k3s-root: reduced executable privileges (#26)
Addresses k3s-io/k3s#4562
Addresses k3s-io/k3s#4564
Addresses k3s-io/k3s#4600
Addresses k3s-io/k3s#4601

Address container_runtime_exec_t applied to too many executables.
Introduce k3s_data_t, k3s_lock_t, and k3s_root_t types:
- k3s_data_t as default for everything under K3S_DATA_DIR
- k3s_lock_t applied to K3S_DATA_DIR/.lock
- k3s_root_t as default for everything under K3S_DATA_DIR/bin
  this is an execution-domain type that allows container_runtime_t and
  unconfined_t to work as expected, but regular SELinux users will be denied.
  additionally, this allows for easy, automatic transition to
  container_runtime_exec_t for the cni, containerd (including shims),
  and runc executables when k3s establishes the data-dir.

Signed-off-by: Jacob Blain Christen <[email protected]>
dweomer authored Jan 4, 2022
1 parent e4307b9 commit 7b982cf
Showing 12 changed files with 300 additions and 207 deletions.
46 changes: 25 additions & 21 deletions policy/centos7/k3s-selinux.spec
@@ -1,46 +1,51 @@
# vim: sw=4:ts=4:et


%define k3s_relabel_files() \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/k3s/data; \
mkdir -p /var/run/flannel; \
mkdir -p /var/run/k3s; \
restorecon -R -i /etc/systemd/system/k3s.service; \
restorecon -R -i /usr/lib/systemd/system/k3s.service; \
restorecon -R /var/lib/cni; \
restorecon -R /var/lib/kubelet; \
restorecon -R /var/lib/rancher; \
restorecon -R /var/run/k3s; \
restorecon -R /var/run/flannel

mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/k3s/data; \
mkdir -p /var/run/flannel; \
mkdir -p /var/run/k3s; \
restorecon -R -i /etc/systemd/system/k3s.service; \
restorecon -R -i /usr/lib/systemd/system/k3s.service; \
restorecon -R /var/lib/cni; \
restorecon -R /var/lib/kubelet; \
restorecon -R /var/lib/rancher; \
restorecon -R /var/run/k3s; \
restorecon -R /var/run/flannel

%define selinux_policyver 3.13.1-252
%define container_policyver 2.107-3
%define container_policy_epoch 2
%define container_policy_schism 2.164.2

Name: k3s-selinux
Version: %{k3s_selinux_version}
Release: %{k3s_selinux_release}.el7
Summary: SELinux policy module for k3s

Group: System Environment/Base
Group: System Environment/Base
License: ASL 2.0
URL: http://k3s.io
Source0: k3s.pp
Source1: k3s.if

BuildArch: noarch
BuildRequires: container-selinux >= %{container_policyver}
BuildRequires: container-selinux < 2:2.164.2
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: container-selinux < %{container_policy_epoch}:%{container_policy_schism}
BuildRequires: git
BuildRequires: selinux-policy-devel
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}

Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver}, container-selinux < 2:2.164.2
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(post): container-selinux < %{container_policy_epoch}:%{container_policy_schism}
Requires(postun): policycoreutils

Provides: %{name} = %{version}-%{release}
Obsoletes: k3s-selinux <= 0.5
Conflicts: rke2-selinux

%description
Expand Down Expand Up @@ -75,7 +80,6 @@ fi;
%attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
%{_datadir}/selinux/devel/include/contrib/k3s.if


%changelog
* Mon Feb 24 2020 Darren Shepherd <[email protected]> 1.0-1
- Initial version
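Review bot: `%define container_policy_schism 2.164.2` gives the upper pin a name but records no reason for it, and the pin now appears in both the `BuildRequires` pair and the split `Requires(post)` lines, so nothing tells a later maintainer what breaks at container-selinux 2:2.164.2 or why the el8 spec (whose `container_policyver` is already 2.167.0-1) carries no such bound. A comment on the define along the lines of `# container-selinux 2:2.164.2 introduced a change this el7 module is not built against; keep BuildRequires and Requires(post) below it` — with the actual incompatibility filled in — would keep the pin from being dropped blindly. The same `container_policy_epoch` define lands undocumented in policy/centos8/k3s-selinux.spec; a one-line note that it is the package epoch used in the versioned dependencies would suffice there.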
16 changes: 12 additions & 4 deletions policy/centos7/k3s.fc
Expand Up @@ -3,19 +3,27 @@
/etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/k3s/data/.lock gen_context(system_u:object_r:container_lock_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
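Review bot: The new `/var/lib/rancher/k3s/data/[^/]*/bin(/.*)?` entry makes `k3s_root_t` the default for every file k3s unpacks under bin/, with only `.links`, `.sha256sums` and the five named runtimes lifted out, but no comment says that this catch-all is deliberate, so a reader cannot tell whether an unlisted binary landing in k3s_root_t is intended — for example a future `containerd-shim-runc-v3`, which `v[12]` would not match. Suggest a comment above the `data(/.*)?` entry such as `# data/<hash>/bin defaults to k3s_root_t (execution domain, see k3s.if); only the container runtimes listed below are container_runtime_exec_t`. The identical block appears in policy/centos8/k3s.fc and would benefit from the same comment.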
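--- a/policy/centos7/k3s.if
+++ b/policy/centos7/k3s.if
@@ -0,0 +1,27 @@
+#######################################################################
+## <summary>
+## Creates types and rules for a k3s runtime domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`k3s_runtime_domain_template',`
+gen_require(`
+attribute container_runtime_domain, exec_type;
+role system_r, sysadm_r;
+')
+
+attribute $1_domain;
+type $1_t, $1_domain;
+role system_r types $1_t;
+role sysadm_r types $1_t;
+
+can_exec($1_t, exec_type)
+domain_type($1_t)
+domain_entry_file($1_domain, $1_t)
+
+admin_pattern(container_runtime_domain, $1_t)
+')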
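Review bot: The interface header on `k3s_runtime_domain_template` does not say that `$1_t` is both the process domain (`domain_type($1_t)`) and the file label of its own entry point (`domain_entry_file($1_domain, $1_t)`, with no separate `$1_exec_t`), which is how k3s.fc applies it to everything under data/*/bin, nor that `can_exec($1_t, exec_type)` lets that domain execute any file carrying the `exec_type` attribute. A `## <desc>` block after the summary stating those two facts, and that `$1_domain` is an attribute so callers can extend the domain without naming `$1_t`, would let the grant be reviewed without reading k3s.fc and k3s.te. Inferred from the role lines: sysadm_r and system_r can enter the domain while other roles are denied — worth stating in the description if that is the intent. The same applies to the identical template in policy/centos8/k3s.if.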
68 changes: 33 additions & 35 deletions policy/centos7/k3s.te
@@ -1,42 +1,40 @@
policy_module(k3s, 1.0.0)

gen_require(`
type container_runtime_t, container_var_lib_t, container_runtime_exec_t;
')
filetrans_pattern(container_runtime_t, container_var_lib_t, container_runtime_exec_t, dir, "data")

gen_require(`
type container_runtime_t, container_runtime_exec_t, container_lock_t;
')
filetrans_pattern(container_runtime_t, container_runtime_exec_t, container_lock_t, file, ".lock")

gen_require(`
type container_runtime_t, container_runtime_exec_t, container_config_t;
')
filetrans_pattern(container_runtime_t, container_runtime_exec_t, container_config_t, dir, "etc")

gen_require(`
type container_runtime_t, container_var_lib_t, container_file_t;
')
##### type: k3s_data_t
type k3s_data_t;
files_type(k3s_data_t);

##### type: k3s_lock_t
type k3s_lock_t;
files_lock_file(k3s_lock_t)

##### type: k3s_root_t, attr: k3s_root_domain
k3s_runtime_domain_template(k3s_root)

gen_require(`
attribute container_runtime_domain;
type container_runtime_exec_t, container_runtime_t;
type container_file_t, container_share_t;
type container_var_lib_t, var_lib_t;
type container_log_t, var_log_t;
')
admin_pattern(container_runtime_domain, k3s_data_t)
admin_pattern(container_runtime_domain, k3s_lock_t)
files_lock_filetrans(container_runtime_domain, k3s_lock_t, { dir file })
filetrans_pattern(container_runtime_t, container_var_lib_t, k3s_data_t, dir, "data")
filetrans_pattern(container_runtime_t, k3s_data_t, k3s_lock_t, file, ".lock")
filetrans_pattern(container_runtime_t, k3s_data_t, k3s_root_t, dir, "bin")
filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".links")
filetrans_pattern(container_runtime_t, k3s_root_t, k3s_data_t, file, ".sha256sums")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "cni")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v1")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "containerd-shim-runc-v2")
filetrans_pattern(container_runtime_t, k3s_root_t, container_runtime_exec_t, file, "runc")
filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "storage")

gen_require(`
type container_runtime_t, container_var_lib_t, container_share_t;
')
filetrans_pattern(container_runtime_t, container_var_lib_t, container_share_t, dir, "snapshots")

gen_require(`
type container_runtime_t, var_lib_t, container_var_lib_t;
')
filetrans_pattern(container_runtime_t, var_lib_t, container_var_lib_t, dir, "kubelet")

gen_require(`
type container_runtime_t, container_var_lib_t, container_file_t;
')
filetrans_pattern(container_runtime_t, container_var_lib_t, container_file_t, dir, "pods")

gen_require(`
type container_runtime_t, var_log_t, container_log_t;
')
filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "pods")
filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "containers")
filetrans_pattern(container_runtime_t, var_log_t, container_log_t, dir, "pods")
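Review bot: The name-based transitions on `k3s_root_t` are broader than the labels k3s.fc assigns: `filetrans_pattern(container_runtime_t, k3s_data_t, k3s_root_t, dir, "bin")` fires for a `bin` directory created under any k3s_data_t directory, and the `cni`/`containerd`/`containerd-shim*`/`runc` rules fire for a file of that name created anywhere below a k3s_root_t directory, whereas k3s.fc matches only `data/[^/]*/bin` and `bin/<name> --`; a later `restorecon` would then relabel such files, so a comment recording that the transitions are intentionally name-only, or matching the fc paths more closely, would avoid surprises. `files_lock_filetrans(container_runtime_domain, k3s_lock_t, { dir file })` also applies to every subject carrying `container_runtime_domain`, not only k3s; if only k3s's own lock file is meant, `files_lock_filetrans(container_runtime_t, k3s_lock_t, { dir file })` would match the subject used by every other rule in this hunk (I am inferring the intended scope from the commit message).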
42 changes: 21 additions & 21 deletions policy/centos8/k3s-selinux.spec
@@ -1,47 +1,48 @@
# vim: sw=4:ts=4:et


%define k3s_relabel_files() \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/k3s/data; \
mkdir -p /var/run/flannel; \
mkdir -p /var/run/k3s; \
restorecon -R -i /etc/systemd/system/k3s.service; \
restorecon -R -i /usr/lib/systemd/system/k3s.service; \
restorecon -R /var/lib/cni; \
restorecon -R /var/lib/kubelet; \
restorecon -R /var/lib/rancher; \
restorecon -R /var/run/k3s; \
restorecon -R /var/run/flannel

mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/k3s/data; \
mkdir -p /var/run/flannel; \
mkdir -p /var/run/k3s; \
restorecon -R -i /etc/systemd/system/k3s.service; \
restorecon -R -i /usr/lib/systemd/system/k3s.service; \
restorecon -R /var/lib/cni; \
restorecon -R /var/lib/kubelet; \
restorecon -R /var/lib/rancher; \
restorecon -R /var/run/k3s; \
restorecon -R /var/run/flannel

%define selinux_policyver 3.14.3-67
%define container_policyver 2.167.0-1
%define container_policy_epoch 2

Name: k3s-selinux
Version: %{k3s_selinux_version}
Release: %{k3s_selinux_release}.el8
Summary: SELinux policy module for k3s

Group: System Environment/Base
Group: System Environment/Base
License: ASL 2.0
URL: http://k3s.io
Source0: k3s.pp
Source1: k3s.if

BuildArch: noarch
BuildRequires: container-selinux >= %{container_policyver}
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: git
BuildRequires: selinux-policy-devel
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}

Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= 2:%{container_policyver}
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(postun): policycoreutils

Provides: %{name} = %{version}-%{release}
Obsoletes: k3s-selinux < 0.5
Obsoletes: k3s-selinux <= 0.5
Conflicts: rke2-selinux

%description
Expand Down Expand Up @@ -76,7 +77,6 @@ fi;
%attr(0600,root,root) %{_datadir}/selinux/packages/k3s.pp
%{_datadir}/selinux/devel/include/contrib/k3s.if


%changelog
* Mon Feb 24 2020 Darren Shepherd <[email protected]> 1.0-1
- Initial version
41 changes: 22 additions & 19 deletions policy/centos8/k3s.fc
@@ -1,23 +1,26 @@
# vim: sw=8:ts=8:et

/etc/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
#/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/k3s.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
#/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
#/usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
#/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
#/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
#/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0)
#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0)
#/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
#/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)
#/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0)
#/var/lib/rancher/k3s/data/.lock gen_context(system_u:object_r:container_lock_t,s0)
#/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
#/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)
#/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
#/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
#/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
/usr/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/s?bin/k3s -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/k3s/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/k3s/data(/.*)? gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/.lock -- gen_context(system_u:object_r:k3s_lock_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin(/.*)? gen_context(system_u:object_r:k3s_root_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]links -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/[.]sha256sums -- gen_context(system_u:object_r:k3s_data_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/cni -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/containerd-shim-runc-v[12] -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/k3s/data/[^/]*/etc(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/var/lib/rancher/k3s/storage(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
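--- a/policy/centos8/k3s.if
+++ b/policy/centos8/k3s.if
@@ -0,0 +1,27 @@
+#######################################################################
+## <summary>
+## Creates types and rules for a k3s runtime domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`k3s_runtime_domain_template',`
+gen_require(`
+attribute container_runtime_domain, exec_type;
+role system_r, sysadm_r;
+')
+
+attribute $1_domain;
+type $1_t, $1_domain;
+role system_r types $1_t;
+role sysadm_r types $1_t;
+
+can_exec($1_t, exec_type)
+domain_type($1_t)
+domain_entry_file($1_domain, $1_t)
+
+admin_pattern(container_runtime_domain, $1_t)
+')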
