diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch
new file mode 100644
index 00000000000..29cd63e12d5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch
@@ -0,0 +1,501 @@
+From 5293e66fafd5f5cf2872abc03d8b49ed5bc81b9a Mon Sep 17 00:00:00 2001
+From: Krzesimir Nowak
+Date: Mon, 4 Dec 2023 12:17:25 +0100
+Subject: [PATCH] Flatcar modifications
+
+---
+ policy/modules/admin/netutils.te | 20 ++++
+ policy/modules/kernel/corenetwork.if.in | 26 ++++
+ policy/modules/kernel/corenetwork.te.in | 12 +-
+ policy/modules/kernel/files.if | 45 +++++++
+ policy/modules/kernel/kernel.te | 73 ++++++++++++
+ policy/modules/services/container.fc | 6 +
+ policy/modules/services/container.te | 150 +++++++++++++++++++++++-
+ policy/modules/system/init.te | 8 ++
+ policy/modules/system/locallogin.te | 9 +-
+ policy/modules/system/logging.te | 9 ++
+ 10 files changed, 355 insertions(+), 3 deletions(-)
+
+diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
+index 3c43a1d84..429c67220 100644
+--- a/refpolicy/policy/modules/admin/netutils.te
++++ b/refpolicy/policy/modules/admin/netutils.te
+@@ -128,6 +128,16 @@ corenet_raw_sendrecv_generic_if(ping_t)
+ corenet_raw_sendrecv_generic_node(ping_t)
+ corenet_tcp_sendrecv_generic_node(ping_t)
+ corenet_raw_bind_generic_node(ping_t)
++#
++# FLATCAR:
++#
++# This is to fix ping -I with some IP or network interface.
++#
++# Based on https://github.com/fedora-selinux/selinux-policy/pull/403
++#
++# TODO: What AVC does this fix?
++#
++corenet_icmp_bind_generic_node(ping_t)
+
+ dev_read_urand(ping_t)
+
+@@ -212,6 +222,16 @@ corenet_udp_bind_traceroute_port(traceroute_t)
+ corenet_tcp_connect_all_ports(traceroute_t)
+ corenet_sendrecv_all_client_packets(traceroute_t)
+ corenet_sendrecv_traceroute_server_packets(traceroute_t)
++#
++# FLATCAR:
++#
++# This is to fix ping -I with some IP or network interface.
++#
++# Based on https://github.com/fedora-selinux/selinux-policy/pull/403
++#
++# TODO: What AVC does this fix?
++# ++corenet_icmp_bind_generic_node(traceroute_t) + + dev_read_rand(traceroute_t) + dev_read_urand(traceroute_t) +diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in +index d1038d742..a675c8e28 100644 +--- a/refpolicy/policy/modules/kernel/corenetwork.if.in ++++ b/refpolicy/policy/modules/kernel/corenetwork.if.in +@@ -877,6 +877,32 @@ interface(`corenet_sctp_bind_generic_node',` + allow $1 node_t:sctp_socket node_bind; + ') + ++# ++# FLATCAR: ++# ++# This is to fix ping -I with some IP or network interface. Added ++# icmp_socket here. ++# ++# Based on https://github.com/fedora-selinux/selinux-policy/pull/403 ++# ++######################################## ++## ++## Bind ICMP sockets to generic nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_icmp_bind_generic_node',` ++ gen_require(` ++ type node_t; ++ ') ++ ++ allow $1 node_t:icmp_socket node_bind; ++') ++ + ######################################## + ## + ## Bind TCP sockets to generic nodes. +diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in +index 53bf7849c..9edac05e8 100644 +--- a/refpolicy/policy/modules/kernel/corenetwork.te.in ++++ b/refpolicy/policy/modules/kernel/corenetwork.te.in +@@ -381,7 +381,17 @@ allow corenet_unconfined_type port_type:sctp_socket { name_connect }; + + # Bind to any network address. + allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind; +-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind; ++# ++# FLATCAR: ++# ++# This is to fix ping -I with some IP or network interface. Added ++# icmp_socket here. ++# ++# Based on https://github.com/fedora-selinux/selinux-policy/pull/403 ++# ++# TODO: What AVC does this fix? 
++# ++allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind; + + # Infiniband + corenet_ib_access_all_pkeys(corenet_unconfined_type) +diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if +index 370ac0931..098d0cd6c 100644 +--- a/refpolicy/policy/modules/kernel/files.if ++++ b/refpolicy/policy/modules/kernel/files.if +@@ -7911,3 +7911,48 @@ interface(`files_relabel_all_pidfiles',` + relabel_files_pattern($1, pidfile, pidfile) + relabel_lnk_files_pattern($1, pidfile, pidfile) + ') ++ ++# ++# FLATCAR: ++# ++# It's a part of our relabeling effort. Not finished, not yet used. ++# ++# Upstream PR: https://github.com/SELinuxProject/refpolicy/pull/515 ++# ++# Second part of this change: https://github.com/flatcar/coreos-overlay/blob/f9a9943cb7ebfcb6fa625b06eb808a65572f54ff/sec-policy/selinux-base-policy/files/systemd-relabel.patch ++# ++######################################## ++## ++## Relabel all files on the filesystem, except ++## policy_config_t and exceptions. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The types to be excluded. Each type or attribute ++## must be negated by the caller. 
++## ++## ++## ++# ++interface(`files_relabel_all_non_policy_files',` ++ gen_require(` ++ attribute file_type; ++ type policy_config_t; ++ ') ++ ++ allow $1 { file_type -policy_config_t $2 }:dir list_dir_perms; ++ relabel_dirs_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) ++ relabel_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) ++ relabel_lnk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) ++ relabel_fifo_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) ++ relabel_sock_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) ++ # this is only relabelfrom since there should be no ++ # device nodes with file types. ++ relabelfrom_blk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) ++ relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) ++') +diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te +index 8156ac087..72a07e753 100644 +--- a/refpolicy/policy/modules/kernel/kernel.te ++++ b/refpolicy/policy/modules/kernel/kernel.te +@@ -369,6 +369,79 @@ files_mounton_default(kernel_t) + + mcs_process_set_categories(kernel_t) + ++# ++# FLATCAR: ++# ++# TODO: What AVCs does this fix? ++# ++allow kernel_t self:user_namespace create; ++ ++# ++# FLATCAR: ++# ++# Occurs in coreos.tls.fetch-urls tests. 
Haven't pinpointed the cause yet: ++# ++# avc: denied { add_name } for pid=[0-9]* comm="bash" name="63" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0 ++# ++# Occurs in kubeadm.v.calico.base and ++# kubeadm.v.calico.cgroupv1.base: ++# ++# avc: denied { add_name } for pid=[0-9]* comm="tee" name="63" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0 ++# ++allow kernel_t self:dir { add_name }; ++ ++# ++# FLATCAR: ++# ++# Occurs in coreos.tls.fetch-urls tests. Haven't pinpointed the cause yet: ++# ++# avc: denied { create } for pid=[0-9]* comm="bash" name="63" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=file permissive=0 ++# ++# Occurs in kubeadm.v.calico.base and ++# kubeadm.v.calico.cgroupv1.base: ++# ++# avc: denied { create } for pid=[0-9]* comm="tee" name="63" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:kernel_t:s0 tclass=file permissive=0 ++# ++allow kernel_t self:file { create }; ++ ++# ++# FLATCAR: ++# ++# Occurs in coreos.tls.fetch-urls tests. Haven't pinpointed the cause ++# yet: ++# ++# avc: denied { write } for pid=[0-9]* comm="bash" name="fd" dev="proc" ino=[0-9]* scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0 ++# ++# This one occurs a lot in kubeadm.v.calico.base and ++# kubeadm.v.calico.cgroupv1.base, is this from mantle's ++# kola/tests/kubeadm/templates.go? ++# ++# avc: denied { write } for pid=[0-9]* comm="tee" name="fd" dev="proc" ino=[0-9]* scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0 ++# ++allow kernel_t self:dir { write }; ++ ++# ++# FLATCAR: ++# ++# This one happens a lot in kubeadm.v..cgroupv1.base. No ++# idea what is this, but looks like a vestige of cgroupv1 support. 
++# ++# avc: denied { audit_read } for pid=[0-9]* comm="systemd" capability=37 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1 ++# ++allow kernel_t self:capability2 { audit_read }; ++ ++# ++# FLATCAR: ++# ++# This one happens a lot in kubeadm.v..cgroupv1.base and ++# kubeadm.v..base for cilium and calico. ++# ++# avc: denied { watch_reads } for pid=[0-9]* comm="systemd" path="/run/mount/utab.lock" dev="tmpfs" ino=[0-9]* scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=file permissive=0 ++# ++optional_policy(` ++ mount_watch_reads_runtime_files(kernel_t) ++') ++ + mls_process_read_all_levels(kernel_t) + mls_process_write_all_levels(kernel_t) + mls_file_write_all_levels(kernel_t) +diff --git a/refpolicy/policy/modules/services/container.fc b/refpolicy/policy/modules/services/container.fc +index 49e5d59bb..3769ad311 100644 +--- a/refpolicy/policy/modules/services/container.fc ++++ b/refpolicy/policy/modules/services/container.fc +@@ -38,6 +38,12 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) + /etc/cni(/.*)? gen_context(system_u:object_r:container_config_t,s0) + /etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0) + /etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0) ++# ++# FLATCAR: ++# ++# We keep containerd config in /usr/share, so label it as container_config_t too. ++# ++/usr/share/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0) + + /run/containers(/.*)? gen_context(system_u:object_r:container_runtime_t,s0) + /run/libpod(/.*)? 
gen_context(system_u:object_r:container_runtime_t,s0) +diff --git a/refpolicy/policy/modules/services/container.te b/refpolicy/policy/modules/services/container.te +index a5ad4686d..ceaeb2dfc 100644 +--- a/refpolicy/policy/modules/services/container.te ++++ b/refpolicy/policy/modules/services/container.te +@@ -58,6 +58,52 @@ gen_tunable(container_use_dri, false) + ## + gen_tunable(container_use_ecryptfs, false) + ++# FLATCAR: ++# ++# Turned to be true by default to address following AVCs: ++# ++# This one comes from cl.internet (DockerPing?): ++# ++# For ping inside docker container. ++# ++# Boolean container_use_host_all_caps also allows this. Maybe this ++# should be turned on by default then? ++# ++# avc: denied { net_raw } for pid=[0-9]* comm="ping" capability=13 scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=capability permissive=0 ++# ++# This one comes from docker.base: ++# ++# avc: denied { setuid } for pid=[0-9]* comm="ping" capability=7 scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=capability permissive=0 ++# ++# This one happens in kubeadm.v..base for cilium and calico ++# ++# avc: denied { chown } for pid=[0-9]* comm="nginx" capability=0 scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=capability permissive=0 ++# ++# Boolean container_use_host_all_caps also allows this. Maybe this ++# should be turned on by default then? 
++# ++# This one happens in kubeadm.v..base for cilium and calico ++# ++# avc: denied { dac_override } for pid=[0-9]* comm="rpcbind" capability=1 scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=capability permissive=0 ++# ++# This comes from the same place: ++# ++# avc: denied { dac_override } for pid=[0-9]* comm="systemd-tmpfile" capability=1 scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=capability permissive=0 ++# ++# Boolean container_use_host_all_caps also allows this. Maybe this ++# should be turned on by default then? ++# ++# This one happens in kubeadm.v..base for cilium and calico ++# ++# avc: denied { dac_read_search } for pid=[0-9]* comm="rpcbind" capability=2 scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=capability permissive=0 ++# ++# This comes from the same place: ++# ++# avc: denied { dac_read_search } for pid=[0-9]* comm="systemd-tmpfile" capability=2 scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tclass=capability permissive=0 ++# ++# Boolean container_use_host_all_caps also allows this. Maybe this ++# should be turned on by default then? ++# + ## + ##

+ ## Allow containers to use all capabilities in a +@@ -65,7 +111,7 @@ gen_tunable(container_use_ecryptfs, false) + ## directly on the host. + ##

+ ##
+-gen_tunable(container_use_host_all_caps, false) ++gen_tunable(container_use_host_all_caps, true) + + ## + ##

+@@ -1088,3 +1134,105 @@ optional_policy(` + unconfined_domain_noaudit(spc_user_t) + domain_ptrace_all_domains(spc_user_t) + ') ++ ++# ++# FLATCAR: ++# ++# The rules below were added long time ago. ++# ++# TODO: Would be nice to document what they were trying to fix. And ++# maybe document what AVCs they were trying to address? I suspect that ++# a lot of them are not necessary now or won't be necessary when whole ++# image will be labeled. ++# ++ ++allow container_domain self:socket_class_set { accept ioctl read getattr lock write append getopt setopt }; ++allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt shutdown }; ++ ++# required for sharing /run for the etcd-wrapper ++files_mounton_runtime_dirs(container_engine_domain) ++ ++# this is a hack while the system is not labelled. we need to authorize transition from kernel_t ++require { ++ type kernel_t; ++ type tmpfs_t; ++ type var_lib_t; ++ type unconfined_t; ++} ++allow kernel_t container_t:process transition; ++allow initrc_t container_t:process transition; ++allow kernel_t container_t:process2 nnp_transition; ++allow kernel_t unconfined_t:process transition; ++fs_manage_tmpfs_chr_files(container_t) ++fs_manage_tmpfs_dirs(container_t) ++fs_manage_tmpfs_files(container_t) ++fs_manage_tmpfs_sockets(container_t) ++fs_manage_tmpfs_symlinks(container_t) ++fs_remount_tmpfs(container_t) ++kernel_read_messages(container_t) ++kernel_sigchld(container_t) ++kernel_use_fds(container_t) ++allow container_t self:process getcap; ++files_read_var_lib_files(container_t) ++files_read_var_lib_symlinks(container_t) ++term_use_generic_ptys(container_t) ++term_setattr_generic_ptys(container_t) ++allow container_t tmpfs_t:chr_file { read write open }; ++allow container_t container_file_t:chr_file { manage_file_perms }; ++allow container_t self:process getpgid; ++allow container_t container_file_t:file { entrypoint mounton }; ++allow container_t var_lib_t:file { entrypoint execute 
execute_no_trans }; ++allow container_t kernel_t:fifo_file { getattr ioctl read write open append }; ++allow container_t initrc_t:fifo_file { getattr ioctl read write open append }; ++filetrans_pattern(kernel_t, etc_t, container_file_t, dir, "cni") ++ ++# this is required by flanneld ++allow container_t kernel_t:system { module_request }; ++ ++# required by flanneld to write into /run/flannel/subnet.env ++filetrans_pattern(kernel_t, var_run_t, container_file_t, dir, "flannel") ++ ++# required for cilium ++allow kernel_t spc_t:process transition; ++# required for using cilium cgroup v1 ++allow kernel_t self:perf_event { open cpu kernel read }; ++allow unconfined_t container_file_t:file { entrypoint }; ++ ++# ++# These ones come from kubeadm.v..base for cilium and calico: ++# ++# avc: denied { watch } for pid=[0-9]* comm="kube-apiserver" path="/etc/kubernetes/pki/apiserver.crt" dev="overlay" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ++# ++# avc: denied { watch } for pid=[0-9]* comm="kube-apiserver" path="/etc/kubernetes/pki/ca.crt" dev="overlay" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ++# ++# avc: denied { watch } for pid=[0-9]* comm="kube-apiserver" path="/etc/kubernetes/pki/front-proxy-ca.crt" dev="overlay" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ++# ++# avc: denied { watch } for pid=[0-9]* comm="kube-apiserver" path="/etc/kubernetes/pki/front-proxy-client.crt" dev="overlay" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ++# ++# avc: denied { watch } for pid=[0-9]* comm="kube-controller" path="/etc/kubernetes/pki/ca.crt" dev="overlay" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* 
tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ++# ++# avc: denied { watch } for pid=[0-9]* comm="kube-controller" path="/etc/kubernetes/pki/front-proxy-ca.crt" dev="overlay" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 ++# ++allow container_t etc_t:file watch; ++ ++# ++# This one comes from kubeadm.v..base for cilium and calico: ++# ++# avc: denied { watch } for pid=[0-9]* comm="kube-controller" path="/opt/libexec/kubernetes/kubelet-plugins/volume/exec" dev="vda9" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0 ++# ++# This one comes from kubeadm.v.calico.base: ++# ++# avc: denied { watch } for pid=[0-9]* comm="kube-controller" path="/opt/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds" dev="vda9" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0 ++# ++allow container_t usr_t:dir { watch }; ++ ++# ++# These ones come from kubeadm.v.calico.base: ++# ++# avc: denied { execute } for pid=[0-9]* comm="kube-controller" name="uds" dev="vda9" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 ++# ++# avc: denied { execute_no_trans } for pid=[0-9]* comm="kube-controller" path="/opt/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds" dev="vda9" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 ++# ++# avc: denied { map } for pid=[0-9]* comm="uds" path="/opt/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds" dev="vda9" ino=[0-9]* scontext=system_u:system_r:container_t:s0:c[0-9]*,c[0-9]* tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 ++# ++allow container_t usr_t:file { execute execute_no_trans map }; +diff 
--git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te +index c83d88b74..b55afabc0 100644 +--- a/refpolicy/policy/modules/system/init.te ++++ b/refpolicy/policy/modules/system/init.te +@@ -1658,3 +1658,11 @@ optional_policy(` + userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) + userdom_dontaudit_write_user_tmp_files(systemprocess) + ') ++ ++# ++# FLATCAR: ++# ++# TODO: What AVC does this fix? ++# ++require { type unconfined_t; } ++allow init_t unconfined_t:file exec_file_perms; +diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te +index 4dc9981bc..ee68ba624 100644 +--- a/refpolicy/policy/modules/system/locallogin.te ++++ b/refpolicy/policy/modules/system/locallogin.te +@@ -34,7 +34,14 @@ role system_r types sulogin_t; + + allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; + dontaudit local_login_t self:capability net_admin; +-allow local_login_t self:process { getcap setcap setexec setrlimit setsched }; ++# ++# FLATCAR: ++# ++# Added setpgid here. ++# ++# TODO: What AVC does this fix? ++# ++allow local_login_t self:process { setpgid getcap setcap setexec setrlimit setsched }; + allow local_login_t self:fd use; + allow local_login_t self:fifo_file rw_fifo_file_perms; + allow local_login_t self:sock_file read_sock_file_perms; +diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te +index a7b6173d8..343ef1abc 100644 +--- a/refpolicy/policy/modules/system/logging.te ++++ b/refpolicy/policy/modules/system/logging.te +@@ -507,6 +507,15 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t) + + ifdef(`init_systemd',` + # for systemd-journal ++ ++ # ++ # FLATCAR: ++ # ++ # TODO: What AVC does this fix? 
++ # ++ require { type kernel_t; } ++ allow syslogd_t kernel_t:netlink_audit_socket getattr; ++ + allow syslogd_t self:capability audit_control; + allow syslogd_t self:netlink_audit_socket connected_socket_perms; + allow syslogd_t self:capability2 audit_read; +-- +2.34.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-policy-modules-kernel-all-more-actions-for-kernel.patch deleted file mode 100644 index 883720831e7..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-policy-modules-kernel-all-more-actions-for-kernel.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te -index 56dbd5af5..b5cf0e3c0 100644 ---- a/refpolicy/policy/modules/kernel/kernel.te -+++ b/refpolicy/policy/modules/kernel/kernel.te -@@ -363,6 +363,11 @@ files_list_home(kernel_t) - files_read_usr_files(kernel_t) - - mcs_process_set_categories(kernel_t) -+mcs_killall(kernel_t) -+mcs_file_read_all(kernel_t) -+mcs_file_write_all(kernel_t) -+mcs_ptrace_all(kernel_t) -+allow kernel_t self:user_namespace create; - - mls_process_read_all_levels(kernel_t) - mls_process_write_all_levels(kernel_t) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/README.md b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/README.md new file mode 100644 index 00000000000..26a0617e7fa --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/README.md 
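Review bot: Flipping `gen_tunable(container_use_host_all_caps, true)` in the container.te part of this hunk grants every container_t domain all host capabilities in order to clear the five listed denials (net_raw, setuid, chown, dac_override, dac_read_search), which is much broader than those AVCs require. The deleted container.patch carried the narrower `allow container_t self:capability net_raw;`; extending that to `allow container_t self:capability { net_raw setuid chown dac_override dac_read_search };` would cover every denial quoted and leave the tunable at its upstream default, still switchable by operators who need the rest. If the flip is intentional, the comment block (which three times notes that the boolean "also allows this") should state that the boolean was chosen over a targeted allow and why, since the default now applies to all container workloads, not only the test suites named. Separately, the kernel.te additions `allow kernel_t self:dir { add_name write }` and `allow kernel_t self:file { create }` are justified only by comm="bash"/"tee" denials whose cause the comments say is not yet pinpointed; these look like unlabelled processes still running as kernel_t, so tagging them as temporary (e.g. `# FLATCAR: TEMPORARY until the image is fully labelled`) would keep them from outliving the relabeling effort the files.if comment describes.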
@@ -0,0 +1,17 @@ +The following steps were needed to make these patches: + +- Clone the refpolicy repo: + - https://github.com/SELinuxProject/refpolicy.git +- Checkout the appropriate tag: + - For example `RELEASE_2_20231002`. +- Apply the Gentoo patch: + - See the sec-policy/selinux-base ebuild in portage-stable for the + patch tarball URL. +- Apply our changes. +- Generate the patch: + - Since sec-policy/selinux- packages set their source directory to + work directory (in Gentooese: `S=${WORKDIR}/`), the user patches + are applied from the parent directory of the refpolicy sources. In + order to generate proper patches, do `git format-patch + --src-prefix=a/refpolicy/ --dst-prefix=b/refpolicy/ + ` diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/container.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/container.patch deleted file mode 100644 index 912bafb3ef8..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/container.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -diff -p -r -u work/refpolicy/policy/modules/services/container.fc work2/refpolicy/policy/modules/services/container.fc ---- work/refpolicy/policy/modules/services/container.fc 2023-10-02 17:11:39.000000000 -0000 -+++ work2/refpolicy/policy/modules/services/container.fc 2023-11-30 11:01:57.674590785 -0000 -@@ -117,3 +117,5 @@ HOME_DIR/\.docker(/.*)? gen_context(sys - /var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:container_log_t,s0) - /var/log/kube-proxy(/.*)? gen_context(system_u:object_r:container_log_t,s0) - /var/log/kube-scheduler(/.*)? gen_context(system_u:object_r:container_log_t,s0) -+ -+/usr/share/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0) -diff -p -r -u work/refpolicy/policy/modules/services/container.te work2/refpolicy/policy/modules/services/container.te ---- work/refpolicy/policy/modules/services/container.te 2023-10-02 17:11:39.000000000 -0000 -+++ work2/refpolicy/policy/modules/services/container.te 2023-11-30 11:03:31.875742024 -0000 -@@ -1088,3 +1088,65 @@ optional_policy(` - unconfined_domain_noaudit(spc_user_t) - domain_ptrace_all_domains(spc_user_t) - ') -+ -+allow container_domain self:socket_class_set { accept ioctl read getattr lock write append getopt setopt }; -+allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt shutdown }; -+ -+# required for sharing /run for the etcd-wrapper -+files_mounton_runtime_dirs(container_engine_domain) -+ -+# this is a hack while the system is not labelled. 
we need to authorize transition from kernel_t -+require { -+ type kernel_t; -+ type tmpfs_t; -+ type var_lib_t; -+ type unconfined_t; -+} -+allow kernel_t container_t:process transition; -+allow initrc_t container_t:process transition; -+allow kernel_t container_t:process2 nnp_transition; -+allow kernel_t unconfined_t:process transition; -+fs_manage_tmpfs_chr_files(container_t) -+fs_manage_tmpfs_dirs(container_t) -+fs_manage_tmpfs_files(container_t) -+fs_manage_tmpfs_sockets(container_t) -+fs_manage_tmpfs_symlinks(container_t) -+fs_remount_tmpfs(container_t) -+kernel_read_messages(container_t) -+kernel_sigchld(container_t) -+kernel_use_fds(container_t) -+allow container_t self:process getcap; -+files_read_var_lib_files(container_t) -+files_read_var_lib_symlinks(container_t) -+term_use_generic_ptys(container_t) -+term_setattr_generic_ptys(container_t) -+allow container_t tmpfs_t:chr_file { read write open }; -+allow container_t container_file_t:chr_file { manage_file_perms }; -+allow container_t self:capability sys_chroot; -+allow container_t self:process getpgid; -+allow container_t container_file_t:file { entrypoint mounton }; -+allow container_t var_lib_t:file { entrypoint execute execute_no_trans }; -+allow container_t kernel_t:fifo_file { getattr ioctl read write open append }; -+allow container_t initrc_t:fifo_file { getattr ioctl read write open append }; -+filetrans_pattern(kernel_t, etc_t, container_file_t, dir, "cni"); -+ -+# for ping inside docker -+allow container_t self:capability net_raw; -+ -+# this is required by flanneld -+allow container_t kernel_t:system { module_request }; -+ -+# required by flanneld to write into /run/flannel/subnet.env -+filetrans_pattern(kernel_t, var_run_t, container_file_t, dir, "flannel"); -+ -+# required for cilium -+allow kernel_t spc_t:process transition; -+# required for cilium, can be upstreamed -+# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { open } for pid=3480 comm="cilium-agent" 
scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1 -+# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { kernel } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1 -+# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { cpu } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1 -+# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { read } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1 -+allow spc_t self:perf_event { open cpu kernel read }; -+# required for using cilium cgroup v1 -+allow kernel_t self:perf_event { open cpu kernel read }; -+allow unconfined_t container_file_t:file { entrypoint }; diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/files-relabel.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/files-relabel.patch deleted file mode 100644 index dd1090a7abe..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/files-relabel.patch +++ /dev/null @@ -1,44 +0,0 @@ -diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 495cbe2f4..a5605f866 100644 ---- a/refpolicy/policy/modules/kernel/files.if -+++ b/refpolicy/policy/modules/kernel/files.if -@@ -7892,3 +7892,39 @@ interface(`files_unconfined',` - - typeattribute $1 files_unconfined_type; - ') -+ -+######################################## -+##

-+## Relabel all files on the filesystem, except -+## policy_config_t and exceptions. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The types to be excluded. Each type or attribute -+## must be negated by the caller. -+## -+## -+## -+# -+interface(`files_relabel_all_non_policy_files',` -+ gen_require(` -+ attribute file_type; -+ type policy_config_t; -+ ') -+ -+ allow $1 { file_type -policy_config_t $2 }:dir list_dir_perms; -+ relabel_dirs_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) -+ relabel_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) -+ relabel_lnk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) -+ relabel_fifo_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) -+ relabel_sock_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) -+ # this is only relabelfrom since there should be no -+ # device nodes with file types. -+ relabelfrom_blk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) -+ relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 }) -+') diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/icmp-bind.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/icmp-bind.patch deleted file mode 100644 index 1b4bb314673..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/icmp-bind.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in ---- a/refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000 -+++ b/refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000 -@@ -879,6 +879,24 @@ - - ######################################## - ## -+## Bind ICMP sockets to generic nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`corenet_icmp_bind_generic_node',` -+ gen_require(` -+ type node_t; -+ ') -+ -+ allow $1 node_t:icmp_socket node_bind; -+') -+ -+######################################## -+## - ## Bind TCP sockets to generic nodes. - ## - ## -diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in ---- a/refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000 -+++ b/refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000 -@@ -373,7 +373,7 @@ - - # Bind to any network address. - allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind; --allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind; -+allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind; - - # Infiniband - corenet_ib_access_all_pkeys(corenet_unconfined_type) diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/init.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/init.patch deleted file mode 100644 index 35b00b1b64f..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/init.patch +++ /dev/null 
@@ -1,11 +0,0 @@
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dbd39cf8f..563559ca7 100644
---- a/refpolicy/policy/modules/system/init.te
-+++ b/refpolicy/policy/modules/system/init.te
-@@ -1503,3 +1503,6 @@ optional_policy(`
- userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
- userdom_dontaudit_write_user_tmp_files(systemprocess)
- ')
-+
-+require { type unconfined_t; }
-+allow init_t unconfined_t:file exec_file_perms;
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/locallogin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/locallogin.patch
deleted file mode 100644
index 6b688e26fda..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/locallogin.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 109980e79..d5c4a5d95 100644
---- a/refpolicy/policy/modules/system/locallogin.te
-+++ b/refpolicy/policy/modules/system/locallogin.te
-@@ -34,7 +34,7 @@ role system_r types sulogin_t;
- 
- allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
- dontaudit local_login_t self:capability net_admin;
--allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
-+allow local_login_t self:process { setpgid getcap setcap setexec setrlimit setsched };
- allow local_login_t self:fd use;
- allow local_login_t self:fifo_file rw_fifo_file_perms;
- allow local_login_t self:sock_file read_sock_file_perms;
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/logging.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/logging.patch
deleted file mode 100644
index 7e760b6dbab..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/logging.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index abd61e6bd..fb5d69366 100644
---- a/refpolicy/policy/modules/system/logging.te
-+++ b/refpolicy/policy/modules/system/logging.te
-@@ -525,11 +525,13 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
- 
- ifdef(`init_systemd',`
- # for systemd-journal
-+ require { type kernel_t; }
- allow syslogd_t self:capability audit_control;
- allow syslogd_t self:netlink_audit_socket connected_socket_perms;
- allow syslogd_t self:capability2 audit_read;
- allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
-+ allow syslogd_t kernel_t:netlink_audit_socket getattr;
- 
- # remove /run/log/journal when switching to permanent storage
- allow syslogd_t var_log_t:dir rmdir;
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/ping.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/ping.patch
deleted file mode 100644
index ee99de5b771..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/ping.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -u -r refpolicy/policy/modules/admin/netutils.te refpolicy/policy/modules/admin/netutils.te
---- a/refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:28:26.850809330 -0000
-+++ b/refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:29:50.323880882 -0000
-@@ -117,6 +117,7 @@
- corenet_raw_sendrecv_generic_node(ping_t)
- corenet_tcp_sendrecv_generic_node(ping_t)
- corenet_raw_bind_generic_node(ping_t)
-+corenet_icmp_bind_generic_node(ping_t)
- 
- dev_read_urand(ping_t)
- 
-@@ -189,6 +190,7 @@
- corenet_tcp_connect_all_ports(traceroute_t)
- corenet_sendrecv_all_client_packets(traceroute_t)
- corenet_sendrecv_traceroute_server_packets(traceroute_t)
-+corenet_icmp_bind_generic_node(traceroute_t)
- 
- dev_read_rand(traceroute_t)
- dev_read_urand(traceroute_t)