_socket_perms;