Add policy for KubeVirt

policy/modules/kernel/devices.if

@@ -108,6 +108,24 @@ interface(`dev_getattr_fs',`
 	allow $1 device_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Unmount device filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_unmount_fs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:filesystem unmount;
+')
+
 ########################################
 ## <summary>
 ##	Remount device filesystems.
@@ -5465,6 +5483,24 @@ interface(`dev_relabelfrom_vfio_dev',`
 	relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
 ')
 
+############################
+## <summary>
+##	Get the attributes of the vhost devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_vhost_dev',`
+	gen_require(`
+		type device_t, vhost_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
 ############################
 ## <summary>
 ##	Allow read/write the vhost devices

policy/modules/kernel/kernel.te

@@ -315,6 +315,7 @@ dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_blk_files(kernel_t)
 dev_rw_generic_chr_files(kernel_t)
 dev_setattr_generic_blk_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)

policy/modules/services/container.if

@@ -480,6 +480,26 @@ interface(`container_search_engine_tmp',`
 	allow $1 container_engine_tmp_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	container engine temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_engine_tmp_files',`
+	gen_require(`
+		type container_engine_tmp_t;
+	')
+
+	container_search_engine_tmp($1)
+	allow $1 container_engine_tmp_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to manage
@@ -1207,6 +1227,25 @@ interface(`container_watch_config_dirs',`
 	allow $1 container_config_t:dir watch;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	create container config directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_create_config_dirs',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	create_dirs_pattern($1, container_config_t, container_config_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
@@ -1607,6 +1646,26 @@ interface(`container_list_ro_dirs',`
 	allow $1 container_ro_file_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to get
+##	the attributes of all read-only
+##	container file character devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_getattr_all_ro_chr_files',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+	allow $1 container_ro_file_t:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to get

policy/modules/services/container.te

@@ -180,6 +180,12 @@ ifdef(`enable_mls',`
 ')
 mls_trusted_object(container_engine_t)
 
+container_domain_template(container_kvm)
+typeattribute container_kvm_t container_system_domain, container_net_domain;
+optional_policy(`
+	kubernetes_container(container_kvm_t)
+')
+
 type spc_t, container_domain, container_net_domain, container_system_domain, privileged_container_domain;
 domain_type(spc_t)
 role system_r types spc_t;
@@ -224,6 +230,9 @@ container_mountpoint(container_runtime_t)
 type container_tmpfs_t;
 files_tmpfs_file(container_tmpfs_t)
 
+type container_tmp_t;
+files_tmp_file(container_tmp_t)
+
 type container_log_t;
 logging_log_file(container_log_t)
 optional_policy(`
@@ -939,6 +948,28 @@ filetrans_pattern(container_engine_user_domain, container_data_home_t, container
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_file_t, dir, "volumes")
 
+########################################
+#
+# KVM container local policy
+#
+
+allow container_kvm_t self:process { getcap setrlimit };
+allow container_kvm_t self:capability { net_admin sys_resource };
+allow container_kvm_t self:tun_socket { relabelfrom relabelto };
+
+dev_getattr_mtrr_dev(container_kvm_t)
+dev_read_sysfs(container_kvm_t)
+
+fs_read_cgroup_files(container_kvm_t)
+
+kernel_read_device_sysctls(container_kvm_t)
+kernel_read_irq_sysctls(container_kvm_t)
+kernel_read_vm_overcommit_sysctl(container_kvm_t)
+
+allow container_kvm_t spc_t:fd use;
+allow container_kvm_t spc_t:fifo_file write;
+allow container_kvm_t spc_t:tun_socket relabelfrom;
+
 ########################################
 #
 # Common privileged container local policy
@@ -971,11 +1002,11 @@ domtrans_pattern(container_engine_system_domain, container_file_t, spc_t)
 domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t)
 
-allow spc_t self:process { getcap setrlimit };
+allow spc_t self:process { getcap setexec setrlimit };
 # Normally triggered when rook-ceph executes lvm tools which creates noise.
 # This can be allowed if actually needed.
 dontaudit spc_t self:process setfscreate;
-allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid ipc_lock mknod net_admin net_raw setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
+allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
 allow spc_t self:capability2 { bpf perfmon };
 allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow spc_t self:key manage_key_perms;
@@ -1001,14 +1032,19 @@ allow spc_t container_engine_tmpfs_t:chr_file rw_chr_file_perms;
 allow spc_t container_engine_tmpfs_t:lnk_file read_lnk_file_perms;
 # for rook-ceph
 allow spc_t container_engine_tmpfs_t:blk_file rw_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };
 
 # for kubernetes storage class providers
 allow spc_t container_file_t:{ dir file } mounton;
 allow spc_t container_file_t:dir_file_class_set relabel_blk_file_perms;
 # for rook-ceph
 allow spc_t container_file_t:blk_file manage_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_file_t:chr_file setattr;
+allow spc_t container_file_t:filesystem unmount;
 
-allow spc_t container_runtime_t:dir { manage_dir_perms mounton };
+allow spc_t container_runtime_t:dir { manage_dir_perms mounton watch };
 allow spc_t container_runtime_t:file manage_file_perms;
 allow spc_t container_runtime_t:sock_file manage_sock_file_perms;
 
