selinux: Transition to pasta_t in containers
Currently, pasta runs in the container_runtime_exec_t context when running in a container. This is not ideal since it means that pasta runs with more privileges than strictly necessary. This commit updates the SELinux policy to have pasta transition to the pasta_t context when started from the container_runtime_t context, adds the appropriate labels to $XDG_RUNTIME_DIR/netns and $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the necessary permissions to the pasta_t context. Link: https://bugs.passt.top/show_bug.cgi?id=81 Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518 Signed-off-by: Max Chernoff <git@maxchernoff.ca> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
parent
3262c9b088
commit
7aeda16a78
2 changed files with 49 additions and 5 deletions
|
@ -8,7 +8,9 @@
|
|||
# Copyright (c) 2022 Red Hat GmbH
|
||||
# Author: Stefano Brivio <sbrivio@redhat.com>
|
||||
|
||||
/usr/bin/pasta system_u:object_r:pasta_exec_t:s0
|
||||
/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0
|
||||
/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0
|
||||
/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0
|
||||
/usr/bin/pasta system_u:object_r:pasta_exec_t:s0
|
||||
/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0
|
||||
/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0
|
||||
/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0
|
||||
/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0
|
||||
/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0
|
||||
|
|
|
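Review bot: The two new file-context entries match only the directory paths themselves (`/run/user/%{USERID}/netns` and `/run/user/%{USERID}/containers/networks/rootless-netns`), so a relabel such as `restorecon -R /run/user/<uid>` would leave anything created beneath them with whatever the parent rules give, presumably `user_tmp_t` given the `type_transition container_runtime_t user_tmp_t : dir ...` rules in the policy module. At runtime creation is handled by those transitions, but the file contexts should agree with them so a relabel does not undo the label. If the namespace files inside are expected to keep `ifconfig_var_run_t`, write the entries as `/run/user/%{USERID}/netns(/.*)?` and `/run/user/%{USERID}/containers/networks/rootless-netns(/.*)?`. The four earlier path lines appear unchanged in content, so I take that part of the hunk to be a whitespace-only realignment.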
@ -89,6 +89,15 @@ require {
|
|||
class capability { sys_tty_config setuid setgid };
|
||||
class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin };
|
||||
class user_namespace create;
|
||||
|
||||
# Container requires
|
||||
attribute_role usernetctl_roles;
|
||||
role container_user_r;
|
||||
role staff_r;
|
||||
role user_r;
|
||||
type container_runtime_t;
|
||||
type container_t;
|
||||
type systemd_user_runtimedir_t;
|
||||
}
|
||||
|
||||
type pasta_t;
|
||||
|
@ -113,6 +122,9 @@ init_daemon_domain(pasta_t, pasta_exec_t)
|
|||
|
||||
allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid };
|
||||
allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service };
|
||||
# pasta only calls setuid and setgid with the current UID and GID, so this
|
||||
# denial is harmless. See https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10
|
||||
dontaudit pasta_t self:cap_userns { setgid setuid };
|
||||
allow pasta_t self:user_namespace create;
|
||||
|
||||
auth_read_passwd(pasta_t)
|
||||
|
@ -130,7 +142,7 @@ allow pasta_t user_home_t:file { open read getattr setattr execute execute_no_tr
|
|||
allow pasta_t user_home_dir_t:dir { search getattr open add_name read write };
|
||||
allow pasta_t user_home_dir_t:file { create open read write };
|
||||
allow pasta_t tmp_t:dir { add_name mounton remove_name write };
|
||||
allow pasta_t tmpfs_t:filesystem mount;
|
||||
allow pasta_t tmpfs_t:filesystem { getattr mount };
|
||||
allow pasta_t fs_t:filesystem unmount;
|
||||
allow pasta_t root_t:dir mounton;
|
||||
manage_files_pattern(pasta_t, pasta_pid_t, pasta_pid_t)
|
||||
|
@ -156,6 +168,11 @@ allow pasta_t tmp_t:sock_file { create unlink write };
|
|||
allow pasta_t self:tcp_socket create_stream_socket_perms;
|
||||
corenet_tcp_sendrecv_generic_node(pasta_t)
|
||||
corenet_tcp_bind_generic_node(pasta_t)
|
||||
allow pasta_t container_runtime_t:dir { open read search };
|
||||
allow pasta_t container_runtime_t:fifo_file { getattr write };
|
||||
allow pasta_t container_runtime_t:file read;
|
||||
allow pasta_t container_runtime_t:lnk_file read;
|
||||
allow pasta_t container_t:lnk_file read;
|
||||
allow pasta_t pasta_port_t:tcp_socket { name_bind name_connect };
|
||||
allow pasta_t pasta_port_t:udp_socket { name_bind };
|
||||
allow pasta_t http_port_t:tcp_socket { name_bind name_connect };
|
||||
|
@ -213,3 +230,28 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh };
|
|||
allow pasta_t ping_t:process { noatsecure rlimitinh siginh };
|
||||
allow pasta_t user_tty_device_t:chr_file { append read write };
|
||||
allow pasta_t user_devpts_t:chr_file { append read write };
|
||||
|
||||
# Allow network administration commands for non-privileged users
|
||||
roleattribute container_user_r usernetctl_roles;
|
||||
roleattribute staff_r usernetctl_roles;
|
||||
roleattribute user_r usernetctl_roles;
|
||||
role usernetctl_roles types pasta_t;
|
||||
|
||||
# Make pasta in a container run under the pasta_t context
|
||||
type_transition container_runtime_t pasta_exec_t : process pasta_t;
|
||||
allow container_runtime_t pasta_t:process transition;
|
||||
|
||||
# Label the user network namespace files
|
||||
type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns";
|
||||
type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns";
|
||||
allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write };
|
||||
allow pasta_t ifconfig_var_run_t:file { create open write };
|
||||
allow systemd_user_runtimedir_t ifconfig_var_run_t:dir rmdir;
|
||||
|
||||
# Allow pasta to bind to any port
|
||||
bool pasta_bind_all_ports true;
|
||||
if (pasta_bind_all_ports) {
|
||||
allow pasta_t port_type:icmp_socket { accept getopt name_bind };
|
||||
allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect };
|
||||
allow pasta_t port_type:udp_socket { accept getopt name_bind };
|
||||
}
|
||||
|
|
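Review bot: The `bool pasta_bind_all_ports true;` block at the end of the last hunk defaults to on, which makes the narrower `pasta_port_t` and `http_port_t` rules earlier in the file dead policy on a stock install, and the commit message does not mention the new tunable. If least privilege is the goal, default it off with `bool pasta_bind_all_ports false;` so an administrator opts in via `setsebool`, or add a comment above it stating why on-by-default is required for rootless port forwarding. Also, `accept` and `getopt` are, as far as I can tell, checked against the socket's own context rather than the port SID, so listing them on `port_type` targets is a no-op; `{ name_bind name_connect }` for TCP and `{ name_bind }` for UDP/ICMP would express the same grant without the noise. The hunk runs to the end of the file, so no further rules follow it.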