-
Notifications
You must be signed in to change notification settings - Fork 81
selinux: Add CDI access, Wayland interface and labeling, and tunable dockerd integration #358
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
kemalrasimsh
wants to merge
5
commits into
qualcomm-linux:main
Choose a base branch
from
kemalrasimsh:SELinux
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
3c58338
selinux: Add SELinux dynamic layer recipe patterns
6b0a1bc
selinux: Add SEPolicy rules for CDI access
97116df
selinux: Enhance Wayland SEPolicy rules
40052f2
selinux: Enhance Docker SEPolicy rules
86dabb2
selinux: Add Docker home SEPolicy rules
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
41 changes: 41 additions & 0 deletions
41
...policy/refpolicy-targeted/0001-container-Allow-access-to-etc-cdi-for-CDI-configurat.patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| From 9ff44d61ab0e41a9bcdb30bbaf8654e037db85a5 Mon Sep 17 00:00:00 2001 | ||
|
lumag marked this conversation as resolved.
|
||
| From: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| Date: Tue, 16 Jun 2026 17:37:41 +0300 | ||
| Subject: [PATCH 1/1] container: Allow access to /etc/cdi for CDI configuration | ||
|
|
||
| Containerd requires access to /etc/cdi to load Container Device | ||
| Interface (CDI) configuration files. Without proper permissions, | ||
| containers fail to read the CDI specs, resulting in errors such as: | ||
|
|
||
| CDI: error associated with spec file /etc/cdi: | ||
| failed to monitor for changes: permission denied | ||
|
|
||
| avc: denied { watch } for pid=918 comm="containerd" | ||
| path="/etc/cdi" dev="sda2" ino=1566137 scontext=system_u:system_r:dockerd | ||
| type=SYSCALL msg=audit(83241.927:148): arch=c00000b7 syscall=27 | ||
| success=no exit=-13 a0=9 a1=6c64631b2870 a2=fc6 a3=0 items=0 ppid=1 | ||
| pid=918 auid=4294967295 uid=0 gtype=PROCTITLE msg=audit(83241.927:148): | ||
| proctitle="/usr/bin/containerd" | ||
|
|
||
| Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1163] | ||
|
|
||
| Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| --- | ||
| policy/modules/services/container.fc | 1 + | ||
| 1 file changed, 1 insertion(+) | ||
|
|
||
| diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc | ||
| index 010387a3a..812b46cee 100644 | ||
| --- a/policy/modules/services/container.fc | ||
| +++ b/policy/modules/services/container.fc | ||
| @@ -40,6 +40,7 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0) | ||
|
|
||
| /etc/containers(/.*)? gen_context(system_u:object_r:container_config_t,s0) | ||
| /etc/cni(/.*)? gen_context(system_u:object_r:container_config_t,s0) | ||
| +/etc/cdi(/.*)? gen_context(system_u:object_r:container_config_t,s0) | ||
| /etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0) | ||
| /etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0) | ||
|
|
||
| -- | ||
| 2.43.0 | ||
|
|
||
55 changes: 55 additions & 0 deletions
55
...rity/refpolicy/refpolicy-targeted/0002-wayland-Add-wayland_stream_connect-interface.patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| From 86ee8eb9fb4226ba11e02254b12278c9de446f8a Mon Sep 17 00:00:00 2001 | ||
| From: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| Date: Fri, 19 Jun 2026 13:30:02 +0300 | ||
| Subject: [PATCH 2/3] wayland: Add wayland_stream_connect interface | ||
|
|
||
| Add a new interface, wayland_stream_connect(), to allow domains to | ||
| connect to a Wayland compositor via a UNIX stream socket. | ||
|
|
||
| This interface grants the necessary permissions to search the user | ||
