Add container types

Signed-off-by: Daniel J Walsh <[email protected]>
sandrobonazzola · Feb 7, 2023 · 503ae0d · 503ae0d
1 parent eb58ce9
commit 503ae0d
Showing 1 changed file with 103 additions and 4 deletions.
diff --git a/qm.te b/qm.te
@@ -5,6 +5,9 @@ gen_require(`
 
 	attribute container_domain;
 	attribute filesystem_type;
+	attribute container_init_domain;
+	attribute container_net_domain;
+	attribute container_user_domain;
 
 	type cgroup_t;
 	type container_runtime_t;
@@ -30,22 +33,21 @@ role system_r types qm_t;
 init_initrc_domain(qm_t)
 
 attribute qm_file_type;
+allow qm_file_type self:filesystem associate;
 
 type qm_file_t, qm_file_type;
 files_type(qm_file_t)
 files_mountpoint(qm_file_t)
-files_mountpoint(qm_file_t)
 
 type qm_container_var_lib_t, qm_file_type;
 files_mountpoint(qm_container_var_lib_t)
 
 type qm_container_ro_file_t, qm_file_type;
 files_mountpoint(qm_container_ro_file_t)
 
-allow qm_t qm_container_ro_file_t:file execmod;
+allow qm_t qm_file_type:file { execmod relabelfrom relabelto map entrypoint mounton };
 manage_files_pattern(qm_t, qm_file_type, qm_file_type)
 can_exec(qm_t, qm_file_type)
-allow qm_t qm_file_type:file { map entrypoint mounton };
 allow qm_t qm_file_type:chr_file mounton;
 manage_blk_files_pattern(qm_t, qm_file_type, qm_file_type)
 manage_chr_files_pattern(qm_t, qm_file_type, qm_file_type)
@@ -56,7 +58,8 @@ manage_sock_files_pattern(qm_t, qm_file_type, qm_file_type)
 fs_tmpfs_filetrans(qm_t, qm_file_t, { dir file lnk_file })
 allow qm_t qm_file_type:chr_file { watch watch_reads };
 allow qm_t qm_file_type:dir { mounton relabelfrom relabelto };
-allow qm_t qm_file_type:filesystem { getattr remount unmount };
+allow qm_t qm_file_type:filesystem { relabelto relabelfrom getattr remount unmount };
+allow qm_t qm_file_type:service all_service_perms;
 
 manage_blk_files_pattern(init_t, qm_file_type, qm_file_type)
 manage_chr_files_pattern(init_t, qm_file_type, qm_file_type)
@@ -95,6 +98,7 @@ allow systemd_logind_t qm_t:unix_stream_socket { connectto rw_stream_socket_perm
 
 allow system_dbusd_t qm_file_type:chr_file { read write };
 
+allow qm_t self:system status;
 allow qm_t self:user_namespace create;
 allow qm_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow qm_t self:cap_userns { audit_write chown dac_override dac_read_search fowner fsetid kill net_bind_service net_admin net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace sys_resource };
@@ -209,6 +213,7 @@ unconfined_dgram_send(qm_t)
 
 selinux_dontaudit_get_fs_mount(qm_t)
 selinux_dontaudit_search_fs(qm_t)
+selinux_setcheckreqprot(qm_t)
 dontaudit qm_t security_t:file write;
 
 sysnet_read_config(qm_t)
@@ -234,3 +239,97 @@ allow container_runtime_t qm_t:process2 { nnp_transition nosuid_transition };
 dontaudit container_runtime_t qm_t:process { noatsecure rlimitinh siginh };
 
 read_files_pattern(iptables_t, qm_file_type, qm_file_type)
+
+# ===================================================================
+#  QM Containers
+#
+
+attribute qm_container_domain;
+
+type qm_container_t,  qm_container_domain;
+domain_type(qm_container_t)
+domain_user_exemption_target(qm_container_t)
+container_manage_files_template(qm_container, qm_container)
+
+type qm_container_file_t, qm_file_type;
+files_type(qm_file_t)
+files_mountpoint(qm_file_t)
+
+# QM Container kvm - Policy for running kata containers
+type qm_container_kvm_t,  qm_container_domain;
+domain_type(qm_container_kvm_t)
+domain_user_exemption_target(qm_container_kvm_t)
+typeattribute qm_container_kvm_t container_net_domain, container_user_domain;
+container_manage_files_template(qm_container_kvm, qm_container)
+
+type qm_container_kvm_var_run_t;
+files_pid_file(qm_container_kvm_var_run_t)
+filetrans_pattern(qm_container_kvm_t, container_var_run_t, qm_container_kvm_var_run_t, {file sock_file dir})
+filetrans_pattern(qm_t, container_var_run_t, qm_container_kvm_var_run_t, dir, "kata-containers")
+
+manage_dirs_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
+manage_files_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
+manage_fifo_files_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
+manage_sock_files_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
+manage_lnk_files_pattern(qm_container_kvm_t, qm_container_kvm_var_run_t, qm_container_kvm_var_run_t)
+files_pid_filetrans(qm_container_kvm_t, qm_container_kvm_var_run_t, { dir file lnk_file sock_file })
+files_pid_filetrans(qm_container_kvm_t, qm_container_kvm_var_run_t, { dir file lnk_file sock_file })
+allow qm_container_kvm_t qm_container_kvm_var_run_t:{file dir} mounton;
+
+allow qm_container_kvm_t qm_t:unix_stream_socket rw_stream_socket_perms;
+
+container_stream_connect(qm_container_kvm_t)
+
+allow qm_container_kvm_t qm_t:tun_socket attach_queue;
+
+dev_rw_inherited_vhost(qm_container_kvm_t)
+dev_rw_vfio_dev(qm_container_kvm_t)
+
+corenet_rw_inherited_tun_tap_dev(qm_container_kvm_t)
+corecmd_exec_shell(qm_container_kvm_t)
+corecmd_exec_bin(qm_container_kvm_t)
+corecmd_bin_entry_type(qm_container_kvm_t)
+
+# virtiofs causes these AVC messages.
+kernel_mount_proc(qm_container_kvm_t)
+kernel_mounton_proc(qm_container_kvm_t)
+kernel_unmount_proc(qm_container_kvm_t)
+kernel_dgram_send(qm_container_kvm_t)
+files_mounton_rootfs(qm_container_kvm_t)
+
+auth_read_passwd(qm_container_kvm_t)
+logging_send_syslog_msg(qm_container_kvm_t)
+
+optional_policy(`
+	qemu_entry_type(qm_container_kvm_t)
+	qemu_exec(qm_container_kvm_t)
+')
+
+manage_sock_files_pattern(qm_container_kvm_t, qm_container_file_t, qm_container_file_t)
+
+dev_rw_kvm(qm_container_kvm_t)
+
+sssd_read_public_files(qm_container_kvm_t)
+
+# Container init - Policy for running systemd based containers
+type qm_container_init_t,  qm_container_domain;
+domain_type(qm_container_init_t)
+domain_user_exemption_target(qm_container_init_t)
+typeattribute qm_container_init_t container_init_domain, container_net_domain, container_user_domain;
+
+corenet_unconfined(qm_container_init_t)
+logging_send_syslog_msg(qm_container_init_t)
+
+allow qm_container_init_t proc_t:filesystem remount;
+
+optional_policy(`
+	virt_default_capabilities(qm_container_init_t)
+')
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
+	allow qm_container_init_t self:capability sys_admin;
+	allow qm_container_init_t self:cap_userns sys_admin;
+')
+
+allow qm_container_init_t self:netlink_audit_socket nlmsg_relay;
+container_manage_files_template(qm_container_init, qm_container)