selinux-policy: protect snapshot layers from modification

Now that we have the machinery in place to provide a "context" option for overlayfs mounts, we can use a read-only type for file objects in the lower directories. We also record the type in `lxc_contexts` for programs that rely on that file for discovery. `host-ctr` now runs with the same type as the other container runtime components, because it handles the `mount()` syscall. The kernel will try to create a "work" subdirectory in workdir during the mount, so the calling process needs permissions to do so. Signed-off-by: Ben Cressey <bcressey@amazon.com>
bottlerocket-os · Jun 4, 2020 · 23c3d76 · 23c3d76
1 parent 4dc2055
commit 23c3d76
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/packages/selinux-policy/fs.cil b/packages/selinux-policy/fs.cil
@@ -42,6 +42,7 @@
 (filecon "/.*/usr/lib/systemd/systemd" file init_exec)
 (filecon "/.*/usr/bin/containerd.*" file runtime_exec)
 (filecon "/.*/usr/bin/docker.*" file runtime_exec)
+(filecon "/.*/usr/bin/host-ctr" file runtime_exec)
 (filecon "/.*/usr/sbin/runc" file runtime_exec)
 (filecon "/.*/usr/bin/apiserver" file api_exec)
 (filecon "/.*/usr/bin/early-boot-config" file api_exec)

diff --git a/packages/selinux-policy/lxc_contexts b/packages/selinux-policy/lxc_contexts
@@ -1,2 +1,3 @@
 process = "system_u:system_r:container_t:s0"
 file = "system_u:object_r:local_t:s0"
+ro_file = "system_u:object_r:cache_t:s0"
diff --git a/packages/selinux-policy/rules.cil b/packages/selinux-policy/rules.cil
@@ -54,9 +54,16 @@
 (typetransition trusted_s unlabeled_t file local_t)
 (typetransition trusted_s unlabeled_t dir local_t)
 
-; If a runtime process creates a directory for cached container layers
-; on local storage, it receives the "cache_t" label.
+; If a runtime process creates a directory for cached container archives
+; or snapshot layers on local storage, it receives the "cache_t" label.
+; ... containerd's pristine archives
 (typetransition runtime_t local_t dir "io.containerd.content.v1.content" cache_t)
+; ... containerd's metadata database
+(typetransition runtime_t local_t dir "io.containerd.metadata.v1.bolt" cache_t)
+; ... containerd's snapshot layers
+(typetransition runtime_t local_t dir "io.containerd.snapshotter.v1.overlayfs" cache_t)
+; ... docker's image layers
+(typetransition runtime_t local_t dir "overlay2" cache_t)
 
 ; All subjects are allowed to write to objects with their own label.
 ; This includes files like the ones under /proc/self.