CBL-Mariner/SPECS/selinux-policy/0004-Add-compatibility-for-container-selinux.patch

From 5b3643784bc2edef690fbd971305e68528f17876 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Date: Mon, 18 Apr 2022 15:15:34 +0000
Subject: [PATCH 04/35] Add compatibility for container-selinux

MSFT_TAG: Not upstreamable
---
 policy/modules/services/container.if        | 337 ++++++++++++++++++++
 policy/modules/services/container_compat.fc |   1 +
 policy/modules/services/container_compat.if |   1 +
 policy/modules/services/container_compat.te | 202 ++++++++++++
 4 files changed, 541 insertions(+)
 create mode 100644 policy/modules/services/container_compat.fc
 create mode 100644 policy/modules/services/container_compat.if
 create mode 100644 policy/modules/services/container_compat.te

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 16b146022..86aff4734 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -847,6 +847,65 @@ interface(`container_manage_dirs',`
 	manage_dirs_pattern($1, container_file_t, container_file_t)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	relabel from and to container file directory type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_relabel_dirs',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	relabel_dirs_pattern($1, container_file_t, container_file_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to mmap executable
+##	container files with text relocations.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_textrel_mmap_exec_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+  	mmap_exec_files_pattern($1, container_file_t, container_file_t)
+	allow $1 container_file_t:file execmod;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to execute
+##	container files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_exec_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+  	can_exec($1, container_file_t)
+')
+
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
@@ -866,6 +925,44 @@ interface(`container_manage_files',`
 	manage_files_pattern($1, container_file_t, container_file_t)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	relabel from and to container file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_relabel_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	relabel_files_pattern($1, container_file_t, container_file_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to use container files
+##	as an entrypoint.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_file_entrypoint',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:file entrypoint;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
@@ -923,6 +1020,44 @@ interface(`container_manage_sock_files',`
 	manage_sock_files_pattern($1, container_file_t, container_file_t)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to set
+##	the attributes of container block files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_setattr_blk_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:blk_file setattr;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	and write container block files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_rw_blk_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:blk_file rw_blk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to read
@@ -980,6 +1115,102 @@ interface(`container_manage_chr_files',`
 	manage_chr_files_pattern($1, container_file_t, container_file_t)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	list read-only container file directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_list_ro_dirs',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+  	list_dirs_pattern($1, container_ro_file_t, container_ro_file_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to
+##	read read-only container files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_ro_files',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+  	read_files_pattern($1, container_ro_file_t, container_ro_file_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to mmap executable
+##	read-only container files with text relocations.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_textrel_mmap_exec_ro_files',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+  	mmap_exec_files_pattern($1, container_ro_file_t, container_ro_file_t)
+	allow $1 container_ro_file_t:file execmod;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to execute
+##	read-only container files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_exec_ro_files',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+  	can_exec($1, container_ro_file_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to
+##	read read-only container symlinks.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_ro_symlinks',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+  	read_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
@@ -1408,6 +1639,25 @@ interface(`container_search_var_lib',`
 	allow $1 container_var_lib_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	container files in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_var_lib_files',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	read_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to manage
@@ -1465,6 +1715,37 @@ interface(`container_manage_var_lib_sock_files',`
 	manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to create
+##	objects in container /var/lib directories with
+##	an automatic type transition to the
+##	specified type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`container_var_lib_filetrans',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	filetrans_pattern($1, container_var_lib_t, $2, $3, $4)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to create
@@ -1518,6 +1799,62 @@ interface(`container_start_units',`
 	allow $1 container_unit_t:service start;
 ')
 
