SELinux-Refpolicy Archive on lore.kernel.org
* /dev/vhost-vsock
@ 2020-04-11  3:55 Russell Coker
  2020-04-11  6:17 ` /dev/vhost-vsock Dominick Grift
  2020-04-11  6:19 ` /dev/vhost-vsock Dominick Grift
  0 siblings, 2 replies; 4+ messages in thread
From: Russell Coker @ 2020-04-11  3:55 UTC (permalink / raw)
  To: selinux-refpolicy

Would vhost_device_t be the right type for /dev/vhost-vsock?

https://wiki.qemu.org/Features/VirtioVsock

This seems to be the documentation for it.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/





* Re: /dev/vhost-vsock
  2020-04-11  3:55 /dev/vhost-vsock Russell Coker
@ 2020-04-11  6:17 ` Dominick Grift
  2020-04-11  8:10   ` /dev/vhost-vsock Dominick Grift
  2020-04-11  6:19 ` /dev/vhost-vsock Dominick Grift
  1 sibling, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2020-04-11  6:17 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> Would vhost_device_t be the right type for /dev/vhost-vsock?
>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.

This is the "ptrace" equivalent for applications that use user
namespaces like, I think, firefox and flatpak. This event will surface
if you do a `ps auxZ` when you have a running instance of an application
that uses user namespaces.

In the case of firefox you would for example append it below this line:
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
like so:
allow $2 mozilla_t:cap_userns sys_ptrace;

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift


* Re: /dev/vhost-vsock
  2020-04-11  3:55 /dev/vhost-vsock Russell Coker
  2020-04-11  6:17 ` /dev/vhost-vsock Dominick Grift
@ 2020-04-11  6:19 ` Dominick Grift
  1 sibling, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2020-04-11  6:19 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> Would vhost_device_t be the right type for /dev/vhost-vsock?

That is what I do:
https://git.defensec.nl/?p=dssp3.git;a=blob;f=policy/dev/node_vhost.cil;h=810213c6f2c02db02dfba873cbe740ad7cfaad95;hb=HEAD

>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift


* Re: /dev/vhost-vsock
  2020-04-11  6:17 ` /dev/vhost-vsock Dominick Grift
@ 2020-04-11  8:10   ` Dominick Grift
  0 siblings, 0 replies; 4+ messages in thread
From: Dominick Grift @ 2020-04-11  8:10 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Dominick Grift <dominick.grift@defensec.nl> writes:

> Russell Coker <russell@coker.com.au> writes:
>
>> Would vhost_device_t be the right type for /dev/vhost-vsock?
>>
>> https://wiki.qemu.org/Features/VirtioVsock
>>
>> This seems to be the documentation for it.
>
> This is the "ptrace" equivalent for applications that use user
> namespaces like, I think, firefox and flatpak. This event will surface
> if you do a `ps auxZ` when you have a running instance of an application
> that uses user namespaces.
>
> In the case of firefox you would for example append it below this line:
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
> like so:
> allow $2 mozilla_t:cap_userns sys_ptrace;

Err, no. It's more like "allow $2 self:cap_userns sys_ptrace;"



-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

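As an added example (not code from this thread, from refpolicy or from dssp3), a small parser for the kind of AVC denial the `ps auxZ` check above would surface: it reads constructed audit lines and, for each `cap_userns` denial where the source and target contexts share a type, emits the rule with `self` as the target, which is the correction made in the last message. The audit lines, the `mozilla_t`/`virtd_t` contexts and the pids are constructed sample data.

```python
import re
from typing import Optional

# Constructed sample audit lines (not from a real system): one cap_userns
# denial for a firefox-style domain, and one unrelated chr_file denial on
# /dev/vhost-vsock to show that non-cap_userns classes are left alone.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1586577300.101:501): avc:  denied  { sys_ptrace } for  pid=2201 comm="firefox" capability=19  scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1586577300.102:502): avc:  denied  { read } for  pid=2202 comm="qemu-system-x86" name="vhost-vsock" dev="devtmpfs" ino=123 scontext=system_u:system_r:virtd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx: str) -> str:
    """Return the type field (third colon-separated component) of a context."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC denial line into its fields, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scon")),
        "ttype": context_type(m.group("tcon")),
        "tclass": m.group("tclass"),
    }


def cap_userns_rules(audit_text: str) -> list:
    """Build allow rules for cap_userns denials only.

    When source and target types are equal (a domain using capabilities in its
    own user namespace) the target is written as 'self'; other classes are
    skipped so a human decides how the object should be labelled."""
    rules = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["tclass"] != "cap_userns":
            continue
        target = "self" if avc["stype"] == avc["ttype"] else avc["ttype"]
        perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ " + " ".join(avc["perms"]) + " }"
        rules.append(f"allow {avc['stype']} {target}:cap_userns {perms};")
    return rules


if __name__ == "__main__":
    for rule in cap_userns_rules(SAMPLE_AUDIT):
        print(rule)
```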

