container, kubernetes: add support for cilium

Cilium is a kubernetes CNI powered by BPF. Its daemon pods run as super privileged containers which require various accesses in order to load BPF programs and modify the host network. Signed-off-by: Kenton Groombridge <[email protected]>
SELinuxProject · Dec 18, 2023 · 759de96 · 759de96
1 parent b247ab4
commit 759de96
Show file tree

Hide file tree

Showing 6 changed files with 226 additions and 2 deletions.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
@@ -713,6 +713,24 @@ interface(`fs_manage_bpf_files',`
 	manage_files_pattern($1, bpf_t, bpf_t)
 ')
 
+########################################
+## <summary>
+##	Manage bpf symlinks.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_bpf_symlinks',`
+	gen_require(`
+		type bpf_t;
+	')
+
+	manage_lnk_files_pattern($1, bpf_t, bpf_t)
+')
+
 ########################################
 ## <summary>
 ##	Mount cgroup filesystems.

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
@@ -2017,6 +2017,25 @@ interface(`kernel_rw_net_sysctls',`
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
+########################################
+## <summary>
+##	Allow caller to mount on network sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_net_sysctl_dirs',`
+	gen_require(`
+		type sysctl_net_t;
+	')
+
+	allow $1 sysctl_net_t:dir mounton;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to read unix domain
@@ -2181,6 +2200,25 @@ interface(`kernel_dontaudit_read_kernel_sysctl',`
 	dontaudit $1 sysctl_kernel_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow caller to mount on kernel sysctl directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_kernel_sysctl_dirs',`
+	gen_require(`
+		type sysctl_kernel_t;
+	')
+
+	allow $1 sysctl_kernel_t:dir mounton;
+')
+
 ########################################
 ## <summary>
 ##	Read generic crypto sysctls.

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
@@ -1847,6 +1847,25 @@ interface(`container_getattr_runtime_sock_files',`
 	allow $1 container_runtime_t:sock_file getattr;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to create
+##	runtime container directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_create_runtime_dirs',`
+	gen_require(`
+		type container_runtime_t;
+	')
+
+	create_dirs_pattern($1, container_runtime_t, container_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to manage

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
@@ -530,6 +530,8 @@ fs_rw_cgroup_files(container_t)
 # for metallb BGP speakers
 fs_read_nsfs_files(container_t)
 
+kernel_get_sysvipc_info(container_t)
+kernel_read_fs_sysctls(container_t)
 kernel_read_vm_overcommit_sysctl(container_t)
 
 auth_use_nsswitch(container_t)
@@ -955,13 +957,14 @@ domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t)
 
 allow spc_t self:process { getcap setrlimit };
-allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid sys_admin sys_ptrace sys_rawio sys_resource };
+allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid net_admin net_raw sys_admin sys_chroot sys_ptrace sys_rawio sys_resource };
 allow spc_t self:capability2 { bpf perfmon };
 allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
+allow spc_t self:alg_socket create_stream_socket_perms;
 allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow spc_t self:netlink_generic_socket create_socket_perms;
 allow spc_t self:netlink_netfilter_socket create_socket_perms;
-allow spc_t self:netlink_xfrm_socket create_socket_perms;
+allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow spc_t self:perf_event { cpu kernel open read };
 
 allow container_engine_system_domain spc_t:process { setsched signal_perms };
@@ -985,6 +988,9 @@ allow spc_t container_runtime_t:dir { manage_dir_perms mounton };
 allow spc_t container_runtime_t:file manage_file_perms;
 allow spc_t container_runtime_t:sock_file manage_sock_file_perms;
 
+dev_mount_sysfs(spc_t)
+dev_unmount_sysfs(spc_t)
+dev_remount_sysfs(spc_t)
 dev_mounton_sysfs_dirs(spc_t)
 dev_read_sysfs(spc_t)
 
@@ -998,18 +1004,24 @@ fs_manage_cgroup_files(spc_t)
 fs_mount_bpf(spc_t)
 fs_create_bpf_dirs(spc_t)
 fs_manage_bpf_files(spc_t)
+fs_manage_bpf_symlinks(spc_t)
+fs_unmount_nsfs(spc_t)
 fs_list_tmpfs(spc_t)
 fs_watch_tmpfs_dirs(spc_t)
 
 kernel_load_module(spc_t)
 kernel_request_load_module(spc_t)
 kernel_read_network_state(spc_t)
 kernel_read_vm_overcommit_sysctl(spc_t)
+kernel_rw_kernel_sysctl(spc_t)
 kernel_dontaudit_list_unlabeled(spc_t)
 
 storage_raw_rw_fixed_disk(spc_t)
 
+files_manage_etc_files(spc_t)
+
 init_read_state(spc_t)
+init_write_runtime_socket(spc_t)
 
 iptables_read_runtime_files(spc_t)
 
@@ -1018,6 +1030,8 @@ modutils_read_module_deps(spc_t)
 # for kubernetes debug pods
 term_use_generic_ptys(spc_t)
 
