patches for nspawn policy (#721)

* patches to nspawn policy.

Allow it netlink operations and creating udp sockets

Allow remounting and reading sysfs

Allow stat cgroup filesystem

Make it create fifos and sock_files in the right context

Allow mounting the selinux fs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Use the new mounton_dir_perms and mounton_file_perms macros

Signed-off-by: Russell Coker <russell@coker.com.au>

* Corrected macro name

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed description of files_mounton_kernel_symbol_table

Signed-off-by: Russell Coker <russell@coker.com.au>

* systemd: Move lines in nspawn.

No rule changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>

policy/modules/kernel/devices.if

@@ -4386,6 +4386,24 @@ interface(`dev_remount_sysfs',`
 	allow $1 sysfs_t:filesystem remount;
 ')
 
+########################################
+## <summary>
+##     unmount a sysfs filesystem
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_unmount_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem unmount;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit getting the attributes of sysfs filesystem

policy/modules/kernel/files.if

@@ -542,8 +542,8 @@ interface(`files_mounton_non_security',`
 		attribute non_security_file_type;
 	')
 
-	allow $1 non_security_file_type:dir { getattr search mounton };
-	allow $1 non_security_file_type:file { getattr mounton };
+	allow $1 non_security_file_type:dir { search mounton_dir_perms };
+	allow $1 non_security_file_type:file mounton_file_perms;
 ')
 
 ########################################
@@ -1783,7 +1783,7 @@ interface(`files_mounton_all_mountpoints',`
 	')
 
 	allow $1 mountpoint:dir { search_dir_perms mounton };
-	allow $1 mountpoint:file { getattr mounton };
+	allow $1 mountpoint:file mounton_file_perms;
 
 	kernel_mounton_unlabeled_dirs($1)
 ')
@@ -5748,6 +5748,25 @@ interface(`files_delete_kernel_symbol_table',`
 	delete_files_pattern($1, boot_t, system_map_t)
 ')
 
+########################################
+## <summary>
+##	Mount on a system.map in the /boot directory (for bind mounts).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_kernel_symbol_table',`
+	gen_require(`
+		type boot_t, system_map_t;
+	')
+
+	allow $1 boot_t:dir search_dir_perms;
+	allow $1 system_map_t:file mounton_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Search the contents of /var.
@@ -7628,7 +7647,7 @@ interface(`files_polyinstantiate_all',`
 
 	# Need to give access to parent directories where original
 	# is remounted for polyinstantiation aware programs (like gdm)
-	allow $1 polyparent:dir { getattr mounton };
+	allow $1 polyparent:dir mounton_dir_perms;
 
 	# Need to give permission to create directories where applicable
 	allow $1 self:process setfscreate;

policy/modules/kernel/kernel.if

@@ -1440,7 +1440,7 @@ interface(`kernel_mounton_message_if',`
 	')
 
 	allow $1 proc_t:dir list_dir_perms;
-	allow $1 proc_kmsg_t:file { getattr mounton };
+	allow $1 proc_kmsg_t:file mounton_file_perms;
 ')
 
 ########################################
@@ -1792,7 +1792,7 @@ interface(`kernel_mounton_sysctl_dirs',`
 	')
 
 	allow $1 proc_t:dir list_dir_perms;
-	allow $1 sysctl_t:dir { getattr mounton };
+	allow $1 sysctl_t:dir mounton_dir_perms;
 ')
 
 ########################################
@@ -1832,7 +1832,7 @@ interface(`kernel_mounton_sysctl_files',`
 	')
 
 	allow $1 { proc_t sysctl_t }:dir list_dir_perms;
-	allow $1 sysctl_t:file { getattr mounton };
+	allow $1 sysctl_t:file mounton_file_perms;
 ')
 
 ########################################
@@ -2298,7 +2298,7 @@ interface(`kernel_mounton_kernel_sysctl_files',`
 	')
 
 	allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
-	allow $1 sysctl_kernel_t:file { getattr mounton };
+	allow $1 sysctl_kernel_t:file mounton_file_perms;
 ')
 
