From 4d6ff7cfca503341a7f2630aaee7cd15917c1218 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Tue, 29 Jun 2021 17:58:05 +0200
Subject: [PATCH] sec-policy/selinux-base-policy: flatcar changes

- run sshd (and child) as unconfined_t
- add init.patch to allow execute_no_trans,map and exec from init to unconfined
- add AVC patch for local login and journald

Signed-off-by: Mathieu Tortuyaux
---
.../selinux-base-policy/files/init.patch | 11 +++++++++++
.../selinux-base-policy/files/locallogin.patch | 13 +++++++++++++
.../selinux-base-policy/files/logging.patch | 18 ++++++++++++++++++
.../files/sshd.patch} | 8 ++++----
.../selinux-base-policy-2.20200818-r2.ebuild | 10 ++++++++++
5 files changed, 56 insertions(+), 4 deletions(-)
create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch
rename sdk_container/src/third_party/coreos-overlay/sec-policy/{selinux-base/files/mcs-sshd.patch => selinux-base-policy/files/sshd.patch} (79%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch
new file mode 100644
index 0000000000..e96500288e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch
@@ -0,0 +1,11 @@
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index dbd39cf8f..563559ca7 100644
+--- refpolicy/policy/modules/system/init.te
++++ refpolicy/policy/modules/system/init.te
+@@ -1503,3 +1503,6 @@ optional_policy(`
+ userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+ userdom_dontaudit_write_user_tmp_files(systemprocess)
+ ')
++
++require { type unconfined_t; }
++allow init_t unconfined_t:file exec_file_perms;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch
new file mode 100644
index 0000000000..2e9ae7ce53
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch
@@ -0,0 +1,13 @@
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 109980e79..d5c4a5d95 100644
+--- refpolicy/policy/modules/system/locallogin.te
++++ refpolicy/policy/modules/system/locallogin.te
+@@ -34,7 +34,7 @@ role system_r types sulogin_t;
+
+ allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+ dontaudit local_login_t self:capability net_admin;
+-allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
++allow local_login_t self:process { setpgid getcap setcap setexec setrlimit setsched };
+ allow local_login_t self:fd use;
+ allow local_login_t self:fifo_file rw_fifo_file_perms;
+ allow local_login_t self:sock_file read_sock_file_perms;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch
new file mode 100644
index 0000000000..caa778d8ef
--- /dev/null
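Review bot: The two lines appended to init.te, `require { type unconfined_t; }` and `allow init_t unconfined_t:file exec_file_perms;`, use a bare require and a direct reference to a type owned by another module, whereas refpolicy convention is the gen_require() macro inside an optional_policy() block so the base policy still builds when the unconfined module is not enabled. exec_file_perms covers execute_no_trans as well as execute (the commit message lists execute_no_trans, map and exec), so nothing in this commit shows how a process started from a file labeled unconfined_t ends up in the unconfined_t domain rather than staying in init_t; that presumably comes from rules or unit settings outside the patch and is worth confirming on a booted image by checking the sshd process context. A comment above the rule, e.g. `# flatcar: /usr/sbin/sshd is labeled unconfined_t (see sshd.patch); let init execute it directly`, would record the dependency between the two patches so neither is rebased without the other.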
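Review bot: The `setpgid` added to local_login_t's self:process permissions carries no record of the denial that motivated it, so at the next refpolicy bump nobody can tell whether the patch is still needed or already upstream. The patch file has room for a description before its `diff --git` line; a header such as `local_login_t: allow setpgid on self (AVC denial seen for local login on Flatcar); drop once refpolicy carries it` would make that explicit. The grant itself is limited to the login domain acting on its own process, so it does not widen access beyond local_login_t.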
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch
@@ -0,0 +1,18 @@
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 7d713540d..d6cbc654d 100644
+--- refpolicy/policy/modules/system/logging.te
++++ refpolicy/policy/modules/system/logging.te
+@@ -516,11 +516,13 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+ userdom_dontaudit_search_user_home_dirs(syslogd_t)
+
+ ifdef(`init_systemd',`
++ require { type kernel_t; }
+ # for systemd-journal
+ allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+ allow syslogd_t self:capability2 audit_read;
+ allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
++ allow syslogd_t kernel_t:netlink_audit_socket getattr;
+
+ # remove /run/log/journal when switching to permanent storage
+ allow syslogd_t var_log_t:dir rmdir;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs-sshd.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch
similarity index 79%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs-sshd.patch
rename to sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch
index c3d0fcc009..420139c3be 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs-sshd.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch
@@ -1,5 +1,5 @@
-diff --git refpolicy/policy/modules/services/ssh.fc refpolicy/policy/modules/services/ssh.fc
-index 4ac3e733..ef8c9297 100644
+diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
+index 60060c35c..8d9f5b7a6 100644
--- refpolicy/policy/modules/services/ssh.fc
+++ refpolicy/policy/modules/services/ssh.fc
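Review bot: The `require { type kernel_t; }` inserted inside the ifdef(init_systemd) block of logging.te, together with `allow syslogd_t kernel_t:netlink_audit_socket getattr;` further down, references a type from kernel.te directly instead of through an interface; refpolicy style is to add an interface in kernel.if and call it from logging.te, and to use gen_require() rather than a bare require. kernel_t is declared in the kernel module, which is built into the same base policy as logging, so the require is likely redundant there and some toolchains reject a type that is both declared and required in one module; the build log should be checked for that. The permission granted is only getattr, so the widening is narrow, but a comment naming the journald operation behind the denial (the commit message only says "AVC patch for ... journald") would keep the patch reviewable when rebasing.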
@@ -6,7 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
@@ -18,5 +18,5 @@ index 4ac3e733..ef8c9297 100644
-/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+/usr/sbin/sshd -- gen_context(system_u:object_r:unconfined_t,s0)
- /run/sshd(/.*)? gen_context(system_u:object_r:sshd_var_run_t,s0)
- /run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+ /run/sshd(/.*)? gen_context(system_u:object_r:sshd_runtime_t,s0)
+ /run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_runtime_t,s0)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
index f7f0f25733..148ed5ff06 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r2.ebuild
@@ -32,6 +32,15 @@ LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
+# flatcar changes: apply a couple of
+# patches on the current policies
+PATCHES=(
+ "${FILESDIR}/sshd.patch"
+ "${FILESDIR}/init.patch"
+ "${FILESDIR}/locallogin.patch"
+ "${FILESDIR}/logging.patch"
+)
+
# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
# added) needs to remain then.
@@ -52,6 +61,7 @@ src_prepare() {
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi
+ eapply -p0 "${PATCHES[@]}"
eapply_user
# Collect only those files needed for this particular module
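Review bot: The rename only rebases the file-context patch (sshd_var_run_t to sshd_runtime_t in its context lines), but the rule it carries, `/usr/sbin/sshd -- gen_context(system_u:object_r:unconfined_t,s0)`, labels an executable with a process domain type rather than an executable type. Combined with the init.patch rule, any file that ends up carrying the unconfined_t label becomes executable by init_t, not just sshd; the usual refpolicy pattern for running a service unconfined is a dedicated exec type plus a domain transition into unconfined_t, which keeps the label-to-domain mapping explicit. If the direct label is deliberate, a line in the patch header saying so and noting that it depends on init.patch would stop the two patches from drifting apart at the next rebase.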
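Review bot: `PATCHES` is the array the default src_prepare applies automatically with eapply (at -p1) in EAPI 6 and later, while this ebuild's own src_prepare (second hunk, `eapply -p0 "${PATCHES[@]}"`) applies it manually at -p0; the name only works because src_prepare never calls `default`, and a later cleanup that does would apply the patches twice or at the wrong strip level. Renaming the array, e.g. `FLATCAR_PATCHES=(`, or a comment stating that it is applied by hand with -p0 because the patches use the `refpolicy/` prefix relative to `S="${WORKDIR}/"`, removes that trap. The comment `# flatcar changes: apply a couple of patches on the current policies` also undersells four patches; naming what each one does (sshd unconfined label, init exec rule, local-login and journald AVC fixes) makes the set reviewable at a glance.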