+container_manage_config_files(spc_t)
+
 container_list_plugin_dirs(spc_t)
 container_manage_plugin_files(spc_t)
 
@@ -1032,6 +1046,11 @@ container_manage_var_lib_dirs(spc_t)
 container_manage_var_lib_files(spc_t)
 container_map_var_lib_files(spc_t)
 
+# for cilium
+allow spc_t container_config_t:dir watch;
+allow spc_t container_runtime_t:lnk_file manage_lnk_file_perms;
+allow spc_t container_runtime_t:file watch;
+
 ifdef(`init_systemd',`
 	init_dbus_chat(spc_t)
 	init_run_bpf(spc_t)
@@ -1070,6 +1089,14 @@ optional_policy(`
 
 	# for device plugins
 	kubernetes_stream_connect_kubelet(spc_t)
+
+	# for cilium
+	kubernetes_manage_runtime_dirs(spc_t)
+	kubernetes_mounton_runtime_dirs(spc_t)
+	kubernetes_manage_runtime_files(spc_t)
+	kubernetes_watch_runtime_files(spc_t)
+	kubernetes_manage_runtime_symlinks(spc_t)
+	kubernetes_manage_runtime_sock_files(spc_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if
@@ -549,6 +549,114 @@ interface(`kubernetes_manage_plugin_files',`
 	manage_files_pattern($1, kubernetes_plugin_t, kubernetes_plugin_t)
 ')
 
+########################################
+## <summary>
+##	Manage kubernetes runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_manage_runtime_dirs',`
+	gen_require(`
+		type kubernetes_runtime_t;
+	')
+
+	allow $1 kubernetes_runtime_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Mount on kubernetes runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_mounton_runtime_dirs',`
+	gen_require(`
+		type kubernetes_runtime_t;
+	')
+
+	allow $1 kubernetes_runtime_t:dir mounton;
+')
+
+########################################
+## <summary>
+##	Manage kubernetes runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_manage_runtime_files',`
+	gen_require(`
+		type kubernetes_runtime_t;
+	')
+
+	allow $1 kubernetes_runtime_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Watch kubernetes runtime files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_watch_runtime_files',`
+	gen_require(`
+		type kubernetes_runtime_t;
+	')
+
+	allow $1 kubernetes_runtime_t:file watch;
+')
+
+########################################
+## <summary>
+##	Manage kubernetes runtime symlinks.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_manage_runtime_symlinks',`
+	gen_require(`
+		type kubernetes_runtime_t;
+	')
+
+	allow $1 kubernetes_runtime_t:lnk_file manage_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage kubernetes runtime sock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_manage_runtime_sock_files',`
+	gen_require(`
+		type kubernetes_runtime_t;
+	')
+
+	allow $1 kubernetes_runtime_t:sock_file manage_sock_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	List the contents of kubernetes tmpfs

diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
@@ -94,6 +94,9 @@ fs_relabelfrom_tmpfs_dirs(kubernetes_container_engine_domain)
 # for relabeling newly provisioned persistent volumes
 kernel_list_unlabeled(kubernetes_container_engine_domain)
 kernel_relabelfrom_unlabeled_dirs(kubernetes_container_engine_domain)
+# for cilium
+kernel_mounton_net_sysctl_dirs(kubernetes_container_engine_domain)
+kernel_mounton_kernel_sysctl_dirs(kubernetes_container_engine_domain)
 
 iptables_getattr_runtime_files(kubernetes_container_engine_domain)
 
@@ -112,8 +115,16 @@ container_watch_log_dirs(kubernetes_container_engine_domain)
 container_var_lib_filetrans_file(kubernetes_container_engine_domain, dir, "calico")
 container_var_lib_filetrans_file(kubernetes_container_engine_domain, dir, "etcd")
 
+# for cilium
+container_stream_connect_spc(kubernetes_container_engine_domain)
+
 kubernetes_search_plugin_dirs(kubernetes_container_engine_domain)
 
+allow kubernetes_container_engine_domain kubernetes_runtime_t:sock_file rw_sock_file_perms;
+
+manage_dirs_pattern(kubernetes_container_engine_domain, kubernetes_runtime_t, kubernetes_runtime_t)
+manage_files_pattern(kubernetes_container_engine_domain, kubernetes_runtime_t, kubernetes_runtime_t)
+
 ifdef(`init_systemd',`
 	init_dbus_chat(kubernetes_container_engine_domain)
 
@@ -358,6 +369,9 @@ container_manage_log_symlinks(kubelet_t)
 container_watch_log_files(kubelet_t)
 container_log_filetrans(kubelet_t, { dir file })
 
+# for cilium
+container_create_runtime_dirs(kubelet_t)
+
 kubernetes_manage_tmpfs_dirs(kubelet_t)
 kubernetes_manage_tmpfs_files(kubelet_t)
 kubernetes_manage_tmpfs_symlinks(kubelet_t)