containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

Add Support for --device /dev/XXX #78

Closed wrabcak closed 3 years ago

wrabcak commented 3 years ago

Commit adds functionality to generate allow rules when the --device switch is used for podman, e.g.:

# podman run --device /dev/tty0 fedora /bin/bash

The output policy should look like:

(block devtest
    (blockinherit container)
    (allow process process ( capability ( audit_write chown dac_override fowner fsetid kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot )))

    (allow process tty_device_t ( blk_file ( getattr read write append ioctl lock open )))
    (allow process tty_device_t ( chr_file ( getattr read write append ioctl lock open )))
)

TODO: CRI-O functionality is missing
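As an added illustration of the rule generation described above (this is example code, not udica's own implementation): it reads the `--device` entries from a constructed `podman inspect` document, maps each host path to its SELinux type through a constructed label table (udica would query the real file context instead), deduplicates by type, and emits the blk_file/chr_file allow rules in the shape of the sample policy. Devices with no known label get no rule and are reported back to the caller.

```python
"""Added example (not udica's own code): build the CIL allow rules for
--device entries from a podman inspect document."""
import json

# Permissions granted on a device node in the PR's sample output.
DEVICE_PERMS = "getattr read write append ioctl lock open"

# Constructed stand-in for querying each host device's SELinux label
# (udica reads the real context via libselinux; no device nodes exist here).
DEVICE_LABELS = {
    "/dev/tty0": "tty_device_t",
    "/dev/tty1": "tty_device_t",
    "/dev/sda": "fixed_disk_device_t",
}

def device_types(inspect_doc, labels=DEVICE_LABELS):
    """Return the sorted set of SELinux types for the container's --device
    entries, plus the host paths whose label is unknown (they get no rule)."""
    devices = inspect_doc["HostConfig"].get("Devices") or []
    types, unknown = set(), []
    for dev in devices:
        path = dev["PathOnHost"]
        if path in labels:
            types.add(labels[path])
        else:
            unknown.append(path)
    return sorted(types), unknown

def device_rules(types, perms=DEVICE_PERMS):
    """Emit one blk_file and one chr_file allow rule per device type."""
    rules = []
    for t in types:
        for cls in ("blk_file", "chr_file"):
            rules.append(f"    (allow process {t} ( {cls} ( {perms} )))")
    return rules

def build_block(name, inspect_doc):
    """Wrap the device rules in a CIL block inheriting the container template."""
    types, _ = device_types(inspect_doc)
    body = ["(block " + name, "    (blockinherit container)"] + device_rules(types) + [")"]
    return "\n".join(body)

# Constructed sample of `podman inspect` output for a --device run.
SAMPLE_INSPECT = json.loads("""{"HostConfig": {"Devices": [
  {"PathOnHost": "/dev/tty0", "PathInContainer": "/dev/tty0", "CgroupPermissions": "rwm"},
  {"PathOnHost": "/dev/tty1", "PathInContainer": "/dev/tty1", "CgroupPermissions": "rwm"},
  {"PathOnHost": "/dev/unknown0", "PathInContainer": "/dev/unknown0", "CgroupPermissions": "rwm"}
]}}""")

if __name__ == "__main__":
    print(build_block("devtest", SAMPLE_INSPECT))
```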

wrabcak commented 3 years ago

@JAORMX , is this applicable for CRI-O?

JAORMX commented 3 years ago

> @JAORMX , is this applicable for CRI-O?

Currently, there doesn't seem to be similar support for this in CRI-O or Kubernetes [1]. But what folks tend to do is bind-mount the device on to the container.

With the current mount parsing, will udica still attach the appropriate policy for a device?

[1] https://github.com/kubernetes/kubernetes/issues/60748

wrabcak commented 3 years ago

Yes, bind-mount will work for containers for both podman and CRI-O.

Okay, thank you for the update. I'll drop the TODO for CRI-O and move the "Draft PR" to "PR".

wrabcak commented 3 years ago

@JAORMX Thank you.