processes: cleanup

Signed-off-by: Dmitry Sharshakov <[email protected]>

selinux/common/processes.cil

@@ -41,8 +41,7 @@
 ; BPF, observability
 (allow any_p self (bpf (map_create map_read map_write prog_load prog_run)))
 
-; TODO: check if sys_admin is ok
-; All caps
+; All caps, except sys_boot and sys_modules
 (allow any_p self (capability (
     audit_control
     audit_write
@@ -66,9 +65,7 @@
     setpcap
     setuid
     sys_admin
-    sys_boot
     sys_chroot
-    sys_module
     sys_nice
     sys_pacct
     sys_ptrace
@@ -100,9 +97,7 @@
     setpcap
     setuid
     sys_admin
-    sys_boot
     sys_chroot
-    sys_module
     sys_nice
     sys_pacct
     sys_ptrace
@@ -185,10 +180,8 @@
 (allow any_p self (perf_event (open cpu kernel tracepoint read write)))
 ; Used by chromium, wine, other. Might be useful to disable to protect from kernel null-deref exploits
 (allow any_p self (memprotect (mmap_zero)))
-; TODO: kernel_service
-; TODO: anon_inode
-; TODO: override_creds?
-(allow any_p self (io_uring (sqpoll cmd)))
+; TODO: kernel_service, anon_inode
+(allow any_p self (io_uring (sqpoll cmd override_creds)))
 (allow any_p self (user_namespace (create)))
 
 (allow pod_t pod_t (fs_classes (rw)))

selinux/services/cri.cil

@@ -56,7 +56,6 @@
 (allow pod_p self (unix_stream_socket (connectto)))
 
 ; kube-proxy demands
-; TODO: specifically /proc/sys/net
 (allow pod_p proc_sysctl_t (fs_classes (rw)))
 ; comm="loopback"
 (allow pod_p nsfs_t (fs_classes (ro)))

selinux/services/kubelet.cil

@@ -13,15 +13,13 @@
 (allow kubelet_t dbus_client_socket_t (sock_file (append getattr open write)))
 (allow kubelet_t init_t (unix_stream_socket (connectto getattr)))
 
-; D-Bus socket used for shutdown notification, owned by machined
+; CRI socket
 (allow kubelet_t pod_containerd_socket_t (sock_file (append getattr open write)))
 (allow kubelet_t pod_containerd_t (unix_stream_socket (connectto getattr)))
 
 ; Read misc kernel properties
 (allow kubelet_t proc_sysctl_t (fs_classes (ro)))
 
-(allow kubelet_t self (capability2 (syslog)))
-
 ; Manage filesystem quotas and mounts
 (allow kubelet_t filesystem_f (filesystem (
     associate
@@ -43,33 +41,9 @@
 
 ; syslog
 (allow kubelet_t kernel_t (system (syslog_read)))
+(allow kubelet_t self (capability2 (syslog)))
 
 ; TODO: constrain
 (allow kubelet_t device_f (fs_classes (rw)))
 (allow kubelet_t sysfs_t (fs_classes (ro)))
 (allow kubelet_t securityfs_t (fs_classes (ro)))
-
-(allow kubelet_t kernel_t (fifo_file (write)))
-(allow kubelet_t kernel_t (unix_stream_socket (connectto)))
-
-; TODO: ensure all these
-; mounts := []specs.Mount{
-; 	{Type: "bind", Destination: "/dev", Source: "/dev", Options: []string{"rbind", "rshared", "rw"}},
-; 	{Type: "sysfs", Destination: "/sys", Source: "/sys", Options: []string{"bind", "ro"}},
-; 	{Type: "securityfs", Destination: "/sys/kernel/security", Source: "/sys/kernel/security", Options: []string{"bind", "ro"}},
-; 	{Type: "bind", Destination: constants.CgroupMountPath, Source: constants.CgroupMountPath, Options: []string{"rbind", "rshared", "rw"}},
-; 	{Type: "bind", Destination: "/lib/modules", Source: "/lib/modules", Options: []string{"bind", "ro"}},
-; 	{Type: "bind", Destination: "/etc/kubernetes", Source: "/etc/kubernetes", Options: []string{"bind", "rshared", "rw"}},
-; 	{Type: "bind", Destination: constants.KubeletCredentialProviderBinDir, Source: constants.KubeletCredentialProviderBinDir, Options: []string{"bind", "ro"}},
-; 	{Type: "bind", Destination: "/etc/nfsmount.conf", Source: "/etc/nfsmount.conf", Options: []string{"bind", "ro"}},
-; 	{Type: "bind", Destination: "/etc/machine-id", Source: "/etc/machine-id", Options: []string{"bind", "ro"}},
-; 	{Type: "bind", Destination: "/etc/os-release", Source: "/etc/os-release", Options: []string{"bind", "ro"}},
-; 	{Type: "bind", Destination: constants.PodResolvConfPath, Source: constants.PodResolvConfPath, Options: []string{"bind", "ro"}},
-; 	{Type: "bind", Destination: "/etc/cni", Source: "/etc/cni", Options: []string{"rbind", "rshared", "rw"}},
-; 	{Type: "bind", Destination: "/usr/libexec/kubernetes", Source: "/usr/libexec/kubernetes", Options: []string{"rbind", "rshared", "rw"}},
-; 	{Type: "bind", Destination: "/var/run", Source: "/run", Options: []string{"rbind", "rshared", "rw"}},
-; 	{Type: "bind", Destination: "/var/lib/containerd", Source: "/var/lib/containerd", Options: []string{"rbind", "rshared", "rw"}},
-; 	{Type: "bind", Destination: "/var/lib/kubelet", Source: "/var/lib/kubelet", Options: []string{"rbind", "rshared", "rw"}},
-; 	{Type: "bind", Destination: "/var/log/containers", Source: "/var/log/containers", Options: []string{"rbind", "rshared", "rw"}},
-; 	{Type: "bind", Destination: "/var/log/pods", Source: "/var/log/pods", Options: []string{"rbind", "rshared", "rw"}},
-; }

selinux/services/machined.cil

@@ -47,3 +47,6 @@
 
 ; Used during reboot probably
 (allow init_t apid_t (unix_stream_socket (connectto)))
+
+(allow any_p self (capability (sys_boot sys_module)))
+(allow any_p self (cap_userns (sys_boot sys_module)))

selinux/services/udev.cil

@@ -26,6 +26,8 @@
 
 ; TODO: other module locations? Special label?
 (allow udev_t lib_t (system (module_load)))
+(allow udev_t self (capability (sys_module)))
+(allow udev_t self (cap_userns (sys_module)))
 
 (type udev_socket_t)
 (call system_socket_f (udev_socket_t))
@@ -73,5 +75,7 @@
 (filecon "/sbin/modprobe" file (system_u object_r modprobe_exec_t (systemLow systemLow)))
 (allow kernel_t modprobe_exec_t (file (execute_no_trans)))
 (allow udev_t modprobe_exec_t (file (execute_no_trans)))
+(allow kernel_t self (capability (sys_module)))
+(allow kernel_t self (cap_userns (sys_module)))
 
 (allow udev_t kernel_t (key (search)))