/dev/vhost-vsock

From: Russell Coker
Date: 2020-04-11 3:55 UTC
To: selinux-refpolicy

Would vhost_device_t be the right type for /dev/vhost-vsock?

https://wiki.qemu.org/Features/VirtioVsock

This seems to be the documentation for it.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Re: /dev/vhost-vsock

From: Dominick Grift
Date: 2020-04-11 6:17 UTC
To: Russell Coker; Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> Would vhost_device_t be the right type for /dev/vhost-vsock?
>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.

This is the "ptrace" equivalent for applications that use user namespaces like, I think, Firefox and Flatpak. This event will surface if you do a `ps auxZ` when you have a running instance of an application that uses user namespaces.

In the case of Firefox you would for example append it below this line:
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
like so:
allow $2 mozilla_t:cap_userns sys_ptrace;

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
Re: /dev/vhost-vsock

From: Dominick Grift
Date: 2020-04-11 8:10 UTC
To: Russell Coker; Cc: selinux-refpolicy

Dominick Grift <dominick.grift@defensec.nl> writes:

> Russell Coker <russell@coker.com.au> writes:
>
>> Would vhost_device_t be the right type for /dev/vhost-vsock?
>>
>> https://wiki.qemu.org/Features/VirtioVsock
>>
>> This seems to be the documentation for it.
>
> This is the "ptrace" equivalent for applications that use user
> namespaces like, I think, Firefox and Flatpak. This event will surface
> if you do a `ps auxZ` when you have a running instance of an application
> that uses user namespaces.
>
> In the case of Firefox you would for example append it below this line:
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
> like so:
> allow $2 mozilla_t:cap_userns sys_ptrace;

Err, no. It's more like "allow $2 self:cap_userns sys_ptrace;"

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
Re: /dev/vhost-vsock

From: Dominick Grift
Date: 2020-04-11 6:19 UTC
To: Russell Coker; Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> Would vhost_device_t be the right type for /dev/vhost-vsock?

That is what I do:
https://git.defensec.nl/?p=dssp3.git;a=blob;f=policy/dev/node_vhost.cil;h=810213c6f2c02db02dfba873cbe740ad7cfaad95;hb=HEAD

> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
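As an added illustration (not code from the thread, refpolicy or dssp3), the following Python models how refpolicy file-context entries decide the label of /dev/vhost-vsock: without a dedicated entry the node falls through to the /dev catch-all and is labelled device_t, and with the proposed vhost_device_t entry it is labelled like /dev/vhost-net. The .fc lines are constructed in refpolicy style, and the matcher assumes the last-matching-entry-wins rule that file_contexts(5) describes; on a live system the equivalent check is `matchpathcon /dev/vhost-vsock`.

```python
import re
from typing import NamedTuple, Optional
# Refpolicy-style file context lines, constructed for this example (the real
# entries live in policy/modules/kernel/devices.fc). Per line:
#   <path regex> [<type flag>] gen_context(<user>:<role>:<type>,<mls range>)
# The last line is the entry the thread proposes for /dev/vhost-vsock.
DEVICES_FC = """
/dev(/.*)?              gen_context(system_u:object_r:device_t,s0)
/dev/vhost-net      -c  gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vhost-vsock    -c  gen_context(system_u:object_r:vhost_device_t,s0)
"""

# Type flags from file_contexts(5); no flag means the entry applies to any class.
FLAGS = {"-b": "blk_file", "-c": "chr_file", "-d": "dir", "-p": "fifo_file",
         "-l": "lnk_file", "-s": "sock_file", "--": "file"}
LINE_RE = re.compile(r"^(\S+)\s+(?:(-[bcdpls-])\s+)?gen_context\(([^,]+),(\S+)\)$")

class Spec(NamedTuple):
    regex: re.Pattern
    obj_class: Optional[str]   # None: entry applies to any object class
    context: str               # user:role:type:range

def parse_fc(text: str) -> list:
    """Parse refpolicy .fc lines into Specs, preserving file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable file context line: " + line)
        path_re, flag, ctx, mls = m.groups()
        # Anchor the regex so it must match the whole path, as setfiles does.
        specs.append(Spec(re.compile("^" + path_re + "$"), FLAGS.get(flag), ctx + ":" + mls))
    return specs

def label_type(specs: list, path: str, obj_class: str) -> Optional[str]:
    """Type that a path of class obj_class receives; assumes the last matching
    entry wins, as file_contexts(5) describes. None means nothing matched."""
    winner = None
    for spec in specs:
        if spec.regex.match(path) and spec.obj_class in (None, obj_class):
            winner = spec.context
    return winner.split(":")[2] if winner else None

if __name__ == "__main__":
    specs = parse_fc(DEVICES_FC)
    print(label_type(specs[:2], "/dev/vhost-vsock", "chr_file"))  # device_t
    print(label_type(specs, "/dev/vhost-vsock", "chr_file"))      # vhost_device_t
```

The `-c` flag matters: a regular file at the same path would still fall through to device_t, because the vhost entries apply only to character device nodes.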