* /dev/vhost-vsock
From: Russell Coker @ 2020-04-11 3:55 UTC (permalink / raw)
To: selinux-refpolicy
Would vhost_device_t be the right type for /dev/vhost-vsock?
https://wiki.qemu.org/Features/VirtioVsock
This seems to be the documentation for it.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: /dev/vhost-vsock
From: Dominick Grift @ 2020-04-11 6:17 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux-refpolicy
Russell Coker <russell@coker.com.au> writes:
> Would vhost_device_t be the right type for /dev/vhost-vsock?
>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.
This is the "ptrace" equivalent for applications that use user
namespaces like, I think, Firefox and Flatpak. This event will surface
if you do a `ps auxZ` when you have a running instance of an application
that uses user namespaces.
In the case of firefox you would for example append it below this line:
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
like so:
allow $2 mozilla_t:cap_userns sys_ptrace;
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: /dev/vhost-vsock
From: Dominick Grift @ 2020-04-11 6:19 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux-refpolicy
Russell Coker <russell@coker.com.au> writes:
> Would vhost_device_t be the right type for /dev/vhost-vsock?
That is what I do:
https://git.defensec.nl/?p=dssp3.git;a=blob;f=policy/dev/node_vhost.cil;h=810213c6f2c02db02dfba873cbe740ad7cfaad95;hb=HEAD
>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: /dev/vhost-vsock
From: Dominick Grift @ 2020-04-11 8:10 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux-refpolicy
Dominick Grift <dominick.grift@defensec.nl> writes:
> Russell Coker <russell@coker.com.au> writes:
>
>> Would vhost_device_t be the right type for /dev/vhost-vsock?
>>
>> https://wiki.qemu.org/Features/VirtioVsock
>>
>> This seems to be the documentation for it.
>
> This is the "ptrace" equivalent for applications that use user
> namespaces like, I think, Firefox and Flatpak. This event will surface
> if you do a `ps auxZ` when you have a running instance of an application
> that uses user namespaces.
>
> In the case of firefox you would for example append it below this line:
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
> like so:
> allow $2 mozilla_t:cap_userns sys_ptrace;
Err, no. It's more like "allow $2 self:cap_userns sys_ptrace;"
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
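An added example, not code from the thread or from refpolicy: a small POSIX sh helper that turns AVC denials of the cap_userns class (as logged when a user-namespace application such as Firefox is inspected with `ps auxZ`) into candidate allow rules, writing the target as "self" when source and target type match, which is the form of the corrected rule above. The audit line is constructed for this example; the field layout follows the kernel's AVC record format.

```shell
#!/bin/sh
# Added example (not from the thread): derive refpolicy-style allow rules
# from AVC denials in the cap_userns class.  Real input would come from
# `ausearch -m AVC`; the line below is constructed for this example.
SAMPLE_AVC='type=AVC msg=audit(1586577600.123:456): avc:  denied  { sys_ptrace } for  pid=1234 comm="firefox" capability=19  scontext=user_u:user_r:mozilla_t:s0 tcontext=user_u:user_r:mozilla_t:s0 tclass=cap_userns permissive=0'

# avc_to_allow: read AVC lines on stdin and print one allow rule per line
# whose class is cap_userns.  The type is the third colon-separated field
# of scontext/tcontext.  When both carry the same type the target is
# written as "self", the form used in the corrected rule in the thread;
# otherwise the target type is kept, which is usually a sign the denial
# is not the self-ptrace case this thread is about.
avc_to_allow() {
    grep 'tclass=cap_userns' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" \
            | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
            | sed 's/^ *//;s/ *$//')
        stype=$(printf '%s\n' "$line" \
            | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        ttype=$(printf '%s\n' "$line" \
            | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        [ -n "$perm" ] && [ -n "$stype" ] && [ -n "$ttype" ] || continue
        # Several permissions in one denial need a brace group.
        case $perm in *' '*) perm="{ $perm }" ;; esac
        if [ "$stype" = "$ttype" ]; then
            target=self
        else
            target=$ttype
        fi
        printf 'allow %s %s:cap_userns %s;\n' "$stype" "$target" "$perm"
    done
}

# Example run over the constructed denial.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

The generated rule is a starting point for review, not something to paste into policy unread; in refpolicy it belongs inside the domain's interface with `$2` in place of the literal source type, as in the corrected line above.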