Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions conf/layer.conf
Original file line number Diff line number Diff line change
Expand Up @@ -30,5 +30,7 @@ LAYERRECOMMENDS_qcom-distro = " \
BBFILES_DYNAMIC += " \
dpdk:${LAYERDIR}/dynamic-layers/dpdk/*/*/*.bb \
dpdk:${LAYERDIR}/dynamic-layers/dpdk/*/*/*.bbappend \
selinux:${LAYERDIR}/dynamic-layers/selinux/*/*/*.bb \
selinux:${LAYERDIR}/dynamic-layers/selinux/*/*/*.bbappend \
Comment thread
lumag marked this conversation as resolved.
"
LAYERSERIES_COMPAT_qcom-distro = "wrynose"
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
From 9ff44d61ab0e41a9bcdb30bbaf8654e037db85a5 Mon Sep 17 00:00:00 2001
Comment thread
lumag marked this conversation as resolved.
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Date: Tue, 16 Jun 2026 17:37:41 +0300
Subject: [PATCH 1/1] container: Allow access to /etc/cdi for CDI configuration

Containerd requires access to /etc/cdi to load Container Device
Interface (CDI) configuration files. Without proper permissions,
containers fail to read the CDI specs, resulting in errors such as:

CDI: error associated with spec file /etc/cdi:
failed to monitor for changes: permission denied

avc: denied { watch } for pid=918 comm="containerd"
path="/etc/cdi" dev="sda2" ino=1566137 scontext=system_u:system_r:dockerd
type=SYSCALL msg=audit(83241.927:148): arch=c00000b7 syscall=27
success=no exit=-13 a0=9 a1=6c64631b2870 a2=fc6 a3=0 items=0 ppid=1
pid=918 auid=4294967295 uid=0 gtype=PROCTITLE msg=audit(83241.927:148):
proctitle="/usr/bin/containerd"

Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1163]

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
---
policy/modules/services/container.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
index 010387a3a..812b46cee 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -40,6 +40,7 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)

/etc/containers(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/cni(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/cdi(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)

--
2.43.0

Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
From 86ee8eb9fb4226ba11e02254b12278c9de446f8a Mon Sep 17 00:00:00 2001
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Date: Fri, 19 Jun 2026 13:30:02 +0300
Subject: [PATCH 2/3] wayland: Add wayland_stream_connect interface

Add a new interface, wayland_stream_connect(), to allow domains to
connect to a Wayland compositor via a UNIX stream socket.

This interface grants the necessary permissions to search the user
runtime directory and establish a stream connection to Wayland
compositor sockets labeled with wayland_runtime_t.

Typical usage includes enabling confined domains (such as container
runtimes or applications) to communicate with the Wayland display server.

Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1166]

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
---
policy/modules/session/wayland.if | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

diff --git a/policy/modules/session/wayland.if b/policy/modules/session/wayland.if
index 2812dcb30..bc4185c2a 100644
--- a/policy/modules/session/wayland.if
+++ b/policy/modules/session/wayland.if
@@ -99,3 +99,25 @@ interface(`wayland_client_sandboxed_domain',`

typeattribute $1 wayland_client_sandboxed;
')
+
+#########################################
+## <summary>
+## Connect to the Wayland compositor
+## using a UNIX domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`wayland_stream_connect',`
+ gen_require(`
+ type wayland_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ userdom_search_user_runtime($1)
+ allow $1 wayland_runtime_t:sock_file write_sock_file_perms;
+ allow $1 wayland_runtime_t:unix_stream_socket connectto;
+')
--
2.43.0

Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
From d4a85ae3abdbac8065b6389a103723755866af2c Mon Sep 17 00:00:00 2001
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Date: Mon, 22 Jun 2026 15:49:44 +0300
Subject: [PATCH 3/3] wayland: Label sockets under /run with wayland_runtime_t

On some embedded or single-user systems the Wayland socket
(e.g. wayland-0) is created directly under /run instead of
/run/user/<uid>/. The existing policy only covers per-user runtime
directories, leaving these sockets unlabeled.

Add a file context rule for /run/wayland-* to ensure such sockets are
correctly labeled with wayland_runtime_t, aligning behavior across
different system configurations.

Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1166]

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
---
policy/modules/session/wayland.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/session/wayland.fc b/policy/modules/session/wayland.fc
index 73151efba..bd2ccc08e 100644
--- a/policy/modules/session/wayland.fc
+++ b/policy/modules/session/wayland.fc
@@ -1 +1,2 @@
/run/user/%{USERID}/wayland-.* -s gen_context(system_u:object_r:wayland_runtime_t,s0)
+/run/wayland-.* -s gen_context(system_u:object_r:wayland_runtime_t,s0)
--
2.43.0

Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
From fa9fde3e037f395cd2ecc10cc86aa5f413c4528c Mon Sep 17 00:00:00 2001
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Date: Fri, 19 Jun 2026 13:43:44 +0300
Subject: [PATCH 4/4] docker: Add tunable-gated optional policy for dockerd
access to user session services

Introduce a new tunable to control whether the Docker daemon (dockerd_t)
may connect to user session services over UNIX stream sockets.

