diff --git a/README.md b/README.md
index 37f68b1..5ddec98 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ Udica supports following container engines:
  * docker v1.13+
  * podman v2.0+
  * containerd v1.5.0+ (using `nerdctl` v0.14+ or crictl)
+ * LXD v5.21.1+
 
 ## Installing
 
diff --git a/tests/test_basic.lxd.cil b/tests/test_basic.lxd.cil
new file mode 100644
index 0000000..ac87e9a
--- /dev/null
+++ b/tests/test_basic.lxd.cil
@@ -0,0 +1,402 @@ +(block my-lxd-container + (blockinherit container) + (blockinherit restricted_net_container) + (allow process ftp_port_t ( tcp_socket ( name_bind ))) + (blockinherit home_rw_container) + (allow process var_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process var_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process var_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process var_spool_t ( sock_file ( append getattr open read write ))) + (allow process xdm_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process xdm_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process xdm_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process xdm_spool_t ( sock_file ( append getattr open read write ))) + (allow process mqueue_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process mqueue_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process mqueue_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process mqueue_spool_t ( sock_file ( append getattr open read write ))) + (allow process quota_db_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process quota_db_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process quota_db_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process quota_db_t ( sock_file ( append getattr open read write ))) + (allow process user_cron_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process 
user_cron_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process user_cron_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process user_cron_spool_t ( sock_file ( append getattr open read write ))) + (allow process abrt_retrace_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process abrt_retrace_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process abrt_retrace_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process abrt_retrace_spool_t ( sock_file ( append getattr open read write ))) + (allow process getty_var_run_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process getty_var_run_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process getty_var_run_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process getty_var_run_t ( sock_file ( append getattr open read write ))) + (allow process print_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process print_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process print_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process print_spool_t ( sock_file ( append getattr open read write ))) + (allow process smsd_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process smsd_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process smsd_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process smsd_spool_t ( sock_file ( append getattr open read write ))) + (allow 
process abrt_var_cache_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process abrt_var_cache_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process abrt_var_cache_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process abrt_var_cache_t ( sock_file ( append getattr open read write ))) + (allow process ctdbd_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process ctdbd_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process ctdbd_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process ctdbd_spool_t ( sock_file ( append getattr open read write ))) + (allow process print_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process print_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process print_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process print_spool_t ( sock_file ( append getattr open read write ))) + (allow process httpd_sys_rw_content_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process httpd_sys_rw_content_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process httpd_sys_rw_content_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process httpd_sys_rw_content_t ( sock_file ( append getattr open read write ))) + (allow process mail_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process mail_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process mail_spool_t ( fifo_file ( 
getattr read write append ioctl lock open ))) + (allow process mail_spool_t ( sock_file ( append getattr open read write ))) + (allow process mail_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process mail_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process mail_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process mail_spool_t ( sock_file ( append getattr open read write ))) + (allow process news_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process news_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process news_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process news_spool_t ( sock_file ( append getattr open read write ))) + (allow process rwho_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process rwho_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process rwho_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process rwho_spool_t ( sock_file ( append getattr open read write ))) + (allow process uucpd_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process uucpd_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process uucpd_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process uucpd_spool_t ( sock_file ( append getattr open read write ))) + (allow process exim_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process exim_spool_t ( file ( append create getattr ioctl lock map open read rename 
setattr unlink write ))) + (allow process exim_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process exim_spool_t ( sock_file ( append getattr open read write ))) + (allow process audit_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process audit_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process audit_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process audit_spool_t ( sock_file ( append getattr open read write ))) + (allow process abrt_var_cache_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process abrt_var_cache_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process abrt_var_cache_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process abrt_var_cache_t ( sock_file ( append getattr open read write ))) + (allow process samba_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process samba_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process samba_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process samba_spool_t ( sock_file ( append getattr open read write ))) + (allow process mail_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process mail_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process mail_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process mail_spool_t ( sock_file ( append getattr open read write ))) + (allow process spamd_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + 
(allow process spamd_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process spamd_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process spamd_spool_t ( sock_file ( append getattr open read write ))) + (allow process squid_cache_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process squid_cache_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process squid_cache_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process squid_cache_t ( sock_file ( append getattr open read write ))) + (allow process tetex_data_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process tetex_data_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process tetex_data_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process tetex_data_t ( sock_file ( append getattr open read write ))) + (allow process getty_var_run_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process getty_var_run_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process getty_var_run_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process getty_var_run_t ( sock_file ( append getattr open read write ))) + (allow process bacula_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process bacula_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process bacula_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process bacula_spool_t ( sock_file ( append getattr open read write ))) + (allow process nagios_spool_t ( 
dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process nagios_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process nagios_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process nagios_spool_t ( sock_file ( append getattr open read write ))) + (allow process nagios_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process nagios_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process nagios_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process nagios_spool_t ( sock_file ( append getattr open read write ))) + (allow process snmpd_var_lib_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process snmpd_var_lib_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process snmpd_var_lib_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process snmpd_var_lib_t ( sock_file ( append getattr open read write ))) + (allow process spamd_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process spamd_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process spamd_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process spamd_spool_t ( sock_file ( append getattr open read write ))) + (allow process httpd_sys_rw_content_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process httpd_sys_rw_content_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process httpd_sys_rw_content_t ( fifo_file ( getattr read write append ioctl 
lock open ))) + (allow process httpd_sys_rw_content_t ( sock_file ( append getattr open read write ))) + (allow process quota_db_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process quota_db_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process quota_db_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process quota_db_t ( sock_file ( append getattr open read write ))) + (allow process mailman_data_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process mailman_data_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process mailman_data_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process mailman_data_t ( sock_file ( append getattr open read write ))) + (allow process postfix_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postfix_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process postfix_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postfix_spool_t ( sock_file ( append getattr open read write ))) + (allow process antivirus_db_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process antivirus_db_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process antivirus_db_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process antivirus_db_t ( sock_file ( append getattr open read write ))) + (allow process system_cron_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process system_cron_spool_t ( file ( append create getattr ioctl lock map open 
read rename setattr unlink write ))) + (allow process system_cron_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process system_cron_spool_t ( sock_file ( append getattr open read write ))) + (allow process courier_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process courier_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process courier_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process courier_spool_t ( sock_file ( append getattr open read write ))) + (allow process dovecot_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process dovecot_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process dovecot_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process dovecot_spool_t ( sock_file ( append getattr open read write ))) + (allow process prelude_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process prelude_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process prelude_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process prelude_spool_t ( sock_file ( append getattr open read write ))) + (allow process pyicqt_var_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process pyicqt_var_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process pyicqt_var_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process pyicqt_var_spool_t ( sock_file ( append getattr open read write ))) + (allow process var_log_t ( dir ( add_name create getattr ioctl 
lock open read remove_name rmdir search setattr write ))) + (allow process var_log_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process var_log_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process var_log_t ( sock_file ( append getattr open read write ))) + (allow process rpm_var_cache_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process rpm_var_cache_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process rpm_var_cache_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process rpm_var_cache_t ( sock_file ( append getattr open read write ))) + (allow process asterisk_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process asterisk_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process asterisk_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process asterisk_spool_t ( sock_file ( append getattr open read write ))) + (allow process print_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process print_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process print_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process print_spool_t ( sock_file ( append getattr open read write ))) + (allow process dkim_milter_data_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process dkim_milter_data_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process dkim_milter_data_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process dkim_milter_data_t ( 
sock_file ( append getattr open read write ))) + (allow process plymouthd_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process plymouthd_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process plymouthd_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process plymouthd_spool_t ( sock_file ( append getattr open read write ))) + (allow process mqueue_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process mqueue_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process mqueue_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process mqueue_spool_t ( sock_file ( append getattr open read write ))) + (allow process dkim_milter_data_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process dkim_milter_data_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process dkim_milter_data_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process dkim_milter_data_t ( sock_file ( append getattr open read write ))) + (allow process spamd_var_run_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process spamd_var_run_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process spamd_var_run_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process spamd_var_run_t ( sock_file ( append getattr open read write ))) + (allow process courier_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process courier_spool_t ( file ( append create getattr ioctl lock map open read rename setattr 
unlink write ))) + (allow process courier_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process courier_spool_t ( sock_file ( append getattr open read write ))) + (allow process var_log_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process var_log_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process var_log_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process var_log_t ( sock_file ( append getattr open read write ))) + (allow process callweaver_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process callweaver_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process callweaver_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process callweaver_spool_t ( sock_file ( append getattr open read write ))) + (allow process sge_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process sge_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process sge_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process sge_spool_t ( sock_file ( append getattr open read write ))) + (allow process abrt_var_cache_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process abrt_var_cache_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process abrt_var_cache_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process abrt_var_cache_t ( sock_file ( append getattr open read write ))) + (allow process lpd_var_run_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + 
(allow process lpd_var_run_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process lpd_var_run_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process lpd_var_run_t ( sock_file ( append getattr open read write ))) + (allow process uucpd_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process uucpd_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process uucpd_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process uucpd_spool_t ( sock_file ( append getattr open read write ))) + (allow process mscan_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process mscan_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process mscan_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process mscan_spool_t ( sock_file ( append getattr open read write ))) + (allow process public_content_rw_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process public_content_rw_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process public_content_rw_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process public_content_rw_t ( sock_file ( append getattr open read write ))) + (allow process etc_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process etc_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process etc_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process etc_t ( sock_file ( append getattr open read write ))) + (allow process lib_t ( dir ( add_name create 
getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process lib_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process lib_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process lib_t ( sock_file ( append getattr open read write ))) + (allow process lib_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process lib_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process lib_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process lib_t ( sock_file ( append getattr open read write ))) + (allow process postfix_var_run_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postfix_var_run_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process postfix_var_run_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postfix_var_run_t ( sock_file ( append getattr open read write ))) + (allow process abrt_retrace_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process abrt_retrace_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process abrt_retrace_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process abrt_retrace_spool_t ( sock_file ( append getattr open read write ))) + (allow process regex_milter_data_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process regex_milter_data_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process regex_milter_data_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process regex_milter_data_t ( 
sock_file ( append getattr open read write ))) + (allow process spamd_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process spamd_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process spamd_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process spamd_spool_t ( sock_file ( append getattr open read write ))) + (allow process squirrelmail_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process squirrelmail_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process squirrelmail_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process squirrelmail_spool_t ( sock_file ( append getattr open read write ))) + (allow process spamd_var_run_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process spamd_var_run_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process spamd_var_run_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process spamd_var_run_t ( sock_file ( append getattr open read write ))) + (allow process postfix_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postfix_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process postfix_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postfix_spool_t ( sock_file ( append getattr open read write ))) + (allow process postfix_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postfix_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink 
write ))) + (allow process postfix_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postfix_spool_t ( sock_file ( append getattr open read write ))) + (allow process lib_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process lib_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process lib_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process lib_t ( sock_file ( append getattr open read write ))) + (allow process postfix_spool_bounce_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postfix_spool_bounce_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process postfix_spool_bounce_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postfix_spool_bounce_t ( sock_file ( append getattr open read write ))) + (allow process postfix_public_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postfix_public_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process postfix_public_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postfix_public_t ( sock_file ( append getattr open read write ))) + (allow process abrt_retrace_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process abrt_retrace_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process abrt_retrace_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process abrt_retrace_spool_t ( sock_file ( append getattr open read write ))) + (allow process ld_so_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search 
setattr write ))) + (allow process ld_so_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process ld_so_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process ld_so_t ( sock_file ( append getattr open read write ))) + (allow process postfix_private_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postfix_private_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process postfix_private_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postfix_private_t ( sock_file ( append getattr open read write ))) + (allow process spamass_milter_data_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process spamass_milter_data_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process spamass_milter_data_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process spamass_milter_data_t ( sock_file ( append getattr open read write ))) + (allow process prelude_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process prelude_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process prelude_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process prelude_spool_t ( sock_file ( append getattr open read write ))) + (allow process postfix_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postfix_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process postfix_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postfix_spool_t ( sock_file ( append 
getattr open read write ))) + (allow process postfix_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postfix_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process postfix_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postfix_spool_t ( sock_file ( append getattr open read write ))) + (allow process postgrey_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process postgrey_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process postgrey_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process postgrey_spool_t ( sock_file ( append getattr open read write ))) + (allow process plymouthd_var_log_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process plymouthd_var_log_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process plymouthd_var_log_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process plymouthd_var_log_t ( sock_file ( append getattr open read write ))) + (allow process zoneminder_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process zoneminder_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process zoneminder_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process zoneminder_spool_t ( sock_file ( append getattr open read write ))) + (allow process user_cron_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process user_cron_spool_t ( file ( append create getattr ioctl lock map open read rename setattr 
unlink write ))) + (allow process user_cron_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process user_cron_spool_t ( sock_file ( append getattr open read write ))) + (allow process cron_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process cron_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process cron_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process cron_spool_t ( sock_file ( append getattr open read write ))) + (allow process device_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process device_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process device_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process device_t ( sock_file ( append getattr open read write ))) + (allow process var_run_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process var_run_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process var_run_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process var_run_t ( sock_file ( append getattr open read write ))) + (allow process system_cron_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process system_cron_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process system_cron_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process system_cron_spool_t ( sock_file ( append getattr open read write ))) + (allow process cron_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process 
cron_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process cron_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process cron_spool_t ( sock_file ( append getattr open read write ))) + (allow process devlog_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process devlog_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process devlog_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process devlog_t ( sock_file ( append getattr open read write ))) + (allow process system_cron_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process system_cron_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process system_cron_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process system_cron_spool_t ( sock_file ( append getattr open read write ))) + (allow process system_cron_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process system_cron_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process system_cron_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process system_cron_spool_t ( sock_file ( append getattr open read write ))) + (allow process fetchmail_uidl_cache_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process fetchmail_uidl_cache_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process fetchmail_uidl_cache_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process fetchmail_uidl_cache_t ( sock_file ( append getattr open read write 
))) + (allow process locale_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process locale_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process locale_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process locale_t ( sock_file ( append getattr open read write ))) + (allow process fetchmail_uidl_cache_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process fetchmail_uidl_cache_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process fetchmail_uidl_cache_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process fetchmail_uidl_cache_t ( sock_file ( append getattr open read write ))) + (allow process user_cron_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process user_cron_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process user_cron_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process user_cron_spool_t ( sock_file ( append getattr open read write ))) + (allow process var_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process var_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process var_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) + (allow process var_spool_t ( sock_file ( append getattr open read write ))) + (allow process var_spool_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) + (allow process var_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write ))) + (allow process var_spool_t ( fifo_file ( getattr read write 
append ioctl lock open ))) + (allow process var_spool_t ( sock_file ( append getattr open read write ))) +) \ No newline at end of file diff --git a/tests/test_basic.lxd.json b/tests/test_basic.lxd.json new file mode 100644 index 0000000..b71ca46 --- /dev/null +++ b/tests/test_basic.lxd.json 
@@ -0,0 +1,92 @@ +{ + "architecture": "x86_64", + "config": { + "image.architecture": "amd64", + "image.description": "ubuntu 20.04 LTS amd64 (release) (20240626)", + "image.label": "release", + "image.os": "ubuntu", + "image.release": "focal", + "image.serial": "20240626", + "image.type": "squashfs", + "image.version": "20.04", + "volatile.base_image": "afeb6fc84380878e47e1be18b3cd4e0a6671610f94ad3ffc8a50481afbe77a19", + "volatile.cloud-init.instance-id": "402d6e74-3ce0-483c-8d46-fdb28cdab306", + "volatile.eth0.host_name": "veth21ca03ab", + "volatile.eth0.hwaddr": "00:16:3e:fc:a1:ec", + "volatile.idmap.base": "0", + "volatile.idmap.current": "[{\"Isuid\":true,\"Isgid\":false,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000},{\"Isuid\":false,\"Isgid\":true,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000}]", + "volatile.idmap.next": "[{\"Isuid\":true,\"Isgid\":false,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000},{\"Isuid\":false,\"Isgid\":true,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000}]", + "volatile.last_state.idmap": "[]", + "volatile.last_state.power": "RUNNING", + "volatile.last_state.ready": "false", + "volatile.uuid": "5835af62-6142-4a7c-9282-35d31ae22cb7", + "volatile.uuid.generation": "5835af62-6142-4a7c-9282-35d31ae22cb7" + }, + "created_at": "2024-06-29T16:03:00.781248448Z", + "description": "", + "devices": {}, + "ephemeral": false, + "expanded_config": { + "image.architecture": "amd64", + "image.description": "ubuntu 20.04 LTS amd64 (release) (20240626)", + "image.label": "release", + "image.os": "ubuntu", + "image.release": "focal", + "image.serial": "20240626", + "image.type": "squashfs", + "image.version": "20.04", + "volatile.base_image": "afeb6fc84380878e47e1be18b3cd4e0a6671610f94ad3ffc8a50481afbe77a19", + "volatile.cloud-init.instance-id": "402d6e74-3ce0-483c-8d46-fdb28cdab306", + "volatile.eth0.host_name": "veth21ca03ab", + "volatile.eth0.hwaddr": "00:16:3e:fc:a1:ec", + "volatile.idmap.base": "0", + 
"volatile.idmap.current": "[{\"Isuid\":true,\"Isgid\":false,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000},{\"Isuid\":false,\"Isgid\":true,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000}]", + "volatile.idmap.next": "[{\"Isuid\":true,\"Isgid\":false,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000},{\"Isuid\":false,\"Isgid\":true,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000}]", + "volatile.last_state.idmap": "[]", + "volatile.last_state.power": "RUNNING", + "volatile.last_state.ready": "false", + "volatile.uuid": "5835af62-6142-4a7c-9282-35d31ae22cb7", + "volatile.uuid.generation": "5835af62-6142-4a7c-9282-35d31ae22cb7" + }, + "expanded_devices": { + "eth0": { + "name": "eth0", + "network": "lxdbr0", + "type": "nic" + }, + "home": { + "path": "/home", + "readonly": "true", + "source": "/home", + "type": "disk" + }, + "myport21": { + "bind": "host", + "connect": "tcp:127.0.0.1:21", + "listen": "tcp:0.0.0.0:21", + "type": "proxy" + }, + "root": { + "path": "/", + "pool": "default", + "type": "disk" + }, + "spool": { + "path": "/var/spool", + "source": "/var/spool", + "type": "disk" + } + }, + "last_used_at": "2024-07-01T15:00:22.55170503Z", + "location": "none", + "name": "my-ubuntu-container", + "profiles": [ + "default", + "myprofile" + ], + "project": "default", + "stateful": false, + "status": "Running", + "status_code": 103, + "type": "container" +} \ No newline at end of file diff --git a/udica/__main__.py b/udica/__main__.py index 801499c..abd5121 100644 --- a/udica/__main__.py +++ b/udica/__main__.py @@ -19,7 +19,7 @@ # import udica from udica.parse import parse_avc_file -from udica.parse import ENGINE_ALL, ENGINE_PODMAN, ENGINE_DOCKER +from udica.parse import ENGINE_ALL, ENGINE_PODMAN, ENGINE_DOCKER, ENGINE_LXD from udica.version import version from udica import parse from udica.policy import create_policy, load_policy, generate_playbook 
@@ -260,13 +260,20 @@ def main(): if opts["ContainerID"]: container_inspect_raw = None - for backend in [ENGINE_PODMAN, ENGINE_DOCKER]: + for backend in [ENGINE_PODMAN, ENGINE_DOCKER, ENGINE_LXD]: try: - run_inspect = subprocess.Popen( - [backend, "inspect", opts["ContainerID"]], - stdout=subprocess.PIPE, - stderr=subprocess.DEVNULL, - ) + if backend == ENGINE_LXD: + run_inspect = subprocess.Popen( + ["lxc", "query", "/1.0/instances/", opts["ContainerID"]], + stdout=subprocess.PIPE, + stderr=subprocess.DEVNULL, + ) + else: + run_inspect = subprocess.Popen( + [backend, "inspect", opts["ContainerID"]], + stdout=subprocess.PIPE, + stderr=subprocess.DEVNULL, + ) inspect_data = run_inspect.communicate()[0] if run_inspect.returncode != 0: inspect_data = None @@ -278,7 +285,7 @@ def main(): break if not container_inspect_raw: - print("Container with specified ID does not exits!") + print("Container with specified ID does not exist!") exit(3) if opts["JsonFile"]: diff --git a/udica/parse.py b/udica/parse.py index f02ec0b..e0b3821 100644 --- a/udica/parse.py +++ b/udica/parse.py @@ -16,20 +16,15 @@ import abc import json -#: Constant for the podman engine +#: Constants for container engines ENGINE_PODMAN = "podman" - -#: Constant for the cri-o engine ENGINE_CRIO = "CRI-O" - -#: Constant for the docker engine ENGINE_DOCKER = "docker" - -#: Constant for the containerd engine ENGINE_CONTAINERD = "containerd" +ENGINE_LXD = "LXD" #: All supported engines -ENGINE_ALL = [ENGINE_PODMAN, ENGINE_CRIO, ENGINE_DOCKER, ENGINE_CONTAINERD] +ENGINE_ALL = [ENGINE_PODMAN, ENGINE_CRIO, ENGINE_DOCKER, ENGINE_CONTAINERD, ENGINE_LXD] # Decorator for verifying that getting value from "data" won't 
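Review bot: `["lxc", "query", "/1.0/instances/", opts["ContainerID"]]` passes the container ID as a second positional argument, but `lxc query` takes exactly one API path as far as I know, so this branch most likely fails with a usage error that the `stderr=DEVNULL` and return-code handling turn into a silent miss, and the user only ever sees the "does not exist" message; the intended call is `["lxc", "query", "/1.0/instances/" + opts["ContainerID"]]`. Keeping the argv-list form is right, since it avoids any shell interpretation of the ID. Because the ID becomes part of an API path, a value containing `/` or `?` would address a different endpoint; rejecting such values up front, or comparing the returned `name` field with the requested ID, keeps the failure explicit. The new test fixtures exercise the JSON-file path only, so nothing in this commit runs the branch; `main` continues outside the hunk.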
@@ -69,17 +64,34 @@ def json_is_containerd_format(json_rep): def json_is_podman_format(json_rep): """Check if the inspected file is in a format from podman.""" - return isinstance(json_rep, list) and ( - "container=oci" in json_rep[0]["Config"]["Env"] - or "container=podman" in json_rep[0]["Config"]["Env"] + return ( + isinstance(json_rep, list) + and ( + "container=oci" in json_rep[0]["Config"]["Env"] + or "container=podman" in json_rep[0]["Config"]["Env"] + ) + ) + +def json_is_lxd_format(json_rep): + """Check if the inspected file is in a format from LXD.""" + return ( + # LXD's inspection output returns a single dictionary for a single container + isinstance(json_rep, dict) + and "expanded_devices" in json_rep + and "architecture" in json_rep + and "config" in json_rep ) def get_engine_helper(data, ContainerEngine): engine = validate_container_engine(ContainerEngine) + if engine == "-": json_rep = json.loads(data) - if json_is_list(json_rep): + + if json_is_lxd_format(json_rep): + return LxdHelper() + elif json_is_list(json_rep): if json_is_containerd_format(json_rep): return ContainerdHelper() elif json_is_podman_format(json_rep): @@ -96,7 +108,9 @@ def get_engine_helper(data, ContainerEngine): return CrioHelper() elif engine == ENGINE_CONTAINERD: return ContainerdHelper() - raise RuntimeError("Unkown engine") + elif engine == ENGINE_LXD: + return LxdHelper() + raise RuntimeError("Unknown engine") class EngineHelper(abc.ABC): 
@@ -259,6 +273,54 @@ def get_caps(self, data, opts): return opts["Caps"].split(",") return data[0]["Spec"]["process"]["capabilities"]["effective"] +class LxdHelper(EngineHelper): + def __init__(self): + super().__init__(ENGINE_LXD) + + @getter_decorator + def get_devices(self, data): + # Extract devices from the config + devices = [] + config_devices = data["expanded_devices"] + for name, device in config_devices.items(): + if device["type"] in ["unix-block", "unix-char"]: + device["PathOnHost"] = device.get("path", "") + devices.append(device) + return devices + + @getter_decorator + def get_mounts(self, data): + # Extract mounts (disk devices) + mounts = [] + config_devices = data["expanded_devices"] + for name, device in config_devices.items(): + if device["type"] == "disk": + mount = { + "source": device.get("source", ""), + "path": device.get("path", ""), + "readonly": device.get("readonly", False), + } + mounts.append(mount) + return mounts + + @getter_decorator + def get_ports(self, data): + # Extract port information from the LXD JSON configuration + ports = [] + for name, device in data["expanded_devices"].items(): + if device["type"] == "proxy": + port_info = { + "portNumber": int(device["listen"].split(":")[-1]), + "protocol": device["connect"].split(":")[0] + } + ports.append(port_info) + return ports + + @getter_decorator + def get_caps(self, data, opts): + # Capabilities are not part of LXD spec directly + return [] + def parse_cap(data): return data.decode().split("\n")[1].split(",") diff --git a/udica/perms.py b/udica/perms.py index 13472c7..ab66e30 100644 --- a/udica/perms.py +++ b/udica/perms.py @@ -13,6 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +# Dictionary of permissions for various device and file types perm = { "device_rw": "getattr read write append ioctl lock open", "dir_rw": "add_name create getattr ioctl lock open read remove_name rmdir search setattr write", 
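Review bot: `get_mounts` reports read-only state under the key `readonly`, but `write_policy_for_lxd_mounts` in the policy.py hunk below only tests `"ro" in item.get("options", [])`, a key this helper never sets, so every LXD disk device, including the fixture's `/home` device with `"readonly": "true"`, is rendered with the read-write rules and the `_ro` branches there are dead code. LXD keeps config values as strings, so the fix belongs here: derive `readonly = str(device.get("readonly", "")).lower() == "true"` and also emit `"options": ["ro"] if readonly else []` so the writer sees it. `get_devices` sets `PathOnHost` from `path`, which for LXD unix-char/unix-block devices is the in-instance path as far as I know while the host path is `source`, and the assignment mutates the parsed inspect data in place. `get_ports` takes the protocol from `connect` rather than the side that actually binds (`listen`), and `int(device["listen"].split(":")[-1])` raises ValueError for `unix:` listeners or port ranges, both of which LXD proxy devices accept. `get_caps` always returns `[]` and, unlike the sibling helper visible in the context lines above, ignores an explicit `opts["Caps"]`.
```python
    @getter_decorator
    def get_devices(self, data):
        # Collect unix-char/unix-block devices without mutating the inspect data.
        # NOTE(review): LXD's `source` is the host path, `path` the in-instance
        # path (defaults to source) — confirm against the LXD device reference.
        devices = []
        for device in data["expanded_devices"].values():
            if device["type"] in ["unix-block", "unix-char"]:
                entry = dict(device)
                entry["PathOnHost"] = device.get("source", device.get("path", ""))
                devices.append(entry)
        return devices

    @getter_decorator
    def get_mounts(self, data):
        # Collect disk devices. LXD stores config values as strings, so
        # "readonly" is compared as text; "options" is the key the policy
        # writer inspects, so the read-only flag is mirrored there.
        mounts = []
        for device in data["expanded_devices"].values():
            if device["type"] == "disk":
                readonly = str(device.get("readonly", "")).lower() == "true"
                mounts.append(
                    {
                        "source": device.get("source", ""),
                        "path": device.get("path", ""),
                        "readonly": readonly,
                        "options": ["ro"] if readonly else [],
                    }
                )
        return mounts

    # … unchanged: get_ports (see note) …

    @getter_decorator
    def get_caps(self, data, opts):
        # Honour an explicit capability list like the other helpers do; the
        # LXD instance JSON itself carries no effective capability set.
        if opts["Caps"]:
            return opts["Caps"].split(",")
        return []
```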
@@ -25,4 +26,5 @@ "socket_ro": "getattr open read", } +# Dictionary of socket types mapped to their corresponding SELinux object class socket = {"tcp": "tcp_socket", "udp": "udp_socket", "sctp": "sctp_socket"} diff --git a/udica/policy.py b/udica/policy.py index 9d1eae0..4ddba50 100644 --- a/udica/policy.py +++ b/udica/policy.py @@ -181,6 +181,8 @@ def create_policy( write_policy_for_crio_mounts(mounts, policy) elif inspect_format == "containerd": write_policy_for_containerd_mounts(mounts, policy) + elif inspect_format == "LXD": + write_policy_for_lxd_mounts(mounts, policy) else: write_policy_for_podman_mounts(mounts, policy) 
@@ -567,6 +569,111 @@ def write_policy_for_containerd_mounts(mounts, policy): ) +def write_policy_for_lxd_mounts(mounts, policy): + for item in sorted(mounts, key=lambda x: str(x["source"])): + if not item["source"].find("/"): + if item["source"] == LOG_CONTAINER and "ro" in item.get("options", []): + policy.write(" (blockinherit log_container)\n") + add_template("log_container") + continue + + if item["source"] == LOG_CONTAINER and "ro" not in item.get("options", []): + policy.write(" (blockinherit log_rw_container)\n") + add_template("log_container") + continue + + if item["source"] == HOME_CONTAINER and "ro" in item.get("options", []): + policy.write(" (blockinherit home_container)\n") + add_template("home_container") + continue + + if item["source"] == HOME_CONTAINER and "ro" not in item.get("options", []): + policy.write(" (blockinherit home_rw_container)\n") + add_template("home_container") + continue + + if item["source"] == TMP_CONTAINER and "ro" in item.get("options", []): + policy.write(" (blockinherit tmp_container)\n") + add_template("tmp_container") + continue + + if item["source"] == TMP_CONTAINER and "ro" not in item.get("options", []): + policy.write(" (blockinherit tmp_rw_container)\n") + add_template("tmp_container") + continue + + if item["source"] == CONFIG_CONTAINER and "ro" in item.get("options", []): + policy.write(" (blockinherit config_container)\n") + add_template("config_container") + continue + + if item["source"] == CONFIG_CONTAINER and "ro" not in item.get("options", []): + policy.write(" (blockinherit config_rw_container)\n") + add_template("config_container") + continue + + contexts = list_contexts(item["source"]) + for context in contexts: + if "ro" not in item.get("options", []): + policy.write( + " (allow process " + + context + + " ( dir ( " + + perms.perm["dir_rw"] + + " ))) \n" + ) + policy.write( + " (allow process " + + context + + " ( file ( " + + perms.perm["file_rw"] + + " ))) \n" + ) + policy.write( + " (allow process " + 
+ context + + " ( fifo_file ( " + + perms.perm["fifo_rw"] + + " ))) \n" + ) + policy.write( + " (allow process " + + context + + " ( sock_file ( " + + perms.perm["socket_rw"] + + " ))) \n" + ) + if "ro" in item.get("options", []): + policy.write( + " (allow process " + + context + + " ( dir ( " + + perms.perm["dir_ro"] + + " ))) \n" + ) + policy.write( + " (allow process " + + context + + " ( file ( " + + perms.perm["file_ro"] + + " ))) \n" + ) + policy.write( + " (allow process " + + context + + " ( fifo_file ( " + + perms.perm["fifo_ro"] + + " ))) \n" + ) + policy.write( + " (allow process " + + context + + " ( sock_file ( " + + perms.perm["socket_ro"] + + " ))) \n" + ) + + def load_policy(opts): PWD = getcwd()
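Review bot: The body is eight near-identical template checks followed by two copy-pasted blocks of four `policy.write` calls that differ only in the `_rw`/`_ro` suffix, which makes the function hard to audit for exactly the kind of mismatch raised on the LxdHelper hunk (that hunk, not this one, owns the `readonly` vs `options` fix). Deciding `ro` once per mount, keying the well-known paths in a dict and looping over the four object classes gives byte-identical output, including the trailing space before each newline, in a fraction of the lines; `if not item["source"].startswith("/"): continue` also says what `not item["source"].find("/")` means, namely that pool-backed disks with no `source` (the fixture's `root`) are skipped. The collapsed diff does not preserve indentation, so whether the `list_contexts` loop sits inside the leading-slash check is inferred from the podman writer this appears to mirror; please verify before adopting the rewrite.
```python
def write_policy_for_lxd_mounts(mounts, policy):
    # Well-known host paths that map to a policy template; the read-write
    # variant is the same name with "_rw_" spliced in, and add_template()
    # always receives the base name.
    templates = {
        LOG_CONTAINER: "log_container",
        HOME_CONTAINER: "home_container",
        TMP_CONTAINER: "tmp_container",
        CONFIG_CONTAINER: "config_container",
    }
    # (CIL object class, perms.perm key prefix)
    classes = (("dir", "dir"), ("file", "file"), ("fifo_file", "fifo"), ("sock_file", "socket"))
    for item in sorted(mounts, key=lambda x: str(x["source"])):
        source = item["source"]
        if not source.startswith("/"):
            continue
        ro = "ro" in item.get("options", [])
        template = templates.get(source)
        if template:
            block = template if ro else template.replace("_container", "_rw_container")
            policy.write(" (blockinherit " + block + ")\n")
            add_template(template)
            continue
        suffix = "ro" if ro else "rw"
        for context in list_contexts(source):
            for cls, key in classes:
                policy.write(
                    " (allow process " + context + " ( " + cls + " ( "
                    + perms.perm[key + "_" + suffix] + " ))) \n"
                )
```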