From 3c9e306369cbfed3af15ddd1fafd990973925b55 Mon Sep 17 00:00:00 2001
From: Francesco Romani
Date: Sun, 19 Mar 2023 11:26:10 +0100
Subject: [PATCH] openshift: per-version policies

OCP requires more granular policies. We originally thought we need just two policies: - <= 4.10 - >= 4.11 but we need more of them so this PR enables the granularity level we need.

Signed-off-by: Francesco Romani
---
 pkg/assets/rte/assets.go | 46 +++++++++++++------
 .../ocp_v4.10.cil} | 0
 .../ocp_v4.11.cil} | 0
 pkg/assets/rte/selinuxpolicy/ocp_v4.12.cil | 21 +++++++++
 pkg/assets/rte/selinuxpolicy/ocp_v4.13.cil | 21 +++++++++
 pkg/deployer/platform/version.go | 2 +-
 6 files changed, 74 insertions(+), 16 deletions(-)
 rename pkg/assets/rte/{selinuxpolicy-ocp410.cil => selinuxpolicy/ocp_v4.10.cil} (100%)
 rename pkg/assets/rte/{selinuxpolicy-ocp411.cil => selinuxpolicy/ocp_v4.11.cil} (100%)
 create mode 100644 pkg/assets/rte/selinuxpolicy/ocp_v4.12.cil
 create mode 100644 pkg/assets/rte/selinuxpolicy/ocp_v4.13.cil

diff --git a/pkg/assets/rte/assets.go b/pkg/assets/rte/assets.go
index 86a6446b..ff4467e7 100644
--- a/pkg/assets/rte/assets.go
+++ b/pkg/assets/rte/assets.go
@@ -1,23 +1,28 @@
 package rte
 
 import (
-	_ "embed"
+	"embed"
+	"path/filepath"
 
 	"github.com/k8stopologyawareschedwg/deployer/pkg/deployer/platform"
 )
 
 const (
+	// OCPVersion4.11 is DEPRECATED and will be removed in the next versions
 	OCPVersion411 = "v4.11"
 )
 
-//go:embed selinuxinstall.service.template
-var SELinuxInstallSystemdServiceTemplate []byte
+const (
+	selinuxPolicyDir = "selinuxpolicy"
 
-//go:embed selinuxpolicy-ocp410.cil
-var SELinuxPolicyOCP410 []byte
+	ocpVersion410 = "v4.10"
+	// TODO: demote public constant here once we can remove from the public API
+	ocpVersion412 = "v4.12"
+	ocpVersion413 = "v4.13"
+)
 
-//go:embed selinuxpolicy-ocp411.cil
-var SELinuxPolicyOCP411 []byte
+//go:embed selinuxinstall.service.template
+var SELinuxInstallSystemdServiceTemplate []byte
 
 //go:embed hookconfigrtenotifier.json.template
 var HookConfigRTENotifier []byte
@@ -25,14 +30,25 @@ var HookConfigRTENotifier []byte
 //go:embed rte-notifier.sh
 var NotifierScript []byte
 
+//go:embed selinuxpolicy
+var selinuxpolicy embed.FS
+
 func GetSELinuxPolicy(ver platform.Version) ([]byte, error) {
-	// error should never happen: we control the input here
-	ok, err := ver.AtLeastString(OCPVersion411)
-	if err != nil {
-		return nil, err
-	}
-	if ok {
-		return SELinuxPolicyOCP411, nil
+	// keep it ordered from most recent supported to the oldest supported
+	for _, cand := range []string{ocpVersion413, ocpVersion412, OCPVersion411, ocpVersion410} {
+		// error should never happen: we control the input here
+		ok, err := ver.AtLeastString(cand)
+		if err != nil {
+			return nil, err
+		}
+		if ok {
+			return selinuxpolicy.ReadFile(policyPathFromVer(cand))
+		}
 	}
-	return SELinuxPolicyOCP410, nil
+	// just in case we end up here first supported version is 4.10, hence this is a safe fallback
+	return selinuxpolicy.ReadFile(policyPathFromVer(ocpVersion410))
+}
+
+func policyPathFromVer(ver string) string {
+	return filepath.Join(selinuxPolicyDir, "ocp_"+ver+".cil")
 }
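Review bot: The new comment on `OCPVersion411` in the `const` block misspells the identifier and uses an ad-hoc "DEPRECATED" wording that Go tooling (staticcheck, pkg.go.dev) does not recognise; only a paragraph beginning with `Deprecated:` is surfaced to callers. Suggest `// OCPVersion411 is the OCP 4.11 version string used for policy selection.` followed by a blank `//` line and `// Deprecated: will be removed in a future version; use GetSELinuxPolicy instead.` The same hunk also drops the exported `SELinuxPolicyOCP410` and `SELinuxPolicyOCP411` variables, which is a breaking change for any external importer even though the TODO on `ocpVersion412` suggests the public surface is meant to be preserved; that removal deserves a mention in the commit message or a deprecation cycle of its own.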
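Review bot: `policyPathFromVer` builds the key for `selinuxpolicy.ReadFile` with `filepath.Join`, but `embed.FS` paths are `io/fs` paths and must be slash-separated regardless of host OS, so on Windows the join produces a backslash path and every lookup in `GetSELinuxPolicy` fails (the fallback included). Use the slash-only helper instead: `return path.Join(selinuxPolicyDir, "ocp_"+ver+".cil")` with `"path"` replacing `"path/filepath"` in the import block of the first hunk. Because a version constant without a matching `.cil` file in the embedded directory only surfaces as a runtime error at deploy time, a small test that walks the same candidate list (`ocpVersion413`, `ocpVersion412`, `OCPVersion411`, `ocpVersion410`) and asserts `selinuxpolicy.ReadFile` succeeds for each would catch that class of mistake at build time.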
diff --git a/pkg/assets/rte/selinuxpolicy-ocp410.cil b/pkg/assets/rte/selinuxpolicy/ocp_v4.10.cil
similarity index 100%
rename from pkg/assets/rte/selinuxpolicy-ocp410.cil
rename to pkg/assets/rte/selinuxpolicy/ocp_v4.10.cil
diff --git a/pkg/assets/rte/selinuxpolicy-ocp411.cil b/pkg/assets/rte/selinuxpolicy/ocp_v4.11.cil
similarity index 100%
rename from pkg/assets/rte/selinuxpolicy-ocp411.cil
rename to pkg/assets/rte/selinuxpolicy/ocp_v4.11.cil
diff --git a/pkg/assets/rte/selinuxpolicy/ocp_v4.12.cil b/pkg/assets/rte/selinuxpolicy/ocp_v4.12.cil
new file mode 100644
index 00000000..32dff5df
--- /dev/null
+++ b/pkg/assets/rte/selinuxpolicy/ocp_v4.12.cil
@@ -0,0 +1,21 @@
+(block rte
+    (type process)
+    (roletype system_r process)
+    (typeattributeset domain (process))
+    ;
+    ; Giving rte.process the same attributes as container_t
+    (typeattributeset container_domain (process))
+    (typeattributeset container_net_domain (process))
+    (typeattributeset svirt_sandbox_domain (process))
+    (typeattributeset sandbox_net_domain (process))
+
+    ;
+    ; Allow to RTE pod access to /run/rte directory
+    (allow process container_var_run_t (dir (add_name write)))
+    (allow process container_var_run_t (file (create read write open)))
+
+    ;
+    ; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
+    (allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
+    (allow process kubelet_t (unix_stream_socket (connectto)))
+)
diff --git a/pkg/assets/rte/selinuxpolicy/ocp_v4.13.cil b/pkg/assets/rte/selinuxpolicy/ocp_v4.13.cil
new file mode 100644
index 00000000..32dff5df
--- /dev/null
+++ b/pkg/assets/rte/selinuxpolicy/ocp_v4.13.cil
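Review bot: `ocp_v4.12.cil` and `ocp_v4.13.cil` are byte-identical (both are created with blob `32dff5df`), so the per-version split currently only adds copies that must be kept in sync by hand; a header comment in each new file stating which version it was derived from and that it has not yet diverged, e.g. `; policy for OCP 4.12 - currently identical to ocp_v4.11.cil, keep in sync until it needs to diverge` (the 4.11 relation is inferred from the rename and is not visible here), would tell the next maintainer where a fix has to be replicated. The comment above the `container_var_lib_t` rule names a single socket path, but SELinux grants by label, so the rule covers every `sock_file` carrying that type, not only `kubelet.sock`; wording it as `; Allow RTE to open and use sock_files labelled container_var_lib_t (e.g. /var/lib/kubelet/pod-resources/kubelet.sock)` documents the real scope of the grant. The same notes apply to the `ocp_v4.13.cil` hunk that follows.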
@@ -0,0 +1,21 @@
+(block rte
+    (type process)
+    (roletype system_r process)
+    (typeattributeset domain (process))
+    ;
+    ; Giving rte.process the same attributes as container_t
+    (typeattributeset container_domain (process))
+    (typeattributeset container_net_domain (process))
+    (typeattributeset svirt_sandbox_domain (process))
+    (typeattributeset sandbox_net_domain (process))
+
+    ;
+    ; Allow to RTE pod access to /run/rte directory
+    (allow process container_var_run_t (dir (add_name write)))
+    (allow process container_var_run_t (file (create read write open)))
+
+    ;
+    ; Allow to RTE pod connect, read and write permissions to /var/lib/kubelet/pod-resource/kubelet.sock
+    (allow process container_var_lib_t (sock_file (open getattr read write ioctl lock append)))
+    (allow process kubelet_t (unix_stream_socket (connectto)))
+)
diff --git a/pkg/deployer/platform/version.go b/pkg/deployer/platform/version.go
index f1262dff..13fdb4f6 100644
--- a/pkg/deployer/platform/version.go
+++ b/pkg/deployer/platform/version.go
@@ -43,7 +43,7 @@ func (v Version) AtLeastString(other string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	return ser.Compare(ref) >= 0, nil
+	return ser.GreaterThanOrEqual(ref), nil
 }
 
 func (v Version) AtLeast(other Version) (bool, error) {
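Review bot: The switch from `ser.Compare(ref) >= 0` to `ser.GreaterThanOrEqual(ref)` in `AtLeastString` is not covered by the commit message, which only talks about per-version policies, and the hunk does not show how `ser` and `ref` are parsed, so whether the two forms agree on pre-release and build-metadata inputs cannot be confirmed from here. Since `GetSELinuxPolicy` now picks the SELinux policy by walking a candidate list with this method, a table test pinning equal, greater, lesser and pre-release inputs (e.g. a constructed `v4.12.0-rc.1` against `v4.12`) would make the ordering contract explicit. The enclosing function `AtLeastString` starts above the hunk, outside it.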