| runtime directory and establish a stream connection to Wayland | ||
| compositor sockets labeled with wayland_runtime_t. | ||
|
|
||
| Typical usage includes enabling confined domains (such as container | ||
| runtimes or applications) to communicate with the Wayland display server. | ||
|
|
||
| Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1166] | ||
|
|
||
| Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| --- | ||
| policy/modules/session/wayland.if | 22 ++++++++++++++++++++++ | ||
| 1 file changed, 22 insertions(+) | ||
|
|
||
| diff --git a/policy/modules/session/wayland.if b/policy/modules/session/wayland.if | ||
| index 2812dcb30..bc4185c2a 100644 | ||
| --- a/policy/modules/session/wayland.if | ||
| +++ b/policy/modules/session/wayland.if | ||
| @@ -99,3 +99,25 @@ interface(`wayland_client_sandboxed_domain',` | ||
|
|
||
| typeattribute $1 wayland_client_sandboxed; | ||
| ') | ||
| + | ||
| +######################################### | ||
| +## <summary> | ||
| +## Connect to the Wayland compositor | ||
| +## using a UNIX domain stream socket. | ||
| +## </summary> | ||
| +## <param name="domain"> | ||
| +## <summary> | ||
| +## Domain allowed access. | ||
| +## </summary> | ||
| +## </param> | ||
| +# | ||
| +interface(`wayland_stream_connect',` | ||
| + gen_require(` | ||
| + type wayland_runtime_t; | ||
| + ') | ||
| + | ||
| + files_search_runtime($1) | ||
| + userdom_search_user_runtime($1) | ||
| + allow $1 wayland_runtime_t:sock_file write_sock_file_perms; | ||
| + allow $1 wayland_runtime_t:unix_stream_socket connectto; | ||
| +') | ||
| -- | ||
| 2.43.0 | ||
|
|
31 changes: 31 additions & 0 deletions
31
...policy/refpolicy-targeted/0003-wayland-Label-sockets-under-run-with-wayland_runtime.patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| From d4a85ae3abdbac8065b6389a103723755866af2c Mon Sep 17 00:00:00 2001 | ||
| From: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| Date: Mon, 22 Jun 2026 15:49:44 +0300 | ||
| Subject: [PATCH 3/3] wayland: Label sockets under /run with wayland_runtime_t | ||
|
|
||
| On some embedded or single-user systems the Wayland socket | ||
| (e.g. wayland-0) is created directly under /run instead of | ||
| /run/user/<uid>/. The existing policy only covers per-user runtime | ||
| directories, leaving these sockets unlabeled. | ||
|
|
||
| Add a file context rule for /run/wayland-* to ensure such sockets are | ||
| correctly labeled with wayland_runtime_t, aligning behavior across | ||
| different system configurations. | ||
|
|
||
| Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1166] | ||
|
|
||
| Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| --- | ||
| policy/modules/session/wayland.fc | 1 + | ||
| 1 file changed, 1 insertion(+) | ||
|
|
||
| diff --git a/policy/modules/session/wayland.fc b/policy/modules/session/wayland.fc | ||
| index 73151efba..bd2ccc08e 100644 | ||
| --- a/policy/modules/session/wayland.fc | ||
| +++ b/policy/modules/session/wayland.fc | ||
| @@ -1 +1,2 @@ | ||
| /run/user/%{USERID}/wayland-.* -s gen_context(system_u:object_r:wayland_runtime_t,s0) | ||
| +/run/wayland-.* -s gen_context(system_u:object_r:wayland_runtime_t,s0) | ||
| -- | ||
| 2.43.0 | ||
|
|
81 changes: 81 additions & 0 deletions
81
...policy/refpolicy-targeted/0004-docker-Add-tunable-gated-optional-policy-for-dockerd.patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| From fa9fde3e037f395cd2ecc10cc86aa5f413c4528c Mon Sep 17 00:00:00 2001 | ||
| From: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| Date: Fri, 19 Jun 2026 13:43:44 +0300 | ||
