author | Kenton Groombridge <concord@gentoo.org> | 2024-01-12 14:57:11 -0500 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:04:39 -0500 |
commit | 407ef76aa75368aa0ec9db5410bf2fe23fba8445 (patch) | |
tree | 63a30e35c666b5a6b3c6bb5a47fc65a9166a49da | |
parent | systemd: add policy for systemd-machine-id-setup (diff) | |
container, kubernetes: allow kubernetes to use fuse-overlayfs
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/kernel/filesystem.if | 18 | ||||
-rw-r--r-- | policy/modules/services/container.if | 20 | ||||
-rw-r--r-- | policy/modules/services/container.te | 2 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 9 |
4 files changed, 49 insertions, 0 deletions
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index d6d3acc2a..5b6b185a1 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2654,6 +2654,24 @@ interface(`fs_mounton_fusefs',`
 ########################################
 ## <summary>
+## Mount on files on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_fusefs_files',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:file mounton;
+')
+
+########################################
+## <summary>
 ## Make FUSEFS files an entrypoint for the
 ## specified domain.
 ## </summary>
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 552cecefa..165a73d56 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -669,6 +669,26 @@ interface(`container_domtrans',`
 ########################################
 ## <summary>
+## Execute FUSEFS files with a type
+## transition to the super privileged
+## container type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_fusefs_domtrans_spc',`
+ gen_require(`
+ type spc_t;
+ ')
+
+ fs_fusefs_domtrans($1, spc_t)
+')
+
+########################################
+## <summary>
 ## Connect to a system container engine
 ## domain over a unix stream socket.
 ## </summary>
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index f055b4a33..0e29369e8 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -1037,6 +1037,8 @@ fs_mount_bpf(spc_t)
 fs_create_bpf_dirs(spc_t)
 fs_manage_bpf_files(spc_t)
 fs_manage_bpf_symlinks(spc_t)
+fs_mounton_fusefs(spc_t)
+fs_mounton_fusefs_files(spc_t)
 fs_unmount_nsfs(spc_t)
 fs_mount_tmpfs(spc_t)
 fs_list_tmpfs(spc_t)
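Review bot: The summary of `container_fusefs_domtrans_spc` documents the transition but not its cost: `fs_fusefs_domtrans($1, spc_t)` presumably marks files of type fusefs_t as entrypoints for spc_t, the declared super privileged container domain, and fusefs_t is the single type shared by every FUSE mount on the host, so any executable the caller can reach on any FUSE filesystem becomes a way into an unconfined domain. That consequence belongs in the interface text so it is not granted casually; I would add under the summary `## Every fusefs_t file becomes a valid spc_t entrypoint for the caller; grant only to trusted container engines.` If spc_t already carries fs_fusefs_entrypoint elsewhere in container.te the marginal change is smaller, but the interface should still say so rather than leave the reader to trace fs_fusefs_domtrans.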
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 598f97af3..84e8ce4bf 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -104,8 +104,17 @@ kernel_relabelfrom_unlabeled_dirs(kubernetes_container_engine_domain)
 kernel_mounton_net_sysctl_dirs(kubernetes_container_engine_domain)
 kernel_mounton_kernel_sysctl_dirs(kubernetes_container_engine_domain)
+# for using the fuse-overlayfs storage driver
+storage_rw_fuse(kubernetes_container_engine_domain)
+fs_mount_fusefs(kubernetes_container_engine_domain)
+fs_unmount_fusefs(kubernetes_container_engine_domain)
+fs_remount_fusefs(kubernetes_container_engine_domain)
+container_fusefs_domtrans_spc(kubernetes_container_engine_domain)
+
 iptables_getattr_runtime_files(kubernetes_container_engine_domain)
+mount_exec(kubernetes_container_engine_domain)
+
 # for /dev/termination-log and maybe other device types
 container_dev_filetrans(kubernetes_container_engine_domain, file)
 container_manage_device_files(kubernetes_container_engine_domain) |
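Review bot: `container_fusefs_domtrans_spc(kubernetes_container_engine_domain)` makes the engine transition to spc_t whenever it executes a file living on a FUSE mount, and with the fuse-overlayfs storage driver the container image rootfs is exactly what sits on fusefs_t, so, if I read fs_fusefs_domtrans correctly, every workload started from that storage would run in the super privileged spc_t instead of a confined container domain. The comment `# for using the fuse-overlayfs storage driver` does not convey that loss of confinement; I would extend it to `# for using the fuse-overlayfs storage driver; NOTE: executables on fusefs_t transition to spc_t, so containers on this storage run unconfined` and consider either gating the block behind a tunable or mounting with context= so the existing container domtrans path applies. Separately, `mount_exec(kubernetes_container_engine_domain)` is added after the iptables line with no comment: if it is also needed for fuse-overlayfs it should move under that comment, otherwise it deserves its own one-line justification.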