container, podman, systemd: initial support for rootless podman

Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-12-23 08:57:59 -05:00 · 2021-12-23 08:57:59 -05:00 · 526dd08ff3
commit 526dd08ff3
parent e55a346fc2
5 changed files with 308 additions and 0 deletions
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@ -1,3 +1,15 @@
+HOME_DIR/\.cache/containers(/.*)?		gen_context(system_u:object_r:container_cache_home_t,s0)
+HOME_DIR/\.config/containers(/.*)?		gen_context(system_u:object_r:container_conf_home_t,s0)
+HOME_DIR/\.config/cni(/.*)?		gen_context(system_u:object_r:container_conf_home_t,s0)
+HOME_DIR/\.local/share/containers(/.*)?		gen_context(system_u:object_r:container_data_home_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.*		gen_context(system_u:object_r:container_file_t,s0)
+
 /usr/bin/crun	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
 /usr/bin/runc	--	gen_context(system_u:object_r:container_engine_exec_t,s0)

@ -8,6 +20,8 @@
 /run/libpod(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
 /run/runc(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)

+/run/user/%{USERID}/netns(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
+
 /var/cache/containers(/.*)?		gen_context(system_u:object_r:container_engine_cache_t,s0)

 /var/lib/cni(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@ -155,6 +155,12 @@ files_read_usr_symlinks(container_domain)

 fs_getattr_all_fs(container_domain)
 fs_list_inotifyfs(container_domain)
+# for rootless containers
+fs_manage_fusefs_dirs(container_domain)
+fs_manage_fusefs_files(container_domain)
+fs_manage_fusefs_symlinks(container_domain)
+fs_exec_fusefs_files(container_domain)
+fs_fusefs_entry_type(container_domain)

 # fs_rw_inherited_tmpfs_files(container_domain)
 # fs_rw_inherited_cifs_files(container_domain)
@ -304,6 +310,8 @@ corecmd_exec_bin(container_engine_domain)
 # needed when spawning interactive shells inside containers
 corecmd_exec_shell(container_engine_domain)
 corecmd_search_bin(container_engine_domain)
+# podman unshare causes most of this noise
+corecmd_dontaudit_exec_all_executables(container_engine_domain)

 corenet_tcp_bind_generic_node(container_engine_domain)
 corenet_tcp_connect_http_port(container_engine_domain)
@ -324,6 +332,8 @@ dev_remount_sysfs(container_engine_domain)
 dev_mounton_sysfs_dirs(container_engine_domain)

 domain_use_interactive_fds(container_engine_domain)
+# podman unshare causes most of this noise
+domain_dontaudit_search_all_domains_state(container_engine_domain)

 files_read_etc_files(container_engine_domain)
 files_read_usr_files(container_engine_domain)
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@ -46,6 +46,97 @@ interface(`podman_run',`
 	podman_domtrans($1)
 ')

+########################################
+## <summary>
+##	Execute podman in the podman user
+##	domain (rootless podman).
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`podman_domtrans_user',`
+	gen_require(`
+		type podman_user_t, podman_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, podman_exec_t, podman_user_t)
+')
+
+########################################
+## <summary>
+##	Execute podman in the podman user
+##	domain, and allow the specified role
+##	the podman user domain (rootless
+##	podman).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the podman domain.
+##	</summary>
+## </param>
+#
+interface(`podman_run_user',`
+	gen_require(`
+		type podman_user_t;
+	')
+
+	role $2 types podman_user_t;
+
+	podman_domtrans_user($1)
+')
+
+########################################
+## <summary>
+##	Role access for rootless podman.
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`podman_user_role',`
+	gen_require(`
+		type podman_user_t;
+	')
+
+	podman_run_user($3, $4)
+
+	optional_policy(`
+		dbus_spec_session_bus_client($1, podman_user_t)
+	')
+
+	optional_policy(`
+		systemd_user_app_status($1, podman_user_t)
+	')
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@ -16,6 +16,10 @@ ifdef(`enable_mls',`
 ')
 mls_trusted_object(podman_t)

