From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1662230515.04b08d98853038ae67ee57607755fb8ac1b7f7a0.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/container.if
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 04b08d98853038ae67ee57607755fb8ac1b7f7a0
X-VCS-Branch: master
Date: Sat, 3 Sep 2022 19:10:16 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     04b08d98853038ae67ee57607755fb8ac1b7f7a0
Author:     Kenton Groombridge concord sh>
AuthorDate: Wed Apr 27 22:47:57 2022 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04b08d98

container: add unconfined role

Add a specific template for unconfined role access. This is mostly
identical to the user role except container engines will run in the
caller domain.

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/services/container.if | 217 +++++++++++++++++++++++++++--------
 1 file changed, 171 insertions(+), 46 deletions(-)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 07ef8873..bc4a12f4 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -130,7 +130,6 @@ interface(`container_user_engine',` # template(`container_base_role',` gen_require(` - type container_file_t, container_ro_file_t; type container_config_t; ') @@ -143,19 +142,8 @@ template(`container_base_role',` files_search_etc($2) read_files_pattern($2, container_config_t, container_config_t) - allow $2 container_file_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 container_file_t:file { manage_file_perms relabel_file_perms }; - allow $2 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms }; - allow $2 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms }; - - allow $2 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 container_ro_file_t:file { manage_file_perms relabel_file_perms }; - allow $2 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms }; - allow $2 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms }; + container_admin_all_files($2) + container_admin_all_ro_files($2) ') ######################################## @@ -230,10 +218,6 @@ template(`container_user_role',` gen_require(` attribute container_user_domain; attribute container_engine_user_domain; - type container_file_t, container_ro_file_t; - type container_user_runtime_t; - type container_cache_home_t, container_conf_home_t; - type container_data_home_t; ') role $4 types container_user_domain; 
@@ -245,34 +229,8 @@ template(`container_user_role',` allow $3 container_user_domain:process { ptrace signal_perms }; ps_process_pattern($3, container_user_domain) - allow $2 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 container_user_runtime_t:file { manage_file_perms relabel_file_perms }; - allow $2 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - - allow $2 container_cache_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 container_cache_home_t:file { manage_file_perms relabel_file_perms }; - xdg_cache_filetrans($2, container_cache_home_t, dir, "containers") - - allow $2 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 container_conf_home_t:file { manage_file_perms relabel_file_perms }; - xdg_config_filetrans($2, container_conf_home_t, dir, "containers") - - allow $2 container_data_home_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 container_data_home_t:file { manage_file_perms relabel_file_perms }; - allow $2 container_data_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; - allow $2 container_data_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 container_data_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; - allow $2 container_data_home_t:chr_file { manage_chr_file_perms relabel_chr_file_perms }; - allow $2 container_data_home_t:blk_file { manage_blk_file_perms relabel_blk_file_perms }; - xdg_data_filetrans($2, container_data_home_t, dir, "containers") - filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay") - filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay-images") - filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay-layers") - filetrans_pattern($2, container_data_home_t, 
container_ro_file_t, dir, "overlay2") - filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2-images") - filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2-layers") - filetrans_pattern($2, container_data_home_t, container_file_t, dir, "volumes") + container_admin_all_home_content($2) + container_admin_all_user_runtime_content($2) optional_policy(` systemd_read_user_manager_state($1, container_engine_user_domain) @@ -293,6 +251,60 @@ template(`container_user_role',` ') ') +######################################## +## +## Unconfined role access for containers. +## +## +## +## The prefix of the user role (e.g., user +## is the prefix for user_r). +## +## +## +## +## User domain for the role. +## +## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access. +## +## +# +template(`container_unconfined_role',` + gen_require(` + attribute container_domain; + type container_config_t; + ') + + role $4 types container_domain; + + allow $3 container_domain:process transition; + allow $3 container_domain:process2 { nnp_transition nosuid_transition }; + allow container_domain $3:fd use; + allow container_domain $3:unix_stream_socket rw_stream_socket_perms; + + allow $3 self:cap_userns { kill sys_ptrace }; + + allow $3 container_domain:process { ptrace signal_perms }; + ps_process_pattern($3, container_domain) + + files_search_etc($2) + read_files_pattern($2, container_config_t, container_config_t) + + container_admin_all_files($2) + container_admin_all_ro_files($2) + + container_admin_all_home_content($2) + container_admin_all_user_runtime_content($2) +') + ######################################## ## ## Execute generic container engines in the 
@@ -1079,6 +1091,119 @@ interface(`container_manage_home_data_sock_files',` manage_sock_files_pattern($1, container_data_home_t, container_data_home_t) ') +######################################## +## +## Administrate all container files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_admin_all_files',` + gen_require(` + type container_file_t; + ') + + allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms }; + allow $1 container_file_t:file { manage_file_perms relabel_file_perms }; + allow $1 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + allow $1 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + allow $1 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms }; + allow $1 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms }; +') + +######################################## +## +## Administrate all container read-only files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_admin_all_ro_files',` + gen_require(` + type container_ro_file_t; + ') + + allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms }; + allow $1 container_ro_file_t:file { manage_file_perms relabel_file_perms }; + allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + allow $1 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + allow $1 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms }; + allow $1 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms }; +') + +######################################## +## +## All of the rules necessary for a user +## to manage user container runtime data +## in their user runtime directory. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`container_admin_all_user_runtime_content',` + gen_require(` + type container_user_runtime_t; + ') + + allow $1 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms }; + allow $1 container_user_runtime_t:file { manage_file_perms relabel_file_perms }; + allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; +') + +######################################## +## +## All of the rules necessary for a user +## to manage container data in their home +## directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_admin_all_home_content',` + gen_require(` + type container_file_t, container_ro_file_t; + type container_cache_home_t, container_conf_home_t; + type container_data_home_t; + ') + + allow $1 container_cache_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $1 container_cache_home_t:file { manage_file_perms relabel_file_perms }; + xdg_cache_filetrans($1, container_cache_home_t, dir, "containers") + + allow $1 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $1 container_conf_home_t:file { manage_file_perms relabel_file_perms }; + xdg_config_filetrans($1, container_conf_home_t, dir, "containers") + + allow $1 container_data_home_t:dir { manage_dir_perms relabel_dir_perms }; + allow $1 container_data_home_t:file { manage_file_perms relabel_file_perms }; + allow $1 container_data_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; + allow $1 container_data_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; + allow $1 container_data_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + allow $1 container_data_home_t:chr_file { manage_chr_file_perms relabel_chr_file_perms }; + allow $1 container_data_home_t:blk_file { manage_blk_file_perms relabel_blk_file_perms }; + xdg_data_filetrans($1, 
container_data_home_t, dir, "containers") + filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay") + filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay-images") + filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay-layers") + filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2") + filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2-images") + filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2-layers") + filetrans_pattern($1, container_data_home_t, container_file_t, dir, "volumes") +') + ######################################## ## ## Allow the specified domain to
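Review bot: the @@ -143,19 +142,8 @@ hunk in container_base_role is a pure refactor, and the commit message should say so; replacing the twelve inline allow rules with container_admin_all_files($2) and container_admin_all_ro_files($2) grants exactly the same manage and relabel permissions on container_file_t and container_ro_file_t, and dropping `type container_file_t, container_ro_file_t;` from the template's gen_require in the @@ -130,7 +130,6 @@ hunk is correct only because the two new interfaces carry their own gen_require. The remaining `type container_config_t;` is still required by read_files_pattern($2, container_config_t, container_config_t). Without a "no access change" line in the message, a diffstat of 171 insertions against 46 deletions reads as a policy widening, which it is not.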
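Review bot: in the @@ -245,34 +229,8 @@ hunk of container_user_role, container_admin_all_home_content($2) and container_admin_all_user_runtime_content($2) carry over every removed rule, including the three xdg_*_filetrans calls and all seven filetrans_pattern entries for the overlay*, overlay2* and volumes subdirectories, so what $2 may do is unchanged. The naming is the only snag: the user role now calls interfaces named container_admin_all_*, and a later reader may take that as the user role having been promoted to admin-level access. A short comment at the call site, e.g. "shared manage + relabel set, also used by container_unconfined_role", would close that gap.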
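Review bot: in the new container_unconfined_role template (@@ -293,6 +251,60 @@), $1 is documented as the role prefix but is never referenced in the body; container_user_role uses it for systemd_read_user_manager_state($1, container_engine_user_domain), which this template omits. Either state in the doc block that $1 is accepted only to keep the signature parallel to container_user_role, or drop it. The doc summary should also carry what the commit message and the rules imply: `role $4 types container_domain;` and the process transition / process2 { nnp_transition nosuid_transition } rules cover only the container_domain attribute, and no container_engine_user_domain is involved, so the container engine itself keeps running in $3 instead of transitioning. Finally, callers should be told that this template still hands $2 manage and relabel on container_file_t and container_ro_file_t plus the full home and user runtime content set; that is appropriate for an unconfined role and is not a template to reuse for a confined one.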
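Review bot: the four interfaces added in the @@ -1079,6 +1091,119 @@ hunk have inconsistent doc summaries. container_admin_all_files and container_admin_all_ro_files say "Administrate ...", while container_admin_all_user_runtime_content and container_admin_all_home_content say "All of the rules necessary for a user to manage ..." despite the _admin_ name; pick one wording, since all four are the manage + relabel sets now shared by the user and unconfined roles. container_admin_all_ro_files should additionally note that "read-only" describes the type's purpose for containers, not the access granted here, because it allows manage_*_perms and relabel_*_perms on container_ro_file_t. The object-class lists were copied verbatim so the move itself is safe, but now that they sit side by side it is visible that container_file_t has no fifo_file rule while container_user_runtime_t and container_data_home_t do, and container_user_runtime_t has no lnk_file rule; if that is deliberate a comment would help, otherwise it is a follow-up. The gen_require in container_admin_all_home_content pulls in container_file_t and container_ro_file_t only as filetrans_pattern targets, which is correct; a one-line comment above the filetrans block saying so would stop the next reader from looking for missing allow rules.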