feat: add SELinux labels to volumes

Label mounted filesystems such as the ephemeral and overlay mounts, as well as data directories (which will become volumes later).

Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Dmitry Sharshakov 2024-10-30 09:05:23 +01:00
parent 61b9129e0c
commit 1a8cc5f8b2
No known key found for this signature in database
GPG Key ID: 9866BBFAF691F3AF
27 changed files with 421 additions and 156 deletions


@ -112,6 +112,7 @@ message LocatorSpec {
// MountSpec is the spec for volume mount.
message MountSpec {
string target_path = 1;
string selinux_label = 2;
}
// PartitionSpec is the spec for volume partitioning.


@ -123,6 +123,7 @@ func (ctrl *UserDiskConfigController) Run(ctx context.Context, r controller.Runt
Match: partitionIdxMatch(resolvedDevicePath, idx+1),
}
// TODO: label user disks
vc.TypedSpec().Mount = block.MountSpec{
TargetPath: part.MountPoint(),
}


@ -232,7 +232,8 @@ func (ctrl *VolumeConfigController) manageEphemeral(config cfg.Config) func(vc *
}
vc.TypedSpec().Mount = block.MountSpec{
TargetPath: constants.EphemeralMountPoint,
TargetPath: constants.EphemeralMountPoint,
SelinuxLabel: constants.EphemeralSelinuxLabel,
}
vc.TypedSpec().Locator = block.LocatorSpec{
@ -254,7 +255,8 @@ func (ctrl *VolumeConfigController) manageStateConfigPresent(config cfg.Config)
return func(vc *block.VolumeConfig) error {
vc.TypedSpec().Type = block.VolumeTypePartition
vc.TypedSpec().Mount = block.MountSpec{
TargetPath: constants.StateMountPoint,
TargetPath: constants.StateMountPoint,
SelinuxLabel: constants.StateSelinuxLabel,
}
vc.TypedSpec().Provisioning = block.ProvisioningSpec{
@ -293,7 +295,8 @@ func (ctrl *VolumeConfigController) manageStateNoConfig(encryptionMeta *runtime.
return func(vc *block.VolumeConfig) error {
vc.TypedSpec().Type = block.VolumeTypePartition
vc.TypedSpec().Mount = block.MountSpec{
TargetPath: constants.StateMountPoint,
TargetPath: constants.StateMountPoint,
SelinuxLabel: constants.StateSelinuxLabel,
}
match := labelVolumeMatchAndNonEmpty(constants.StatePartitionLabel)


@ -362,7 +362,7 @@ func StartDashboard(_ runtime.Sequence, _ any) (runtime.TaskExecutionFunc, strin
// StartUdevd represents the task to start udevd.
func StartUdevd(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
mp := mountv2.NewSystemOverlay([]string{constants.UdevDir}, constants.UdevDir, mountv2.WithShared(), mountv2.WithFlags(unix.MS_I_VERSION))
mp := mountv2.NewSystemOverlay([]string{constants.UdevDir}, constants.UdevDir, mountv2.WithShared(), mountv2.WithFlags(unix.MS_I_VERSION), mountv2.WithSelinuxLabel(constants.UdevRulesLabel))
if _, err = mp.Mount(); err != nil {
return err
@ -531,9 +531,10 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string
}
for _, dir := range []struct {
Path string
Mode os.FileMode
UID, GID int
Path string
Mode os.FileMode
UID, GID int
SELinuxLabel string
}{
{
Path: "/var/log",
@ -552,8 +553,14 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string
Mode: 0o755,
},
{
Path: "/var/lib/kubelet",
Mode: 0o700,
Path: "/var/lib/containerd",
Mode: 0o000,
SELinuxLabel: "system_u:object_r:containerd_state_t:s0",
},
{
Path: "/var/lib/kubelet",
Mode: 0o700,
SELinuxLabel: "system_u:object_r:kubelet_state_t:s0",
},
{
Path: "/var/run/lock",
@ -578,6 +585,10 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string
return err
}
if err := selinux.SetLabel(dir.Path, dir.SELinuxLabel); err != nil {
return err
}
if dir.UID != 0 || dir.GID != 0 {
if err := os.Chown(dir.Path, dir.UID, dir.GID); err != nil {
return err
@ -661,6 +672,7 @@ func MountUserDisks(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
volumeStatus.TypedSpec().MountLocation,
volumeConfig.TypedSpec().Mount.TargetPath,
volumeStatus.TypedSpec().Filesystem.String(),
mountv2.WithSelinuxLabel(volumeConfig.TypedSpec().Mount.SelinuxLabel),
))
}
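Review bot: In the SetupVarDirectory table the two new labels are raw string literals (`"system_u:object_r:containerd_state_t:s0"` and `"system_u:object_r:kubelet_state_t:s0"`), while the other labels this commit wires in come from `constants`. The integration test repeats the same literals, so a type rename in the policy has to be chased through several places by hand. Defining them as constants beside the other labels would keep policy, runtime and test in step. The added `selinux.SetLabel(dir.Path, dir.SELinuxLabel)` also runs for entries with no label, so it relies on SetLabel treating `""` as a no-op (its body is not on this page); a guard such as `if dir.SELinuxLabel != "" {` or a comment stating that contract would make it explicit. The function body extends beyond the hunks shown.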


@ -17,6 +17,7 @@ import (
"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
"github.com/siderolabs/talos/internal/pkg/environment"
"github.com/siderolabs/talos/internal/pkg/mount/v2"
"github.com/siderolabs/talos/internal/pkg/selinux"
"github.com/siderolabs/talos/pkg/machinery/constants"
"github.com/siderolabs/talos/pkg/machinery/resources/block"
)
@ -34,6 +35,21 @@ func SetupSystemDirectories(ctx context.Context, log *zap.Logger, rt runtime.Run
if err := os.MkdirAll(path, 0o700); err != nil {
return fmt.Errorf("setupSystemDirectories: %w", err)
}
var label string
switch path {
case constants.SystemEtcPath:
label = constants.SystemEtcSelinuxLabel
case constants.SystemVarPath:
label = constants.SystemVarSelinuxLabel
default: // /system/state is another mount
label = ""
}
if err := selinux.SetLabel(path, label); err != nil {
return err
}
}
for _, path := range []string{constants.SystemRunPath} {
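Review bot: The new `return err` after `selinux.SetLabel(path, label)` drops the `setupSystemDirectories:` prefix that the MkdirAll failure just above it carries, so a labeling failure during boot is harder to attribute. `return fmt.Errorf("setupSystemDirectories: %w", err)` would match the neighbouring branch. The `default:` case assigns the zero value `label` already holds, so the comment alone would do. The loop and the function continue outside the hunk.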


@ -40,6 +40,7 @@ import (
"github.com/siderolabs/talos/internal/pkg/containers/image"
"github.com/siderolabs/talos/internal/pkg/environment"
"github.com/siderolabs/talos/internal/pkg/etcd"
"github.com/siderolabs/talos/internal/pkg/selinux"
"github.com/siderolabs/talos/pkg/argsbuilder"
"github.com/siderolabs/talos/pkg/conditions"
"github.com/siderolabs/talos/pkg/filetree"
@ -93,6 +94,11 @@ func (e *Etcd) PreFunc(ctx context.Context, r runtime.Runtime) error {
return err
}
// Relabel in case of upgrade from older version or SELinux being disabled and then enabled.
if err := selinux.SetLabel(constants.EtcdDataPath, constants.EtcdDataSELinuxLabel); err != nil {
return err
}
// Make sure etcd user can access files in the data directory.
if err := filetree.ChownRecursive(constants.EtcdDataPath, constants.EtcdUserID, constants.EtcdUserID); err != nil {
return err
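Review bot: The comment on the new SetLabel call promises a relabel after an upgrade or after SELinux was switched off and on, but the call is made once on `constants.EtcdDataPath`, while the ownership fix directly below uses `filetree.ChownRecursive`. If `selinux.SetLabel` only sets the attribute on the path it is given (its implementation is not on this page), files written before the upgrade keep their old or missing label. The `etcd_t` access granted on `etcd_data_t` would then not cover them once the policy is enforced. Either relabel the tree the same way ownership is fixed, or state in the comment that only the directory is relabeled and why that is sufficient. PreFunc continues outside the hunk.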


@ -52,6 +52,7 @@ func (svc *Extension) PreFunc(ctx context.Context, r runtime.Runtime) error {
// re-mount service rootfs as overlay rw mount to allow containerd to mount there /dev, /proc, etc.
rootfsPath := filepath.Join(constants.ExtensionServiceRootfsPath, svc.Spec.Name)
// TODO: label system extensions
overlay := mount.NewSystemOverlay(
[]string{rootfsPath},
rootfsPath,


@ -10,6 +10,7 @@ import (
"bytes"
"context"
"io"
"maps"
"path/filepath"
"strconv"
"strings"
@ -17,6 +18,7 @@ import (
"github.com/siderolabs/go-pointer"
"github.com/siderolabs/go-procfs/procfs"
"golang.org/x/exp/slices"
"github.com/siderolabs/talos/cmd/talosctl/pkg/talos/helpers"
"github.com/siderolabs/talos/internal/integration/base"
@ -67,30 +69,45 @@ func (suite *SELinuxSuite) getLabel(nodeCtx context.Context, pid int32) string {
return string(bytes.TrimSpace(value))
}
// TestRuntimeFileLabels reads labels of runtime-created files from xattrs
// to ensure SELinux labels for files are set when they are created.
func (suite *SELinuxSuite) TestRuntimeFileLabels() {
// TestFileMountLabels reads labels of runtime-created files and mounts from xattrs
// to ensure SELinux labels for files are set when they are created and FS's are mounted with correct labels.
// FIXME: cancel the test in case system was upgraded.
func (suite *SELinuxSuite) TestFileMountLabels() {
workers := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeWorker)
controlplanes := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeControlPlane)
expectedLabelsWorker := map[string]string{
// Mounts
constants.SystemPath: constants.SystemSelinuxLabel,
constants.EphemeralMountPoint: constants.EphemeralSelinuxLabel,
constants.StateMountPoint: constants.StateSelinuxLabel,
constants.SystemEtcPath: constants.SystemEtcSelinuxLabel,
constants.SystemVarPath: constants.SystemVarSelinuxLabel,
constants.RunPath: constants.RunSelinuxLabel,
"/var/run": constants.RunSelinuxLabel,
// Runtime files
constants.APIRuntimeSocketPath: constants.APIRuntimeSocketLabel,
constants.APISocketPath: constants.APISocketLabel,
constants.DBusClientSocketPath: constants.DBusClientSocketLabel,
constants.UdevRulesPath: constants.UdevRulesLabel,
constants.DBusServiceSocketPath: constants.DBusServiceSocketLabel,
constants.MachineSocketPath: constants.MachineSocketLabel,
// Overlays
"/etc/cni": constants.CNISELinuxLabel,
constants.KubernetesConfigBaseDir: constants.KubernetesConfigSELinuxLabel,
"/usr/libexec/kubernetes": constants.KubeletPluginsSELinuxLabel,
"/opt": constants.OptSELinuxLabel,
"/opt/cni": "system_u:object_r:cni_plugin_t:s0",
"/opt/containerd": "system_u:object_r:containerd_plugin_t:s0",
// Directories
"/var/lib/containerd": "system_u:object_r:containerd_state_t:s0",
"/var/lib/kubelet": "system_u:object_r:kubelet_state_t:s0",
}
// Only running on controlplane
expectedLabelsControlPlane := map[string]string{
constants.APIRuntimeSocketPath: constants.APIRuntimeSocketLabel,
constants.APISocketPath: constants.APISocketLabel,
constants.DBusClientSocketPath: constants.DBusClientSocketLabel,
constants.UdevRulesPath: constants.UdevRulesLabel,
constants.DBusServiceSocketPath: constants.DBusServiceSocketLabel,
constants.MachineSocketPath: constants.MachineSocketLabel,
// Only running on controlplane
constants.EtcdPKIPath: constants.EtcdPKISELinuxLabel,
constants.EtcdDataPath: constants.EtcdDataSELinuxLabel,
constants.KubernetesAPIServerConfigDir: constants.KubernetesAPIServerConfigDirSELinuxLabel,
constants.KubernetesAPIServerSecretsDir: constants.KubernetesAPIServerSecretsDirSELinuxLabel,
constants.KubernetesControllerManagerSecretsDir: constants.KubernetesControllerManagerSecretsDirSELinuxLabel,
@ -98,12 +115,19 @@ func (suite *SELinuxSuite) TestRuntimeFileLabels() {
constants.KubernetesSchedulerSecretsDir: constants.KubernetesSchedulerSecretsDirSELinuxLabel,
constants.TrustdRuntimeSocketPath: constants.TrustdRuntimeSocketLabel,
}
maps.Copy(expectedLabelsControlPlane, expectedLabelsWorker)
suite.checkFileLabels(workers, expectedLabelsWorker)
suite.checkFileLabels(controlplanes, expectedLabelsControlPlane)
}
//nolint:gocyclo
func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[string]string) {
paths := make([]string, 0, len(expectedLabels))
for k := range expectedLabels {
paths = append(paths, k)
}
for _, node := range nodes {
nodeCtx := client.WithNode(suite.ctx, node)
cmdline := suite.ReadCmdline(nodeCtx)
@ -129,6 +153,11 @@ func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[st
suite.Require().NoError(err)
suite.Require().NoError(helpers.ReadGRPCStream(stream, func(info *machineapi.FileInfo, node string, multipleNodes bool) error {
// E.g. /var/lib should inherit /var label, while /var/run is a new mountpoint
if slices.Contains(paths, info.Name) && info.Name != path {
return nil
}
suite.Require().NotNil(info.Xattrs)
found := false
@ -136,7 +165,7 @@ func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[st
for _, l := range info.Xattrs {
if l.Name == "security.selinux" {
got := string(bytes.Trim(l.Data, "\x00\n"))
suite.Require().Equal(got, label, "expected %s to have label %s, got %s", path, label, got)
suite.Require().Contains(got, label, "expected %s to have label %s, got %s", path, label, got)
found = true
@ -225,7 +254,8 @@ func (suite *SELinuxSuite) TestProcessLabels() {
}
}
// TODO: test for volume labels
// TODO: test for all machined-created files
// TODO: test for system and CRI container labels
// TODO: test labels for unconfined system extensions, pods
// TODO: test for no avc denials in dmesg
// TODO: start a pod and ensure access to restricted resources is denied
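Review bot: Switching the check in checkFileLabels to `suite.Require().Contains(got, label, ...)` turns the label comparison into a substring match, so a file carrying a longer context than expected (for example with extra categories appended) still passes, and an empty expected value would match anything. For a test whose purpose is to prove that files carry the intended security context, an exact comparison is the safer default: `suite.Require().Equal(label, got, "expected %s to have label %s, got %s", path, label, got)`. If a specific suffix has to be tolerated, strip it from `got` explicitly and say why in a comment. Separately, the file now imports the standard-library `maps`, so the standard `slices` package could replace `golang.org/x/exp/slices` for the new `slices.Contains` call.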


@ -420,10 +420,10 @@ func (suite *TinkSuite) getTinkManifests(namespace, serviceName, ssName, talosIm
},
},
xslices.Map(
xslices.Filter(constants.Overlays, func(overlay string) bool { return overlay != "/opt" }), // /opt/cni/bin contains CNI binaries
func(mountPath string) overlayMountSpec {
xslices.Filter(constants.Overlays, func(overlay constants.SELinuxLabeledPath) bool { return overlay.Path != "/opt" }), // /opt/cni/bin contains CNI binaries
func(mnt constants.SELinuxLabeledPath) overlayMountSpec {
return overlayMountSpec{
MountPoint: mountPath,
MountPoint: mnt.Path,
Size: "100Mi",
}
},


@ -42,6 +42,8 @@ func SystemPartitionMount(ctx context.Context, r runtime.Runtime, logger *log.Lo
return fmt.Errorf("error getting volume config %q: %w", label, err)
}
opts = append(opts, mountv2.WithSelinuxLabel(volumeConfig.TypedSpec().Mount.SelinuxLabel))
mountpoint := mountv2.NewPoint(
volumeStatus.TypedSpec().MountLocation,
volumeConfig.TypedSpec().Mount.TargetPath,


@ -18,6 +18,7 @@ import (
"github.com/siderolabs/go-retry/retry"
"golang.org/x/sys/unix"
"github.com/siderolabs/talos/internal/pkg/selinux"
"github.com/siderolabs/talos/pkg/machinery/constants"
)
@ -29,8 +30,9 @@ type Point struct {
flags uintptr
data string
shared bool
extraDirs []string
shared bool
extraDirs []string
selinuxLabel string
}
// NewPointOption is a mount point option.
@ -84,6 +86,13 @@ func WithExtraDirs(dirs ...string) NewPointOption {
}
}
// WithSelinuxLabel sets the mount SELinux label.
func WithSelinuxLabel(label string) NewPointOption {
return func(p *Point) {
p.selinuxLabel = label
}
}
// NewPoint creates a new mount point.
func NewPoint(source, target, fstype string, opts ...NewPointOption) *Point {
p := &Point{
@ -290,7 +299,11 @@ func (p *Point) Move(newTarget string) error {
}
func (p *Point) mount() error {
return unix.Mount(p.source, p.target, p.fstype, p.flags, p.data)
if err := unix.Mount(p.source, p.target, p.fstype, p.flags, p.data); err != nil {
return err
}
return selinux.SetLabel(p.target, p.selinuxLabel)
}
func (p *Point) unmount(printer func(string, ...any)) error {
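Review bot: In `Point.mount`, a failure of `selinux.SetLabel` is returned after `unix.Mount` has already succeeded, so the caller sees an error while the filesystem stays mounted with its default label. If the caller retries mount() (the file imports go-retry, but the call site is outside the hunk), the second `unix.Mount` would hit an already-mounted target. Wrapping the error so it can be told apart from a mount failure, e.g. `return fmt.Errorf("labeling %q: %w", p.target, err)` (assuming `fmt` is imported in this file), and deciding explicitly whether to unmount on that path would make the failure mode clear. There is also a short window between mount and relabel in which the target carries the default label. A comment on `WithSelinuxLabel` should say that the label is applied after mounting and that an empty label leaves the target untouched, if that is indeed what SetLabel does.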


@ -14,7 +14,7 @@ import (
// OverlayMountPoints returns the mountpoints required to boot the system.
// These mountpoints are used as overlays on top of the read only rootfs.
func OverlayMountPoints() Points {
return xslices.Map(constants.Overlays, func(target string) *Point {
return NewVarOverlay([]string{target}, target, WithFlags(unix.MS_I_VERSION))
return xslices.Map(constants.Overlays, func(target constants.SELinuxLabeledPath) *Point {
return NewVarOverlay([]string{target.Path}, target.Path, WithFlags(unix.MS_I_VERSION), WithSelinuxLabel(target.Label))
})
}


@ -24,8 +24,8 @@ func Pseudo() Points {
// PseudoLate returns the mountpoints mounted later in the boot cycle.
func PseudoLate() Points {
return Points{
NewPoint("tmpfs", "/run", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME), WithData("mode=0755")),
NewPoint("tmpfs", "/system", "tmpfs", WithData("mode=0755")),
NewPoint("tmpfs", "/run", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME), WithData("mode=0755"), WithSelinuxLabel(constants.RunSelinuxLabel)),
NewPoint("tmpfs", "/system", "tmpfs", WithData("mode=0755"), WithSelinuxLabel(constants.SystemSelinuxLabel)),
NewPoint("tmpfs", "/tmp", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV), WithData("size=64M"), WithData("mode=0755")),
}
}


@ -1,7 +1,13 @@
/opt(/.*)? system_u:object_r:opt_t:s0
/sbin(/.*)? system_u:object_r:sbin_exec_t:s0
/etc/cni(/.*)? system_u:object_r:cni_conf_t:s0
/opt/cni(/.*)? system_u:object_r:cni_plugin_t:s0
/usr/sbin(/.*)? system_u:object_r:sbin_exec_t:s0
/usr/lib/udev(/.*)? system_u:object_r:udev_exec_t:s0
/etc/kubernetes(/.*)? system_u:object_r:k8s_conf_t:s0
/opt/containerd(/.*)? system_u:object_r:containerd_plugin_t:s0
/usr/lib/udev/rules.d(/.*)? system_u:object_r:udev_rules_t:s0
/usr/libexec/kubernetes(/.*)? system_u:object_r:k8s_plugin_t:s0
/ system_u:object_r:rootfs_t:s0
/bin/runc system_u:object_r:containerd_exec_t:s0
/sbin/init -- system_u:object_r:init_exec_t:s0


@ -0,0 +1,26 @@
; Runtime and mounted filesystems
(type system_t)
(call filesystem_f (system_t))
(allow system_t tmpfs_t (filesystem (associate)))
(type system_etc_t)
(call system_f (system_etc_t))
(allow system_etc_t fs_t (filesystem (associate)))
(allow system_etc_t tmpfs_t (filesystem (associate)))
(type system_var_t)
(call system_f (system_var_t))
(allow system_var_t fs_t (filesystem (associate)))
(allow system_var_t tmpfs_t (filesystem (associate)))
(type ephemeral_t)
(call filesystem_f (ephemeral_t))
(type system_state_t)
(call filesystem_f (system_state_t))
(type run_t)
(call filesystem_f (run_t))
(allow run_t tmpfs_t (filesystem (associate)))
(type opt_t)
(call filesystem_f (opt_t))
(filecon "/opt(/.*)?" any (system_u object_r opt_t (systemLow systemLow)))
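Review bot: Only `opt_t` gets a `filecon` in this new file; `system_t`, `system_etc_t`, `system_var_t`, `ephemeral_t`, `system_state_t` and `run_t` are declared without one. Nothing here says which path each type is meant to label, and that binding appears to live only in the Go constants passed to the mount and directory-setup code. A one-line comment per type naming its mount point and noting that the label is applied at runtime (e.g. `; run_t: /run tmpfs, labeled by machined after mount`, to be confirmed against the constants) would let the policy be audited without reading the Go side. It would also help to note why `system_etc_t` and `system_var_t` need `associate` on both `fs_t` and `tmpfs_t` while `ephemeral_t` and `system_state_t` need neither.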


@ -61,6 +61,7 @@
)
(allow filesystem_f self (filesystem (associate)))
(allow any_f fs_t (filesystem (associate)))
(allow filesystem_f fs_t (filesystem (associate)))
(typeattribute service_exec_f)


@ -2,24 +2,48 @@
(type pod_containerd_t)
(call service_p (pod_containerd_t containerd_exec_t))
; TODO: label /run
(type pod_containerd_socket_t)
(call system_socket_f (pod_containerd_socket_t))
(typetransition pod_containerd_t run_t sock_file pod_containerd_socket_t)
(allow pod_containerd_t pod_p (process2 (nnp_transition nosuid_transition)))
(allow pod_containerd_t pod_p (process (transition)))
(type pod_t)
(call pod_p (pod_t))
; TODO: label ephemeral
; TODO: What if container is started not from containerd_state_t?
(typetransition pod_containerd_t containerd_state_t process pod_t)
(allow pod_t containerd_state_t (file (entrypoint execute_no_trans)))
(type etcd_t)
(call pod_p (etcd_t))
; FIXME: insecure as anyone with access to the pod containerd may obtain this domain (executable in ephemeral)
; FIXME: insecure as anyone with access to the pod containerd may obtain this domain
(allow etcd_t containerd_state_t (file (entrypoint)))
(type etcd_pki_t)
(call protected_f (etcd_pki_t))
(allow etcd_pki_t tmpfs_t (filesystem (associate)))
(allow etcd_t etcd_pki_t (fs_classes (ro)))
(type cni_conf_t)
(call filesystem_f (cni_conf_t))
(filecon "/etc/cni(/.*)?" any (system_u object_r cni_conf_t (systemLow systemLow)))
(type cni_plugin_t)
(call filesystem_f (cni_plugin_t))
(filecon "/opt/cni(/.*)?" any (system_u object_r cni_plugin_t (systemLow systemLow)))
(type containerd_plugin_t)
(call filesystem_f (containerd_plugin_t))
(filecon "/opt/containerd(/.*)?" any (system_u object_r containerd_plugin_t (systemLow systemLow)))
(type etcd_data_t)
(call protected_f (etcd_data_t))
(allow etcd_t etcd_data_t (fs_classes (rw)))
(type containerd_state_t)
(call common_f (containerd_state_t))
(type kube_apiserver_config_t)
(call protected_f (kube_apiserver_config_t))
(allow kube_apiserver_config_t tmpfs_t (filesystem (associate)))
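Review bot: The FIXME above `(allow etcd_t containerd_state_t (file (entrypoint)))` lost its reason when `(executable in ephemeral)` was dropped, yet the rule still makes any file labeled `containerd_state_t` a valid entrypoint for `etcd_t`. The added `typetransition pod_containerd_t containerd_state_t process pod_t` ties pod domain selection to the same broad type, which is declared with `common_f`. The comment should state the current exposure and the intended fix, e.g. `; FIXME: any containerd_state_t file is an etcd_t entrypoint; needs a dedicated entrypoint type`. The same applies to the `kubelet_t` FIXME in the kubelet policy section and, with no comment at all, to the new `(allow installer_t system_var_t (file (entrypoint execute_no_trans)))` rule in the system containerd section.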


@ -1,3 +1,15 @@
(type kubelet_t)
(call pod_p (kubelet_t))
; FIXME: insecure as anyone with access to the pod containerd may obtain this domain (executable in ephemeral)
; FIXME: insecure as anyone with access to the pod containerd may obtain this domain
(allow kubelet_t containerd_state_t (file (entrypoint execute_no_trans)))
(type k8s_conf_t)
(call filesystem_f (k8s_conf_t))
(filecon "/etc/kubernetes(/.*)?" any (system_u object_r k8s_conf_t (systemLow systemLow)))
(type k8s_plugin_t)
(call filesystem_f (k8s_plugin_t))
(filecon "/usr/libexec/kubernetes(/.*)?" any (system_u object_r k8s_plugin_t (systemLow systemLow)))
(type kubelet_state_t)
(call system_f (kubelet_state_t))


@ -9,7 +9,9 @@
(type sys_containerd_t)
(call service_p (sys_containerd_t containerd_exec_t))
; TODO: label /system
(type sys_containerd_socket_t)
(call system_socket_f (sys_containerd_socket_t))
(typetransition sys_containerd_t system_t sock_file sys_containerd_socket_t)
(allow sys_containerd_t system_container_p (process2 (nnp_transition nosuid_transition)))
(allow sys_containerd_t system_container_p (process (transition)))
@ -22,4 +24,4 @@
; Talos installer
(type installer_t)
(call system_container_p (installer_t))
; TODO: label /system/var where it's stored
(allow installer_t system_var_t (file (entrypoint execute_no_trans)))


@ -14,7 +14,11 @@
(type udev_t)
(call service_p (udev_t udev_exec_t))
; TODO: label /run
(type udev_socket_t)
(call system_socket_f (udev_socket_t))
(typetransition udev_t run_t sock_file udev_socket_t)
; udevadm called by machined in its context
(allow init_t udev_t (unix_stream_socket (connectto)))
(type modprobe_exec_t)
(call system_f (modprobe_exec_t))


@ -898,7 +898,8 @@ type MountSpec struct {
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
TargetPath string `protobuf:"bytes,1,opt,name=target_path,json=targetPath,proto3" json:"target_path,omitempty"`
TargetPath string `protobuf:"bytes,1,opt,name=target_path,json=targetPath,proto3" json:"target_path,omitempty"`
SelinuxLabel string `protobuf:"bytes,2,opt,name=selinux_label,json=selinuxLabel,proto3" json:"selinux_label,omitempty"`
}
func (x *MountSpec) Reset() {
@ -938,6 +939,13 @@ func (x *MountSpec) GetTargetPath() string {
return ""
}
func (x *MountSpec) GetSelinuxLabel() string {
if x != nil {
return x.SelinuxLabel
}
return ""
}
// PartitionSpec is the spec for volume partitioning.
type PartitionSpec struct {
state protoimpl.MessageState
@ -1571,122 +1579,125 @@ var file_resource_definitions_block_block_proto_rawDesc = []byte{
0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70,
0x69, 0x2e, 0x65, 0x78, 0x70, 0x72, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e,
0x43, 0x68, 0x65, 0x63, 0x6b, 0x65, 0x64, 0x45, 0x78, 0x70, 0x72, 0x52, 0x05, 0x6d, 0x61, 0x74,
0x63, 0x68, 0x22, 0x2c, 0x0a, 0x09, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12,
0x63, 0x68, 0x22, 0x51, 0x0a, 0x09, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12,
0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01,
0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68,
0x22, 0x8c, 0x01, 0x0a, 0x0d, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70,
0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x69, 0x6e, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x01,
0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x69, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x19, 0x0a,
0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52,
0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x67, 0x72, 0x6f, 0x77,
0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x67, 0x72, 0x6f, 0x77, 0x12, 0x14, 0x0a, 0x05,
0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62,
0x65, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18,
0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x79, 0x70, 0x65, 0x55, 0x75, 0x69, 0x64, 0x22,
0xae, 0x02, 0x0a, 0x10, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67,
0x53, 0x70, 0x65, 0x63, 0x12, 0x53, 0x0a, 0x0d, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x73, 0x65, 0x6c,
0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x74, 0x61,
0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66,
0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x44,
0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x0c, 0x64, 0x69, 0x73,
0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x56, 0x0a, 0x0e, 0x70, 0x61, 0x72,
0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x02, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62,
0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70,
0x65, 0x63, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65,
0x63, 0x12, 0x12, 0x0a, 0x04, 0x77, 0x61, 0x76, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52,
0x04, 0x77, 0x61, 0x76, 0x65, 0x12, 0x59, 0x0a, 0x0f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73,
0x74, 0x65, 0x6d, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30,
0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e,
0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63,
0x6b, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x70, 0x65, 0x63,
0x52, 0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x70, 0x65, 0x63,
0x22, 0x44, 0x0a, 0x0e, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x70,
0x65, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20,
0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x73, 0x6b, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x64,
0x65, 0x76, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x64,
0x65, 0x76, 0x50, 0x61, 0x74, 0x68, 0x22, 0x30, 0x0a, 0x18, 0x55, 0x73, 0x65, 0x72, 0x44, 0x69,
0x73, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70,
0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28,
0x08, 0x52, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x22, 0xac, 0x03, 0x0a, 0x10, 0x56, 0x6f, 0x6c,
0x75, 0x6d, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a,
0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x45, 0x0a, 0x04, 0x74, 0x79,
0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73,
0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69,
0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63,
0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70,
0x65, 0x12, 0x56, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e,
0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e,
0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74,
0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69,
0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0c, 0x70, 0x72, 0x6f,
0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x12, 0x47, 0x0a, 0x07, 0x6c, 0x6f, 0x63,
0x61, 0x74, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x61, 0x6c,
0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69,
0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4c, 0x6f,
0x63, 0x61, 0x74, 0x6f, 0x72, 0x53, 0x70, 0x65, 0x63, 0x52, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74,
0x6f, 0x72, 0x12, 0x41, 0x0a, 0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62,
0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x52, 0x05,
0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x50, 0x0a, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f,
0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e,
0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x45, 0x6e, 0x63,
0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0a, 0x65, 0x6e, 0x63,
0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xa7, 0x05, 0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75,
0x6d, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x48, 0x0a, 0x05,
0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x74, 0x61,
0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66,
0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42,
0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52,
0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69,
0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69,
0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73,
0x61, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72,
0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18,
0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 0x12, 0x25, 0x0a, 0x0e, 0x70,
0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20,
0x01, 0x28, 0x09, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x75,
0x69, 0x64, 0x12, 0x58, 0x0a, 0x0e, 0x70, 0x72, 0x65, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x5f, 0x70,
0x68, 0x61, 0x73, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c,
0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69,
0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c,
0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x0c,
0x70, 0x72, 0x65, 0x46, 0x61, 0x69, 0x6c, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x27, 0x0a, 0x0f,
0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18,
0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x4c, 0x6f, 0x63,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69,
0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e,
0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x12,
0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x04, 0x52, 0x04, 0x73, 0x69,
0x7a, 0x65, 0x12, 0x55, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d,
0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72,
0x12, 0x23, 0x0a, 0x0d, 0x73, 0x65, 0x6c, 0x69, 0x6e, 0x75, 0x78, 0x5f, 0x6c, 0x61, 0x62, 0x65,
0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x65, 0x6c, 0x69, 0x6e, 0x75, 0x78,
0x4c, 0x61, 0x62, 0x65, 0x6c, 0x22, 0x8c, 0x01, 0x0a, 0x0d, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74,
0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x69, 0x6e, 0x5f, 0x73,
0x69, 0x7a, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x69, 0x6e, 0x53, 0x69,
0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02,
0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a,
0x04, 0x67, 0x72, 0x6f, 0x77, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x67, 0x72, 0x6f,
0x77, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09,
0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x79, 0x70, 0x65, 0x5f,
0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x79, 0x70, 0x65,
0x55, 0x75, 0x69, 0x64, 0x22, 0xae, 0x02, 0x0a, 0x10, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69,
0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x53, 0x0a, 0x0d, 0x64, 0x69, 0x73,
0x6b, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x2e, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c,
0x6f, 0x63, 0x6b, 0x2e, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72,
0x52, 0x0c, 0x64, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x56,
0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x70, 0x65, 0x63,
0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72,
0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69,
0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x46,
0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x66,
0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x25, 0x0a, 0x0e, 0x6d, 0x6f, 0x75,
0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28,
0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70,
0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x3d, 0x2e,
0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74,
0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69,
0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x12, 0x0a, 0x04, 0x77, 0x61, 0x76, 0x65, 0x18, 0x03,
0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x77, 0x61, 0x76, 0x65, 0x12, 0x59, 0x0a, 0x0f, 0x66, 0x69,
0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x04, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f,
0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73,
0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65,
0x6d, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65,
0x6d, 0x53, 0x70, 0x65, 0x63, 0x22, 0x44, 0x0a, 0x0e, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x44,
0x69, 0x73, 0x6b, 0x53, 0x70, 0x65, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x6b, 0x5f,
0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x73, 0x6b, 0x49, 0x64,
0x12, 0x19, 0x0a, 0x08, 0x64, 0x65, 0x76, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01,
0x28, 0x09, 0x52, 0x07, 0x64, 0x65, 0x76, 0x50, 0x61, 0x74, 0x68, 0x22, 0x30, 0x0a, 0x18, 0x55,
0x73, 0x65, 0x72, 0x44, 0x69, 0x73, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61,
0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79,
0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x22, 0xac, 0x03,
0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70,
0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18,
0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12,
0x45, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e,
0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64,
0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73,
0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e,
0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x52, 0x12, 0x65, 0x6e,
0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72,
0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18,
0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x53, 0x69, 0x7a,
0x65, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x61,
0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69,
0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x5a, 0x48, 0x67,
0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f,
0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d,
0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73,
0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e,
0x73, 0x2f, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65,
0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x56, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73,
0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x74,
0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65,
0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e,
0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63,
0x52, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x12, 0x47,
0x0a, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32,
0x2d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f,
0x63, 0x6b, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x53, 0x70, 0x65, 0x63, 0x52, 0x07,
0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x41, 0x0a, 0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74,
0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72,
0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69,
0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53,
0x70, 0x65, 0x63, 0x52, 0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x50, 0x0a, 0x0a, 0x65, 0x6e,
0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30,
0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e,
0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63,
0x6b, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63,
0x52, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xa7, 0x05, 0x0a,
0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65,
0x63, 0x12, 0x48, 0x0a, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e,
0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e,
0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50,
0x68, 0x61, 0x73, 0x65, 0x52, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x6c,
0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6c,
0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72,
0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c,
0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x12, 0x0a, 0x04,
0x75, 0x75, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64,
0x12, 0x25, 0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x75, 0x75,
0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74,
0x69, 0x6f, 0x6e, 0x55, 0x75, 0x69, 0x64, 0x12, 0x58, 0x0a, 0x0e, 0x70, 0x72, 0x65, 0x5f, 0x66,
0x61, 0x69, 0x6c, 0x5f, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32,
0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75,
0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68,
0x61, 0x73, 0x65, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x46, 0x61, 0x69, 0x6c, 0x50, 0x68, 0x61, 0x73,
0x65, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x65,
0x6e, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61,
0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x08, 0x20,
0x01, 0x28, 0x03, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e,
0x64, 0x65, 0x78, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28,
0x04, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 0x55, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73,
0x79, 0x73, 0x74, 0x65, 0x6d, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x74, 0x61,
0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66,
0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42,
0x6c, 0x6f, 0x63, 0x6b, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79,
0x70, 0x65, 0x52, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x25,
0x0a, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x4c, 0x6f, 0x63,
0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x0c, 0x20, 0x01,
0x28, 0x0e, 0x32, 0x3d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75,
0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e,
0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x63, 0x72, 0x79,
0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70,
0x65, 0x52, 0x12, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f,
0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x5f,
0x73, 0x69, 0x7a, 0x65, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x65, 0x74,
0x74, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61,
0x6c, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f,
0x63, 0x6b, 0x5a, 0x48, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73,
0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f,
0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70,
0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e,
0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x62, 0x06, 0x70, 0x72,
0x6f, 0x74, 0x6f, 0x33,
}
var (


@ -829,6 +829,13 @@ func (m *MountSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
i -= len(m.unknownFields)
copy(dAtA[i:], m.unknownFields)
}
if len(m.SelinuxLabel) > 0 {
i -= len(m.SelinuxLabel)
copy(dAtA[i:], m.SelinuxLabel)
i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.SelinuxLabel)))
i--
dAtA[i] = 0x12
}
if len(m.TargetPath) > 0 {
i -= len(m.TargetPath)
copy(dAtA[i:], m.TargetPath)
@ -1609,6 +1616,10 @@ func (m *MountSpec) SizeVT() (n int) {
if l > 0 {
n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
}
l = len(m.SelinuxLabel)
if l > 0 {
n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
}
n += len(m.unknownFields)
return n
}
@ -4002,6 +4013,38 @@ func (m *MountSpec) UnmarshalVT(dAtA []byte) error {
}
m.TargetPath = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
case 2:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field SelinuxLabel", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return protohelpers.ErrIntOverflow
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return protohelpers.ErrInvalidLength
}
postIndex := iNdEx + intStringLen
if postIndex < 0 {
return protohelpers.ErrInvalidLength
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.SelinuxLabel = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := protohelpers.Skip(dAtA[iNdEx:])


@ -193,6 +193,9 @@ const (
// the state path.
StateMountPoint = "/system/state"
// StateSelinuxLabel is the label to be assigned to the state mount.
StateSelinuxLabel = "system_u:object_r:system_state_t:s0"
// BootPartitionLabel is the label of the partition to use for mounting at
// the boot path.
BootPartitionLabel = "BOOT"
@ -209,6 +212,12 @@ const (
// the data path.
EphemeralMountPoint = "/var"
// EphemeralSelinuxLabel is the label to be assigned to the ephemeral mount.
EphemeralSelinuxLabel = "system_u:object_r:ephemeral_t:s0"
// OptSELinuxLabel is the SELinux label to be set for /opt overlay mount.
OptSELinuxLabel = "system_u:object_r:opt_t:s0"
// RootMountPoint is the label of the partition to use for mounting at
// the root path.
RootMountPoint = "/"
@ -226,6 +235,12 @@ const (
// KubernetesConfigBaseDir is the path to the base Kubernetes configuration directory.
KubernetesConfigBaseDir = "/etc/kubernetes"
// KubernetesConfigSELinuxLabel is the SELinux label to be set for the Kubernetes configuration directory overlay mount.
KubernetesConfigSELinuxLabel = "system_u:object_r:k8s_conf_t:s0"
// KubeletPluginsSELinuxLabel is the SELinux label to be set for the Kubernetes plugin directory overlay mount.
KubeletPluginsSELinuxLabel = "system_u:object_r:k8s_plugin_t:s0"
// DefaultCertificatesDir is the path the Kubernetes PKI directory.
DefaultCertificatesDir = KubernetesConfigBaseDir + "/" + "pki"
@ -463,6 +478,9 @@ const (
// EtcdDataPath is the path where etcd stores its' data.
EtcdDataPath = "/var/lib/etcd"
// EtcdDataSELinuxLabel is the SELinux label for the etcd data directory.
EtcdDataSELinuxLabel = "system_u:object_r:etcd_data_t:s0"
// EtcdRecoverySnapshotPath is the path where etcd snapshot is uploaded for recovery.
EtcdRecoverySnapshotPath = "/var/lib/etcd.snapshot"
@ -681,6 +699,15 @@ const (
// and directories.
SystemPath = "/system"
// SystemSelinuxLabel is the SELinux label for runtime system related files and directories.
SystemSelinuxLabel = "system_u:object_r:system_t:s0"
// RunPath is the path to the system run directory.
RunPath = "/run"
// RunSelinuxLabel is the SELinux label for the run directory.
RunSelinuxLabel = "system_u:object_r:run_t:s0"
// VarSystemOverlaysPath is the path where overlay mounts are created.
VarSystemOverlaysPath = "/var/system/overlays"
@ -690,9 +717,15 @@ const (
// SystemVarPath is the path to the system var directory.
SystemVarPath = SystemPath + "/var"
// SystemVarSelinuxLabel is the SELinux label for the system var directory.
SystemVarSelinuxLabel = "system_u:object_r:system_var_t:s0"
// SystemEtcPath is the path to the system etc directory.
SystemEtcPath = SystemPath + "/etc"
// SystemEtcSelinuxLabel is the SELinux label for the system etc directory.
SystemEtcSelinuxLabel = "system_u:object_r:system_etc_t:s0"
// SystemLibexecPath is the path to the system libexec directory.
SystemLibexecPath = SystemPath + "/libexec"
@ -855,6 +888,9 @@ const (
// NoneCNI is the string to indicate that CNI will not be managed by Talos.
NoneCNI = "none"
// CNISELinuxLabel is the SELinux label to be set for CNI configuration overlay mount.
CNISELinuxLabel = "system_u:object_r:cni_conf_t:s0"
// DefaultIPv4PodNet is the IPv4 network to be used for kubernetes Pods.
DefaultIPv4PodNet = "10.244.0.0/16"
@ -1202,12 +1238,18 @@ const (
CodeKey = "code"
)
// SELinuxLabeledPath is an object used to describe overlay mounts with SELinux labels applied on creation.
type SELinuxLabeledPath struct {
Path string
Label string
}
// Overlays is the set of paths to create overlay mounts for.
var Overlays = []string{
"/etc/cni",
KubernetesConfigBaseDir,
"/usr/libexec/kubernetes",
"/opt",
var Overlays = []SELinuxLabeledPath{
{"/etc/cni", CNISELinuxLabel},
{KubernetesConfigBaseDir, KubernetesConfigSELinuxLabel},
{"/usr/libexec/kubernetes", KubeletPluginsSELinuxLabel},
{"/opt", OptSELinuxLabel},
}
// DefaultDroppedCapabilities is the default set of capabilities to drop.
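Review bot: The new exported label constants spell the initialism two ways: `StateSelinuxLabel`, `EphemeralSelinuxLabel`, `SystemSelinuxLabel`, `RunSelinuxLabel`, `SystemVarSelinuxLabel` and `SystemEtcSelinuxLabel` on one side, and `OptSELinuxLabel`, `KubernetesConfigSELinuxLabel`, `KubeletPluginsSELinuxLabel`, `EtcdDataSELinuxLabel`, `CNISELinuxLabel` and the `SELinuxLabeledPath` type on the other. Go convention keeps an initialism in one case, so I would rename the first group to the `...SELinuxLabel` form (e.g. `StateSELinuxLabel`) before other packages depend on these names. In the last hunk the `Overlays` entries use positional literals; keyed fields such as `{Path: "/etc/cni", Label: CNISELinuxLabel}` keep a path and its security context from being swapped silently if the struct ever gains or reorders fields. `Overlays` also changes type from `[]string` to `[]SELinuxLabeledPath`, which breaks any importer that ranges over it as strings, so it is worth a line in the commit description.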


@ -147,6 +147,8 @@ type EncryptionKey struct {
type MountSpec struct {
// Mount path for the volume.
TargetPath string `yaml:"targetPath" protobuf:"1"`
// SELinux label for the volume.
SelinuxLabel string `yaml:"selinuxLabel" protobuf:"2"`
}
// NewVolumeConfig initializes a BlockVolumeConfig resource.
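Review bot: The comment on the new `SelinuxLabel` field does not say what form the value takes or what an empty value means. The label constants this commit adds are full security contexts, so the comment could read `// SELinux label for the volume: a full security context (user:role:type:level), e.g. "system_u:object_r:ephemeral_t:s0".` If an empty string is meant to leave the mount unlabeled, state that here too. That part is an assumption, since the code that applies the label is not visible in this section.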


@ -21,6 +21,7 @@ import (
"github.com/docker/docker/api/types/network"
"github.com/docker/go-connections/nat"
"github.com/hashicorp/go-multierror"
"github.com/siderolabs/gen/xslices"
"github.com/siderolabs/talos/pkg/machinery/config/machine"
"github.com/siderolabs/talos/pkg/machinery/constants"
@ -125,7 +126,12 @@ func (p *provisioner) createNode(ctx context.Context, clusterReq provision.Clust
})
}
for _, path := range append([]string{constants.EphemeralMountPoint, constants.StateMountPoint}, constants.Overlays...) {
for _, path := range append(
[]string{constants.EphemeralMountPoint, constants.StateMountPoint},
xslices.Map(constants.Overlays, func(overlay constants.SELinuxLabeledPath) string {
return overlay.Path
})...,
) {
mounts = append(mounts, mount.Mount{
Type: mount.TypeVolume,
Target: path,


@ -1004,6 +1004,7 @@ MountSpec is the spec for volume mount.
| Field | Type | Label | Description |
| ----- | ---- | ----- | ----------- |
| target_path | [string](#string) | | |
| selinux_label | [string](#string) | | |