containers / container-selinux

SELinux policy files for Container Runtimes
GNU General Public License v2.0

Socket activation AF_VSOCK (SOCK_STREAM): Client on the host, server on the host #175

Closed eriksjolund closed 2 years ago

eriksjolund commented 2 years ago

Description

Feature request.

Follow these steps to see the audit logs

Open three Bash terminals, terminal 1, terminal 2, terminal 3 on a Fedora 35 Linux computer.

Make sure you are running container-selinux 2.181.0. I installed the RPM from https://bodhi.fedoraproject.org/updates/FEDORA-2022-32eea4f938

$ rpm -q container-selinux
container-selinux-2.181.0-1.fc35.noarch

Terminal 1 and terminal 3 are used for running commands as the regular user.

Terminal 2 is used for running commands as root.

  1. In terminal 1 run

    git clone https://github.com/eriksjolund/socket-activate-echo.git
    cd socket-activate-echo
    git checkout vsock
    mkdir -p ~/.config/systemd/user
    cp -r systemd/echo* ~/.config/systemd/user
  2. In terminal 2 run

    setenforce 0
  3. In terminal 1 run

    [esjolund@asus socket-activate-echo]$ systemctl --user daemon-reload
    [esjolund@asus socket-activate-echo]$ systemctl --user start echo@demo.socket
    [esjolund@asus socket-activate-echo]$ date '+%x %T'
    04/16/2022 13:34:23
    [esjolund@asus socket-activate-echo]$ CID=1
    [esjolund@asus socket-activate-echo]$ echo hello | socat - VSOCK-CONNECT:$CID:3000
    hello

    The special number 1 in CID=1 means VMADDR_CID_LOCAL (see man vsock)

  4. In terminal 2 run

    [root@asus ~]# ausearch --start 04/16/2022  '13:34:23' --raw > /tmp/raw1
    [root@asus ~]# cat /tmp/raw1 | audit2allow 
    
    #============= container_t ==============
    allow container_t container_runtime_t:unix_dgram_socket { getattr getopt };
    allow container_t container_runtime_t:vsock_socket { accept getattr getopt };
    [root@asus ~]# cat /tmp/raw1
    type=AVC msg=audit(1650108867.800:492): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62505]" dev="sockfs" ino=62505 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    type=AVC msg=audit(1650108867.800:493): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" path="/home/esjolund/echo_datagram_sock.demo" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    type=AVC msg=audit(1650108867.801:494): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62510]" dev="sockfs" ino=62510 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650108867.801:495): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650108867.801:496): avc:  denied  { accept } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    [root@asus ~]# cat /tmp/raw1 | ausearch --start 04/16/2022  '13:34:23' 
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.800:492): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62505]" dev="sockfs" ino=62505 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.800:493): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" path="/home/esjolund/echo_datagram_sock.demo" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.801:494): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62510]" dev="sockfs" ino=62510 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.801:495): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.801:496): avc:  denied  { accept } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    [root@asus ~]# 
  5. In terminal 1 run

    [esjolund@asus socket-activate-echo]$ systemd-socket-activate -l /tmp/stream.sock -l 4000 -l vsock:4294967295:4000  podman run --rm --name echo2  --network=none ghcr.io/eriksjolund/socket-activate-echo:vsock  
    Listening on /tmp/stream.sock as 3.
    Listening on [::]:4000 as 4.
    Listening on vsock::4000 as 5.
  6. In terminal 3 run

    [esjolund@asus tmp]$ date '+%x %T'
    04/16/2022 13:42:59
    [esjolund@asus tmp]$ echo hello | socat -t 30 - VSOCK-CONNECT:1:4000
    hello
  7. In terminal 2 run

    [root@asus ~]# ausearch --start 04/16/2022  '13:42:59' --raw > /tmp/raw2
    [root@asus ~]# cat /tmp/raw2 | audit2allow 
    
    #============= container_t ==============
    allow container_t unconfined_t:vsock_socket { accept getattr getopt };
    [root@asus ~]# cat /tmp/raw2 
    type=AVC msg=audit(1650109384.754:497): avc:  denied  { getattr } for  pid=5583 comm="socket-activate" path="socket:[61681]" dev="sockfs" ino=61681 scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650109384.754:498): avc:  denied  { getopt } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650109384.754:499): avc:  denied  { accept } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    [root@asus ~]# cat /tmp/raw2 | ausearch --start 04/16/2022  '13:42:59'
    ----
    time->Sat Apr 16 13:43:04 2022
    type=AVC msg=audit(1650109384.754:497): avc:  denied  { getattr } for  pid=5583 comm="socket-activate" path="socket:[61681]" dev="sockfs" ino=61681 scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:43:04 2022
    type=AVC msg=audit(1650109384.754:498): avc:  denied  { getopt } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:43:04 2022
    type=AVC msg=audit(1650109384.754:499): avc:  denied  { accept } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
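
The two audit2allow outputs above can be reproduced from the raw AVC records alone. The following parser is an added example, not code from the issue or from container-selinux; it takes the `type=AVC` lines exactly as `ausearch --raw` prints them (the eight records from steps 4 and 7 are embedded below as constructed sample input, together with the `----`/`time->` separator lines that the non-raw output adds), groups the denied permissions by source type, target type and object class the way audit2allow does, and also reports whether the denials were recorded under `permissive=1`, which is the detail that tells a reviewer the operations actually went through on this host and would only start failing once enforcing mode is restored.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records from step 4 (/tmp/raw1) and
# step 7 (/tmp/raw2) of the issue, plus the separator lines that the
# non-raw ausearch output inserts, to show they are skipped.
SAMPLE_RAW1 = """\
----
time->Sat Apr 16 13:34:27 2022
type=AVC msg=audit(1650108867.800:492): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62505]" dev="sockfs" ino=62505 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1650108867.800:493): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" path="/home/esjolund/echo_datagram_sock.demo" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1650108867.801:494): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62510]" dev="sockfs" ino=62510 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650108867.801:495): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650108867.801:496): avc:  denied  { accept } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
"""

SAMPLE_RAW2 = """\
type=AVC msg=audit(1650109384.754:497): avc:  denied  { getattr } for  pid=5583 comm="socket-activate" path="socket:[61681]" dev="sockfs" ino=61681 scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650109384.754:498): avc:  denied  { getopt } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650109384.754:499): avc:  denied  { accept } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
"""

# One AVC denial record: the permission set in braces, then the source and
# target security contexts, the object class and (on newer kernels) the
# permissive flag. Everything sits on one line in raw ausearch output.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one raw audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the denial was only logged, not enforced.
        "permissive": m.group("permissive") == "1",
    }


def allow_rules(lines):
    """Merge denials into audit2allow-style rules, one per (source type, target type, class)."""
    perms_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            perms_by_key[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(perms_by_key.items())
    ]


def permissive_count(lines):
    """Number of denials that were recorded while the policy was not enforcing."""
    return sum(1 for line in lines if (r := parse_avc(line)) and r["permissive"])


if __name__ == "__main__":
    for label, raw in (("raw1", SAMPLE_RAW1), ("raw2", SAMPLE_RAW2)):
        lines = raw.splitlines()
        print(f"#============= {label}: {permissive_count(lines)} permissive denials ==============")
        for rule in allow_rules(lines):
            print(rule)
```

Run as-is it prints the same two rule sets the issue shows for `/tmp/raw1` and `/tmp/raw2`, with the difference between them visible in the target type: `container_runtime_t` when the listening vsock socket was created by the `echo@demo.socket` unit, `unconfined_t` when it was created by `systemd-socket-activate` running in the user's shell. That target type is what a policy fix has to cover, and reading it from the records before applying any generated rule is cheaper than discovering a too-narrow or too-broad rule after the fact.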
eriksjolund commented 2 years ago

I noticed that the audit2allow rules collected in this GitHub issue are identical to the audit2allow rules collected in https://github.com/containers/container-selinux/issues/176

echo@demo.service

allow container_t container_runtime_t:unix_dgram_socket { getattr getopt };
allow container_t container_runtime_t:vsock_socket { accept getattr getopt };

systemd-socket-activate

allow container_t unconfined_t:vsock_socket { accept getattr getopt };

Probably it would have been enough to create just one GitHub issue instead of two. The results look so similar.

rhatdan commented 2 years ago

Fixed in v2.182.0