| Subject: [PATCH 4/4] docker: Add tunable-gated optional policy for dockerd | ||
| access to user session services | ||
|
|
||
| Introduce a new tunable to control whether the Docker daemon (dockerd_t) | ||
| may connect to user session services over UNIX stream sockets. | ||
|
|
||
| This change adds the following interfaces: | ||
|
|
||
| pulseaudio_stream_connect(dockerd_t) | ||
| wayland_stream_connect(dockerd_t) | ||
|
|
||
| These permissions allow dockerd to communicate with PulseAudio and Wayland compositor | ||
| sockets typically located under /run/user/$UID, which is required for certain container | ||
| workloads that need access to the host audio or graphical display. | ||
|
|
||
| The access is gated behind a new tunable: | ||
|
|
||
| dockerd_connect_user_services (default: off) | ||
|
|
||
| When enabled, the rules are applied via tunable_policy(), providing | ||
| administrators explicit control using setsebool. | ||
|
|
||
| Both interfaces remain wrapped in optional_policy blocks to ensure the | ||
| policy compiles and applies cleanly only when the corresponding PulseAudio | ||
| and Wayland policy modules are present. | ||
|
|
||
| This approach improves compatibility with containerized desktop workloads | ||
| while maintaining secure-by-default behavior and modular SELinux policy design. | ||
|
|
||
| Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1167] | ||
|
|
||
| Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| --- | ||
| policy/modules/services/docker.te | 21 +++++++++++++++++++++ | ||
| 1 file changed, 21 insertions(+) | ||
|
|
||
| diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te | ||
| index f40713d12..cf45fc188 100644 | ||
| --- a/policy/modules/services/docker.te | ||
| +++ b/policy/modules/services/docker.te | ||
| @@ -5,6 +5,15 @@ policy_module(docker) | ||
| # Declarations | ||
| # | ||
|
|
||
| +## <desc> | ||
| +## <p> | ||
| +## Determine whether the Docker daemon can connect to user | ||
| +## session services such as PulseAudio and Wayland over | ||
| +## UNIX stream sockets. | ||
| +## </p> | ||
| +## </desc> | ||
| +gen_tunable(dockerd_connect_user_services, false) | ||
| + | ||
| container_engine_domain_template(dockerd) | ||
| container_system_engine(dockerd_t) | ||
| optional_policy(` | ||
| @@ -77,6 +86,18 @@ ifdef(`init_systemd',` | ||
| init_stop_generic_units(dockerd_t) | ||
| ') | ||
|
|
||
| +optional_policy(` | ||
| + tunable_policy(`dockerd_connect_user_services',` | ||
| + pulseaudio_stream_connect(dockerd_t) | ||
| + ') | ||
| +') | ||
| + | ||
| +optional_policy(` | ||
| + tunable_policy(`dockerd_connect_user_services',` | ||
| + wayland_stream_connect(dockerd_t) | ||
| + ') | ||
| +') | ||
| + | ||
| ######################################## | ||
| # | ||
| # Docker CLI local policy | ||
| -- | ||
| 2.43.0 | ||
|
|
93 changes: 93 additions & 0 deletions
93
...policy/refpolicy-targeted/0005-selinux-Add-type-and-access-policy-for-Docker-home-d.patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| From c2c904f7a3802ac76e7546092fd9c383be5b1082 Mon Sep 17 00:00:00 2001 | ||
| From: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| Date: Mon, 29 Jun 2026 09:13:22 +0300 | ||
| Subject: [PATCH 5/5] selinux: Add type and access policy for Docker home | ||
| directories | ||
|
|
||
| Define docker_home_t and label specific home subdirectories | ||
| (media, models, labels, configs) for Docker use. | ||
| Introduce docker_home_access interface to allow controlled | ||
| access to these directories. | ||
|
|
||