This change adds the following interfaces:

pulseaudio_stream_connect(dockerd_t)
wayland_stream_connect(dockerd_t)

These permissions allow dockerd to communicate with PulseAudio and Wayland compositor
sockets typically located under /run/user/$UID, which is required for certain container
workloads that need access to the host audio or graphical display.

The access is gated behind a new tunable:

dockerd_connect_user_services (default: off)

When enabled, the rules are applied via tunable_policy(), providing
administrators explicit control using setsebool.

Both interfaces remain wrapped in optional_policy blocks to ensure the
policy compiles and applies cleanly only when the corresponding PulseAudio
and Wayland policy modules are present.

This approach improves compatibility with containerized desktop workloads
while maintaining secure-by-default behavior and modular SELinux policy design.

Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1167]

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
---
policy/modules/services/docker.te | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
index f40713d12..cf45fc188 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -5,6 +5,15 @@ policy_module(docker)
# Declarations
#

+## <desc>
+## <p>
+## Determine whether the Docker daemon can connect to user
+## session services such as PulseAudio and Wayland over
+## UNIX stream sockets.
+## </p>
+## </desc>
+gen_tunable(dockerd_connect_user_services, false)
+
container_engine_domain_template(dockerd)
container_system_engine(dockerd_t)
optional_policy(`
@@ -77,6 +86,18 @@ ifdef(`init_systemd',`
init_stop_generic_units(dockerd_t)
')

+optional_policy(`
+ tunable_policy(`dockerd_connect_user_services',`
+ pulseaudio_stream_connect(dockerd_t)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`dockerd_connect_user_services',`
+ wayland_stream_connect(dockerd_t)
+ ')
+')
+
########################################
#
# Docker CLI local policy
--
2.43.0

Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
From c2c904f7a3802ac76e7546092fd9c383be5b1082 Mon Sep 17 00:00:00 2001
From: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
Date: Mon, 29 Jun 2026 09:13:22 +0300
Subject: [PATCH 5/5] selinux: Add type and access policy for Docker home
directories

Define docker_home_t and label specific home subdirectories
(media, models, labels, configs) for Docker use.
Introduce docker_home_access interface to allow controlled
access to these directories.

Upstream-Status: Inappropriate [Qualcomm specific change]

Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com>
---
policy/modules/services/docker.te | 4 ++++
policy/modules/services/docker_home.fc | 4 ++++
policy/modules/services/docker_home.if | 19 +++++++++++++++++++
policy/modules/services/docker_home.te | 10 ++++++++++
4 files changed, 37 insertions(+)
create mode 100644 policy/modules/services/docker_home.fc
create mode 100644 policy/modules/services/docker_home.if
create mode 100644 policy/modules/services/docker_home.te

diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
index cf45fc188..271c96800 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -98,6 +98,10 @@ optional_policy(`
')
')

+optional_policy(`
+ docker_home_access(dockerd_t)
+')
+
########################################
#
# Docker CLI local policy
diff --git a/policy/modules/services/docker_home.fc b/policy/modules/services/docker_home.fc
new file mode 100644
index 000000000..e55305fbc
--- /dev/null
+++ b/policy/modules/services/docker_home.fc
@@ -0,0 +1,4 @@
+HOME_DIR/media(/.*)? gen_context(system_u:object_r:docker_home_t,s0)
+HOME_DIR/models(/.*)? gen_context(system_u:object_r:docker_home_t,s0)
+HOME_DIR/labels(/.*)? gen_context(system_u:object_r:docker_home_t,s0)
+HOME_DIR/configs(/.*)? gen_context(system_u:object_r:docker_home_t,s0)
diff --git a/policy/modules/services/docker_home.if b/policy/modules/services/docker_home.if
new file mode 100644
index 000000000..7c25944d4
--- /dev/null
+++ b/policy/modules/services/docker_home.if
@@ -0,0 +1,19 @@
+## <summary>Policy for Docker home access.</summary>
+
+#####################################
+## <summary>
+## Access Docker home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`docker_home_access',`
+ gen_require(`
+ type docker_home_t;
+ ')
+
+ allow $1 docker_home_t:dir { getattr ioctl };
+')
diff --git a/policy/modules/services/docker_home.te b/policy/modules/services/docker_home.te
new file mode 100644
index 000000000..db7aa3a0f
--- /dev/null
+++ b/policy/modules/services/docker_home.te
@@ -0,0 +1,10 @@
+policy_module(docker_home)
+
+########################################
+#
+# Declarations
+#
+
+type docker_home_t;
+
+files_type(docker_home_t)
--
2.43.0

Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"

SRC_URI:append:qcom = " \
file://0001-container-Allow-access-to-etc-cdi-for-CDI-configurat.patch \
file://0002-wayland-Add-wayland_stream_connect-interface.patch \
file://0003-wayland-Label-sockets-under-run-with-wayland_runtime.patch \
file://0004-docker-Add-tunable-gated-optional-policy-for-dockerd.patch \
file://0005-selinux-Add-type-and-access-policy-for-Docker-home-d.patch \
"
Loading