 ########################################

policy/modules/kernel/selinux.if

@@ -157,6 +157,24 @@ interface(`selinux_unmount_fs',`
 	allow $1 security_t:filesystem unmount;
 ')
 
+########################################
+## <summary>
+##	Mount on the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`selinux_mounton_fs',`
+	gen_require(`
+		type security_t;
+	')
+
+	allow $1 security_t:dir mounton_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the selinuxfs filesystem

policy/modules/system/systemd.te

@@ -1241,6 +1241,9 @@ allow systemd_nspawn_t self:capability2 wake_alarm;
 allow systemd_nspawn_t self:user_namespace create;
 allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
 allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
+allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms;
+allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms;
+allow systemd_nspawn_t self:udp_socket create_socket_perms;
 
 allow systemd_nspawn_t systemd_journal_t:dir search;
 
@@ -1277,6 +1280,9 @@ dev_getattr_fs(systemd_nspawn_t)
 dev_manage_sysfs_dirs(systemd_nspawn_t)
 dev_mounton_sysfs_dirs(systemd_nspawn_t)
 dev_mount_sysfs(systemd_nspawn_t)
+dev_remount_sysfs(systemd_nspawn_t)
+dev_unmount_sysfs(systemd_nspawn_t)
+dev_read_sysfs(systemd_nspawn_t)
 dev_read_rand(systemd_nspawn_t)
 dev_read_urand(systemd_nspawn_t)
 
@@ -1289,6 +1295,7 @@ files_mounton_tmp(systemd_nspawn_t)
 files_read_kernel_symbol_table(systemd_nspawn_t)
 files_setattr_runtime_dirs(systemd_nspawn_t)
 
+fs_getattr_cgroup(systemd_nspawn_t)
 fs_getattr_tmpfs(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
@@ -1317,9 +1324,17 @@ miscfiles_manage_localization(systemd_nspawn_t)
 # for writing inside chroot
 sysnet_manage_config(systemd_nspawn_t)
 
+udev_read_runtime_files(systemd_nspawn_t)
+
 userdom_manage_user_home_dirs(systemd_nspawn_t)
 
 tunable_policy(`systemd_nspawn_labeled_namespace',`
+	allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms;
+	files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file)
+
+	allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms;
+	fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file)
+
 	corecmd_exec_bin(systemd_nspawn_t)
 	corecmd_exec_shell(systemd_nspawn_t)
 
@@ -1329,6 +1344,7 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 	# manage etc symlinks for /etc/localtime
 	files_manage_etc_symlinks(systemd_nspawn_t)
 	files_mounton_runtime_dirs(systemd_nspawn_t)
+	files_mounton_kernel_symbol_table(systemd_nspawn_t)
 	files_search_home(systemd_nspawn_t)
 
 	fs_getattr_cgroup(systemd_nspawn_t)
@@ -1348,6 +1364,7 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
 	selinux_getattr_fs(systemd_nspawn_t)
 	selinux_remount_fs(systemd_nspawn_t)
 	selinux_search_fs(systemd_nspawn_t)
+	selinux_mounton_fs(systemd_nspawn_t)
 
 	init_domtrans(systemd_nspawn_t)
 

policy/support/obj_perm_sets.spt

@@ -142,6 +142,7 @@ define(`manage_dir_perms',`{ create open getattr setattr read write link unlink
 define(`relabelfrom_dir_perms',`{ getattr relabelfrom }')
 define(`relabelto_dir_perms',`{ getattr relabelto }')
 define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+define(`mounton_dir_perms',`{ getattr mounton }')
 
 #
 # Regular file (file)
@@ -171,6 +172,7 @@ define(`mmap_manage_file_perms',`{ create open map getattr setattr read write ap
 define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_file_perms',`{ getattr relabelto }')
 define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
+define(`mounton_file_perms',`{ getattr mounton }')
 
 #
 # Symbolic link (lnk_file)