author | Kenton Groombridge <concord@gentoo.org> | 2024-01-12 15:03:17 -0500 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:04:41 -0500 |
commit | 8c7219727d5b774677ede79e47eba266e14bd3e6 (patch) | |
tree | a33478b408b1af43c9599ba1930ef840d2aab046 | |
parent | container, kubernetes: allow kubernetes to use fuse-overlayfs (diff) | |
download | hardened-refpolicy-8c7219727d5b774677ede79e47eba266e14bd3e6.tar.gz hardened-refpolicy-8c7219727d5b774677ede79e47eba266e14bd3e6.tar.bz2 hardened-refpolicy-8c7219727d5b774677ede79e47eba266e14bd3e6.zip |
kubernetes: fix kubelet accounting
The kubelet routinely collects metrics and accounting data for all
containers, which involves calculating resource utilization for both
running containers and the contents of their images on disk.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/services/container.if | 60 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 5 |
2 files changed, 65 insertions, 0 deletions
diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 165a73d5..18b27f19 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1533,6 +1533,26 @@ interface(`container_spec_filetrans_file',`
 ########################################
 ## <summary>
+## Allow the specified domain to get
+## the attributes of all container
+## file objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_getattr_all_files',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ allow $1 container_file_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
 ## Allow the specified domain to list
 ## the contents of read-only container
 ## file directories.
@@ -1553,6 +1573,26 @@ interface(`container_list_ro_dirs',`
 ########################################
 ## <summary>
+## Allow the specified domain to get
+## the attributes of all read-only
+## container file objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_getattr_all_ro_files',`
+ gen_require(`
+ type container_ro_file_t;
+ ')
+
+ allow $1 container_ro_file_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
 ## Allow the specified domain to
 ## manage container config home content.
 ## </summary>
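Review bot: `container_getattr_all_files` grants `getattr` on every class in `dir_file_class_set` but no `search` on the directories, so a caller that does not already hold search access on the enclosing tree still cannot stat nested objects; the summary should state that, e.g. `## Callers also need search access on the enclosing directories (container_list_ro_dirs covers the read-only case).` The same applies to `container_getattr_all_ro_files` in the next hunk and `container_getattr_all_var_lib_files` in the hunk after it. In refpolicy naming `_all_` usually means every type carrying an attribute (as in `files_getattr_all_files`), whereas here it means every object class of a single type; wording the summary as `## the attributes of container file objects of any class.` would avoid that reading. Worth noting in the summary as well that this is metadata-only access and confers no `read` on content.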
@@ -2338,6 +2378,26 @@ interface(`container_unlabeled_var_lib_filetrans',`
 ########################################
 ## <summary>
+## Allow the specified domain to get
+## the attributes of all container
+## var lib objects.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_getattr_all_var_lib_files',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ allow $1 container_var_lib_t:dir_file_class_set getattr;
+')
+
+########################################
+## <summary>
 ## Allow the specified domain to search
 ## container log file directories.
 ## </summary>
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 84e8ce4b..0f5f6769 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -400,6 +400,11 @@ kubernetes_manage_tmpfs_files(kubelet_t)
 kubernetes_manage_tmpfs_symlinks(kubelet_t)
 fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
+# for metrics and accounting
+container_getattr_all_files(kubelet_t)
+container_getattr_all_ro_files(kubelet_t)
+container_getattr_all_var_lib_files(kubelet_t)
+
 ifdef(`init_systemd',`
 init_dbus_chat(kubelet_t)
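Review bot: The three new calls give kubelet_t metadata-only access (`getattr`, no `read`) to every object class of container, read-only container and var lib content, which matches the accounting use in the commit message, but stat of objects inside those trees also requires `search` on the intervening directories; if kubelet_t does not already hold that outside the hunk, the accounting walk will still fail with search denials on `container_var_lib_t` or `container_ro_file_t` directories. Recording the intended scope in the comment would keep the grant from being widened later without thought: `# metrics and accounting: stat (getattr only, no content read) every container, read-only container and var lib object`. kubelet_t's rule block continues on both sides of the hunk.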