From 635431d7bdd7d98724c8d94869fc1d5c73d31431 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Aug 2024 15:08:33 -0400
Subject: [PATCH 1/6] container, kubernetes: add supporting rules for kubevirt and multus

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.if | 39 +++++++++++++++++++++++++++
 policy/modules/services/container.te | 9 +++++++
 policy/modules/services/kubernetes.te | 2 ++
 3 files changed, 50 insertions(+)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index ceb9de817..c9f4aa934 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1207,6 +1207,25 @@ interface(`container_watch_config_dirs',`
 allow $1 container_config_t:dir watch;
 ')
 
+########################################
+##
+## Allow the specified domain to
+## create container config directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_create_config_dirs',`
+ gen_require(`
+ type container_config_t;
+ ')
+
+ create_dirs_pattern($1, container_config_t, container_config_t)
+')
+
 ########################################
 ##
 ## Allow the specified domain to
@@ -1607,6 +1626,26 @@ interface(`container_list_ro_dirs',`
 allow $1 container_ro_file_t:dir list_dir_perms;
 ')
 
+########################################
+##
+## Allow the specified domain to get
+## the attributes of all read-only
+## container file character devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_getattr_all_ro_chr_files',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ allow $1 container_ro_file_t:chr_file getattr;
+')
+
 ########################################
 ##
 ## Allow the specified domain to get
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 864fae707..0f84b2827 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
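Review bot: The new interface `container_getattr_all_ro_chr_files` (second hunk) only grants `getattr` on the single type `container_ro_file_t`, so the `_all_` in its name overstates its scope unless the neighbouring `container_getattr_all_ro_files`, which is outside this hunk, is likewise limited to that one type. If that existing interface is attribute-based, either rename this one to `container_getattr_ro_chr_files` or extend it to the same attribute so the two stay parallel, and make the summary `the attributes of all read-only container file character devices` describe whichever scope is chosen. The interface bodies themselves look correct for what they declare.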
@@ -224,6 +224,9 @@ container_mountpoint(container_runtime_t) type container_tmpfs_t; files_tmpfs_file(container_tmpfs_t) +type container_tmp_t; +files_tmp_file(container_tmp_t) + type container_log_t; logging_log_file(container_log_t) optional_policy(` @@ -1093,6 +1096,7 @@ container_manage_config_files(spc_t) container_list_plugin_dirs(spc_t) container_manage_plugin_files(spc_t) +container_create_config_dirs(spc_t) container_create_config_files(spc_t) container_rw_config_files(spc_t) @@ -1104,6 +1108,11 @@ container_manage_var_lib_dirs(spc_t) container_manage_var_lib_files(spc_t) container_map_var_lib_files(spc_t) +manage_dirs_pattern(spc_t, container_tmp_t, container_tmp_t) +manage_files_pattern(spc_t, container_tmp_t, container_tmp_t) +files_tmp_filetrans(spc_t, container_tmp_t, { dir file }) + +files_runtime_filetrans(spc_t, container_runtime_t, dir) # for cilium allow spc_t container_config_t:dir watch; allow spc_t container_runtime_t:lnk_file manage_lnk_file_perms; diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 839635026..de2e56451 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -82,6 +82,7 @@ corenet_tcp_connect_all_ports(kubernetes_container_engine_domain) dev_create_generic_blk_files(kubernetes_container_engine_domain) files_getattr_kernel_modules(kubernetes_container_engine_domain) +files_mounton_runtime_dirs(kubernetes_container_engine_domain) # for replicated storage that may be mounted in /mnt files_search_mnt(kubernetes_container_engine_domain) @@ -408,6 +409,7 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file }) # for metrics and accounting container_getattr_all_files(kubelet_t) container_getattr_all_ro_files(kubelet_t) +container_getattr_all_ro_chr_files(kubelet_t) container_getattr_all_var_lib_files(kubelet_t) ifdef(`init_systemd',` From 130d8533d69f630892494377992e4895d4fdb329 Mon Sep 17 00:00:00 2001 
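Review bot: `files_runtime_filetrans(spc_t, container_runtime_t, dir)` in the third container.te hunk is an unnamed transition, so every directory spc_t creates directly under /run is labelled container_runtime_t, not just the one kubevirt or multus needs; for a privileged container domain a named transition is easier to reason about. If the directory name is fixed, prefer `files_runtime_filetrans(spc_t, container_runtime_t, dir, "<runtime-dir-name>")` with the real name substituted, and tag the line with a `# for ...` comment like the surrounding rules carry. It is also worth confirming which domain writes the /tmp rules file that PATCH 3 has iptables_t read: after this hunk spc_t's own /tmp files become `container_tmp_t`, whereas PATCH 3 grants read on `container_engine_tmp_t`, so the two only line up if the engine itself writes the file.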
From: Kenton Groombridge
Date: Fri, 9 Aug 2024 15:21:18 -0400
Subject: [PATCH 2/6] container: allow spc various rules for kubevirt

Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/services/container.te | 13 +++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 6bea5ccf9..085bd30f0 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5465,6 +5465,24 @@ interface(`dev_relabelfrom_vfio_dev',`
 relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
 ')
 
+############################
+##
+## Get the attributes of the vhost devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_getattr_vhost_dev',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
 ############################
 ##
 ## Allow read/write the vhost devices
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 0f84b2827..938446471 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -978,7 +978,7 @@ allow spc_t self:process { getcap setrlimit };
 # Normally triggered when rook-ceph executes lvm tools which creates noise.
 # This can be allowed if actually needed.
 dontaudit spc_t self:process setfscreate;
-allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid ipc_lock mknod net_admin net_raw setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
+allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
 allow spc_t self:capability2 { bpf perfmon };
 allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow spc_t self:key manage_key_perms;
@@ -1004,14 +1004,19 @@ allow spc_t container_engine_tmpfs_t:chr_file rw_chr_file_perms;
 allow spc_t container_engine_tmpfs_t:lnk_file read_lnk_file_perms;
 # for rook-ceph
 allow spc_t container_engine_tmpfs_t:blk_file rw_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };
 
 # for kubernetes storage class providers
 allow spc_t container_file_t:{ dir file } mounton;
 allow spc_t container_file_t:dir_file_class_set relabel_blk_file_perms;
 # for rook-ceph
 allow spc_t container_file_t:blk_file manage_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_file_t:chr_file setattr;
+allow spc_t container_file_t:filesystem unmount;
 
-allow spc_t container_runtime_t:dir { manage_dir_perms mounton };
+allow spc_t container_runtime_t:dir { manage_dir_perms mounton watch };
 allow spc_t container_runtime_t:file manage_file_perms;
 allow spc_t container_runtime_t:sock_file manage_sock_file_perms;
 
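Review bot: The four capabilities added to the `allow spc_t self:capability` line in the first hunk (`dac_override`, `kill`, `setgid`, `setuid`) carry no justification, while every other addition in the second hunk is tagged `# for multus and kubevirt`; since the set is one line, a comment directly above it naming the component behind each new capability keeps the audit trail intact, e.g. `# dac_override, kill, setgid, setuid: for multus and kubevirt`. `dac_override` in particular lands next to the existing `dac_read_search`; as far as I recall the kernel tries dac_read_search before dac_override for read and search checks, so dac_override is only needed for write-type access, and the denial that motivated it is worth re-checking before widening an already privileged domain. The spc_t block continues outside both hunks.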
@@ -1034,6 +1039,10 @@ dev_filetrans(spc_t, container_device_t, blk_file)
 dev_dontaudit_getattr_all_chr_files(spc_t)
 dev_dontaudit_setattr_generic_symlinks(spc_t)
 dev_dontaudit_relabelto_generic_blk_files(spc_t)
+# for multus and kubevirt
+dev_getattr_kvm_dev(spc_t)
+dev_getattr_vhost_dev(spc_t)
+dev_watch_dev_dirs(spc_t)
 
 fs_read_nsfs_files(spc_t)
 fs_mount_xattr_fs(spc_t)

From ca7b2180465f88607bce3aae03acb964ca273e07 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Aug 2024 15:23:24 -0400
Subject: [PATCH 3/6] iptables: allow reading container engine tmp files

When multus creates a new network, iptables rules get written to /tmp and iptables will be called to load them.

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.if | 20 ++++++++++++++++++++
 policy/modules/system/iptables.te | 5 +++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index c9f4aa934..902c31b89 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -480,6 +480,26 @@ interface(`container_search_engine_tmp',`
 allow $1 container_engine_tmp_t:dir search_dir_perms;
 ')
 
+########################################
+##
+## Allow the specified domain to read
+## container engine temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_engine_tmp_files',`
+ gen_require(`
+ type container_engine_tmp_t;
+ ')
+
+ container_search_engine_tmp($1)
+ allow $1 container_engine_tmp_t:file read_file_perms;
+')
+
 ########################################
 ##
 ## Allow the specified domain to manage
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 989404bb0..68ad7c54e 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -104,11 +104,12 @@ sysnet_dns_name_resolve(iptables_t)
 userdom_use_inherited_user_terminals(iptables_t)
 
 
-
-
 optional_policy(`
 # iptables may try to rw /ptmx in a container
 container_dontaudit_rw_chr_files(iptables_t)
+
+ # iptables reads firewall rules written to tmp
+ container_read_engine_tmp_files(iptables_t)
 ')
 
 optional_policy(`

From 9c2ca659096f4c8709e889f586885816d922911e Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Aug 2024 15:30:01 -0400
Subject: [PATCH 4/6] container: add container_kvm_t and supporting kubevirt rules

container_kvm_t is the type for containers with access to KVM for running virtual machines.

Signed-off-by: Kenton Groombridge
---
 policy/modules/services/container.te | 34 +++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 938446471..b8316aad6 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -180,6 +180,12 @@ ifdef(`enable_mls',`
 ')
 mls_trusted_object(container_engine_t)
 
+container_domain_template(container_kvm)
+typeattribute container_kvm_t container_system_domain, container_net_domain;
+optional_policy(`
+ kubernetes_container(container_kvm_t)
+')
+
 type spc_t, container_domain, container_net_domain, container_system_domain, privileged_container_domain;
 domain_type(spc_t)
 role system_r types spc_t;
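Review bot: The comment `# iptables reads firewall rules written to tmp` does not say which domain writes the file, and that decides whether the grant matches: `container_read_engine_tmp_files` only covers `container_engine_tmp_t`, so if the rules are written by multus running as a privileged container rather than by the engine itself, the file will carry the spc_t tmp type introduced in PATCH 1 (`container_tmp_t`) and this rule will not apply. Once confirmed against the denial, record the writer in the comment, e.g. `# iptables reads rules the container engine writes to /tmp (container_engine_tmp_t)`. The two removed whitespace-only lines above `optional_policy(`` are unrelated cleanup and would be easier to review in their own commit.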
@@ -942,6 +948,28 @@ filetrans_pattern(container_engine_user_domain, container_data_home_t, container
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_file_t, dir, "volumes")
 
+########################################
+#
+# KVM container local policy
+#
+
+allow container_kvm_t self:process { getcap setrlimit };
+allow container_kvm_t self:capability { net_admin sys_resource };
+allow container_kvm_t self:tun_socket { relabelfrom relabelto };
+
+dev_getattr_mtrr_dev(container_kvm_t)
+dev_read_sysfs(container_kvm_t)
+
+fs_read_cgroup_files(container_kvm_t)
+
+kernel_read_device_sysctls(container_kvm_t)
+kernel_read_irq_sysctls(container_kvm_t)
+kernel_read_vm_overcommit_sysctl(container_kvm_t)
+
+allow container_kvm_t spc_t:fd use;
+allow container_kvm_t spc_t:fifo_file write;
+allow container_kvm_t spc_t:tun_socket relabelfrom;
+
 ########################################
 #
 # Common privileged container local policy
@@ -974,7 +1002,7 @@ domtrans_pattern(container_engine_system_domain, container_file_t, spc_t)
 domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t)
 
-allow spc_t self:process { getcap setrlimit };
+allow spc_t self:process { getcap setexec setrlimit };
 # Normally triggered when rook-ceph executes lvm tools which creates noise.
 # This can be allowed if actually needed.
 dontaudit spc_t self:process setfscreate;
@@ -1127,6 +1155,10 @@ allow spc_t container_config_t:dir watch;
 allow spc_t container_runtime_t:lnk_file manage_lnk_file_perms;
 allow spc_t container_runtime_t:file watch;
 
+# for kubevirt
+allow spc_t container_kvm_t:process transition;
+ps_process_pattern(spc_t, container_kvm_t)
+
 ifdef(`init_systemd',`
 init_dbus_chat(spc_t)
 init_run_bpf(spc_t)
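Review bot: The `KVM container local policy` section in the first hunk never touches the KVM or vhost devices: its rules cover capabilities, sysfs/cgroup/sysctl reads and the fd/fifo/tun_socket interaction with spc_t, so a reader cannot tell from this block how container_kvm_t actually reaches /dev/kvm (presumably through device nodes the engine relabels, or through rules in `container_domain_template`, neither of which is visible here). A one-line hedged comment under the header would save the next reader a search, e.g. `# NOTE: kvm/vhost device access for this domain comes from <source> (not from this section)` with the real source filled in. `net_admin` on a container domain also deserves a word here, since PATCH 6 exempts this type from the sechecker net_admin check; name the kubevirt function that needs it.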
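Review bot: `allow spc_t container_kvm_t:process transition;` in the third hunk is paired with the new `setexec` on `allow spc_t self:process` in the second hunk, but no `type_transition` or domtrans pattern is added, so the switch into container_kvm_t must be driven by the privileged container setting its exec context before exec; that design choice is not written down near either line, and `# for kubevirt` alone will not tell a future reader why the usual domtrans pattern is absent. Suggest `# for kubevirt: spc_t selects container_kvm_t via setexec before exec, so no type_transition is needed` above the transition rule and the same reason on the setexec line. The transition also needs an entrypoint type for container_kvm_t that this series does not add; if `container_domain_template` supplies it, say so in the comment, and if it does not, the rule cannot take effect as written.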
From fe0472250f6688ea62b470a1f80f30e394b3dff8 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Aug 2024 15:36:57 -0400
Subject: [PATCH 5/6] various: rules required for DV manipulation in kubevirt

Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.te | 1 +
 policy/modules/services/container.te | 3 +++
 policy/modules/services/kubernetes.if | 19 +++++++++++++++++++
 policy/modules/services/kubernetes.te | 1 +
 policy/modules/system/iptables.te | 5 +++++
 policy/modules/system/mount.te | 1 +
 7 files changed, 48 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 085bd30f0..aabc1b8e7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -108,6 +108,24 @@ interface(`dev_getattr_fs',`
 allow $1 device_t:filesystem getattr;
 ')
 
+########################################
+##
+## Unmount device filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_unmount_fs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:filesystem unmount;
+')
+
 ########################################
 ##
 ## Remount device filesystems.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b16142608..b791ebc71 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -315,6 +315,7 @@ dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_blk_files(kernel_t)
 dev_rw_generic_chr_files(kernel_t)
 dev_setattr_generic_blk_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index b8316aad6..6b75b9477 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
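Review bot: `dev_rw_generic_blk_files(kernel_t)` in the kernel.te hunk gives kernel threads read/write on every block device still labelled device_t, and unlike the container.te hunk of this same patch (`# for DV upload in kubevirt over rook-ceph`) it carries no comment saying which device or kernel path triggers it. If the block device involved only has the generic label because no file context matches it, the narrower fix is a file context entry giving it a proper type plus the matching interface, keeping this generic grant at most as a fallback. Either way, add a comment naming the device, e.g. `# kubevirt DV over rook-ceph: <device path> is still device_t when the kernel opens it`, with the real path substituted.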
@@ -1071,6 +1071,9 @@ dev_dontaudit_relabelto_generic_blk_files(spc_t)
 dev_getattr_kvm_dev(spc_t)
 dev_getattr_vhost_dev(spc_t)
 dev_watch_dev_dirs(spc_t)
+# for DV upload in kubevirt over rook-ceph
+dev_unmount_fs(spc_t)
+dev_remount_fs(spc_t)
 
 fs_read_nsfs_files(spc_t)
 fs_mount_xattr_fs(spc_t)
diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if
index de14a7b61..2af5b64b3 100644
--- a/policy/modules/services/kubernetes.if
+++ b/policy/modules/services/kubernetes.if
@@ -377,6 +377,25 @@ interface(`kubernetes_run_engine_bpf',`
 allow $1 kubernetes_container_engine_domain:bpf prog_run;
 ')
 
+########################################
+##
+## Read and write FIFO files from
+## kubernetes container engines.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kubernetes_rw_container_engine_fifo_files',`
+ gen_require(`
+ attribute kubernetes_container_engine_domain;
+ ')
+
+ allow $1 kubernetes_container_engine_domain:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ##
 ## Search kubernetes config directories.
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index de2e56451..3ce6b4392 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -258,6 +258,7 @@ corecmd_exec_bin(kubelet_t)
 corecmd_watch_bin_dirs(kubelet_t)
 
 dev_getattr_mtrr_dev(kubelet_t)
+dev_getattr_generic_blk_files(kubelet_t)
 dev_read_kmsg(kubelet_t)
 dev_read_sysfs(kubelet_t)
 
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 68ad7c54e..c9ec5d9c9 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -127,6 +127,11 @@ optional_policy(`
 firstboot_rw_pipes(iptables_t)
 ')
 
+optional_policy(`
+ # apply firewall rules from multus
+ kubernetes_rw_container_engine_fifo_files(iptables_t)
+')
+
 optional_policy(`
 modutils_run(iptables_t, iptables_roles)
 ')
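Review bot: `kubernetes_rw_container_engine_fifo_files(iptables_t)` in the iptables.te hunk grants `rw_fifo_file_perms` on pipes of every kubernetes container engine domain, but the comment `# apply firewall rules from multus` does not say which direction is actually needed: if iptables only consumes the rule stream on an inherited stdin pipe, read permission would suffice, and write is only required if its stdout/stderr are also pipes from the engine. Check the denial and, if both directions appear, say so in the comment, e.g. `# multus pipes rules to iptables and collects its output`; if only read is needed, a read-only variant of the new kubernetes.if interface would be the tighter fit. The interface body itself is consistent with its `rw` name.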
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 88ffb90f6..01fe24528 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -83,6 +83,7 @@ dev_dontaudit_write_sysfs_dirs(mount_t)
 dev_rw_lvm_control(mount_t)
 dev_rw_loop_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
+dev_dontaudit_getattr_generic_blk_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 # Early devtmpfs, before udev relabel

From c5925c6b3619046aa431e02a48f64850161cd3a0 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Aug 2024 15:45:47 -0400
Subject: [PATCH 6/6] testing: add container_kvm_t to net admin exempt list

Signed-off-by: Kenton Groombridge
---
 testing/sechecker.ini | 1 +
 1 file changed, 1 insertion(+)

diff --git a/testing/sechecker.ini b/testing/sechecker.ini
index b873b94ec..54179ef47 100644
--- a/testing/sechecker.ini
+++ b/testing/sechecker.ini
@@ -241,6 +241,7 @@ exempt_source = arpwatch_t
 chronyd_t # Conditional access (chronyd_hwtimestamp)
 condor_startd_t
 container_engine_t
+ container_kvm_t
 container_t # Conditional access (container_use_host_all_caps)
 crio_t
 ctdbd_t
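Review bot: The new `container_kvm_t` exemption in the sechecker.ini hunk has no inline reason, whereas the neighbouring entries that are not self-explanatory carry one (`chronyd_t # Conditional access (chronyd_hwtimestamp)`, `container_t # Conditional access (container_use_host_all_caps)`). The net_admin grant for this type in PATCH 4 is unconditional, so the exemption should say what needs it, e.g. `container_kvm_t # net_admin for kubevirt VM networking (see container.te)`, once the exact reason is confirmed. Without it the next person auditing the exempt list cannot tell a deliberate exemption from a leftover.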