Skip to content
Permalink
Browse files

Label /sys/kernel/ns_last_pid as sysctl_kernel_ns_last_pid_t

CRIU can influence the PID of the threads it wants to create.
CRIU uses /proc/sys/kernel/ns_last_pidto tell the kernel which
PID it wants for the next clone().
So it has to write to that file. This feels like a problematic as
it opens up the container writing to all sysctl_kernel_t.

Using new label container_t will just write to
sysctl_kernel_ns_last_pid_t instad writing to more generic
sysctl_kernel_t files.
  • Loading branch information...
wrabcak committed Apr 4, 2019
1 parent 50cc590 commit f1ba302a9f2b7b249b5ac8df2705be7869575bb6
Showing with 68 additions and 0 deletions.
  1. +60 −0 policy/modules/kernel/kernel.if
  2. +8 −0 policy/modules/kernel/kernel.te
@@ -2172,6 +2172,66 @@ interface(`kernel_rw_kernel_sysctl',`
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
')

########################################
## <summary>
## Read kernel ns lastpid sysctls.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_read_kernel_ns_lastpid_sysctls',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
')

read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)

list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
')

########################################
## <summary>
## Do not audit attempts to write kernel ns lastpid sysctls.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',`
gen_require(`
type sysctl_kernel_ns_last_pid_t;
')

dontaudit $1 sysctl_kernel_ns_last_pid_t:file write;
')

########################################
## <summary>
## Read and write kernel ns lastpid sysctls.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kernel_rw_kernel_sysctl',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t;
')

rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t)

list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t)
')

########################################
## <summary>
## Read filesystem sysctls.
@@ -175,6 +175,11 @@ type sysctl_kernel_t, sysctl_type;
fs_associate(sysctl_kernel_t)
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)

# /sys/kernel/ns_last_pid file
type sysctl_kernel_ns_last_pid_t, sysctl_type;
fs_associate(sysctl_kernel_ns_last_pid_t)
genfscon proc /sys/kernel/ns_last_pid gen_context(system_u:object_r:sysctl_kernel_ns_last_pid_t,s0)

# /proc/sys/net directory and files
type sysctl_net_t, sysctl_type;
fs_associate(sysctl_net_t)
@@ -272,6 +277,9 @@ allow kernel_t proc_kmsg_t:file getattr;

allow kernel_t sysctl_kernel_t:dir list_dir_perms;
allow kernel_t sysctl_kernel_t:file read_file_perms;

allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms;

allow kernel_t sysctl_t:dir list_dir_perms;

# Other possible mount points for the root fs are in files

0 comments on commit f1ba302

Please sign in to comment.
You can’t perform that action at this time.