From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1362816-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 947F7158087
	for <garchives@archives.gentoo.org>; Sun, 30 Jan 2022 01:22:50 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 6B34B2BC003;
	Sun, 30 Jan 2022 01:22:49 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id E37DD2BC002
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Jan 2022 01:22:48 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 955FE343375
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Jan 2022 01:22:46 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id DAC9A2B2
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Jan 2022 01:22:44 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1643505162.7312b188899d6ea718be9c885eb4a6f15ccd8aa7.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/container.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 7312b188899d6ea718be9c885eb4a6f15ccd8aa7
X-VCS-Branch: master
Date: Sun, 30 Jan 2022 01:22:44 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: c6010662-d249-44e7-86ed-5c4c2260f421
X-Archives-Hash: 8f5e8aca985f1a87ee0f54c67aaa4263

commit:     7312b188899d6ea718be9c885eb4a6f15ccd8aa7
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Dec 23 15:55:53 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7312b188

container: add policy for privileged containers

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 86 ++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 7ab2765e..483cdcb2 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -22,6 +22,9 @@ attribute container_engine_user_domain;
 # containers which require network access
 attribute container_net_domain;
 
+# containers considered privileged
+attribute privileged_container_domain;
+
 attribute container_engine_exec_type;
 
 attribute container_mountpoint_type;
@@ -43,6 +46,13 @@ ifdef(`enable_mls',`
 ')
 mls_trusted_object(container_engine_t)
 
+type spc_t, container_domain, container_net_domain, container_system_domain, privileged_container_domain;
+domain_type(spc_t)
+role system_r types spc_t;
+
+type spc_user_t, container_domain, container_net_domain, container_user_domain, privileged_container_domain;
+domain_type(spc_user_t)
+
 type container_unit_t;
 init_unit_file(container_unit_t)
 
@@ -562,3 +572,79 @@ filetrans_pattern(container_engine_user_domain, container_data_home_t, container
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_ro_file_t, dir, "overlay2-images")
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_file_t, dir, "volumes")
+
+########################################
+#
+# Common privileged container local policy
+#
+
+allow privileged_container_domain container_file_t:file entrypoint;
+allow privileged_container_domain container_ro_file_t:file entrypoint;
+allow privileged_container_domain container_var_lib_t:file entrypoint;
+
+optional_policy(`
+	systemd_dbus_chat_machined(privileged_container_domain)
+	systemd_dbus_chat_logind(privileged_container_domain)
+')
+
+########################################
+#
+# spc local policy
+#
+# spc_t is the default type for containers created
+# with the --privileged (or similar) argument
+#
+
+# Containers run from an engine with the --privileged argument are not
+# restricted by the engine. One of these restrictions is a manual
+# transition to the default context for containers, usually container_t.
+# Instead of performing a manual transition when creating a restricted
+# container (default), we do an automatic transition to spc_t when
+# restrictions are disabled.
+domtrans_pattern(container_engine_system_domain, container_file_t, spc_t)
+domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t)
+domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t)
+
+allow container_engine_system_domain spc_t:process { setsched signal_perms };
+
+allow spc_t container_engine_system_domain:fifo_file rw_fifo_file_perms;
+
+init_dbus_chat(spc_t)
+
+optional_policy(`
+	dbus_system_bus_client(spc_t)
+	dbus_all_session_bus_client(spc_t)
+')
+
+optional_policy(`
+# If unconfined domains are enabled, spc is also unconfined
+	unconfined_domain_noaudit(spc_t)
+	domain_ptrace_all_domains(spc_t)
+')
+
+########################################
+#
+# spc user local policy
+#
+
+# Similar to above, automatically transition to spc_user_t when a
+# container engine runs a container with the --privileged argument
+domtrans_pattern(container_engine_user_domain, container_file_t, spc_user_t)
+domtrans_pattern(container_engine_user_domain, container_ro_file_t, spc_user_t)
+domtrans_pattern(container_engine_user_domain, container_var_lib_t, spc_user_t)
+fs_fusefs_domtrans(container_engine_user_domain, spc_user_t)
+
+allow container_engine_user_domain spc_user_t:process { setsched signal_perms };
+
+allow spc_user_t container_engine_user_domain:fifo_file rw_fifo_file_perms;
+
+optional_policy(`
+       dbus_system_bus_client(spc_user_t)
+       dbus_all_session_bus_client(spc_user_t)
+')
+
+optional_policy(`
+       # If unconfined domains are enabled, spc is also unconfined
+       unconfined_domain_noaudit(spc_user_t)
+       domain_ptrace_all_domains(spc_user_t)
+')