Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/apparmor/abstractions/passt | 5 | ||||
-rw-r--r-- | contrib/apparmor/abstractions/pasta | 5 | ||||
-rw-r--r-- | contrib/apparmor/usr.bin.passt | 9 | ||||
-rw-r--r-- | contrib/apparmor/usr.bin.pasta | 12 | ||||
-rw-r--r-- | contrib/fedora/passt.spec | 2 | ||||
-rw-r--r-- | contrib/fedora/rpkg.macros | 6 | ||||
-rw-r--r-- | contrib/selinux/passt.te | 8 | ||||
-rw-r--r-- | contrib/selinux/pasta.te | 12 |
8 files changed, 35 insertions, 24 deletions
diff --git a/contrib/apparmor/abstractions/passt b/contrib/apparmor/abstractions/passt index 6bb25e0..43fd63f 100644 --- a/contrib/apparmor/abstractions/passt +++ b/contrib/apparmor/abstractions/passt @@ -26,13 +26,16 @@ capability sys_ptrace, / r, # isolate_prefork(), isolation.c - mount options=(rw, runbindable) /, + mount options=(rw, runbindable) -> /, + mount "" -> "/", mount "" -> "/tmp/", pivot_root "/tmp/" -> "/tmp/", umount "/", owner @{PROC}/@{pid}/uid_map r, # conf_ugid() + @{PROC}/sys/net/ipv4/ip_local_port_range r, # fwd_probe_ephemeral() + network netlink raw, # nl_sock_init_do(), netlink.c network inet stream, # tcp.c diff --git a/contrib/apparmor/abstractions/pasta b/contrib/apparmor/abstractions/pasta index a890391..9f73bee 100644 --- a/contrib/apparmor/abstractions/pasta +++ b/contrib/apparmor/abstractions/pasta @@ -27,8 +27,9 @@ @{PROC}/@{pid}/net/udp r, @{PROC}/@{pid}/net/udp6 r, - @{run}/user/@{uid}/netns/* r, # pasta_open_ns(), pasta.c + @{run}/user/@{uid}/** rw, # pasta_open_ns() + @{PROC}/[0-9]*/ns/ r, # pasta_netns_quit_init(), @{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(), @{PROC}/[0-9]*/ns/user r, # conf_pasta_ns() @@ -42,3 +43,5 @@ /{usr/,}bin/** Ux, /usr/bin/pasta.avx2 ix, # arch_avx2_exec(), arch.c + + ptrace r, # pasta_open_ns() diff --git a/contrib/apparmor/usr.bin.passt b/contrib/apparmor/usr.bin.passt index 564f82f..9568189 100644 --- a/contrib/apparmor/usr.bin.passt +++ b/contrib/apparmor/usr.bin.passt @@ -19,9 +19,12 @@ profile passt /usr/bin/passt{,.avx2} { include <abstractions/passt> # Alternatively: include <abstractions/user-tmp> - owner /tmp/** w, # tap_sock_unix_init(), pcap(), - # write_pidfile(), + owner /tmp/** w, # tap_sock_unix_open(), + # tap_sock_unix_init(), pcap(), + # pidfile_open(), + # pidfile_write(), # logfile_init() - owner @{HOME}/** w, # pcap(), write_pidfile() + owner @{HOME}/** w, # pcap(), pidfile_open(), + # pidfile_write() } 
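Review bot: The new `mount "" -> "/",` rule in the isolate_prefork() group has no fstype and no `options=` qualifier, unlike the `runbindable` rule right above it, so it permits mounting anything with an empty source over `/`, not only the propagation or remount step it presumably exists for. If the corresponding mount() call in isolation.c only changes flags, constraining the rule the same way as its neighbour, e.g. `mount options=(rw, rprivate) -> /,` with whatever flags the code actually passes, keeps the abstraction tight; the flags are not visible in this hunk, so confirm against the source. A trailing comment naming the specific call each of the two `/` rules covers, in the style of the existing `# isolate_prefork(), isolation.c`, would help whoever next tries to narrow this.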
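Review bot: Widening `@{run}/user/@{uid}/netns/* r` to `@{run}/user/@{uid}/** rw` grants pasta read and write access to the whole per-user runtime directory, which on a desktop session also holds sockets and credential material (D-Bus, Wayland, gnupg, keyring), far beyond the namespace files pasta_open_ns() is after. If write access is really needed for creating or bind-mounting a namespace file, `@{run}/user/@{uid}/netns/** rw,` keeps the rule scoped to that subtree; if only opening an existing ns file is needed, read access on the old path suffices. The hunk does not show what pasta_open_ns() does with the path, so check which of the two applies before settling on the rule.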
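Review bot: The added `ptrace r,` carries no `peer=` qualifier, so it allows PTRACE_MODE_READ access checks against every process on the system, while pasta_open_ns() presumably only needs to read the `/proc/PID/ns/*` entries of the task owning the target namespace. AppArmor ptrace rules accept a peer label, so `ptrace (read) peer=unconfined,` (or the profile the target task actually runs under) would express that intent; the target's label is not visible here, so adjust to what the callers use. A short comment such as `# PTRACE_MODE_READ for @{PROC}/[0-9]*/ns/*, pasta_open_ns()` would also document why a networking tool needs a ptrace rule at all.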
diff --git a/contrib/apparmor/usr.bin.pasta b/contrib/apparmor/usr.bin.pasta index e5ee4df..2483968 100644 --- a/contrib/apparmor/usr.bin.pasta +++ b/contrib/apparmor/usr.bin.pasta @@ -19,9 +19,13 @@ profile pasta /usr/bin/pasta{,.avx2} flags=(attach_disconnected) { include <abstractions/pasta> # Alternatively: include <abstractions/user-tmp> - owner /tmp/** w, # tap_sock_unix_init(), pcap(), - # write_pidfile(), - # logfile_init() + /tmp/** rw, # tap_sock_unix_open(), + # tap_sock_unix_init(), pcap(), + # pidfile_open(), + # pidfile_write(), + # logfile_init(), + # pasta_open_ns() - owner @{HOME}/** w, # pcap(), write_pidfile() + owner @{HOME}/** w, # pcap(), pidfile_open(), + # pidfile_write() } diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 825cd76..7950fb9 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec @@ -14,7 +14,7 @@ Name: passt Version: {{{ git_version }}} Release: 1%{?dist} Summary: User-mode networking daemons for virtual machines and namespaces -License: GPLv2+ and BSD +License: GPL-2.0-or-later AND BSD-3-Clause Group: System Environment/Daemons URL: https://passt.top/ Source: https://passt.top/passt/snapshot/passt-%{git_hash}.tar.xz diff --git a/contrib/fedora/rpkg.macros b/contrib/fedora/rpkg.macros index c226c84..c98b791 100644 --- a/contrib/fedora/rpkg.macros +++ b/contrib/fedora/rpkg.macros @@ -29,7 +29,11 @@ function passt_git_changelog_entry { [ -z "${__from}" ] && __from="$(git rev-list --max-parents=0 HEAD)" __date="$(git log --pretty="format:%cI" "${__to}" -1)" - __author="$(git log -1 --pretty="format:%an <%ae>" ${__to} -- contrib/fedora)" + __author="Stefano Brivio <sbrivio@redhat.com>" + # Use: + # __author="$(git log -1 --pretty="format:%an <%ae>" ${__to} -- contrib/fedora)" + # if you want the author of changelog entries to match the latest + # author for contrib/fedora printf "* %s %s - %s\n" "$(date "+%a %b %e %Y" -d "${__date}")" "${__author}" "$(git_version "${__to}")-1" 
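Review bot: Replacing `owner /tmp/** w,` with `/tmp/** rw,` drops the `owner` qualifier, so pasta may now read and write any file under /tmp regardless of who owns it, while the sibling usr.bin.passt profile and the `@{HOME}/**` rule directly below this one keep `owner`. If the only new requirement is pasta_open_ns() reading a namespace file that another user created under /tmp, a separate narrow rule such as `/tmp/** r,` alongside the existing `owner /tmp/** w,` provides that without opening other users' files for writing. The comment lists the functions involved but not which one needs non-owner access; stating that would justify whichever form is kept.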
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index bbb0917..c6cea34 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -47,9 +47,8 @@ require { type port_t; type http_port_t; - type passwd_file_t; - class netlink_route_socket { bind create nlmsg_read }; + type sysctl_net_t; class capability { sys_tty_config setuid setgid }; class cap_userns { setpcap sys_admin sys_ptrace }; @@ -95,8 +94,7 @@ allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid s allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace }; allow passt_t self:user_namespace create; -allow passt_t passwd_file_t:file read_file_perms; -sssd_search_lib(passt_t) +auth_read_passwd(passt_t) allow passt_t proc_net_t:file read; allow passt_t net_conf_t:file { open read }; @@ -104,6 +102,8 @@ allow passt_t net_conf_t:lnk_file read; allow passt_t tmp_t:sock_file { create unlink write }; allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt }; kernel_search_network_sysctl(passt_t) +allow passt_t sysctl_net_t:dir search; +allow passt_t sysctl_net_t:file { open read }; corenet_tcp_bind_all_nodes(passt_t) corenet_udp_bind_all_nodes(passt_t) diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 0ceda06..69be081 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -68,9 +68,6 @@ require { type system_dbusd_t; type systemd_hostnamed_t; type systemd_systemctl_exec_t; - type passwd_file_t; - type sssd_public_t; - type sssd_var_lib_t; class dbus send_msg; class system module_request; class system status; 
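Review bot: The `require` block drops `class netlink_route_socket { bind create nlmsg_read };`, yet the module still relies on `allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };`, visible as context in a later hunk of this file. That is only safe if the module is built through refpolicy's `policy_module()` macro, which brings in all kernel classes, or the class is declared somewhere else; with a bare `module` statement `checkmodule` would reject the now undeclared class. The head of the file is outside these hunks, so confirm which form it uses before merging.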
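Review bot: The two new raw rules `allow passt_t sysctl_net_t:dir search;` and `allow passt_t sysctl_net_t:file { open read };` partly duplicate the existing `kernel_search_network_sysctl(passt_t)` call above them and could be replaced by the single interface `kernel_read_net_sysctls(passt_t)`, which also covers getattr for a future stat() on ip_local_port_range and follows any relabeling of the sysctl tree. Using the interface matches the style this same commit adopts with `auth_read_passwd(passt_t)` in place of raw passwd_file_t rules.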
@@ -115,8 +112,7 @@ allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; allow pasta_t self:user_namespace create; -allow pasta_t passwd_file_t:file read_file_perms; -sssd_search_lib(pasta_t) +auth_read_passwd(pasta_t) domain_auto_trans(pasta_t, bin_t, unconfined_t); domain_auto_trans(pasta_t, shell_exec_t, unconfined_t); @@ -178,12 +174,9 @@ allow pasta_t init_t:system status; allow pasta_t unconfined_t:dir search; allow pasta_t unconfined_t:file read; allow pasta_t unconfined_t:lnk_file read; -allow pasta_t passwd_file_t:file { getattr open read }; allow pasta_t self:process { setpgid setcap }; allow pasta_t shell_exec_t:file { execute execute_no_trans map }; -allow pasta_t sssd_var_lib_t:dir search; -allow pasta_t sssd_public_t:dir search; allow pasta_t hostname_exec_t:file { execute execute_no_trans getattr open read map }; allow pasta_t system_dbusd_t:unix_stream_socket connectto; allow pasta_t system_dbusd_t:dbus send_msg; @@ -196,7 +189,7 @@ allow pasta_t ifconfig_var_run_t:dir { read search watch }; allow pasta_t self:tun_socket create; allow pasta_t tun_tap_device_t:chr_file { ioctl open read write }; allow pasta_t sysctl_net_t:dir search; -allow pasta_t sysctl_net_t:file { open write }; +allow pasta_t sysctl_net_t:file { open read write }; allow pasta_t kernel_t:system module_request; allow pasta_t nsfs_t:file read; @@ -211,3 +204,4 @@ allow pasta_t ifconfig_t:process { noatsecure rlimitinh siginh }; allow pasta_t netutils_t:process { noatsecure rlimitinh siginh }; allow pasta_t ping_t:process { noatsecure rlimitinh siginh }; allow pasta_t user_tty_device_t:chr_file { append read write }; +allow pasta_t user_devpts_t:chr_file { append read write }; |
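Review bot: `allow pasta_t sysctl_net_t:file { open read write };` remains a raw rule on a kernel-owned type where refpolicy's `kernel_rw_net_sysctls(pasta_t)` expresses the same access, adds getattr, and makes the separate `sysctl_net_t:dir search` line kept as context above it redundant. Raw rules on types owned by other modules are exactly what the earlier hunk of this file moves away from with `auth_read_passwd(pasta_t)`, so it would be consistent to do the same here.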
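Review bot: The new `allow pasta_t user_devpts_t:chr_file { append read write };` omits `open`, which looks deliberate: it covers a pty inherited as stdin/stdout/stderr without letting pasta open other users' terminals, but nothing in the rule says so. The refpolicy interface `userdom_use_inherited_user_ptys(pasta_t)` encodes exactly that intent and would be the idiomatic form next to the `user_tty_device_t` rule above it; if a raw rule is preferred, a comment such as `# inherited stdout/stderr pty only, no open` prevents a later "fix" that adds open and widens the access.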