Date: Thu, 15 May 2025 17:55:17 +0200
From: Stefano Brivio
To: Max Chernoff
CC: passt-dev@passt.top, Paul Holzinger
Subject: Re: [PATCH 1/1] selinux: Transition to pasta_t in containers
Message-ID: <20250515175517.7bd22b25@elisabeth>
In-Reply-To: <20250515154035.51eb8d14@elisabeth>
References: <20250514104413.197448-2-git@maxchernoff.ca> <20250514104413.197448-3-git@maxchernoff.ca> <20250515154035.51eb8d14@elisabeth>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Thu, 15 May 2025 15:40:35 +0200
Stefano Brivio wrote:

> On Wed, 14 May 2025 04:44:12 -0600
> Max Chernoff wrote:
>
> > Currently, pasta runs in the container_runtime_exec_t context when
> > running in a container. This is not ideal since it means that pasta runs
> > with more privileges than strictly necessary. This commit updates the
> > SELinux policy to have pasta transition to the pasta_t context when
> > started from the container_runtime_t context, adds the appropriate
> > labels to $XDG_RUNTIME_DIR/netns and
> > $XDG_RUNTIME_DIR/containers/networks/rootless-netns, and grants the
> > necessary permissions to the pasta_t context.
> >
> > Link: https://bugs.passt.top/show_bug.cgi?id=81
> > Link: https://github.com/containers/podman/discussions/26100#discussioncomment-13088518
> > Signed-off-by: Max Chernoff
>
> Thanks, I think that with your patch we're almost there. (!)
>
> I ran Podman tests covering pasta on Fedora Rawhide, with the updated
> profile (that is, 'bats test/system/505-networking-pasta.bats' from a
> Podman tree) and it looks like there are a couple of minor things
> missing, though.
>
> Tests pass, but on a number of tests I'm getting these in the audit
> log:
>
> type=AVC msg=audit(1747313163.407:129988): avc: denied { nlmsg_read } for pid=1313607 comm="ss" scontext=system_u:system_r:container_t:s0:c752,c999 tcontext=system_u:system_r:container_t:s0:c752,c999 tclass=netlink_tcpdiag_socket permissive=0
> type=AVC msg=audit(1747313164.090:129989): avc: denied { getattr } for pid=1313686 comm="pasta.avx2" path="pipe:[6839919]" dev="pipefs" ino=6839919 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
> type=AVC msg=audit(1747313164.209:129990): avc: denied { getattr } for pid=1313714 comm="pasta.avx2" path="pipe:[6840012]" dev="pipefs" ino=6840012 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
>
> The 'ss' thing is unrelated, and might be something to add to
> container-selinux, perhaps. I'm not really sure if containers should
> reasonably be able to access netlink_tcpdiag_socket.
>
> The getattr on pipes, though, is pasta trying to read out attributes of
> pipes that are used for loopback connections, that is, the path
> represented here (orange square on top) as "tap bypass":
>
> https://passt.top/#pasta-pack-a-subtle-tap-abstraction
>
> if those fail, by the way, things still work (I guess it's just what we
> do to probe / tune the size of the pipes).
>
> A summary from audit2allow:
>
> #============= container_t ==============
>
> #!!!!
This avc can be allowed using the boolean 'virt_sandbox_use_netlink' > allow container_t self:netlink_tcpdiag_socket nlmsg_read; > > #============= pasta_t ============== > allow pasta_t container_runtime_t:fifo_file getattr; > > I plan to try again later (probably in a few hours) to add what's > missing (it could very well be just this rule) and get back to you. Of > course, if you manage to fix / re-test meanwhile, before I get to it, > feel free to re-post this. Yes, adding getattr on fifo_file makes the tests pass without any SELinux warning. Full review of your patch: > diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc > index 41ee46d..3be7789 100644 > --- a/contrib/selinux/pasta.fc > +++ b/contrib/selinux/pasta.fc > @@ -8,7 +8,9 @@ > # Copyright (c) 2022 Red Hat GmbH > # Author: Stefano Brivio > > -/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 > -/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 > -/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 > -/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 > +/usr/bin/pasta system_u:object_r:pasta_exec_t:s0 > +/usr/bin/pasta.avx2 system_u:object_r:pasta_exec_t:s0 > +/tmp/pasta\.pcap system_u:object_r:pasta_log_t:s0 > +/var/run/pasta\.pid system_u:object_r:pasta_pid_t:s0 > +/run/user/%{USERID}/netns system_u:object_r:ifconfig_var_run_t:s0 > +/run/user/%{USERID}/containers/networks/rootless-netns system_u:object_r:ifconfig_var_run_t:s0 > diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te > index 89c8043..e97fd88 100644 > --- a/contrib/selinux/pasta.te > +++ b/contrib/selinux/pasta.te > @@ -89,6 +89,13 @@ require { > class capability { sys_tty_config setuid setgid }; > class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; > class user_namespace create; > + > + # Container requires > + attribute_role usernetctl_roles; > + role container_user_r; > + role staff_r; > + role user_r; > + type container_runtime_t; > } > > type pasta_t; 
> @@ -213,3 +220,32 @@ allow pasta_t netutils_t:process { noatsecure rlimitinh siginh }; > allow pasta_t ping_t:process { noatsecure rlimitinh siginh }; > allow pasta_t user_tty_device_t:chr_file { append read write }; > allow pasta_t user_devpts_t:chr_file { append read write }; > + > +# Allow network administration commands for non-privileged users > +roleattribute container_user_r usernetctl_roles; > +roleattribute staff_r usernetctl_roles; > +roleattribute user_r usernetctl_roles; > +role usernetctl_roles types pasta_t; > + > +# Make pasta in a container run under the pasta_t context > +type_transition container_runtime_t pasta_exec_t : process pasta_t; > +allow container_runtime_t pasta_t:process transition; > + > +# Label the user network namespace files > +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "netns"; > +type_transition container_runtime_t user_tmp_t : dir ifconfig_var_run_t "rootless-netns"; > +allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }; > +allow pasta_t ifconfig_var_run_t:file { create open write }; > + > +# From audit2allow Instead of these three "unsorted" rules: > +allow pasta_t container_runtime_t:fifo_file write; ...as I mentioned, changing this to: allow pasta_t container_runtime_t:fifo_file { write getattr }; fixes the remaining warning. And I think it should be "grouped" together with the TCP socket stuff above, that is, just after: corenet_tcp_bind_generic_node(pasta_t) because it's something we need for (loopback) TCP connections, together with TCP sockets. > +allow pasta_t self:cap_userns { setgid setuid }; Strictly speaking, this part shouldn't be needed, see points 7. and c. at: https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10 ...unfortunately, I never got any feedback about those and I haven't found the time to fix this in kernel either, so, sure, let's keep this rule to avoid noise. 
We could group this together with capabilities stuff, that is, just after: allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; (but separated, so that we can drop them without code churn) and maybe add a comment referencing: https://bugzilla.redhat.com/show_bug.cgi?id=2330512#c10 and the fact that setuid() and setgid() are always called with the current UID and GID in the detached user namespace. > +allow pasta_t tmpfs_t:filesystem getattr; This is needed regardless of Podman, getattr was simply missing from: allow pasta_t tmpfs_t:filesystem mount; so I would rather add it there, together with mount. > + > +# Allow pasta to bind to any port > +bool pasta_allow_bind_any_port true; > +if (pasta_allow_bind_any_port) { > + allow pasta_t port_type:icmp_socket { accept getopt name_bind }; > + allow pasta_t port_type:tcp_socket { accept getopt name_bind name_connect }; > + allow pasta_t port_type:udp_socket { accept getopt name_bind }; > +} Everything else looks good to me! If you want to re-post this, you can give --subject-prefix="PATCH v2" to git format-email. -- Stefano
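Review bot: in the contrib/selinux/pasta.fc hunk, the four pre-existing entries (`/usr/bin/pasta`, `/usr/bin/pasta.avx2`, `/tmp/pasta\.pcap`, `/var/run/pasta\.pid`) are removed and re-added with identical labels, so the only substantive change is the two new `/run/user/%{USERID}/...` lines; if the column re-alignment is intentional, say so in the commit message, otherwise leave those four lines untouched so the diff shows just the two additions. Note also that the commit message describes the new paths as `$XDG_RUNTIME_DIR/netns` and `$XDG_RUNTIME_DIR/containers/networks/rootless-netns`, while the file contexts hard-code `/run/user/%{USERID}`; it is worth stating that only the default runtime directory location is labelled.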
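Review bot: the `require` hunk in contrib/selinux/pasta.te pulls in `role container_user_r;` and `type container_runtime_t;`, both declared by container-selinux, so the module now fails to load on a host without that package; the commit message should mention the new dependency. The following hunk also uses `user_tmp_t` and the `port_type` attribute, neither of which appears in the visible part of this require block: if they are not already required further up, add `type user_tmp_t;` and `attribute port_type;` here or the module will not build.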
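Review bot: the last hunk of contrib/selinux/pasta.te sets up the container_runtime_t to pasta_t switch with only `type_transition container_runtime_t pasta_exec_t : process pasta_t;` and `allow container_runtime_t pasta_t:process transition;`, but a domain transition also needs `execute` on pasta_exec_t for container_runtime_t and `entrypoint` on pasta_exec_t for pasta_t, plus `fd use` and fifo_file read/write on the caller for the inherited pipes that the AVC denials in this thread are about; unless those are already granted elsewhere in the policy, the refpolicy `domain_auto_trans(container_runtime_t, pasta_exec_t, pasta_t)` macro emits that whole set and would replace the two lines and the separate fifo_file rule. In the netns labelling block, `allow pasta_t ifconfig_var_run_t:dir { add_name open rmdir write }` grants `rmdir` without `remove_name`, and the `file` rule grants `create open write` without `unlink`, so tearing the namespace files down would still be denied if pasta_t is the one removing them; re-running the network removal tests with auditing enabled would show whether that path is exercised. Finally, `bool pasta_allow_bind_any_port true;` ships the boolean enabled, making the `port_type` bind and connect rules the default; the commit message should say why the default is on and that `setsebool pasta_allow_bind_any_port off` restores the stricter behaviour.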
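As an added illustration, not code from this thread or from the passt project, the script below does what the audit2allow summary quoted above does: it groups the three AVC lines from the thread into `allow` rules (using `self` when source and target types match) and then folds the resulting permissions into the patch's existing `fifo_file write` rule, producing the `{ write getattr }` rule the review asks for. The sample log and the policy line are constructed from the quoted text.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in the thread above.
AVC_LOG = """\
type=AVC msg=audit(1747313163.407:129988): avc: denied { nlmsg_read } for pid=1313607 comm="ss" scontext=system_u:system_r:container_t:s0:c752,c999 tcontext=system_u:system_r:container_t:s0:c752,c999 tclass=netlink_tcpdiag_socket permissive=0
type=AVC msg=audit(1747313164.090:129989): avc: denied { getattr } for pid=1313686 comm="pasta.avx2" path="pipe:[6839919]" dev="pipefs" ino=6839919 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(1747313164.209:129990): avc: denied { getattr } for pid=1313714 comm="pasta.avx2" path="pipe:[6840012]" dev="pipefs" ino=6840012 scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
"""
# Constructed sample: the "unsorted" rule from the patch that the review wants extended.
POLICY = "allow pasta_t container_runtime_t:fifo_file write;\n"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?scontext=(?P<scon>\S+)"
                    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+)\}|(\S+))\s*;")

def context_type(ctx):
    return ctx.split(":")[2]          # user:role:type[:range] -> the type field

def fmt_rule(key, perms):
    src, tgt, cls = key
    perms = sorted(perms)             # order is irrelevant to checkpolicy
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {body};"

def parse_avc(log):
    """Group denials by (source type, target type, class), as audit2allow does."""
    denied = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            src, tgt = context_type(m["scon"]), context_type(m["tcon"])
            key = (src, "self" if src == tgt else tgt, m["tclass"])
            denied[key].update(m["perms"].split())
    return dict(denied)

def merge_with_policy(policy_text, denied):
    """Fold denied permissions into existing allow rules for the same triple;
    denials with no existing counterpart become new rules appended at the end."""
    pending, out = dict(denied), []
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            out.append(line)
            continue
        key, perms = (m[1], m[2], m[3]), set((m[4] or m[5]).split())
        out.append(fmt_rule(key, perms | pending.pop(key, set())))
    out.extend(fmt_rule(k, p) for k, p in sorted(pending.items()))
    return out
```

Rules merged this way still deserve the same scrutiny the review applies above: the `container_t` netlink rule, for instance, belongs in container-selinux (or behind its boolean), not in pasta's module.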