|
| 1 | +From c2c904f7a3802ac76e7546092fd9c383be5b1082 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Kemal Rasim Sh <kshakir@qti.qualcomm.com> |
| 3 | +Date: Mon, 29 Jun 2026 09:13:22 +0300 |
| 4 | +Subject: [PATCH 5/5] selinux: Add type and access policy for Docker home |
| 5 | + directories |
| 6 | + |
| 7 | +Define docker_home_t and label specific home subdirectories |
| 8 | +(media, models, labels, configs) for Docker use. |
| 9 | +Introduce docker_home_access interface to grant directory-level |
| 10 | +getattr/ioctl access to these directories. |
| 11 | + |
| 12 | +Upstream-Status: Inappropriate [Qualcomm specific change] |
| 13 | + |
| 14 | +Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com> |
| 15 | +--- |
| 16 | + policy/modules/services/docker.te | 4 ++++ |
| 17 | + policy/modules/services/docker_home.fc | 4 ++++ |
| 18 | + policy/modules/services/docker_home.if | 19 +++++++++++++++++++ |
| 19 | + policy/modules/services/docker_home.te | 10 ++++++++++ |
| 20 | + 4 files changed, 37 insertions(+) |
| 21 | + create mode 100644 policy/modules/services/docker_home.fc |
| 22 | + create mode 100644 policy/modules/services/docker_home.if |
| 23 | + create mode 100644 policy/modules/services/docker_home.te |
| 24 | + |
| 25 | +diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te |
| 26 | +index cf45fc188..271c96800 100644 |
| 27 | +--- a/policy/modules/services/docker.te |
| 28 | ++++ b/policy/modules/services/docker.te |
| 29 | +@@ -98,6 +98,10 @@ optional_policy(` |
| 30 | + ') |
| 31 | + ') |
| 32 | + |
| 33 | ++optional_policy(` |
| 34 | ++ docker_home_access(dockerd_t) |
| 35 | ++') |
| 36 | ++ |
| 37 | + ######################################## |
| 38 | + # |
| 39 | + # Docker CLI local policy |
| 40 | +diff --git a/policy/modules/services/docker_home.fc b/policy/modules/services/docker_home.fc |
| 41 | +new file mode 100644 |
| 42 | +index 000000000..e55305fbc |
| 43 | +--- /dev/null |
| 44 | ++++ b/policy/modules/services/docker_home.fc |
| 45 | +@@ -0,0 +1,4 @@ |
| 46 | ++HOME_DIR/media(/.*)? gen_context(system_u:object_r:docker_home_t,s0) |
| 47 | ++HOME_DIR/models(/.*)? gen_context(system_u:object_r:docker_home_t,s0) |
| 48 | ++HOME_DIR/labels(/.*)? gen_context(system_u:object_r:docker_home_t,s0) |
| 49 | ++HOME_DIR/configs(/.*)? gen_context(system_u:object_r:docker_home_t,s0) |
| 50 | +diff --git a/policy/modules/services/docker_home.if b/policy/modules/services/docker_home.if |
| 51 | +new file mode 100644 |
| 52 | +index 000000000..7c25944d4 |
| 53 | +--- /dev/null |
| 54 | ++++ b/policy/modules/services/docker_home.if |
| 55 | +@@ -0,0 +1,19 @@ |
| 56 | ++## <summary>Policy for Docker home access.</summary> |
| 57 | ++ |
| 58 | ++##################################### |
| 59 | ++## <summary> |
| 60 | ++## Access Docker home directories. |
| 61 | ++## </summary> |
| 62 | ++## <param name="domain"> |
| 63 | ++## <summary> |
| 64 | ++## Domain allowed access. |
| 65 | ++## </summary> |
| 66 | ++## </param> |
| 67 | ++# |
| 68 | ++interface(`docker_home_access',` |
| 69 | ++ gen_require(` |
| 70 | ++ type docker_home_t; |
| 71 | ++ ') |
| 72 | ++ |
| 73 | ++ allow $1 docker_home_t:dir { getattr ioctl }; |
| 74 | ++') |
| 75 | +diff --git a/policy/modules/services/docker_home.te b/policy/modules/services/docker_home.te |
| 76 | +new file mode 100644 |
| 77 | +index 000000000..db7aa3a0f |
| 78 | +--- /dev/null |
| 79 | ++++ b/policy/modules/services/docker_home.te |
| 80 | +@@ -0,0 +1,10 @@ |
| 81 | ++policy_module(docker_home) |
| 82 | ++ |
| 83 | ++######################################## |
| 84 | ++# |
| 85 | ++# Declarations |
| 86 | ++# |
| 87 | ++ |
| 88 | ++type docker_home_t; |
| 89 | ++ |
| 90 | ++files_type(docker_home_t) |
| 91 | +-- |
| 92 | +2.43.0 |
| 93 | + |
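Review bot: docker_home_t in docker_home.te is declared with `files_type` only, yet docker_home.fc relabels `~/media`, `~/models`, `~/labels` and `~/configs` in every user's home away from the default home-content type, so any user domain whose home access comes through the refpolicy home-content attribute would presumably lose the ability to manage those directories; declaring the type with `userdom_user_home_content(docker_home_t)` (which implies files_type) is the usual way to keep them user-manageable — confirm against the base policy in use. Separately, docker_home_access grants only `dir { getattr ioctl }`, with no `search`/`read` on the directory and no file permissions at all, so dockerd_t can stat the directory but cannot list it or bind-mount its contents; either that is intended and the .if summary should say so, e.g. `## Get attributes of Docker home directories (no content access).`, or the interface should use the refpolicy patterns (`list_dirs_pattern`, `read_files_pattern`) for the access Docker actually needs. The generic directory names also mean unrelated `~/configs` or `~/media` trees get this label for every user; a dedicated subtree (e.g. `HOME_DIR/docker(/.*)?`) would scope the labeling more tightly.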