
Commit f01a30f

Author: Kemal Rasim Sh
selinux: Add CDI access, Wayland interface and labeling, and tunable dockerd integration
Enhance SELinux policy to improve support for container runtimes and Wayland-based systems across a variety of configurations.

Allow container runtimes to access /etc/cdi so that Container Device Interface (CDI) configuration files can be loaded correctly. Without this access, runtimes such as containerd may fail with permission errors when attempting to monitor or read CDI specifications.

Introduce a new interface, wayland_stream_connect(), which allows domains to connect to a Wayland compositor via UNIX stream sockets. The interface grants permissions to search user runtime directories and establish connections to sockets labeled with wayland_runtime_t, enabling confined domains such as container runtimes or applications to communicate with the Wayland display server.

Extend Wayland socket labeling by adding a file context rule for /run/wayland-*, ensuring sockets created directly under /run are labeled as wayland_runtime_t. This addresses systems where Wayland operates outside of per-user runtime directories, providing consistent behavior across embedded and single-user environments.

Introduce a new tunable, dockerd_connect_user_services (default: off), to control whether the Docker daemon (dockerd_t) may connect to user session services. When enabled, the policy allows dockerd to use:

    pulseaudio_stream_connect(dockerd_t)
    wayland_stream_connect(dockerd_t)

These permissions enable container workloads to access host audio and graphical services via PulseAudio and Wayland sockets located under /run/user/$UID. The docker-related permissions are gated using tunable_policy() and wrapped in optional_policy() blocks to ensure they are only applied when the corresponding policy modules are available.

Together, these changes improve compatibility with CDI-enabled containers and containerized desktop workloads while maintaining secure-by-default behavior and modular policy design.

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
1 parent 1f9b451 commit f01a30f

6 files changed

Lines changed: 225 additions & 0 deletions
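As an added example (not part of this commit, of the meta layer, or of refpolicy), the following POSIX shell script shows two checks a reviewer would run against a change like this one: turning AVC denials of the kind quoted in the first patch into the (source type, target type, class, permissions) tuple that a policy rule must cover, and reproducing how the file-context regexes added here match paths, including the `-s` socket-only restriction that keeps `/run/wayland-0.lock` out of `wayland_runtime_t`. The file-context table, both denial lines and the `etc_t` target type are constructed for the example; the live check at the end calls matchpathcon, getsebool and sesearch only where they exist, and the tunable and type names it queries are the ones introduced by the commit.

```shell
#!/bin/sh
# Added example: review helpers for SELinux file-context and AVC changes.
# Not part of the commit or of refpolicy; all sample data below is constructed.

# --- 1. AVC denial -> (source type, target type, class, perms) ---------------
# Prints one tuple per denial line read on stdin. This is the tuple an allow
# rule or interface call has to cover; MLS/MCS range fields are dropped.
avc_to_tuple() {
  awk '
    /avc:[[:space:]]+denied/ {
      perms = ""; s = ""; t = ""; c = ""
      if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")      s = kv[2]
        else if (kv[1] == "tcontext") t = kv[2]
        else if (kv[1] == "tclass")   c = kv[2]
      }
      split(s, sp, ":"); split(t, tp, ":")    # user:role:type[:range]
      gsub(/[[:space:]]+/, " ", perms)
      print sp[3], tp[3], c, perms
    }'
}

# Constructed denials: the first has the shape of the one quoted in the CDI
# patch (tcontext assumed to be etc_t, the label /etc/cdi carries before the
# new rule); the second shows a container process hitting a Wayland socket.
SAMPLE_AVC='type=AVC msg=audit(83241.927:148): avc:  denied  { watch } for  pid=918 comm="containerd" path="/etc/cdi" dev="sda2" ino=1566137 scontext=system_u:system_r:dockerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(83242.001:149): avc:  denied  { write } for  pid=1201 comm="weston-simple" name="wayland-0" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:wayland_runtime_t:s0 tclass=sock_file permissive=0'

# --- 2. file_contexts matching -----------------------------------------------
# Constructed subset of the contexts this commit touches, in file order.
# Column 2 is the object-class filter from file_contexts(5): "all" stands in
# for an absent filter, "-s" restricts the line to sockets. As in libselinux,
# later matching lines take precedence over earlier ones.
FC_TABLE='/etc(/.*)?                    all  etc_t
/etc/cdi(/.*)?                all  container_config_t
/run(/.*)?                    all  var_run_t
/run/user/[0-9]+/wayland-.*   -s   wayland_runtime_t
/run/wayland-.*               -s   wayland_runtime_t'

# usage: fc_lookup PATH FLAG   (FLAG: -s socket, -- regular file, -d directory)
# prints the type the table assigns, or "none"
fc_lookup() {
  printf '%s\n' "$FC_TABLE" | awk -v p="$1" -v f="$2" '
    NF == 3 && p ~ ("^" $1 "$") && ($2 == "all" || $2 == f) { last = $3 }
    END { print (last == "" ? "none" : last) }'
}

# --- 3. Live check, only on a host with SELinux userspace ---------------------
check_target() {
  command -v matchpathcon >/dev/null 2>&1 || { echo "no SELinux tools here, skipping live check"; return 0; }
  matchpathcon -m dir /etc/cdi                 # expect container_config_t with the new policy
  matchpathcon -m sock_file /run/wayland-0     # expect wayland_runtime_t
  getsebool dockerd_connect_user_services 2>/dev/null || echo "tunable not in loaded policy"
  if command -v sesearch >/dev/null 2>&1; then
    # rules that only exist while the tunable is on
    sesearch -A -s dockerd_t -t wayland_runtime_t -c sock_file -p write -b dockerd_connect_user_services
  fi
  return 0
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_tuple
fc_lookup /etc/cdi -d
fc_lookup /run/wayland-0.lock --
check_target
```

The `avc_to_tuple` output for the first sample is `dockerd_t etc_t dir { watch }`, which is the access the CDI patch relies on already being granted to the engine domain once `/etc/cdi` is relabeled; the `fc_lookup` calls show that `/etc/cdix` falls back to `etc_t` because the regexes are anchored, and that `/run/wayland-0.lock` stays `var_run_t` because the new entry carries `-s`.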

conf/layer.conf

Lines changed: 2 additions & 0 deletions
@@ -30,5 +30,7 @@ LAYERRECOMMENDS_qcom-distro = " \
3030
BBFILES_DYNAMIC += " \
3131
dpdk:${LAYERDIR}/dynamic-layers/dpdk/*/*/*.bb \
3232
dpdk:${LAYERDIR}/dynamic-layers/dpdk/*/*/*.bbappend \
33+
selinux:${LAYERDIR}/dynamic-layers/selinux/*/*/*.bb \
34+
selinux:${LAYERDIR}/dynamic-layers/selinux/*/*/*.bbappend \
3335
"
3436
LAYERSERIES_COMPAT_qcom-distro = "wrynose"
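Review bot: the two new BBFILES_DYNAMIC globs only take effect when a layer whose BBFILE_COLLECTIONS is exactly "selinux" (meta-selinux) is present in bblayers.conf, and nothing in the hunk records that expectation; add a one-line comment above the selinux entries naming the layer, and consider listing selinux in the LAYERRECOMMENDS_qcom-distro assignment visible in the hunk header so the relationship is declared in layer metadata rather than only implied by the directory name.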
@@ -0,0 +1,41 @@
1+
From 9ff44d61ab0e41a9bcdb30bbaf8654e037db85a5 Mon Sep 17 00:00:00 2001
2+
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
3+
Date: Tue, 16 Jun 2026 17:37:41 +0300
4+
Subject: [PATCH 1/1] container: Allow access to /etc/cdi for CDI configuration
5+
6+
Containerd requires access to /etc/cdi to load Container Device
7+
Interface (CDI) configuration files. Without proper permissions,
8+
containers fail to read the CDI specs, resulting in errors such as:
9+
10+
CDI: error associated with spec file /etc/cdi:
11+
failed to monitor for changes: permission denied
12+
13+
avc: denied { watch } for pid=918 comm="containerd"
14+
path="/etc/cdi" dev="sda2" ino=1566137 scontext=system_u:system_r:dockerd
15+
type=SYSCALL msg=audit(83241.927:148): arch=c00000b7 syscall=27
16+
success=no exit=-13 a0=9 a1=6c64631b2870 a2=fc6 a3=0 items=0 ppid=1
17+
pid=918 auid=4294967295 uid=0 gtype=PROCTITLE msg=audit(83241.927:148):
18+
proctitle="/usr/bin/containerd"
19+
20+
Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1163]
21+
22+
Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
23+
---
24+
policy/modules/services/container.fc | 1 +
25+
1 file changed, 1 insertion(+)
26+
27+
diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
28+
index 010387a3a..812b46cee 100644
29+
--- a/policy/modules/services/container.fc
30+
+++ b/policy/modules/services/container.fc
31+
@@ -40,6 +40,7 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
32+
33+
/etc/containers(/.*)? gen_context(system_u:object_r:container_config_t,s0)
34+
/etc/cni(/.*)? gen_context(system_u:object_r:container_config_t,s0)
35+
+/etc/cdi(/.*)? gen_context(system_u:object_r:container_config_t,s0)
36+
/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
37+
/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
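Review bot: a file-context line alone does not relabel an /etc/cdi that already exists, so hosts already carrying CDI specs keep their current label until restorecon -R /etc/cdi or a full relabel runs; the commit message should say so. It should also state that the engine domain's existing access to container_config_t includes the { watch } permission from the quoted denial, because this hunk adds no allow rule: if the template behind dockerd_t only grants read on container_config_t, the watch denial from the message will persist after the relabel.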
38+
39+
--
40+
2.43.0
41+
@@ -0,0 +1,61 @@
1+
From c51b18c9ce439423f7b7497b9172469da5ca3669 Mon Sep 17 00:00:00 2001
2+
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
3+
Date: Fri, 19 Jun 2026 13:30:02 +0300
4+
Subject: [PATCH 2/3] wayland: Add wayland_stream_connect interface
5+
6+
Add a new interface, wayland_stream_connect(), to allow domains
7+
to connect to a Wayland compositor via a UNIX stream socket.
8+
9+
This interface grants the necessary permissions to search the
10+
user runtime directory and establish a stream connection to
11+
Wayland compositor sockets labeled with wayland_runtime_t.
12+
13+
Typical usage includes enabling confined domains (such as
14+
container runtimes or applications) to communicate with the
15+
Wayland display server.
16+
17+
Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1166]
18+
19+
Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
20+
---
21+
policy/modules/session/wayland.if | 27 +++++++++++++++++++++++++++
22+
1 file changed, 27 insertions(+)
23+
24+
diff --git a/policy/modules/session/wayland.if b/policy/modules/session/wayland.if
25+
index 2812dcb30..e2eab0b49 100644
26+
--- a/policy/modules/session/wayland.if
27+
+++ b/policy/modules/session/wayland.if
28+
@@ -99,3 +99,30 @@ interface(`wayland_client_sandboxed_domain',`
29+
30+
typeattribute $1 wayland_client_sandboxed;
31+
')
32+
+
33+
+#########################################
34+
+## <summary>
35+
+## Connect to the Wayland compositor
36+
+## using an UNIX domain stream socket.
37+
+## </summary>
38+
+## <param name="domain">
39+
+## <summary>
40+
+## Domain allowed access.
41+
+## </summary>
42+
+## </param>
43+
+#
44+
+interface(`wayland_stream_connect',`
45+
+ gen_require(`
46+
+ attribute wayland_compositor;
47+
+ type wayland_runtime_t;
48+
+ ')
49+
+
50+
+ files_search_runtime($1)
51+
+
52+
+ stream_connect_pattern(
53+
+ $1,
54+
+ wayland_runtime_t,
55+
+ wayland_runtime_t,
56+
+ wayland_compositor
57+
+ )
58+
+')
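Review bot: stream_connect_pattern($1, wayland_runtime_t, wayland_runtime_t, wayland_compositor) passes wayland_runtime_t as the directory type, but wayland_runtime_t is a socket type (both .fc entries on this page use -s), so the dir search it grants is dead and the interface only reaches a socket because files_search_runtime($1) covers /run itself. The summary promises "search the user runtime directory", yet nothing here grants search on /run/user or /run/user/%{USERID}; add the user runtime directory search (refpolicy's userdom_search_user_runtime_root() and userdom_search_user_runtime(), or whatever this tree names them) and pass that directory type as the second argument, otherwise only the /run/wayland-* sockets from the next patch are reachable. Minor: "an UNIX" in the summary should read "a UNIX".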
59+
--
60+
2.43.0
61+
@@ -0,0 +1,31 @@
1+
From 6a2e69104e2772b87e8a910519d21aa3cbd5eb5f Mon Sep 17 00:00:00 2001
2+
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
3+
Date: Mon, 22 Jun 2026 15:49:44 +0300
4+
Subject: [PATCH 3/3] wayland: Label sockets under /run with wayland_runtime_t
5+
6+
On some embedded or single-user systems the Wayland socket
7+
(e.g. wayland-0) is created directly under /run instead of
8+
/run/user/<uid>/. The existing policy only covers per-user runtime
9+
directories, leaving these sockets unlabeled.
10+
11+
Add a file context rule for /run/wayland-* to ensure such sockets are
12+
correctly labeled with wayland_runtime_t, aligning behavior across
13+
different system configurations.
14+
15+
Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1166]
16+
17+
Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
18+
---
19+
policy/modules/session/wayland.fc | 1 +
20+
1 file changed, 1 insertion(+)
21+
22+
diff --git a/policy/modules/session/wayland.fc b/policy/modules/session/wayland.fc
23+
index 73151efba..bd2ccc08e 100644
24+
--- a/policy/modules/session/wayland.fc
25+
+++ b/policy/modules/session/wayland.fc
26+
@@ -1 +1,2 @@
27+
/run/user/%{USERID}/wayland-.* -s gen_context(system_u:object_r:wayland_runtime_t,s0)
28+
+/run/wayland-.* -s gen_context(system_u:object_r:wayland_runtime_t,s0)
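Review bot: this entry only applies when setfiles or restorecon runs; a compositor that bind()s /run/wayland-0 at runtime gets the socket's label from a type_transition rule, or from the parent directory (var_run_t) when there is none, so on a live system the socket will still not be wayland_runtime_t and wayland_stream_connect() callers will be denied against var_run_t. Pair the entry with a sock_file transition for wayland_compositor domains creating under /run (files_runtime_filetrans in refpolicy) in wayland.te, or state in the commit message that the compositor on these targets relies on a separate labeling step.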
29+
--
30+
2.43.0
31+
@@ -0,0 +1,82 @@
1+
From 41a1660f8bc0e3d18d9cb169f7a4fd6cde67aff2 Mon Sep 17 00:00:00 2001
2+
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
3+
Date: Fri, 19 Jun 2026 13:43:44 +0300
4+
Subject: [PATCH 4/4] docker: Add tunable-gated optional policy for dockerd
5+
access to user session services
6+
7+
Introduce a new tunable to control whether the Docker daemon (dockerd_t)
8+
may connect to user session services over UNIX stream sockets.
9+
10+
This change adds the following interfaces:
11+
12+
pulseaudio_stream_connect(dockerd_t)
13+
wayland_stream_connect(dockerd_t)
14+
15+
These permissions allow dockerd to communicate with PulseAudio and Wayland
16+
compositor sockets typically located under /run/user/$UID, which is required
17+
for certain container workloads that need access to host audio or graphical
18+
display services.
19+
20+
The access is gated behind a new tunable:
21+
22+
dockerd_connect_user_services (default: off)
23+
24+
When enabled, the rules are applied via tunable_policy(), providing
25+
administrators explicit control using setsebool.
26+
27+
Both interfaces remain wrapped in optional_policy blocks to ensure the
28+
policy compiles and applies cleanly only when the corresponding PulseAudio
29+
and Wayland policy modules are present.
30+
31+
This approach improves compatibility with containerized desktop workloads
32+
while maintaining secure-by-default behavior and modular SELinux policy design.
33+
34+
Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1167]
35+
36+
Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
37+
---
38+
policy/modules/services/docker.te | 21 +++++++++++++++++++++
39+
1 file changed, 21 insertions(+)
40+
41+
diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
42+
index f40713d12..a90763c8e 100644
43+
--- a/policy/modules/services/docker.te
44+
+++ b/policy/modules/services/docker.te
45+
@@ -5,6 +5,15 @@ policy_module(docker)
46+
# Declarations
47+
#
48+
49+
+## <desc>
50+
+## <p>
51+
+## Determine whether the Docker daemon can connect to user
52+
+## session services such as PulseAudio and Wayland over
53+
+## UNIX stream sockets.
54+
+## </p>
55+
+## </desc>
56+
+gen_tunable(dockerd_connect_user_services, false)
57+
+
58+
container_engine_domain_template(dockerd)
59+
container_system_engine(dockerd_t)
60+
optional_policy(`
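Review bot: the desc block should spell out the consequence of flipping the boolean: dockerd_t is a system-wide daemon domain, so enabling this lets the daemon (and any workload it exposes the sockets to) reach the PulseAudio and Wayland sessions of every logged-in user, not only the user who launched a container. A sentence such as "Enabling this exposes the host display and audio sessions of all users to the Docker daemon" in the <p> text would let setsebool decisions be made with that in mind.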
61+
@@ -61,6 +70,18 @@ container_stream_connect_system_containers(dockerd_t)
62+
# docker manages key.json in /etc/docker
63+
container_manage_config_files(dockerd_t)
64+
65+
+optional_policy(`
66+
+ tunable_policy(`dockerd_connect_user_services',`
67+
+ pulseaudio_stream_connect(dockerd_t)
68+
+ ')
69+
+')
70+
+
71+
+optional_policy(`
72+
+ tunable_policy(`dockerd_connect_user_services',`
73+
+ wayland_stream_connect(dockerd_t)
74+
+ ')
75+
+')
76+
+
77+
# In btrfs mode, docker creates subvolumes which are unlabeled
78+
# in /var/lib/docker/btrfs/subvolumes. The files inside will
79+
# become labeled with a file transition, but the subvolume
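Review bot: both blocks grant the connect to dockerd_t, but the process that actually calls connect() on a bind-mounted /run/user/$UID/wayland-0 is the container workload, which runs in its own domain (container_t, or spc_t for privileged containers), not in dockerd_t; unless the workloads in the commit message are started in dockerd_t itself, these rules will not remove the denials they describe. Check the scontext of the real denial and either apply the same tunable to the container domain or document that dockerd_t is the client. Separately, the wayland_stream_connect() body shown earlier on this page only grants search on /run, so reaching the /run/user/$UID path named in this message also needs user runtime directory search somewhere in the series.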
80+
--
81+
2.43.0
82+
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
2+
3+
SRC_URI:append:qcom = " \
4+
file://0001-container-Allow-access-to-etc-cdi-for-CDI-configurat.patch \
5+
file://0002-wayland-Add-wayland_stream_connect-interface.patch \
6+
file://0003-wayland-Label-sockets-under-run-with-wayland_runtime.patch \
7+
file://0004-docker-Add-tunable-gated-optional-policy-for-dockerd.patch \
8+
"
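Review bot: the Subject lines of the four files are numbered [PATCH 1/1], [PATCH 2/3], [PATCH 3/3] and [PATCH 4/4], so they come from different format-patch runs; regenerate them as one series so the numbering matches this SRC_URI list. All four carry Upstream-Status: Backport but cite only PR URLs; record the upstream commit ids as well so the patches can be dropped cleanly when the refpolicy recipe is bumped. The diff header for this file is not shown on the page, so which recipe the bbappend targets is not visible; the FILESEXTRAPATHS entry ${THISDIR}/${PN} requires the four .patch files to live in a directory named after that recipe.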