@@ -1031,6 +1067,13 @@ dev_filetrans(spc_t, container_device_t, blk_file)
 dev_dontaudit_getattr_all_chr_files(spc_t)
 dev_dontaudit_setattr_generic_symlinks(spc_t)
 dev_dontaudit_relabelto_generic_blk_files(spc_t)
+# for multus and kubevirt
+dev_getattr_kvm_dev(spc_t)
+dev_getattr_vhost_dev(spc_t)
+dev_watch_dev_dirs(spc_t)
+# for DV upload in kubevirt over rook-ceph
+dev_unmount_fs(spc_t)
+dev_remount_fs(spc_t)
 
 fs_read_nsfs_files(spc_t)
 fs_mount_xattr_fs(spc_t)
@@ -1093,6 +1136,7 @@ container_manage_config_files(spc_t)
 container_list_plugin_dirs(spc_t)
 container_manage_plugin_files(spc_t)
 
+container_create_config_dirs(spc_t)
 container_create_config_files(spc_t)
 container_rw_config_files(spc_t)
 
@@ -1104,11 +1148,20 @@ container_manage_var_lib_dirs(spc_t)
 container_manage_var_lib_files(spc_t)
 container_map_var_lib_files(spc_t)
 
+manage_dirs_pattern(spc_t, container_tmp_t, container_tmp_t)
+manage_files_pattern(spc_t, container_tmp_t, container_tmp_t)
+files_tmp_filetrans(spc_t, container_tmp_t, { dir file })
+
+files_runtime_filetrans(spc_t, container_runtime_t, dir)
 # for cilium
 allow spc_t container_config_t:dir watch;
 allow spc_t container_runtime_t:lnk_file manage_lnk_file_perms;
 allow spc_t container_runtime_t:file watch;
 
+# for kubevirt
+allow spc_t container_kvm_t:process transition;
+ps_process_pattern(spc_t, container_kvm_t)
+
 ifdef(`init_systemd',`
 	init_dbus_chat(spc_t)
 	init_run_bpf(spc_t)

policy/modules/services/kubernetes.if

@@ -377,6 +377,25 @@ interface(`kubernetes_run_engine_bpf',`
 	allow $1 kubernetes_container_engine_domain:bpf prog_run;
 ')
 
+########################################
+## <summary>
+##	Read and write FIFO files from
+##	kubernetes container engines.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_rw_container_engine_fifo_files',`
+	gen_require(`
+		attribute kubernetes_container_engine_domain;
+	')
+
+	allow $1 kubernetes_container_engine_domain:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Search kubernetes config directories.

policy/modules/services/kubernetes.te

@@ -82,6 +82,7 @@ corenet_tcp_connect_all_ports(kubernetes_container_engine_domain)
 dev_create_generic_blk_files(kubernetes_container_engine_domain)
 
 files_getattr_kernel_modules(kubernetes_container_engine_domain)
+files_mounton_runtime_dirs(kubernetes_container_engine_domain)
 # for replicated storage that may be mounted in /mnt
 files_search_mnt(kubernetes_container_engine_domain)
 
@@ -257,6 +258,7 @@ corecmd_exec_bin(kubelet_t)
 corecmd_watch_bin_dirs(kubelet_t)
 
 dev_getattr_mtrr_dev(kubelet_t)
+dev_getattr_generic_blk_files(kubelet_t)
 dev_read_kmsg(kubelet_t)
 dev_read_sysfs(kubelet_t)
 
@@ -408,6 +410,7 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
 # for metrics and accounting
 container_getattr_all_files(kubelet_t)
 container_getattr_all_ro_files(kubelet_t)
+container_getattr_all_ro_chr_files(kubelet_t)
 container_getattr_all_var_lib_files(kubelet_t)
 
 ifdef(`init_systemd',`

policy/modules/system/iptables.te

@@ -103,11 +103,12 @@ sysnet_dns_name_resolve(iptables_t)
 
 userdom_use_inherited_user_terminals(iptables_t)
 
-
-
 optional_policy(`
 	# iptables may try to rw /ptmx in a container
 	container_dontaudit_rw_chr_files(iptables_t)
+
+	# iptables reads firewall rules written to tmp
+	container_read_engine_tmp_files(iptables_t)
 ')
 
 optional_policy(`
@@ -125,6 +126,11 @@ optional_policy(`
 	firstboot_rw_pipes(iptables_t)
 ')
 
+optional_policy(`
+	# apply firewall rules from multus
+	kubernetes_rw_container_engine_fifo_files(iptables_t)
+')
+
 optional_policy(`
 	modutils_run(iptables_t, iptables_roles)
 ')

policy/modules/system/mount.te

@@ -80,6 +80,7 @@ dev_dontaudit_write_sysfs_dirs(mount_t)
 dev_rw_lvm_control(mount_t)
 dev_rw_loop_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
+dev_dontaudit_getattr_generic_blk_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 # Early devtmpfs, before udev relabel

testing/sechecker.ini

@@ -241,6 +241,7 @@ exempt_source = arpwatch_t
                 chronyd_t           # Conditional access (chronyd_hwtimestamp)
                 condor_startd_t
                 container_engine_t
+                container_kvm_t     # Modify interfaces and routes for VM networking
                 container_t         # Conditional access (container_use_host_all_caps)
                 crio_t
                 ctdbd_t