
Commit 86dabb2

Author: Kemal Rasim Sh (committed)
selinux: Add Docker home SEPolicy rules
Docker cannot access designated home subdirectories, limiting container workloads that rely on user-provided data. Define the docker_home_t type and label specific directories (media, models, labels, configs) accordingly, and introduce the docker_home_access interface to allow controlled access.

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
1 parent 40052f2 commit 86dabb2

2 files changed

Lines changed: 94 additions & 0 deletions

@@ -0,0 +1,93 @@
From c2c904f7a3802ac76e7546092fd9c383be5b1082 Mon Sep 17 00:00:00 2001
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Date: Mon, 29 Jun 2026 09:13:22 +0300
Subject: [PATCH 5/5] selinux: Add type and access policy for Docker home
directories
Define docker_home_t and label specific home subdirectories
(media, models, labels, configs) for Docker use.
Introduce docker_home_access interface to allow controlled
access to these directories.
Upstream-Status: Inappropriate [Qualcomm specific change]
Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
---
policy/modules/services/docker.te | 4 ++++
policy/modules/services/docker_home.fc | 4 ++++
policy/modules/services/docker_home.if | 19 +++++++++++++++++++
policy/modules/services/docker_home.te | 10 ++++++++++
4 files changed, 37 insertions(+)
create mode 100644 policy/modules/services/docker_home.fc
create mode 100644 policy/modules/services/docker_home.if
create mode 100644 policy/modules/services/docker_home.te
diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
index cf45fc188..271c96800 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -98,6 +98,10 @@ optional_policy(`
')
')
+optional_policy(`
+ docker_home_access(dockerd_t)
+')
+
########################################
#
# Docker CLI local policy
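Review bot: `docker_home_access(dockerd_t)` on its own does not give dockerd usable access to the new directories, because the interface body in docker_home.if below allows only `docker_home_t:dir { getattr ioctl }`; dockerd can stat `HOME_DIR/models` but cannot `search` into it or read anything beneath it, so bind-mounting one of these directories into a container will still be denied (dockerd needs at least `search` on the directory, and the container domain needs read access to the files). Widen the interface or pair this call with a read or manage interface here. Separately, the new block is placed after the two `')` lines that close the nested block from the `@@ -98,6 +98,10 @@ optional_policy(\`` context, that is, outside whatever conditional wraps the preceding dockerd rules; confirm that home-directory access is meant to be unconditional rather than gated alongside them.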
diff --git a/policy/modules/services/docker_home.fc b/policy/modules/services/docker_home.fc
new file mode 100644
index 000000000..e55305fbc
--- /dev/null
+++ b/policy/modules/services/docker_home.fc
@@ -0,0 +1,4 @@
+HOME_DIR/media(/.*)? gen_context(system_u:object_r:docker_home_t,s0)
+HOME_DIR/models(/.*)? gen_context(system_u:object_r:docker_home_t,s0)
+HOME_DIR/labels(/.*)? gen_context(system_u:object_r:docker_home_t,s0)
+HOME_DIR/configs(/.*)? gen_context(system_u:object_r:docker_home_t,s0)
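Review bot: `HOME_DIR/media`, `HOME_DIR/configs` and the other two patterns apply to every user's home and to directory names that easily collide with existing user content; once relabelled to `docker_home_t`, which docker_home.te declares with only `files_type()` rather than as user home content, confined user domains that manage those directories today as `user_home_t` lose access to them. Prefer a single Docker-specific parent directory under `HOME_DIR` (the commit message calls these designated subdirectories, so a dedicated one would be narrower and safer), or at least make the type user home content so users keep ownership of their own data. Also note that `HOME_DIR` entries only take effect after genhomedircon regenerates the file contexts and existing directories are relabelled (`restorecon -R ~/media ~/models ~/labels ~/configs`), so that step should be documented for systems that already have these directories.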
diff --git a/policy/modules/services/docker_home.if b/policy/modules/services/docker_home.if
new file mode 100644
index 000000000..7c25944d4
--- /dev/null
+++ b/policy/modules/services/docker_home.if
@@ -0,0 +1,19 @@
+## <summary>Policy for Docker home access.</summary>
+
+#####################################
+## <summary>
+## Access Docker home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`docker_home_access',`
+ gen_require(`
+ type docker_home_t;
+ ')
+
+ allow $1 docker_home_t:dir { getattr ioctl };
+')
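Review bot: `allow $1 docker_home_t:dir { getattr ioctl };` matches neither the `<summary>` ("Access Docker home directories") nor the commit message's goal of letting workloads use user-provided data: the caller gets no `search`, `read` or `open` on the directories and no permission at all on `docker_home_t` files, so it can stat the top-level directory and nothing else. Suggest `allow $1 docker_home_t:dir list_dir_perms;`, `read_files_pattern($1, docker_home_t, docker_home_t)` (or the `manage_*_pattern` macros if containers must write), and `userdom_search_user_home_dirs($1)` so the caller can reach the directory through the user's home at all; if the narrow permission is intentional, rename the interface to say so (`docker_home_getattr` or similar) and document why. Minor: the `#####` separator above the summary is shorter than the 40-character one refpolicy uses (compare the banner in docker.te above).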
diff --git a/policy/modules/services/docker_home.te b/policy/modules/services/docker_home.te
new file mode 100644
index 000000000..db7aa3a0f
--- /dev/null
+++ b/policy/modules/services/docker_home.te
@@ -0,0 +1,10 @@
+policy_module(docker_home)
+
+########################################
+#
+# Declarations
+#
+
+type docker_home_t;
+
+files_type(docker_home_t)
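Review bot: `files_type(docker_home_t)` is the wrong declaration for a type that docker_home.fc places under `HOME_DIR`; refpolicy's convention for home-directory content is `userdom_user_home_content(docker_home_t)`, which marks the type as user home content so confined user domains keep managing their own `~/media`, `~/models` and so on, and home-directory relabel tooling treats it as user data rather than generic system files. As written, the only access this module grants to the labelled directories is through `docker_home_access`, and its only caller is `dockerd_t`. A one-line comment above the type stating what it labels and why these four directory names were chosen would also help, since the module carries no documentation beyond the Declarations banner.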
--
2.43.0

dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-targeted_git.bbappend

Lines changed: 1 addition & 0 deletions
@@ -5,4 +5,5 @@ SRC_URI:append:qcom = " \
file://0002-wayland-Add-wayland_stream_connect-interface.patch \
file://0003-wayland-Label-sockets-under-run-with-wayland_runtime.patch \
file://0004-docker-Add-tunable-gated-optional-policy-for-dockerd.patch \
file://0005-selinux-Add-type-and-access-policy-for-Docker-home-d.patch \
"