+########################################
+## <summary>
+##	Write pipes inherited from dockerd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_write_inherited_dockerd_pipes',`
+        gen_require(`
+                type dockerd_t;
+        ')
+
+        allow $1 dockerd_t:fd use;
+        allow $1 dockerd_t:fifo_file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Connect to privileged containers using an abstract stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_abstract_connect_privileged',`
+        gen_require(`
+                type spc_t;
+        ')
+
+        allow $1 spc_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Write pipes inherited from privileged containers.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_write_inherited_privileged_pipes',`
+        gen_require(`
+                type spc_t;
+        ')
+
+        allow $1 spc_t:fd use;
+        allow $1 spc_t:fifo_file write_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
diff --git a/policy/modules/services/container_compat.fc b/policy/modules/services/container_compat.fc
new file mode 100644
index 000000000..4a06a34d0
--- /dev/null
+++ b/policy/modules/services/container_compat.fc
@@ -0,0 +1 @@
+# No file contexts for this module.
diff --git a/policy/modules/services/container_compat.if b/policy/modules/services/container_compat.if
new file mode 100644
index 000000000..0afc9662b
--- /dev/null
+++ b/policy/modules/services/container_compat.if
@@ -0,0 +1 @@
+## <summary>Compatibility policy for container-selinux.</summary>
diff --git a/policy/modules/services/container_compat.te b/policy/modules/services/container_compat.te
new file mode 100644
index 000000000..945d86562
--- /dev/null
+++ b/policy/modules/services/container_compat.te
@@ -0,0 +1,202 @@
+policy_module(container_compat)
+
+gen_require(`
+        class passwd rootok;
+')
+
+# kubevirt expects these attributes in the policy module it deploys
+attribute sandbox_net_domain;
+attribute svirt_sandbox_domain;
+
+########################################
+#
+# sandbox_net_domain local policy
+#
+# This is derived from the Fedora SELinux policy,
+# revised for Reference Policy types and interfaces.
+
+kernel_read_network_state(sandbox_net_domain)
+
+allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
+allow sandbox_net_domain self:cap_userns { net_raw net_admin net_bind_service };
+
+allow sandbox_net_domain self:udp_socket create_socket_perms;
+allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
+allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
+allow sandbox_net_domain self:packet_socket create_socket_perms;
+allow sandbox_net_domain self:socket create_socket_perms;
+allow sandbox_net_domain self:rawip_socket create_stream_socket_perms;
+allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(sandbox_net_domain)
+corenet_udp_bind_generic_node(sandbox_net_domain)
+corenet_raw_bind_generic_node(sandbox_net_domain)
+corenet_udp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_connect_all_ports(sandbox_net_domain)
+
+optional_policy(`
+        sssd_stream_connect(sandbox_net_domain)
+')
+
+optional_policy(`
+        systemd_dbus_chat_logind(sandbox_net_domain)
+')
+
+########################################
+#
+# svirt_sandbox_domain local policy
+#
+# This is derived from the Fedora SELinux policy,
+# revised for Reference Policy types and interfaces.
+
+allow svirt_sandbox_domain self:key manage_key_perms;
+dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
+
+allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+allow svirt_sandbox_domain self:fifo_file manage_file_perms;
+allow svirt_sandbox_domain self:msg all_msg_perms;
+allow svirt_sandbox_domain self:sem create_sem_perms;
+allow svirt_sandbox_domain self:shm create_shm_perms;
+allow svirt_sandbox_domain self:msgq create_msgq_perms;
+allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow svirt_sandbox_domain self:passwd rootok;
+allow svirt_sandbox_domain self:filesystem associate;
+allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
+kernel_rw_unix_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+#kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+#kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
+kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain)
+#kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
+#domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain)
+#domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
+files_search_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
+
+#files_entrypoint_all_mountpoint(svirt_sandbox_domain)
+#corecmd_entrypoint_all_executables(svirt_sandbox_domain)
+
+files_search_all(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+#files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+#fs_rw_cephfs_files(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+#fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+#fs_read_hugetlbfs_files(svirt_sandbox_domain)
+fs_read_tmpfs_symlinks(svirt_sandbox_domain)
+fs_search_tmpfs(svirt_sandbox_domain)
+fs_rw_hugetlbfs_files(svirt_sandbox_domain)
+
+#auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
+#init_dontaudit_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
+
+#miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+#userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+#userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
+
+tunable_policy(`virt_use_nfs',`
+        fs_manage_nfs_dirs(svirt_sandbox_domain)
+        fs_manage_nfs_files(svirt_sandbox_domain)
+        fs_manage_nfs_named_sockets(svirt_sandbox_domain)
+        fs_manage_nfs_symlinks(svirt_sandbox_domain)
+        fs_mount_nfs(svirt_sandbox_domain)
+        fs_unmount_nfs(svirt_sandbox_domain)
+        fs_exec_nfs_files(svirt_sandbox_domain)
+        kernel_rw_fs_sysctls(svirt_sandbox_domain)
+')
+
+tunable_policy(`virt_use_samba',`
+        fs_manage_cifs_files(svirt_sandbox_domain)
+        fs_manage_cifs_dirs(svirt_sandbox_domain)
+        fs_manage_cifs_named_sockets(svirt_sandbox_domain)
+        fs_manage_cifs_symlinks(svirt_sandbox_domain)
+        fs_exec_cifs_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+        tunable_policy(`virt_sandbox_share_apache_content',`
+                apache_exec_modules(svirt_sandbox_domain)
+                apache_read_sys_content(svirt_sandbox_domain)
+        ')
+')
+
+optional_policy(`
+        allow svirt_sandbox_domain self:capability { audit_write chown fowner fsetid sys_nice };
+        allow svirt_sandbox_domain self:netlink_audit_socket { create read write };
+
+        dev_read_sysfs(svirt_sandbox_domain)
+        dev_getattr_mtrr_dev(svirt_sandbox_domain)
+        #dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
+
+        fs_read_cgroup_files(svirt_sandbox_domain)
+        #fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+
+        container_list_ro_dirs(svirt_sandbox_domain)
+        container_read_ro_files(svirt_sandbox_domain)
+        container_read_ro_symlinks(svirt_sandbox_domain)
+        container_textrel_mmap_exec_ro_files(svirt_sandbox_domain)
+        container_exec_ro_files(svirt_sandbox_domain)
+
+        container_manage_dirs(svirt_sandbox_domain)
+        container_manage_files(svirt_sandbox_domain)
+        container_textrel_mmap_exec_files(svirt_sandbox_domain)
+        container_exec_files(svirt_sandbox_domain)
+        container_manage_lnk_files(svirt_sandbox_domain)
+        container_manage_sock_files(svirt_sandbox_domain)
+        container_manage_fifo_files(svirt_sandbox_domain)
+        container_setattr_blk_files(svirt_sandbox_domain)
+        container_rw_blk_files(svirt_sandbox_domain)
+        container_relabel_dirs(svirt_sandbox_domain)
+        container_relabel_files(svirt_sandbox_domain)
+        container_var_lib_filetrans(svirt_sandbox_domain, container_file_t, sock_file)
+
+        #allow svirt_sandbox_domain container_file_t:dir mounton;
+        #allow svirt_sandbox_domain container_file_t:filesystem { getattr remount };
+
+        container_use_container_ptys(svirt_sandbox_domain)
+        container_file_entrypoint(svirt_sandbox_domain)
+        container_read_var_lib_files(svirt_sandbox_domain)
+        container_write_inherited_dockerd_pipes(svirt_sandbox_domain)
+        container_abstract_connect_privileged(svirt_sandbox_domain)
+        container_write_inherited_privileged_pipes(svirt_sandbox_domain)
+
+        allow spc_t svirt_sandbox_domain:process transition;
+')
+
+optional_policy(`
+        mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
+optional_policy(`
+        udev_read_runtime_files(svirt_sandbox_domain)
+')
-- 
2.34.1