* /dev/vhost-vsock
@ 2020-04-11 3:55 Russell Coker
From: Russell Coker @ 2020-04-11 3:55 UTC
To: selinux-refpolicy
Would vhost_device_t be the right type for /dev/vhost-vsock?
https://wiki.qemu.org/Features/VirtioVsock
This seems to be the documentation for it.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
* Re: /dev/vhost-vsock
From: Dominick Grift @ 2020-04-11 6:17 UTC
To: Russell Coker; +Cc: selinux-refpolicy
Russell Coker <russell@coker.com.au> writes:
> Would vhost_device_t be the right type for /dev/vhost-vsock?
>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.
This is the "ptrace" equivalent for applications that use user
namespaces like, I think, Firefox and Flatpak. This event will surface
if you do a `ps auxZ` when you have a running instance of an application
that uses user namespaces.
In the case of firefox you would for example append it below this line:
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
like so:
allow $2 mozilla_t:cap_userns sys_ptrace;
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: /dev/vhost-vsock
From: Dominick Grift @ 2020-04-11 6:19 UTC
To: Russell Coker; +Cc: selinux-refpolicy
Russell Coker <russell@coker.com.au> writes:
> Would vhost_device_t be the right type for /dev/vhost-vsock?
That is what I do:
https://git.defensec.nl/?p=dssp3.git;a=blob;f=policy/dev/node_vhost.cil;h=810213c6f2c02db02dfba873cbe740ad7cfaad95;hb=HEAD
>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.
* Re: /dev/vhost-vsock
From: Dominick Grift @ 2020-04-11 8:10 UTC
To: Russell Coker; +Cc: selinux-refpolicy
Dominick Grift <dominick.grift@defensec.nl> writes:
> Russell Coker <russell@coker.com.au> writes:
>
>> Would vhost_device_t be the right type for /dev/vhost-vsock?
>>
>> https://wiki.qemu.org/Features/VirtioVsock
>>
>> This seems to be the documentation for it.
>
> this is the "ptrace" equivalent for applications that use user
> namespaces like, i think, firefox and flatpak. This event will surface
> if you do a `ps auxZ` when you have a running instance of a application
> the uses user name spaces.
>
> In the case of firefox you would for example append it below this line:
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
> like so:
> allow $2 mozilla_t:cap_userns sys_ptrace;
Err, no. It's more like "allow $2 self:cap_userns sys_ptrace;"
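As an added example that is not part of this thread: the cap_userns denial Dominick describes surfaces as AVC records in the audit log, and the script below turns such records into refpolicy-style allow rules, writing a same-type target as self (the form his correction uses). The audit lines, including the qemu_t/device_t one, are constructed for illustration.

```python
import re

# Constructed sample AVC records (not taken from the thread). The first two are
# the user-namespace ptrace denial discussed above (capability 19 is
# CAP_SYS_PTRACE); the third is an unrelated chr_file denial.
SAMPLE_AVC = """\
type=AVC msg=audit(1586577000.123:456): avc:  denied  { sys_ptrace } for  pid=1234 comm="firefox" capability=19  scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1586577001.456:457): avc:  denied  { sys_ptrace } for  pid=1235 comm="Web Content" capability=19  scontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1586577002.789:458): avc:  denied  { read } for  pid=1236 comm="qemu-system-x86" name="vhost-vsock" dev="devtmpfs" ino=100 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
"""

# Pull the permission set, both contexts and the object class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field (third colon-separated component) of a context."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render refpolicy-style allow rules. A target of the same type as the
    source is written as self, which is the form the correction above uses."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return out

if __name__ == "__main__":
    for rule in to_allow_rules(parse_avc(SAMPLE_AVC)):
        print(rule)
```

A denial whose target is the generic device_t, as in the constructed qemu_t record, usually points at a missing file context (here, /dev/vhost-vsock not labelled vhost_device_t) and is fixed by labelling the node rather than by adding the generated allow rule.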