| Upstream-Status: Inappropriate [Qualcomm specific change] | ||
|
|
||
| Signed-off-by: Kemal Rasim Sh <kshakir@qti.qualcomm.com> | ||
| --- | ||
| policy/modules/services/docker.te | 4 ++++ | ||
| policy/modules/services/docker_home.fc | 4 ++++ | ||
| policy/modules/services/docker_home.if | 19 +++++++++++++++++++ | ||
| policy/modules/services/docker_home.te | 10 ++++++++++ | ||
| 4 files changed, 37 insertions(+) | ||
| create mode 100644 policy/modules/services/docker_home.fc | ||
| create mode 100644 policy/modules/services/docker_home.if | ||
| create mode 100644 policy/modules/services/docker_home.te | ||
|
|
||
| diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te | ||
| index cf45fc188..271c96800 100644 | ||
| --- a/policy/modules/services/docker.te | ||
| +++ b/policy/modules/services/docker.te | ||
| @@ -98,6 +98,10 @@ optional_policy(` | ||
| ') | ||
| ') | ||
|
|
||
| +optional_policy(` | ||
| + docker_home_access(dockerd_t) | ||
| +') | ||
| + | ||
| ######################################## | ||
| # | ||
| # Docker CLI local policy | ||
| diff --git a/policy/modules/services/docker_home.fc b/policy/modules/services/docker_home.fc | ||
| new file mode 100644 | ||
| index 000000000..e55305fbc | ||
| --- /dev/null | ||
| +++ b/policy/modules/services/docker_home.fc | ||
| @@ -0,0 +1,4 @@ | ||
| +HOME_DIR/media(/.*)? gen_context(system_u:object_r:docker_home_t,s0) | ||
| +HOME_DIR/models(/.*)? gen_context(system_u:object_r:docker_home_t,s0) | ||
| +HOME_DIR/labels(/.*)? gen_context(system_u:object_r:docker_home_t,s0) | ||
| +HOME_DIR/configs(/.*)? gen_context(system_u:object_r:docker_home_t,s0) | ||
| diff --git a/policy/modules/services/docker_home.if b/policy/modules/services/docker_home.if | ||
| new file mode 100644 | ||
| index 000000000..7c25944d4 | ||
| --- /dev/null | ||
| +++ b/policy/modules/services/docker_home.if | ||
| @@ -0,0 +1,19 @@ | ||
| +## <summary>Policy for Docker home access.</summary> | ||
| + | ||
| +##################################### | ||
| +## <summary> | ||
| +## Access Docker home directories. | ||
| +## </summary> | ||
| +## <param name="domain"> | ||
| +## <summary> | ||
| +## Domain allowed access. | ||
| +## </summary> | ||
| +## </param> | ||
| +# | ||
| +interface(`docker_home_access',` | ||
| + gen_require(` | ||
| + type docker_home_t; | ||
| + ') | ||
| + | ||
| + allow $1 docker_home_t:dir { getattr ioctl }; | ||
| +') | ||
| diff --git a/policy/modules/services/docker_home.te b/policy/modules/services/docker_home.te | ||
| new file mode 100644 | ||
| index 000000000..db7aa3a0f | ||
| --- /dev/null | ||
| +++ b/policy/modules/services/docker_home.te | ||
| @@ -0,0 +1,10 @@ | ||
| +policy_module(docker_home) | ||
| + | ||
| +######################################## | ||
| +# | ||
| +# Declarations | ||
| +# | ||
| + | ||
| +type docker_home_t; | ||
| + | ||
| +files_type(docker_home_t) | ||
| -- | ||
| 2.43.0 | ||
|
|
9 changes: 9 additions & 0 deletions
9
dynamic-layers/selinux/recipes-security/refpolicy/refpolicy-targeted_git.bbappend
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" | ||
|
|
||
| SRC_URI:append:qcom = " \ | ||
| file://0001-container-Allow-access-to-etc-cdi-for-CDI-configurat.patch \ | ||
| file://0002-wayland-Add-wayland_stream_connect-interface.patch \ | ||
| file://0003-wayland-Label-sockets-under-run-with-wayland_runtime.patch \ | ||
| file://0004-docker-Add-tunable-gated-optional-policy-for-dockerd.patch \ | ||
| file://0005-selinux-Add-type-and-access-policy-for-Docker-home-d.patch \ | ||
| " |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.