+container_engine_domain_template(podman_user)
+application_domain(podman_user_t, podman_exec_t)
+mls_trusted_object(podman_user_t)
+
 ########################################
 #
 # Podman local policy
@ -48,3 +52,61 @@ ifdef(`init_systemd',`
 	systemd_list_journal_dirs(podman_t)
 	systemd_read_journal_files(podman_t)
 ')
+
+########################################
+#
+# Rootless Podman local policy
+#
+
+# required by slirp4netns
+files_mounton_etc_dirs(podman_user_t)
+# required by slirp4netns
+files_mounton_runtime_dirs(podman_user_t)
+
+# FUSE access is required for rootless containers
+fs_getattr_fusefs(podman_user_t)
+fs_mount_fusefs(podman_user_t)
+fs_unmount_fusefs(podman_user_t)
+fs_remount_fusefs(podman_user_t)
+fs_manage_fusefs_dirs(podman_user_t)
+fs_manage_fusefs_files(podman_user_t)
+fs_manage_fusefs_symlinks(podman_user_t)
+fs_exec_fusefs_files(podman_user_t)
+fs_mounton_fusefs(podman_user_t)
+
+kernel_read_fs_sysctls(podman_user_t)
+# to read kernel.unprivileged_userns_clone, if present
+kernel_read_sysctl(podman_user_t)
+
+logging_send_syslog_msg(podman_user_t)
+
+init_write_runtime_socket(podman_user_t)
+
+mount_exec(podman_user_t)
+
+storage_rw_fuse(podman_user_t)
+
+# allow podman to relabel content mounted inside containers
+# when run in rootless mode
+userdom_relabel_generic_user_home_dirs(podman_user_t)
+userdom_relabel_generic_user_home_files(podman_user_t)
+
+ifdef(`init_systemd',`
+	# podman queries the cgroup manager (systemd) over the session bus socket
+	dbus_getattr_session_runtime_socket(podman_user_t)
+	dbus_write_session_runtime_socket(podman_user_t)
+
+	# rootless podman must be able to get login state of the user
+	systemd_dbus_chat_logind(podman_user_t)
+
+	# containers are created as transient user units
+	systemd_start_user_runtime_units(podman_user_t)
+	systemd_stop_user_runtime_units(podman_user_t)
+	systemd_status_user_runtime_units(podman_user_t)
+
+	# podman can read logs from containers which are
+	# sent to the user journal
+	logging_search_logs(podman_user_t)
+	systemd_list_journal_dirs(podman_user_t)
+	systemd_read_journal_files(podman_user_t)
+')
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@ -96,6 +96,14 @@ template(`systemd_role_template',`
 	init_linkable_keyring($1_systemd_t)
 	init_list_unit_dirs($1_systemd_t)
 	init_read_generic_units_files($1_systemd_t)
+	# container engines will move container processes to different slices
+	init_dbus_chat($1_systemd_t)
+
+	# the user@.service unit is restarted when containers are created
+	systemd_start_user_manager_units($1_systemd_t)
+	systemd_stop_user_manager_units($1_systemd_t)
+	systemd_reload_user_manager_units($1_systemd_t)
+	systemd_status_user_manager_units($1_systemd_t)

 	miscfiles_watch_localization($1_systemd_t)

@ -116,6 +124,7 @@ template(`systemd_role_template',`

 	dbus_system_bus_client($1_systemd_t)
 	dbus_spec_session_bus_client($1, $1_systemd_t)
+	dbus_connect_spec_session_bus($1, $1_systemd_t)

 	# userdomain rules
 	allow $3 $1_systemd_t:process signal;
@ -286,6 +295,128 @@ template(`systemd_user_app_status',`
 	allow $2 $1_systemd_t:process sigchld;
 ')

+########################################
+## <summary>
+##	Read the process state (/proc/pid) of
+##	the specified systemd user instance.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`systemd_read_user_manager_state',`
+	gen_require(`
+		type $1_systemd_t;
+	')
+
+	ps_process_pattern($2, $1_systemd_t)
+')
+
+########################################
+## <summary>
+##	Send a start request to the specified
+##	systemd user instance system object.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`systemd_user_manager_system_start',`
+	gen_require(`
+		type $1_systemd_t;
+	')
+
+	allow $2 $1_systemd_t:system start;
+')
+
+########################################
+## <summary>
+##	Send a stop request to the specified
+##	systemd user instance system object.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`systemd_user_manager_system_stop',`
+	gen_require(`
+		type $1_systemd_t;
+	')
+
+	allow $2 $1_systemd_t:system stop;
+')
+
+########################################
+## <summary>
+##	Get the status of the specified
+##	systemd user instance system object.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`systemd_user_manager_system_status',`
+	gen_require(`
+		type $1_systemd_t;
+	')
+
+	allow $2 $1_systemd_t:system status;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from the
+##	specified systemd user instance over dbus.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`systemd_user_manager_dbus_chat',`
+	gen_require(`
+		type $1_systemd_t;
+		class dbus send_msg;
+	')
+
+	allow $2 $1_systemd_t:dbus send_msg;
+	allow $1_systemd_t $2:dbus send_msg;
+')
+
 ######################################
 ## <summary>
 ##   Allow the specified domain to search systemd config home