commit: a223ccaf9ede7fc52fdb9d5ba5a62b0c8d72ae30 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Sat Apr 1 16:08:42 2017 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Mon Apr 10 16:44:59 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a223ccaf
systemd-nspawn again This patch doesn't do everything that is needed to have systemd-nspawn work. But it does everything that is needed and which I have written in a clear and uncontroversial way. I think it's best to get this upstream now and then either have a separate discussion about the more difficult issues, or wait until I devise a way of solving those problems that's not too hacky. Who knows, maybe someone else will devise a brilliant solution to the remaining issues after this is accepted upstream. Also there's a tiny patch for systemd_machined_t that is required by systemd_nspawn_t. Description: systemd-nspawn Author: Russell Coker <russell <AT> coker.com.au> Last-Update: 2017-03-29 policy/modules/kernel/devices.if | 36 ++++++++++ policy/modules/kernel/devices.te | 2 +- policy/modules/kernel/files.if | 18 +++++ policy/modules/kernel/files.te | 2 +- policy/modules/kernel/filesystem.if | 18 +++++ policy/modules/kernel/filesystem.te | 2 +- policy/modules/kernel/kernel.if | 135 ++++++++++++++++++++++++++++++++++++ policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/terminal.if | 18 +++++ policy/modules/kernel/terminal.te | 2 +- policy/modules/system/init.if | 48 +++++++------ policy/modules/system/init.te | 2 +- policy/modules/system/systemd.te | 119 ++++++++++++++++++++++++++++++- 13 files changed, 375 insertions(+), 29 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index c5af9342..1f1fbca6 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -4064,6 +4064,24 @@ interface(`dev_getattr_sysfs',` ######################################## ## <summary> +## mount a sysfs filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_mount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem mount; +') + +######################################## +## <summary> ## Do not audit getting the attributes of sysfs filesystem ## </summary> ## <param name="domain"> @@ -4082,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',` ######################################## ## <summary> +## mounton sysfs directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_mounton_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:dir mounton; +') + +######################################## +## <summary> ## Search the sysfs directories. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index e15c26c3..277a6a19 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.20.5) +policy_module(devices, 1.20.6) ######################################## # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 9d7a929a..9f9fdded 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
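Review bot: The new interface summaries `## mount a sysfs filesystem` and `## mounton sysfs directories.` do not follow the surrounding doc style, where every summary is a capitalized sentence ending in a period (compare the neighbouring `## Search the sysfs directories.`), and the first also lacks its period; these comments are the XML the interface documentation is generated from, so the inconsistency shows up in the published docs. Suggested wording: `## Mount a sysfs filesystem.` and `## Mount on sysfs directories.`. The same lowercase form appears in files.if (`## mounton a /var/run directory.`) and in kernel.if (`## mount the proc filesystem.`, `## remount the proc filesystem.`) and should be fixed the same way.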
@@ -6340,6 +6340,24 @@ interface(`files_dontaudit_getattr_pid_dirs',` ######################################## ## <summary> +## mounton a /var/run directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_mounton_pid_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir mounton; +') + +######################################## +## <summary> ## Set the attributes of the /var/run directory. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 10001b15..33c92c70 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.23.8) +policy_module(files, 1.23.9) ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index bba3e389..cfaa3e85 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -4160,6 +4160,24 @@ interface(`fs_mounton_tmpfs',` ######################################## ## <summary> +## Mount on tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mounton_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:file mounton; +') + +######################################## +## <summary> ## Set the attributes of tmpfs directories. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 3194b0e0..11ada353 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.22.5) +policy_module(filesystem, 1.22.6) ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 6887b00d..cecf5d86 100644 
--- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -828,6 +828,42 @@ interface(`kernel_mount_kvmfs',` ######################################## ## <summary> +## mount the proc filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_mount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem mount; +') + +######################################## +## <summary> +## remount the proc filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`kernel_remount_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:filesystem remount; +') + +######################################## +## <summary> ## Unmount the proc filesystem. ## </summary> ## <param name="domain"> @@ -864,6 +900,25 @@ interface(`kernel_getattr_proc',` ######################################## ## <summary> +## Mount on proc directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_mounton_proc',` + gen_require(` + type proc_t; + ') + + allow $1 proc_t:dir mounton; +') + +######################################## +## <summary> ## Do not audit attempts to set the ## attributes of directories in /proc. ## </summary> 
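Review bot: `kernel_mounton_proc` carries a `<rolecap/>` tag while the equivalent new mount-on interfaces in devices.if, files.if and filesystem.if (`dev_mounton_sysfs_dirs`, `files_mounton_pid_dirs`, `fs_mounton_tmpfs_files`) do not, so the role-capability tagging is inconsistent across the commit. Mounting over directories of a kernel pseudo-filesystem is a privilege needed by a system daemon such as systemd_nspawn_t rather than by a user role, so unless a role is meant to receive it, dropping the `## <rolecap/>` line is the safer reading; if it is intended, the sibling interfaces should be tagged too. The same tag appears on `kernel_mounton_message_if`, `kernel_mounton_sysctl_dirs`, `kernel_mounton_sysctl_files` and `kernel_mounton_kernel_sysctl_files` in the later kernel.if hunks.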
@@ -1306,6 +1361,26 @@ interface(`kernel_dontaudit_getattr_message_if',` ######################################## ## <summary> +## Mount on kernel message interfaces files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_mounton_message_if',` + gen_require(` + type proc_t, proc_kmsg_t; + ') + + allow $1 proc_t:dir list_dir_perms; + allow $1 proc_kmsg_t:file { getattr mounton }; +') + +######################################## +## <summary> ## Do not audit attempts to search the network ## state directory. ## </summary> @@ -1557,6 +1632,26 @@ interface(`kernel_dontaudit_search_sysctl',` ######################################## ## <summary> +## Mount on sysctl_t dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_mounton_sysctl_dirs',` + gen_require(` + type proc_t, sysctl_t; + ') + + allow $1 proc_t:dir list_dir_perms; + allow $1 sysctl_t:dir { getattr mounton }; +') + +######################################## +## <summary> ## Allow access to read sysctl directories. ## </summary> ## <param name="domain"> @@ -1577,6 +1672,26 @@ interface(`kernel_read_sysctl',` ######################################## ## <summary> +## Mount on sysctl files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_mounton_sysctl_files',` + gen_require(` + type proc_t, sysctl_t; + ') + + allow $1 { proc_t sysctl_t }:dir list_dir_perms; + allow $1 sysctl_t:file { getattr mounton }; +') + +######################################## +## <summary> ## Allow caller to read the device sysctls. ## </summary> ## <param name="domain"> 
@@ -2021,6 +2136,26 @@ interface(`kernel_rw_kernel_sysctl',` list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) ') +####################################### +## <summary> +## Mount on kernel sysctl files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`kernel_mounton_kernel_sysctl_files',` + gen_require(` + type proc_t, sysctl_t, sysctl_kernel_t; + ') + + allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms; + allow $1 sysctl_kernel_t:file { getattr mounton }; +') + ######################################## ## <summary> ## Search filesystem sysctl directories. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 034d6a0b..639b8454 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.22.0) +policy_module(kernel, 1.22.1) ######################################## # diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 05be0475..d72775c0 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -133,6 +133,24 @@ interface(`term_user_tty',` ######################################## ## <summary> +## mount a devpts_t filesystem +## </summary> +## <param name="domain"> +## <summary> +## The type of the process to mount it +## </summary> +## </param> +# +interface(`term_mount_devpts',` + gen_require(` + type devpts_t; + ') + + allow $1 devpts_t:filesystem mount; +') + +######################################## +## <summary> ## Create a pty in the /dev/pts directory. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index b77752b5..a1fca0da 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te 
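Review bot: In the terminal.if hunk, the `<param name="domain">` summary for `term_mount_devpts` reads `The type of the process to mount it`, whereas every other interface added in this commit and the neighbouring terminal.if interfaces use the standard `Domain allowed access.`; change it to `## Domain allowed access.` so the generated docs stay uniform. In the kernel.if hunk above it, the separator line inserted before `kernel_mounton_kernel_sysctl_files` appears to be one `#` shorter than the `########################################` used by the surrounding interfaces and is worth aligning.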
@@ -1,4 +1,4 @@ -policy_module(terminal, 1.16.1) +policy_module(terminal, 1.16.2) ######################################## # diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 9b07a6e7..e42a7db5 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -828,6 +828,7 @@ interface(`init_dgram_send',` dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) files_search_pids($1) + allow $1 init_t:unix_stream_socket getattr; ') ######################################## @@ -1111,21 +1112,6 @@ interface(`init_relabel_var_lib_dirs',` ## Domain allowed access. ## </summary> ## </param> -## <param name="file_type"> -## <summary> -## The type of the object to be created -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## The object class. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> # interface(`init_manage_var_lib_files',` gen_require(` @@ -1513,6 +1499,24 @@ interface(`init_script_file_domtrans',` ######################################## ## <summary> +## Send a kill signal to init scripts. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_kill_scripts',` + gen_require(` + type initrc_t; + ') + + allow $1 initrc_t:process sigkill; +') + +######################################## +## <summary> ## Allow manage service for initrc_exec_t scripts ## </summary> ## <param name="domain"> 
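Review bot: The line `allow $1 init_t:unix_stream_socket getattr;` added to `init_dgram_send` widens every existing caller of that interface, not only systemd_nspawn_t, and a stream-socket getattr does not match the interface's datagram-send purpose; the interface's header and summary lie above the hunk. Unless all callers are known to need it, keep the interface unchanged and grant the access where it is needed, e.g. in systemd.te `allow systemd_nspawn_t init_t:unix_stream_socket getattr;`, or add a separate, narrowly named interface for it.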
@@ -1662,14 +1666,14 @@ interface(`init_startstop_service',` # interface(`init_run_daemon',` gen_require(` - attribute init_script_file_type; + attribute init_script_file_type; role system_r; ') allow $2 system_r; - init_all_labeled_script_domtrans($1) - role_transition $2 init_script_file_type system_r; + init_all_labeled_script_domtrans($1) + role_transition $2 init_script_file_type system_r; ') ######################################## @@ -2649,11 +2653,11 @@ interface(`init_delete_pid_files',` ## </param> # interface(`init_write_pid_socket',` - gen_require(` - type init_var_run_t; - ') + gen_require(` + type init_var_run_t; + ') - allow $1 init_var_run_t:sock_file write; + allow $1 init_var_run_t:sock_file write; ') ######################################## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index dfde3f39..a0a1723c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.2.13) +policy_module(init, 2.2.14) gen_require(` class passwd rootok; diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index e1f4c3a7..672d289d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.3.14) +policy_module(systemd, 1.3.15) ######################################### # @@ -472,6 +472,9 @@ init_service_start(systemd_machined_t) init_service_status(systemd_machined_t) init_start_system(systemd_machined_t) init_stop_system(systemd_machined_t) +init_get_generic_units_status(systemd_machined_t) +init_start_generic_units(systemd_machined_t) +init_stop_generic_units(systemd_machined_t) logging_send_syslog_msg(systemd_machined_t) 
@@ -513,8 +516,122 @@ miscfiles_read_localization(systemd_notify_t) # Nspawn local policy # +allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill }; +allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot }; +allow systemd_nspawn_t self:capability2 wake_alarm; +allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; + +allow systemd_nspawn_t systemd_journal_t:dir search; + +allow systemd_nspawn_t systemd_machined_t:dbus send_msg; + +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms; +allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms; init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir) +# for /run/systemd/nspawn/incoming in chroot +allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton; + +kernel_mount_proc(systemd_nspawn_t) +kernel_mounton_sysctl_dirs(systemd_nspawn_t) +kernel_mounton_kernel_sysctl_files(systemd_nspawn_t) +kernel_mounton_message_if(systemd_nspawn_t) +kernel_mounton_proc(systemd_nspawn_t) +kernel_mounton_sysctl_dirs(systemd_nspawn_t) +kernel_read_kernel_sysctls(systemd_nspawn_t) +kernel_read_system_state(systemd_nspawn_t) +kernel_remount_proc(systemd_nspawn_t) +kernel_unconfined(systemd_nspawn_t) + +corecmd_exec_shell(systemd_nspawn_t) +corecmd_search_bin(systemd_nspawn_t) + +corenet_rw_tun_tap_dev(systemd_nspawn_t) + +dev_getattr_fs(systemd_nspawn_t) +dev_manage_sysfs_dirs(systemd_nspawn_t) +dev_mounton_sysfs_dirs(systemd_nspawn_t) +dev_mount_sysfs(systemd_nspawn_t) +dev_read_rand(systemd_nspawn_t) +dev_read_urand(systemd_nspawn_t) + +files_getattr_tmp_dirs(systemd_nspawn_t) +files_manage_etc_files(systemd_nspawn_t) +files_manage_mnt_dirs(systemd_nspawn_t) +files_mounton_mnt(systemd_nspawn_t) +files_mounton_root(systemd_nspawn_t) +files_mounton_tmp(systemd_nspawn_t) +files_setattr_pid_dirs(systemd_nspawn_t) + +fs_getattr_tmpfs(systemd_nspawn_t) +fs_manage_tmpfs_chr_files(systemd_nspawn_t) 
+fs_mount_tmpfs(systemd_nspawn_t) +fs_remount_tmpfs(systemd_nspawn_t) +fs_search_cgroup_dirs(systemd_nspawn_t) + +term_getattr_generic_ptys(systemd_nspawn_t) +term_getattr_pty_fs(systemd_nspawn_t) +term_mount_devpts(systemd_nspawn_t) +term_search_ptys(systemd_nspawn_t) +term_setattr_generic_ptys(systemd_nspawn_t) +term_use_ptmx(systemd_nspawn_t) + +init_domtrans_script(systemd_nspawn_t) +init_kill_scripts(systemd_nspawn_t) +init_read_state(systemd_nspawn_t) +init_search_run(systemd_nspawn_t) +init_write_pid_socket(systemd_nspawn_t) +init_spec_domtrans_script(systemd_nspawn_t) + +miscfiles_manage_localization(systemd_nspawn_t) + +# for writing inside chroot +sysnet_manage_config(systemd_nspawn_t) + +userdom_manage_user_home_dirs(systemd_nspawn_t) + +tunable_policy(`systemd_nspawn_labeled_namespace',` + corecmd_exec_shell(systemd_nspawn_t) + + dev_mounton(systemd_nspawn_t) + dev_setattr_generic_dirs(systemd_nspawn_t) + + files_search_home(systemd_nspawn_t) + files_mounton_pid_dirs(systemd_nspawn_t) + + fs_getattr_cgroup(systemd_nspawn_t) + fs_manage_cgroup_dirs(systemd_nspawn_t) + fs_manage_tmpfs_dirs(systemd_nspawn_t) + fs_manage_tmpfs_files(systemd_nspawn_t) + fs_manage_tmpfs_symlinks(systemd_nspawn_t) + fs_mount_cgroup(systemd_nspawn_t) + fs_mounton_cgroup(systemd_nspawn_t) + fs_mounton_tmpfs(systemd_nspawn_t) + fs_mounton_tmpfs_files(systemd_nspawn_t) + fs_remount_cgroup(systemd_nspawn_t) + fs_search_tmpfs(systemd_nspawn_t) + fs_write_cgroup_files(systemd_nspawn_t) + + selinux_getattr_fs(systemd_nspawn_t) + selinux_search_fs(systemd_nspawn_t) + + init_domtrans(systemd_nspawn_t) + + logging_search_logs(systemd_nspawn_t) + + seutil_search_default_contexts(systemd_nspawn_t) +') + +optional_policy(` + allow systemd_machined_t systemd_nspawn_t:dbus send_msg; + + dbus_system_bus_client(systemd_nspawn_t) +') + +optional_policy(` + virt_manage_virt_content(systemd_nspawn_t) +') + ####################################### # # systemd_passwd_agent_t local policy
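Review bot: `kernel_unconfined(systemd_nspawn_t)` gives the domain effectively unrestricted access to the kernel module's types (proc, sysctl and friends), which subsumes the fine-grained `kernel_mount_proc`, `kernel_remount_proc`, `kernel_mounton_*` and `kernel_read_*` calls listed just above it and leaves the interfaces introduced by this very commit with no effect for this domain. Either drop the unconfined call and rely on the specific interfaces, or precede it with a comment stating what it is still needed for so a later cleanup can remove it. Smaller issues in the same hunk: `kernel_mounton_sysctl_dirs(systemd_nspawn_t)` is listed twice, and `corecmd_exec_shell(systemd_nspawn_t)` inside the `systemd_nspawn_labeled_namespace` block duplicates the unconditional call above it. The rule under `# for writing inside chroot` (`sysnet_manage_config`) and likewise `files_manage_etc_files` and `userdom_manage_user_home_dirs` are keyed on type labels, so they apply equally to the host's etc_t and home content, not only to files under the container root; that is worth saying in the comment, e.g. `# for writing inside chroot; note this also covers host files of the same type`. The tunable `systemd_nspawn_labeled_namespace` is not declared in this hunk, so it is assumed to exist elsewhere in systemd.te.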