diff --git a/api/resource/definitions/block/block.proto b/api/resource/definitions/block/block.proto index cc184cbbf..ce045efe9 100755 --- a/api/resource/definitions/block/block.proto +++ b/api/resource/definitions/block/block.proto @@ -112,6 +112,7 @@ message LocatorSpec { // MountSpec is the spec for volume mount. message MountSpec { string target_path = 1; + string selinux_label = 2; } // PartitionSpec is the spec for volume partitioning. diff --git a/internal/app/machined/pkg/controllers/block/user_disk_config.go b/internal/app/machined/pkg/controllers/block/user_disk_config.go index 00818d534..3c3ac9e03 100644 --- a/internal/app/machined/pkg/controllers/block/user_disk_config.go +++ b/internal/app/machined/pkg/controllers/block/user_disk_config.go @@ -123,6 +123,7 @@ func (ctrl *UserDiskConfigController) Run(ctx context.Context, r controller.Runt Match: partitionIdxMatch(resolvedDevicePath, idx+1), } + // TODO: label user disks vc.TypedSpec().Mount = block.MountSpec{ TargetPath: part.MountPoint(), } diff --git a/internal/app/machined/pkg/controllers/block/volume_config.go b/internal/app/machined/pkg/controllers/block/volume_config.go index 0884245ee..46709ede5 100644 --- a/internal/app/machined/pkg/controllers/block/volume_config.go +++ b/internal/app/machined/pkg/controllers/block/volume_config.go @@ -232,7 +232,8 @@ func (ctrl *VolumeConfigController) manageEphemeral(config cfg.Config) func(vc * } vc.TypedSpec().Mount = block.MountSpec{ - TargetPath: constants.EphemeralMountPoint, + TargetPath: constants.EphemeralMountPoint, + SelinuxLabel: constants.EphemeralSelinuxLabel, } vc.TypedSpec().Locator = block.LocatorSpec{ 
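Review bot: The new `selinux_label` field in `MountSpec` carries no comment, so the API leaves its contract undocumented — what context it holds and, more importantly, what an empty value means. Other hunks in this commit deliberately pass an empty label through (user disks in `user_disk_config.go`, `/system/state` in `startup/tasks.go`), so readers of the proto need that semantics spelled out. I would add `// selinux_label is the SELinux context applied to the mount target; an empty value leaves the target's label untouched.` above the field, after confirming that `selinux.SetLabel` really treats an empty label that way.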
@@ -254,7 +255,8 @@ func (ctrl *VolumeConfigController) manageStateConfigPresent(config cfg.Config) return func(vc *block.VolumeConfig) error { vc.TypedSpec().Type = block.VolumeTypePartition vc.TypedSpec().Mount = block.MountSpec{ - TargetPath: constants.StateMountPoint, + TargetPath: constants.StateMountPoint, + SelinuxLabel: constants.StateSelinuxLabel, } vc.TypedSpec().Provisioning = block.ProvisioningSpec{ @@ -293,7 +295,8 @@ func (ctrl *VolumeConfigController) manageStateNoConfig(encryptionMeta *runtime. return func(vc *block.VolumeConfig) error { vc.TypedSpec().Type = block.VolumeTypePartition vc.TypedSpec().Mount = block.MountSpec{ - TargetPath: constants.StateMountPoint, + TargetPath: constants.StateMountPoint, + SelinuxLabel: constants.StateSelinuxLabel, } match := labelVolumeMatchAndNonEmpty(constants.StatePartitionLabel) diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go index e4473889d..2b922a8e3 100644 --- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go +++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go @@ -362,7 +362,7 @@ func StartDashboard(_ runtime.Sequence, _ any) (runtime.TaskExecutionFunc, strin // StartUdevd represents the task to start udevd. func StartUdevd(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) { - mp := mountv2.NewSystemOverlay([]string{constants.UdevDir}, constants.UdevDir, mountv2.WithShared(), mountv2.WithFlags(unix.MS_I_VERSION)) + mp := mountv2.NewSystemOverlay([]string{constants.UdevDir}, constants.UdevDir, mountv2.WithShared(), mountv2.WithFlags(unix.MS_I_VERSION), mountv2.WithSelinuxLabel(constants.UdevRulesLabel)) if _, err = mp.Mount(); err != nil { return err 
@@ -531,9 +531,10 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string } for _, dir := range []struct { - Path string - Mode os.FileMode - UID, GID int + Path string + Mode os.FileMode + UID, GID int + SELinuxLabel string }{ { Path: "/var/log", @@ -552,8 +553,14 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string Mode: 0o755, }, { - Path: "/var/lib/kubelet", - Mode: 0o700, + Path: "/var/lib/containerd", + Mode: 0o000, + SELinuxLabel: "system_u:object_r:containerd_state_t:s0", + }, + { + Path: "/var/lib/kubelet", + Mode: 0o700, + SELinuxLabel: "system_u:object_r:kubelet_state_t:s0", }, { Path: "/var/run/lock", @@ -578,6 +585,10 @@ func SetupVarDirectory(runtime.Sequence, any) (runtime.TaskExecutionFunc, string return err } + if err := selinux.SetLabel(dir.Path, dir.SELinuxLabel); err != nil { + return err + } + if dir.UID != 0 || dir.GID != 0 { if err := os.Chown(dir.Path, dir.UID, dir.GID); err != nil { return err @@ -661,6 +672,7 @@ func MountUserDisks(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { volumeStatus.TypedSpec().MountLocation, volumeConfig.TypedSpec().Mount.TargetPath, volumeStatus.TypedSpec().Filesystem.String(), + mountv2.WithSelinuxLabel(volumeConfig.TypedSpec().Mount.SelinuxLabel), )) } diff --git a/internal/app/machined/pkg/startup/tasks.go b/internal/app/machined/pkg/startup/tasks.go index 204734426..cd4744e78 100644 --- a/internal/app/machined/pkg/startup/tasks.go +++ b/internal/app/machined/pkg/startup/tasks.go @@ -17,6 +17,7 @@ import ( "github.com/siderolabs/talos/internal/app/machined/pkg/runtime" "github.com/siderolabs/talos/internal/pkg/environment" "github.com/siderolabs/talos/internal/pkg/mount/v2" + "github.com/siderolabs/talos/internal/pkg/selinux" "github.com/siderolabs/talos/pkg/machinery/constants" "github.com/siderolabs/talos/pkg/machinery/resources/block" ) 
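Review bot: In the `@@ -578` hunk `selinux.SetLabel(dir.Path, dir.SELinuxLabel)` runs for every table entry, including those that declare no `SELinuxLabel` (`/var/log`, `/var/run/lock`, …), so correctness rests on `SetLabel` treating an empty label as a no-op — worth confirming and stating in a comment on the call, and the bare `return err` there could carry the path (`return fmt.Errorf("labeling %q: %w", dir.Path, err)` if `fmt` is in scope in this file). In the `@@ -552` hunk the new `/var/lib/containerd` entry is created with `Mode: 0o000`, which is unusual enough to need a one-line comment on intent, presumably that DAC keeps every non-root user out while the label governs the confined domains. The literal contexts `system_u:object_r:containerd_state_t:s0` and `system_u:object_r:kubelet_state_t:s0` in that hunk are repeated verbatim in `internal/integration/api/selinux.go`, so they belong in `constants` next to the other labels. The `@@ -531` hunk's new `SELinuxLabel string` field should likewise note that it may be empty.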
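Review bot: `mountv2.WithSelinuxLabel(volumeConfig.TypedSpec().Mount.SelinuxLabel)` in the `@@ -661` hunk forwards whatever the volume config carries, and for user disks `user_disk_config.go` now builds the `MountSpec` with no label at all (its hunk only leaves `// TODO: label user disks`). User-disk mounts therefore reach `selinux.SetLabel` with an empty label on every boot; if that is a deliberate no-op until the TODO is resolved, say so next to the option, e.g. `// user disks carry no label yet (see user_disk_config.go); an empty label must be a no-op in SetLabel`. `MountUserDisks`'s body continues outside the hunk.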
@@ -34,6 +35,21 @@ func SetupSystemDirectories(ctx context.Context, log *zap.Logger, rt runtime.Run if err := os.MkdirAll(path, 0o700); err != nil { return fmt.Errorf("setupSystemDirectories: %w", err) } + + var label string + + switch path { + case constants.SystemEtcPath: + label = constants.SystemEtcSelinuxLabel + case constants.SystemVarPath: + label = constants.SystemVarSelinuxLabel + default: // /system/state is another mount + label = "" + } + + if err := selinux.SetLabel(path, label); err != nil { + return err + } } for _, path := range []string{constants.SystemRunPath} { diff --git a/internal/app/machined/pkg/system/services/etcd.go b/internal/app/machined/pkg/system/services/etcd.go index a7b7cd11d..0eaeb849a 100644 --- a/internal/app/machined/pkg/system/services/etcd.go +++ b/internal/app/machined/pkg/system/services/etcd.go @@ -40,6 +40,7 @@ import ( "github.com/siderolabs/talos/internal/pkg/containers/image" "github.com/siderolabs/talos/internal/pkg/environment" "github.com/siderolabs/talos/internal/pkg/etcd" + "github.com/siderolabs/talos/internal/pkg/selinux" "github.com/siderolabs/talos/pkg/argsbuilder" "github.com/siderolabs/talos/pkg/conditions" "github.com/siderolabs/talos/pkg/filetree" @@ -93,6 +94,11 @@ func (e *Etcd) PreFunc(ctx context.Context, r runtime.Runtime) error { return err } + // Relabel in case of upgrade from older version or SELinux being disabled and then enabled. + if err := selinux.SetLabel(constants.EtcdDataPath, constants.EtcdDataSELinuxLabel); err != nil { + return err + } + // Make sure etcd user can access files in the data directory. if err := filetree.ChownRecursive(constants.EtcdDataPath, constants.EtcdUserID, constants.EtcdUserID); err != nil { return err diff --git a/internal/app/machined/pkg/system/services/extension.go b/internal/app/machined/pkg/system/services/extension.go index ab09ee43e..4e3ac0827 100644 --- a/internal/app/machined/pkg/system/services/extension.go 
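Review bot: The error from `selinux.SetLabel(path, label)` is returned bare while the `os.MkdirAll` failure a few lines above it is wrapped as `fmt.Errorf("setupSystemDirectories: %w", err)`, so a labeling failure surfaces without the task name or the path that failed. I would use `return fmt.Errorf("setupSystemDirectories: labeling %q: %w", path, err)`. The `default` arm's `label = ""` only restates the zero value of `var label string`; keeping its comment and dropping the assignment reads cleaner. `SetupSystemDirectories` continues outside the hunk.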
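Review bot: The comment on the new `selinux.SetLabel(constants.EtcdDataPath, constants.EtcdDataSELinuxLabel)` call in `PreFunc` justifies it as covering upgrades, but the call is handed a single path, whereas the `filetree.ChownRecursive` directly below walks the whole tree; if `selinux.SetLabel` is likewise non-recursive, files written by a pre-SELinux version keep their old context and the upgrade case the comment describes is not actually handled. Please confirm, and either make the relabel recursive or narrow the comment to `// Label the data directory itself; files already inside it are not relabeled.` Wrapping the returned error with the path would also help locate the failure, if `fmt` is imported here.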
+++ b/internal/app/machined/pkg/system/services/extension.go @@ -52,6 +52,7 @@ func (svc *Extension) PreFunc(ctx context.Context, r runtime.Runtime) error { // re-mount service rootfs as overlay rw mount to allow containerd to mount there /dev, /proc, etc. rootfsPath := filepath.Join(constants.ExtensionServiceRootfsPath, svc.Spec.Name) + // TODO: label system extensions overlay := mount.NewSystemOverlay( []string{rootfsPath}, rootfsPath, diff --git a/internal/integration/api/selinux.go b/internal/integration/api/selinux.go index 63078d2c3..1527d337e 100644 --- a/internal/integration/api/selinux.go +++ b/internal/integration/api/selinux.go @@ -10,6 +10,7 @@ import ( "bytes" "context" "io" + "maps" "path/filepath" "strconv" "strings" @@ -17,6 +18,7 @@ import ( "github.com/siderolabs/go-pointer" "github.com/siderolabs/go-procfs/procfs" + "golang.org/x/exp/slices" "github.com/siderolabs/talos/cmd/talosctl/pkg/talos/helpers" "github.com/siderolabs/talos/internal/integration/base" 
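Review bot: The `@@ -17` hunk imports `golang.org/x/exp/slices` while the `@@ -10` hunk right above it adds the standard-library `maps`, which has only existed since Go 1.21 — the same release that promoted `slices` into the standard library. The one call this file makes on it, `slices.Contains`, is available there, so the import should be `"slices"` in the stdlib group rather than the experimental package.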
@@ -67,30 +69,45 @@ func (suite *SELinuxSuite) getLabel(nodeCtx context.Context, pid int32) string { return string(bytes.TrimSpace(value)) } -// TestRuntimeFileLabels reads labels of runtime-created files from xattrs -// to ensure SELinux labels for files are set when they are created. -func (suite *SELinuxSuite) TestRuntimeFileLabels() { +// TestFileMountLabels reads labels of runtime-created files and mounts from xattrs +// to ensure SELinux labels for files are set when they are created and FS's are mounted with correct labels. +// FIXME: cancel the test in case system was upgraded. +func (suite *SELinuxSuite) TestFileMountLabels() { workers := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeWorker) controlplanes := suite.DiscoverNodeInternalIPsByType(suite.ctx, machine.TypeControlPlane) expectedLabelsWorker := map[string]string{ + // Mounts + constants.SystemPath: constants.SystemSelinuxLabel, + constants.EphemeralMountPoint: constants.EphemeralSelinuxLabel, + constants.StateMountPoint: constants.StateSelinuxLabel, + constants.SystemEtcPath: constants.SystemEtcSelinuxLabel, + constants.SystemVarPath: constants.SystemVarSelinuxLabel, + constants.RunPath: constants.RunSelinuxLabel, + "/var/run": constants.RunSelinuxLabel, + // Runtime files constants.APIRuntimeSocketPath: constants.APIRuntimeSocketLabel, constants.APISocketPath: constants.APISocketLabel, constants.DBusClientSocketPath: constants.DBusClientSocketLabel, constants.UdevRulesPath: constants.UdevRulesLabel, constants.DBusServiceSocketPath: constants.DBusServiceSocketLabel, constants.MachineSocketPath: constants.MachineSocketLabel, + // Overlays + "/etc/cni": constants.CNISELinuxLabel, + constants.KubernetesConfigBaseDir: constants.KubernetesConfigSELinuxLabel, + "/usr/libexec/kubernetes": constants.KubeletPluginsSELinuxLabel, + "/opt": constants.OptSELinuxLabel, + "/opt/cni": "system_u:object_r:cni_plugin_t:s0", + "/opt/containerd": "system_u:object_r:containerd_plugin_t:s0", + // 
Directories + "/var/lib/containerd": "system_u:object_r:containerd_state_t:s0", + "/var/lib/kubelet": "system_u:object_r:kubelet_state_t:s0", } + // Only running on controlplane expectedLabelsControlPlane := map[string]string{ - constants.APIRuntimeSocketPath: constants.APIRuntimeSocketLabel, - constants.APISocketPath: constants.APISocketLabel, - constants.DBusClientSocketPath: constants.DBusClientSocketLabel, - constants.UdevRulesPath: constants.UdevRulesLabel, - constants.DBusServiceSocketPath: constants.DBusServiceSocketLabel, - constants.MachineSocketPath: constants.MachineSocketLabel, - // Only running on controlplane constants.EtcdPKIPath: constants.EtcdPKISELinuxLabel, + constants.EtcdDataPath: constants.EtcdDataSELinuxLabel, constants.KubernetesAPIServerConfigDir: constants.KubernetesAPIServerConfigDirSELinuxLabel, constants.KubernetesAPIServerSecretsDir: constants.KubernetesAPIServerSecretsDirSELinuxLabel, constants.KubernetesControllerManagerSecretsDir: constants.KubernetesControllerManagerSecretsDirSELinuxLabel, @@ -98,12 +115,19 @@ func (suite *SELinuxSuite) TestRuntimeFileLabels() { constants.KubernetesSchedulerSecretsDir: constants.KubernetesSchedulerSecretsDirSELinuxLabel, constants.TrustdRuntimeSocketPath: constants.TrustdRuntimeSocketLabel, } + maps.Copy(expectedLabelsControlPlane, expectedLabelsWorker) suite.checkFileLabels(workers, expectedLabelsWorker) suite.checkFileLabels(controlplanes, expectedLabelsControlPlane) } +//nolint:gocyclo func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[string]string) { + paths := make([]string, 0, len(expectedLabels)) + for k := range expectedLabels { + paths = append(paths, k) + } + for _, node := range nodes { nodeCtx := client.WithNode(suite.ctx, node) cmdline := suite.ReadCmdline(nodeCtx) 
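Review bot: The `expectedLabelsWorker` map mixes `constants.*` labels with literal contexts for `/opt/cni`, `/opt/containerd`, `/var/lib/containerd` and `/var/lib/kubelet`, and the last two literals are repeated verbatim in `SetupVarDirectory` in `v1alpha1_sequencer_tasks.go`. A test that hard-codes the string separately from the code that applies it can drift silently; the labels belong in `constants` like the others so both sides read one definition. The `FIXME: cancel the test in case system was upgraded` names a real concern but gives no hint of how an upgraded node would be detected; a sentence on what to check would make it actionable.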
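Review bot: `paths` is a slice built from the keys of `expectedLabels` solely so that the `@@ -129` hunk can call `slices.Contains(paths, info.Name)`, which turns a map lookup into a linear scan for every file entry streamed back. `_, isExpected := expectedLabels[info.Name]` does the same job without the extra slice or the new import. `checkFileLabels`'s body continues in the following hunks.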
@@ -129,6 +153,11 @@ func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[st suite.Require().NoError(err) suite.Require().NoError(helpers.ReadGRPCStream(stream, func(info *machineapi.FileInfo, node string, multipleNodes bool) error { + // E.g. /var/lib should inherit /var label, while /var/run is a new mountpoint + if slices.Contains(paths, info.Name) && info.Name != path { + return nil + } + suite.Require().NotNil(info.Xattrs) found := false @@ -136,7 +165,7 @@ func (suite *SELinuxSuite) checkFileLabels(nodes []string, expectedLabels map[st for _, l := range info.Xattrs { if l.Name == "security.selinux" { got := string(bytes.Trim(l.Data, "\x00\n")) - suite.Require().Equal(got, label, "expected %s to have label %s, got %s", path, label, got) + suite.Require().Contains(got, label, "expected %s to have label %s, got %s", path, label, got) found = true @@ -225,7 +254,8 @@ func (suite *SELinuxSuite) TestProcessLabels() { } } -// TODO: test for volume labels +// TODO: test for all machined-created files +// TODO: test for system and CRI container labels // TODO: test labels for unconfined system extensions, pods // TODO: test for no avc denials in dmesg // TODO: start a pod and ensure access to restricted resources is denied diff --git a/internal/integration/k8s/tink.go b/internal/integration/k8s/tink.go index 84b2ce948..968312f3b 100644 --- a/internal/integration/k8s/tink.go +++ b/internal/integration/k8s/tink.go 
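Review bot: Changing `Require().Equal(got, label, …)` to `Require().Contains(got, label, …)` weakens the check to a substring match: any longer context embedding the expected one (for example the same type with an extra MLS/MCS range component appended) now passes. If the intent is to tolerate a range suffix, `strings.HasPrefix(got, label)` plus a comment saying so is tighter; otherwise equality should stay. The new skip `slices.Contains(paths, info.Name) && info.Name != path` also deserves a note that it relies on `expectedLabels` listing every nested mountpoint, since an unlisted sub-mount is compared against its parent's label and fails the test.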
@@ -420,10 +420,10 @@ func (suite *TinkSuite) getTinkManifests(namespace, serviceName, ssName, talosIm }, }, xslices.Map( - xslices.Filter(constants.Overlays, func(overlay string) bool { return overlay != "/opt" }), // /opt/cni/bin contains CNI binaries - func(mountPath string) overlayMountSpec { + xslices.Filter(constants.Overlays, func(overlay constants.SELinuxLabeledPath) bool { return overlay.Path != "/opt" }), // /opt/cni/bin contains CNI binaries + func(mnt constants.SELinuxLabeledPath) overlayMountSpec { return overlayMountSpec{ - MountPoint: mountPath, + MountPoint: mnt.Path, Size: "100Mi", } }, diff --git a/internal/pkg/mount/system.go b/internal/pkg/mount/system.go index 6f4b1b268..f0cc88604 100644 --- a/internal/pkg/mount/system.go +++ b/internal/pkg/mount/system.go @@ -42,6 +42,8 @@ func SystemPartitionMount(ctx context.Context, r runtime.Runtime, logger *log.Lo return fmt.Errorf("error getting volume config %q: %w", label, err) } + opts = append(opts, mountv2.WithSelinuxLabel(volumeConfig.TypedSpec().Mount.SelinuxLabel)) + mountpoint := mountv2.NewPoint( volumeStatus.TypedSpec().MountLocation, volumeConfig.TypedSpec().Mount.TargetPath, diff --git a/internal/pkg/mount/v2/mount.go b/internal/pkg/mount/v2/mount.go index 96f1a81bf..2d6e1fe2c 100644 --- a/internal/pkg/mount/v2/mount.go +++ b/internal/pkg/mount/v2/mount.go @@ -18,6 +18,7 @@ import ( "github.com/siderolabs/go-retry/retry" "golang.org/x/sys/unix" + "github.com/siderolabs/talos/internal/pkg/selinux" "github.com/siderolabs/talos/pkg/machinery/constants" ) @@ -29,8 +30,9 @@ type Point struct { flags uintptr data string - shared bool - extraDirs []string + shared bool + extraDirs []string + selinuxLabel string } // NewPointOption is a mount point option. 
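Review bot: `opts = append(opts, mountv2.WithSelinuxLabel(...))` in `SystemPartitionMount` appends to what appears to be the caller's variadic `opts` slice (the signature is outside the hunk); if a caller passes a slice with spare capacity, the append writes the option into the caller's backing array, and a reused slice would carry it into the next call. Building a fresh slice avoids the aliasing: `opts = append(opts[:len(opts):len(opts)], mountv2.WithSelinuxLabel(volumeConfig.TypedSpec().Mount.SelinuxLabel))`. Because the option is appended last it also overrides any `WithSelinuxLabel` the caller supplied; a comment is warranted if that precedence is intended.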
@@ -84,6 +86,13 @@ func WithExtraDirs(dirs ...string) NewPointOption { } } +// WithSelinuxLabel sets the mount SELinux label. +func WithSelinuxLabel(label string) NewPointOption { + return func(p *Point) { + p.selinuxLabel = label + } +} + // NewPoint creates a new mount point. func NewPoint(source, target, fstype string, opts ...NewPointOption) *Point { p := &Point{ @@ -290,7 +299,11 @@ func (p *Point) Move(newTarget string) error { } func (p *Point) mount() error { - return unix.Mount(p.source, p.target, p.fstype, p.flags, p.data) + if err := unix.Mount(p.source, p.target, p.fstype, p.flags, p.data); err != nil { + return err + } + + return selinux.SetLabel(p.target, p.selinuxLabel) } func (p *Point) unmount(printer func(string, ...any)) error { diff --git a/internal/pkg/mount/v2/overlay.go b/internal/pkg/mount/v2/overlay.go index 053998c0b..b4fc871d8 100644 --- a/internal/pkg/mount/v2/overlay.go +++ b/internal/pkg/mount/v2/overlay.go @@ -14,7 +14,7 @@ import ( // OverlayMountPoints returns the mountpoints required to boot the system. // These mountpoints are used as overlays on top of the read only rootfs. func OverlayMountPoints() Points { - return xslices.Map(constants.Overlays, func(target string) *Point { - return NewVarOverlay([]string{target}, target, WithFlags(unix.MS_I_VERSION)) + return xslices.Map(constants.Overlays, func(target constants.SELinuxLabeledPath) *Point { + return NewVarOverlay([]string{target.Path}, target.Path, WithFlags(unix.MS_I_VERSION), WithSelinuxLabel(target.Label)) }) } diff --git a/internal/pkg/mount/v2/pseudo.go b/internal/pkg/mount/v2/pseudo.go index e75ef888c..ce8bbde2b 100644 --- a/internal/pkg/mount/v2/pseudo.go +++ b/internal/pkg/mount/v2/pseudo.go 
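Review bot: In `(p *Point) mount()` a failure of `selinux.SetLabel` after `unix.Mount` succeeded returns an error while the filesystem stays mounted, so the state the caller observes no longer matches the error it received, and a retrying caller hits a target that is already mounted. Unmounting on the label failure keeps mount-and-label atomic from the caller's point of view. `SetLabel` is also invoked for every point, including those built without `WithSelinuxLabel` (empty `selinuxLabel`), which presumes an empty label is a no-op; the `@@ -29` hunk's new `selinuxLabel string` field should say so, e.g. `// selinuxLabel, when non-empty, is applied to target after a successful mount.`
```go
func (p *Point) mount() error {
	if err := unix.Mount(p.source, p.target, p.fstype, p.flags, p.data); err != nil {
		return err
	}

	if err := selinux.SetLabel(p.target, p.selinuxLabel); err != nil {
		// roll the mount back so the caller never sees a mounted-but-unlabeled target
		unix.Unmount(p.target, 0) //nolint:errcheck

		return err
	}

	return nil
}
```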
@@ -24,8 +24,8 @@ func Pseudo() Points { // PseudoLate returns the mountpoints mounted later in the boot cycle. func PseudoLate() Points { return Points{ - NewPoint("tmpfs", "/run", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME), WithData("mode=0755")), - NewPoint("tmpfs", "/system", "tmpfs", WithData("mode=0755")), + NewPoint("tmpfs", "/run", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_RELATIME), WithData("mode=0755"), WithSelinuxLabel(constants.RunSelinuxLabel)), + NewPoint("tmpfs", "/system", "tmpfs", WithData("mode=0755"), WithSelinuxLabel(constants.SystemSelinuxLabel)), NewPoint("tmpfs", "/tmp", "tmpfs", WithFlags(unix.MS_NOSUID|unix.MS_NOEXEC|unix.MS_NODEV), WithData("size=64M"), WithData("mode=0755")), } } diff --git a/internal/pkg/selinux/policy/file_contexts b/internal/pkg/selinux/policy/file_contexts index f1d6b05c2..47dd3491c 100644 --- a/internal/pkg/selinux/policy/file_contexts +++ b/internal/pkg/selinux/policy/file_contexts @@ -1,7 +1,13 @@ +/opt(/.*)? system_u:object_r:opt_t:s0 /sbin(/.*)? system_u:object_r:sbin_exec_t:s0 +/etc/cni(/.*)? system_u:object_r:cni_conf_t:s0 +/opt/cni(/.*)? system_u:object_r:cni_plugin_t:s0 /usr/sbin(/.*)? system_u:object_r:sbin_exec_t:s0 /usr/lib/udev(/.*)? system_u:object_r:udev_exec_t:s0 +/etc/kubernetes(/.*)? system_u:object_r:k8s_conf_t:s0 +/opt/containerd(/.*)? system_u:object_r:containerd_plugin_t:s0 /usr/lib/udev/rules.d(/.*)? system_u:object_r:udev_rules_t:s0 +/usr/libexec/kubernetes(/.*)? system_u:object_r:k8s_plugin_t:s0 / system_u:object_r:rootfs_t:s0 /bin/runc system_u:object_r:containerd_exec_t:s0 /sbin/init -- system_u:object_r:init_exec_t:s0 diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33 index 8abf7cf23..9c2fd604c 100644 Binary files a/internal/pkg/selinux/policy/policy.33 and b/internal/pkg/selinux/policy/policy.33 differ 
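Review bot: In `PseudoLate` the `/run` and `/system` tmpfs points now receive `WithSelinuxLabel`, but the `/tmp` tmpfs on the next line is left without one and keeps whatever default context tmpfs assigns. If that is deliberate, a short comment on the `/tmp` line would stop the next reader from treating it as an omission; if not, a corresponding constant would complete the set.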
diff --git a/internal/pkg/selinux/policy/selinux/common/files.cil b/internal/pkg/selinux/policy/selinux/common/files.cil new file mode 100644 index 000000000..e50448106 --- /dev/null +++ b/internal/pkg/selinux/policy/selinux/common/files.cil @@ -0,0 +1,26 @@ +; Runtime and mounted filesystems +(type system_t) +(call filesystem_f (system_t)) +(allow system_t tmpfs_t (filesystem (associate))) + +(type system_etc_t) +(call system_f (system_etc_t)) +(allow system_etc_t fs_t (filesystem (associate))) +(allow system_etc_t tmpfs_t (filesystem (associate))) +(type system_var_t) +(call system_f (system_var_t)) +(allow system_var_t fs_t (filesystem (associate))) +(allow system_var_t tmpfs_t (filesystem (associate))) + +(type ephemeral_t) +(call filesystem_f (ephemeral_t)) +(type system_state_t) +(call filesystem_f (system_state_t)) + +(type run_t) +(call filesystem_f (run_t)) +(allow run_t tmpfs_t (filesystem (associate))) + +(type opt_t) +(call filesystem_f (opt_t)) +(filecon "/opt(/.*)?" any (system_u object_r opt_t (systemLow systemLow))) diff --git a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil index 55a5af322..9288c081a 100644 --- a/internal/pkg/selinux/policy/selinux/common/typeattributes.cil +++ b/internal/pkg/selinux/policy/selinux/common/typeattributes.cil @@ -61,6 +61,7 @@ ) (allow filesystem_f self (filesystem (associate))) +(allow any_f fs_t (filesystem (associate))) (allow filesystem_f fs_t (filesystem (associate))) (typeattribute service_exec_f) diff --git a/internal/pkg/selinux/policy/selinux/services/cri.cil b/internal/pkg/selinux/policy/selinux/services/cri.cil index 1c1029904..58440404a 100644 --- a/internal/pkg/selinux/policy/selinux/services/cri.cil +++ b/internal/pkg/selinux/policy/selinux/services/cri.cil 
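Review bot: The new `files.cil` declares `system_t`, `system_etc_t`, `system_var_t`, `ephemeral_t`, `system_state_t`, `run_t` and `opt_t` without saying which mount each one labels or which Go constant carries the context, so the link to `constants.SystemSelinuxLabel` and its siblings can only be recovered by grepping. A one-line comment per type, e.g. `; /system tmpfs, applied via constants.SystemSelinuxLabel`, would keep policy and code in step. `system_etc_t`/`system_var_t` get explicit `fs_t` and `tmpfs_t` associate rules while `ephemeral_t`/`system_state_t` rely on `filesystem_f` alone; if that difference is intentional, a comment saying why would help the next policy change.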
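Review bot: `(allow any_f fs_t (filesystem (associate)))` grants every type carrying `any_f` permission to live on `fs_t` filesystems, which is considerably broader than the `filesystem_f` rule it sits beside and makes the following `(allow filesystem_f fs_t (filesystem (associate)))` redundant if `filesystem_f` types also carry `any_f`. A comment stating which concrete type needed this (the commit does not show one) would let a later reader narrow it again; without it the rule reads as a blanket escape hatch.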
@@ -2,24 +2,48 @@ (type pod_containerd_t) (call service_p (pod_containerd_t containerd_exec_t)) -; TODO: label /run +(type pod_containerd_socket_t) +(call system_socket_f (pod_containerd_socket_t)) +(typetransition pod_containerd_t run_t sock_file pod_containerd_socket_t) (allow pod_containerd_t pod_p (process2 (nnp_transition nosuid_transition))) (allow pod_containerd_t pod_p (process (transition))) (type pod_t) (call pod_p (pod_t)) -; TODO: label ephemeral +; TODO: What if container is started not from containerd_state_t? +(typetransition pod_containerd_t containerd_state_t process pod_t) +(allow pod_t containerd_state_t (file (entrypoint execute_no_trans))) (type etcd_t) (call pod_p (etcd_t)) -; FIXME: insecure as anyone with access to the pod containerd may obtain this domain (executable in ephemeral) +; FIXME: insecure as anyone with access to the pod containerd may obtain this domain +(allow etcd_t containerd_state_t (file (entrypoint))) (type etcd_pki_t) (call protected_f (etcd_pki_t)) (allow etcd_pki_t tmpfs_t (filesystem (associate))) (allow etcd_t etcd_pki_t (fs_classes (ro))) +(type cni_conf_t) +(call filesystem_f (cni_conf_t)) +(filecon "/etc/cni(/.*)?" any (system_u object_r cni_conf_t (systemLow systemLow))) + +(type cni_plugin_t) +(call filesystem_f (cni_plugin_t)) +(filecon "/opt/cni(/.*)?" any (system_u object_r cni_plugin_t (systemLow systemLow))) + +(type containerd_plugin_t) +(call filesystem_f (containerd_plugin_t)) +(filecon "/opt/containerd(/.*)?" any (system_u object_r containerd_plugin_t (systemLow systemLow))) + +(type etcd_data_t) +(call protected_f (etcd_data_t)) +(allow etcd_t etcd_data_t (fs_classes (rw))) + +(type containerd_state_t) +(call common_f (containerd_state_t)) + (type kube_apiserver_config_t) (call protected_f (kube_apiserver_config_t)) (allow kube_apiserver_config_t tmpfs_t (filesystem (associate))) 
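Review bot: `containerd_state_t` is declared with `(call common_f ...)` while its sibling `kubelet_state_t` in `kubelet.cil` uses `(call system_f ...)`, and the two directories are created side by side in `SetupVarDirectory`; the differing attribute decides which domains may touch pod state versus kubelet state and is not explained. A comment on each `type` line naming the directory and why the attribute differs would make later rule reviews possible. The `; TODO: What if container is started not from containerd_state_t?` above `(typetransition pod_containerd_t containerd_state_t process pod_t)` flags a real gap in the same hunk: a binary launched from any other labeled location would either be denied or, where execute is allowed, stay in `pod_containerd_t` instead of dropping to `pod_t`, which is the first case the `TODO: test for system and CRI container labels` should cover.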
diff --git a/internal/pkg/selinux/policy/selinux/services/kubelet.cil b/internal/pkg/selinux/policy/selinux/services/kubelet.cil index 041775eaa..d451bf6e6 100644 --- a/internal/pkg/selinux/policy/selinux/services/kubelet.cil +++ b/internal/pkg/selinux/policy/selinux/services/kubelet.cil @@ -1,3 +1,15 @@ (type kubelet_t) (call pod_p (kubelet_t)) -; FIXME: insecure as anyone with access to the pod containerd may obtain this domain (executable in ephemeral) +; FIXME: insecure as anyone with access to the pod containerd may obtain this domain +(allow kubelet_t containerd_state_t (file (entrypoint execute_no_trans))) + +(type k8s_conf_t) +(call filesystem_f (k8s_conf_t)) +(filecon "/etc/kubernetes(/.*)?" any (system_u object_r k8s_conf_t (systemLow systemLow))) + +(type k8s_plugin_t) +(call filesystem_f (k8s_plugin_t)) +(filecon "/usr/libexec/kubernetes(/.*)?" any (system_u object_r k8s_plugin_t (systemLow systemLow))) + +(type kubelet_state_t) +(call system_f (kubelet_state_t)) diff --git a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil index 9744bc57b..2b515625f 100644 --- a/internal/pkg/selinux/policy/selinux/services/system-containerd.cil +++ b/internal/pkg/selinux/policy/selinux/services/system-containerd.cil @@ -9,7 +9,9 @@ (type sys_containerd_t) (call service_p (sys_containerd_t containerd_exec_t)) -; TODO: label /system +(type sys_containerd_socket_t) +(call system_socket_f (sys_containerd_socket_t)) +(typetransition sys_containerd_t system_t sock_file sys_containerd_socket_t) (allow sys_containerd_t system_container_p (process2 (nnp_transition nosuid_transition))) (allow sys_containerd_t system_container_p (process (transition))) @@ -22,4 +24,4 @@ ; Talos installer (type installer_t) (call system_container_p (installer_t)) -; TODO: label /system/var where it's stored +(allow installer_t system_var_t (file (entrypoint execute_no_trans))) 
diff --git a/internal/pkg/selinux/policy/selinux/services/udev.cil b/internal/pkg/selinux/policy/selinux/services/udev.cil index 37d81fba2..c47fc7e56 100644 --- a/internal/pkg/selinux/policy/selinux/services/udev.cil +++ b/internal/pkg/selinux/policy/selinux/services/udev.cil @@ -14,7 +14,11 @@ (type udev_t) (call service_p (udev_t udev_exec_t)) -; TODO: label /run +(type udev_socket_t) +(call system_socket_f (udev_socket_t)) +(typetransition udev_t run_t sock_file udev_socket_t) +; udevadm called by machined in its context +(allow init_t udev_t (unix_stream_socket (connectto))) (type modprobe_exec_t) (call system_f (modprobe_exec_t)) diff --git a/pkg/machinery/api/resource/definitions/block/block.pb.go b/pkg/machinery/api/resource/definitions/block/block.pb.go index acede9f76..ff9f172b1 100644 --- a/pkg/machinery/api/resource/definitions/block/block.pb.go +++ b/pkg/machinery/api/resource/definitions/block/block.pb.go @@ -898,7 +898,8 @@ type MountSpec struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - TargetPath string `protobuf:"bytes,1,opt,name=target_path,json=targetPath,proto3" json:"target_path,omitempty"` + TargetPath string `protobuf:"bytes,1,opt,name=target_path,json=targetPath,proto3" json:"target_path,omitempty"` + SelinuxLabel string `protobuf:"bytes,2,opt,name=selinux_label,json=selinuxLabel,proto3" json:"selinux_label,omitempty"` } func (x *MountSpec) Reset() { @@ -938,6 +939,13 @@ func (x *MountSpec) GetTargetPath() string { return "" } +func (x *MountSpec) GetSelinuxLabel() string { + if x != nil { + return x.SelinuxLabel + } + return "" +} + // PartitionSpec is the spec for volume partitioning. type PartitionSpec struct { state protoimpl.MessageState 
@@ -1571,122 +1579,125 @@ var file_resource_definitions_block_block_proto_rawDesc = []byte{ 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x65, 0x78, 0x70, 0x72, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x65, 0x64, 0x45, 0x78, 0x70, 0x72, 0x52, 0x05, 0x6d, 0x61, 0x74, - 0x63, 0x68, 0x22, 0x2c, 0x0a, 0x09, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, + 0x63, 0x68, 0x22, 0x51, 0x0a, 0x09, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x61, 0x74, 0x68, - 0x22, 0x8c, 0x01, 0x0a, 0x0d, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, - 0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x69, 0x6e, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x69, 0x6e, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x19, 0x0a, - 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x04, 0x52, - 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x67, 0x72, 0x6f, 0x77, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x67, 0x72, 0x6f, 0x77, 0x12, 0x14, 0x0a, 0x05, - 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, - 0x65, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x79, 0x70, 0x65, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x79, 0x70, 0x65, 0x55, 0x75, 0x69, 0x64, 0x22, - 0xae, 0x02, 0x0a, 0x10, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, - 0x53, 0x70, 0x65, 0x63, 0x12, 0x53, 0x0a, 0x0d, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x73, 0x65, 0x6c, - 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x74, 0x61, - 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 
0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x44, - 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x0c, 0x64, 0x69, 0x73, - 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x56, 0x0a, 0x0e, 0x70, 0x61, 0x72, - 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, - 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, - 0x65, 0x63, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, - 0x63, 0x12, 0x12, 0x0a, 0x04, 0x77, 0x61, 0x76, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x04, 0x77, 0x61, 0x76, 0x65, 0x12, 0x59, 0x0a, 0x0f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, - 0x74, 0x65, 0x6d, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, - 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, - 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, - 0x6b, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x70, 0x65, 0x63, - 0x52, 0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x53, 0x70, 0x65, 0x63, - 0x22, 0x44, 0x0a, 0x0e, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x70, - 0x65, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x6b, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x73, 0x6b, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x64, - 0x65, 0x76, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x64, - 0x65, 0x76, 0x50, 0x61, 0x74, 0x68, 0x22, 0x30, 0x0a, 0x18, 0x55, 0x73, 0x65, 0x72, 0x44, 
0x69, - 0x73, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, - 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x08, 0x52, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x22, 0xac, 0x03, 0x0a, 0x10, 0x56, 0x6f, 0x6c, - 0x75, 0x6d, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1b, 0x0a, - 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x45, 0x0a, 0x04, 0x74, 0x79, - 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, - 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, - 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, - 0x65, 0x12, 0x56, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, - 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, - 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, - 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0c, 0x70, 0x72, 0x6f, - 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x12, 0x47, 0x0a, 0x07, 0x6c, 0x6f, 0x63, - 0x61, 0x74, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x74, 0x61, 0x6c, - 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4c, 0x6f, - 0x63, 0x61, 0x74, 0x6f, 0x72, 0x53, 0x70, 0x65, 0x63, 0x52, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74, - 0x6f, 0x72, 0x12, 0x41, 0x0a, 
0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, - 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x52, 0x05, - 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x50, 0x0a, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, - 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f, - 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x45, 0x6e, 0x63, - 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0a, 0x65, 0x6e, 0x63, - 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xa7, 0x05, 0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75, - 0x6d, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x48, 0x0a, 0x05, - 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x74, 0x61, - 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, - 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, - 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, - 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x5f, 0x6d, 0x65, 0x73, 0x73, - 0x61, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, - 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x75, 0x69, 0x64, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, 
0x12, 0x25, 0x0a, 0x0e, 0x70, - 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x75, - 0x69, 0x64, 0x12, 0x58, 0x0a, 0x0e, 0x70, 0x72, 0x65, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x5f, 0x70, - 0x68, 0x61, 0x73, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, - 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, - 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x0c, - 0x70, 0x72, 0x65, 0x46, 0x61, 0x69, 0x6c, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x27, 0x0a, 0x0f, - 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, - 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x4c, 0x6f, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, - 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x12, - 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x04, 0x52, 0x04, 0x73, 0x69, - 0x7a, 0x65, 0x12, 0x55, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, - 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, + 0x12, 0x23, 0x0a, 0x0d, 0x73, 0x65, 0x6c, 0x69, 0x6e, 0x75, 0x78, 0x5f, 0x6c, 0x61, 0x62, 0x65, + 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x73, 0x65, 0x6c, 0x69, 0x6e, 0x75, 0x78, + 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x22, 0x8c, 0x01, 0x0a, 0x0d, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x69, 0x6e, 0x5f, 0x73, + 0x69, 
0x7a, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x69, 0x6e, 0x53, 0x69, + 0x7a, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x6d, 0x61, 0x78, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x12, 0x0a, + 0x04, 0x67, 0x72, 0x6f, 0x77, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x67, 0x72, 0x6f, + 0x77, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x79, 0x70, 0x65, 0x5f, + 0x75, 0x75, 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x79, 0x70, 0x65, + 0x55, 0x75, 0x69, 0x64, 0x22, 0xae, 0x02, 0x0a, 0x10, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, + 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x53, 0x0a, 0x0d, 0x64, 0x69, 0x73, + 0x6b, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x2e, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, + 0x6f, 0x63, 0x6b, 0x2e, 0x44, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x52, 0x0c, 0x64, 0x69, 0x73, 0x6b, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x56, + 0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x70, 0x65, 0x63, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x46, - 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79, 0x70, 0x65, 0x52, 0x0a, 0x66, - 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x25, 0x0a, 0x0e, 0x6d, 0x6f, 0x75, - 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 
0x69, 0x6f, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, - 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x3d, 0x2e, + 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x50, 0x61, 0x72, 0x74, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, 0x12, 0x12, 0x0a, 0x04, 0x77, 0x61, 0x76, 0x65, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x77, 0x61, 0x76, 0x65, 0x12, 0x59, 0x0a, 0x0f, 0x66, 0x69, + 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, + 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, + 0x6d, 0x53, 0x70, 0x65, 0x63, 0x52, 0x0e, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, + 0x6d, 0x53, 0x70, 0x65, 0x63, 0x22, 0x44, 0x0a, 0x0e, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x44, + 0x69, 0x73, 0x6b, 0x53, 0x70, 0x65, 0x63, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x6b, 0x5f, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x73, 0x6b, 0x49, 0x64, + 0x12, 0x19, 0x0a, 0x08, 0x64, 0x65, 0x76, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x64, 0x65, 0x76, 0x50, 0x61, 0x74, 0x68, 0x22, 0x30, 0x0a, 0x18, 0x55, + 0x73, 0x65, 0x72, 0x44, 0x69, 0x73, 0x6b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x72, 0x65, 0x61, 0x64, 0x79, 0x22, 
0xac, 0x03, + 0x0a, 0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, + 0x65, 0x63, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x49, 0x64, 0x12, + 0x45, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x31, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, - 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, - 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x52, 0x12, 0x65, 0x6e, - 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, - 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, - 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x53, 0x69, 0x7a, - 0x65, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x61, - 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, - 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x5a, 0x48, 0x67, - 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, - 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, - 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, - 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x2f, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, + 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 
0x12, 0x56, 0x0a, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, + 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x74, + 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, + 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, + 0x50, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x53, 0x70, 0x65, 0x63, + 0x52, 0x0c, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x12, 0x47, + 0x0a, 0x07, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x2d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, + 0x63, 0x6b, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x53, 0x70, 0x65, 0x63, 0x52, 0x07, + 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x41, 0x0a, 0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, + 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x2e, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, + 0x70, 0x65, 0x63, 0x52, 0x05, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x50, 0x0a, 0x0a, 0x65, 0x6e, + 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, + 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, + 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, 0x63, + 0x6b, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x70, 0x65, 0x63, + 0x52, 0x0a, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xa7, 0x05, 0x0a, + 0x10, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 
0x73, 0x53, 0x70, 0x65, + 0x63, 0x12, 0x48, 0x0a, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, + 0x32, 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, + 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, + 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, + 0x68, 0x61, 0x73, 0x65, 0x52, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x6c, + 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6c, + 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x65, 0x72, 0x72, 0x6f, 0x72, + 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, + 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x12, 0x0a, 0x04, + 0x75, 0x75, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x75, 0x69, 0x64, + 0x12, 0x25, 0x0a, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x75, 0x75, + 0x69, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x55, 0x75, 0x69, 0x64, 0x12, 0x58, 0x0a, 0x0e, 0x70, 0x72, 0x65, 0x5f, 0x66, + 0x61, 0x69, 0x6c, 0x5f, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x32, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, + 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x50, 0x68, + 0x61, 0x73, 0x65, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x46, 0x61, 0x69, 0x6c, 0x50, 0x68, 0x61, 0x73, + 0x65, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x65, + 0x6e, 0x74, 
0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, 0x0f, 0x70, 0x61, + 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x08, 0x20, + 0x01, 0x28, 0x03, 0x52, 0x0e, 0x70, 0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, + 0x64, 0x65, 0x78, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, + 0x04, 0x52, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x12, 0x55, 0x0a, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, + 0x79, 0x73, 0x74, 0x65, 0x6d, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x74, 0x61, + 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, + 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, + 0x6c, 0x6f, 0x63, 0x6b, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x54, 0x79, + 0x70, 0x65, 0x52, 0x0a, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x25, + 0x0a, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x4c, 0x6f, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x6e, 0x0a, 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x0c, 0x20, 0x01, + 0x28, 0x0e, 0x32, 0x3d, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, + 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, + 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x45, 0x6e, 0x63, 0x72, 0x79, + 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, + 0x65, 0x52, 0x12, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, + 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x65, 0x74, 0x74, 0x79, 0x5f, + 0x73, 0x69, 0x7a, 0x65, 0x18, 0x0d, 0x20, 0x01, 
0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x65, 0x74, + 0x74, 0x79, 0x53, 0x69, 0x7a, 0x65, 0x42, 0x74, 0x0a, 0x28, 0x64, 0x65, 0x76, 0x2e, 0x74, 0x61, + 0x6c, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, + 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x62, 0x6c, 0x6f, + 0x63, 0x6b, 0x5a, 0x48, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, + 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, + 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, + 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, + 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/pkg/machinery/api/resource/definitions/block/block_vtproto.pb.go b/pkg/machinery/api/resource/definitions/block/block_vtproto.pb.go index 640a88e21..4132d9661 100644 --- a/pkg/machinery/api/resource/definitions/block/block_vtproto.pb.go +++ b/pkg/machinery/api/resource/definitions/block/block_vtproto.pb.go @@ -829,6 +829,13 @@ func (m *MountSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) { i -= len(m.unknownFields) copy(dAtA[i:], m.unknownFields) } + if len(m.SelinuxLabel) > 0 { + i -= len(m.SelinuxLabel) + copy(dAtA[i:], m.SelinuxLabel) + i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.SelinuxLabel))) + i-- + dAtA[i] = 0x12 + } if len(m.TargetPath) > 0 { i -= len(m.TargetPath) copy(dAtA[i:], m.TargetPath) @@ -1609,6 +1616,10 @@ func (m *MountSpec) SizeVT() (n int) { if l > 0 { n += 1 + l + protohelpers.SizeOfVarint(uint64(l)) } + l = len(m.SelinuxLabel) + if l > 0 { + n += 1 + l + protohelpers.SizeOfVarint(uint64(l)) + } n += len(m.unknownFields) return n } 
@@ -4002,6 +4013,38 @@ func (m *MountSpec) UnmarshalVT(dAtA []byte) error {
 }
 m.TargetPath = string(dAtA[iNdEx:postIndex])
 iNdEx = postIndex
+ case 2:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field SelinuxLabel", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return protohelpers.ErrIntOverflow
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= uint64(b&0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return protohelpers.ErrInvalidLength
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex < 0 {
+ return protohelpers.ErrInvalidLength
+ }
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.SelinuxLabel = string(dAtA[iNdEx:postIndex])
+ iNdEx = postIndex
 default:
 iNdEx = preIndex
 skippy, err := protohelpers.Skip(dAtA[iNdEx:])
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index f7f5228ce..d678e5ff9 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -193,6 +193,9 @@ const (
 // the state path.
 StateMountPoint = "/system/state"
 
+ // StateSelinuxLabel is the label to be assigned to the state mount.
+ StateSelinuxLabel = "system_u:object_r:system_state_t:s0"
+
 // BootPartitionLabel is the label of the partition to use for mounting at
 // the boot path.
 BootPartitionLabel = "BOOT"
@@ -209,6 +212,12 @@ const (
 // the data path.
 EphemeralMountPoint = "/var"
 
+ // EphemeralSelinuxLabel is the label to be assigned to the ephemeral mount.
+ EphemeralSelinuxLabel = "system_u:object_r:ephemeral_t:s0"
+
+ // OptSELinuxLabel is the SELinux label to be set for /opt overlay mount.
+ OptSELinuxLabel = "system_u:object_r:opt_t:s0"
+
 // RootMountPoint is the label of the partition to use for mounting at
 // the root path.
 RootMountPoint = "/"
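Review bot: The new constants spell the initialism two ways — `StateSelinuxLabel` and `EphemeralSelinuxLabel` next to `OptSELinuxLabel` in the `@@ -209` hunk, and in the later hunks `KubernetesConfigSELinuxLabel`, `KubeletPluginsSELinuxLabel`, `EtcdDataSELinuxLabel` and `CNISELinuxLabel` alongside `SystemSelinuxLabel`, `RunSelinuxLabel`, `SystemVarSelinuxLabel` and `SystemEtcSelinuxLabel`. The generated `SelinuxLabel` protobuf field is fixed by the .proto, but these hand-written constants are exported API of pkg/machinery and are awkward to rename once shipped, so one form should be chosen now; `SELinux` matches the new `SELinuxLabeledPath` type and Go's initialism convention. The doc comments also alternate between "the label to be assigned to the ... mount" and "the SELinux label to be set for ..."; a uniform `// XSELinuxLabel is the SELinux label applied to the X mount.` would read better across all of them.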
@@ -226,6 +235,12 @@ const (
 // KubernetesConfigBaseDir is the path to the base Kubernetes configuration directory.
 KubernetesConfigBaseDir = "/etc/kubernetes"
 
+ // KubernetesConfigSELinuxLabel is the SELinux label to be set for the Kubernetes configuration directory overlay mount.
+ KubernetesConfigSELinuxLabel = "system_u:object_r:k8s_conf_t:s0"
+
+ // KubeletPluginsSELinuxLabel is the SELinux label to be set for the Kubernetes plugin directory overlay mount.
+ KubeletPluginsSELinuxLabel = "system_u:object_r:k8s_plugin_t:s0"
+
 // DefaultCertificatesDir is the path the Kubernetes PKI directory.
 DefaultCertificatesDir = KubernetesConfigBaseDir + "/" + "pki"
 
@@ -463,6 +478,9 @@ const (
 // EtcdDataPath is the path where etcd stores its' data.
 EtcdDataPath = "/var/lib/etcd"
 
+ // EtcdDataSELinuxLabel is the SELinux label for the etcd data directory.
+ EtcdDataSELinuxLabel = "system_u:object_r:etcd_data_t:s0"
+
 // EtcdRecoverySnapshotPath is the path where etcd snapshot is uploaded for recovery.
 EtcdRecoverySnapshotPath = "/var/lib/etcd.snapshot"
 
@@ -681,6 +699,15 @@ const (
 // and directories.
 SystemPath = "/system"
 
+ // SystemSelinuxLabel is the SELinux label for runtime system related files and directories.
+ SystemSelinuxLabel = "system_u:object_r:system_t:s0"
+
+ // RunPath is the path to the system run directory.
+ RunPath = "/run"
+
+ // RunSelinuxLabel is the SELinux label for the run directory.
+ RunSelinuxLabel = "system_u:object_r:run_t:s0"
+
 // VarSystemOverlaysPath is the path where overlay mounts are created.
 VarSystemOverlaysPath = "/var/system/overlays"
 
@@ -690,9 +717,15 @@ const (
 // SystemVarPath is the path to the system var directory.
 SystemVarPath = SystemPath + "/var"
 
+ // SystemVarSelinuxLabel is the SELinux label for the system var directory.
+ SystemVarSelinuxLabel = "system_u:object_r:system_var_t:s0"
+
 // SystemEtcPath is the path to the system etc directory.
 SystemEtcPath = SystemPath + "/etc"
 
+ // SystemEtcSelinuxLabel is the SELinux label for the system etc directory.
+ SystemEtcSelinuxLabel = "system_u:object_r:system_etc_t:s0"
+
 // SystemLibexecPath is the path to the system libexec directory.
 SystemLibexecPath = SystemPath + "/libexec"
 
@@ -855,6 +888,9 @@ const (
 // NoneCNI is the string to indicate that CNI will not be managed by Talos.
 NoneCNI = "none"
 
+ // CNISELinuxLabel is the SELinux label to be set for CNI configuration overlay mount.
+ CNISELinuxLabel = "system_u:object_r:cni_conf_t:s0"
+
 // DefaultIPv4PodNet is the IPv4 network to be used for kubernetes Pods.
 DefaultIPv4PodNet = "10.244.0.0/16"
 
@@ -1202,12 +1238,18 @@ const (
 CodeKey = "code"
 )
 
+// SELinuxLabeledPath is an object used to describe overlay mounts with SELinux labels applied on creation.
+type SELinuxLabeledPath struct {
+ Path string
+ Label string
+}
+
 // Overlays is the set of paths to create overlay mounts for.
-var Overlays = []string{
- "/etc/cni",
- KubernetesConfigBaseDir,
- "/usr/libexec/kubernetes",
- "/opt",
+var Overlays = []SELinuxLabeledPath{
+ {"/etc/cni", CNISELinuxLabel},
+ {KubernetesConfigBaseDir, KubernetesConfigSELinuxLabel},
+ {"/usr/libexec/kubernetes", KubeletPluginsSELinuxLabel},
+ {"/opt", OptSELinuxLabel},
 }
 
 // DefaultDroppedCapabilities is the default set of capabilities to drop.
diff --git a/pkg/machinery/resources/block/volume_config.go b/pkg/machinery/resources/block/volume_config.go
index f444cb5a9..a068f3a35 100644
--- a/pkg/machinery/resources/block/volume_config.go
+++ b/pkg/machinery/resources/block/volume_config.go
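Review bot: Changing the exported `Overlays` from `[]string` to `[]SELinuxLabeledPath` in the `@@ -1202` hunk breaks every external importer of pkg/machinery that ranges over it as strings; only the in-tree docker provisioner is adapted in this commit. If the module's compatibility promise matters here, a small accessor that yields the paths in declaration order keeps the old shape available and also removes the `xslices.Map` closure from the docker caller. The entries are also unkeyed composite literals (`{"/etc/cni", CNISELinuxLabel}`); `{Path: "/etc/cni", Label: CNISELinuxLabel}` is safer against a future field reorder and makes the pairing obvious at a glance.
```go
// … unchanged: SELinuxLabeledPath and Overlays …

// OverlayPaths returns the mount paths of Overlays in declaration order.
func OverlayPaths() []string {
	paths := make([]string, 0, len(Overlays))
	for _, overlay := range Overlays {
		paths = append(paths, overlay.Path)
	}

	return paths
}
```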
@@ -147,6 +147,8 @@ type EncryptionKey struct {
 type MountSpec struct {
 // Mount path for the volume.
 TargetPath string `yaml:"targetPath" protobuf:"1"`
+ // SELinux label for the volume.
+ SelinuxLabel string `yaml:"selinuxLabel" protobuf:"2"`
 }
 
 // NewVolumeConfig initializes a BlockVolumeConfig resource.
diff --git a/pkg/provision/providers/docker/node.go b/pkg/provision/providers/docker/node.go
index 240bea7e3..8b216a2fb 100644
--- a/pkg/provision/providers/docker/node.go
+++ b/pkg/provision/providers/docker/node.go
@@ -21,6 +21,7 @@ import (
 "github.com/docker/docker/api/types/network"
 "github.com/docker/go-connections/nat"
 "github.com/hashicorp/go-multierror"
+ "github.com/siderolabs/gen/xslices"
 
 "github.com/siderolabs/talos/pkg/machinery/config/machine"
 "github.com/siderolabs/talos/pkg/machinery/constants"
@@ -125,7 +126,12 @@ func (p *provisioner) createNode(ctx context.Context, clusterReq provision.Clust
 })
 }
 
- for _, path := range append([]string{constants.EphemeralMountPoint, constants.StateMountPoint}, constants.Overlays...) {
+ for _, path := range append(
+ []string{constants.EphemeralMountPoint, constants.StateMountPoint},
+ xslices.Map(constants.Overlays, func(overlay constants.SELinuxLabeledPath) string {
+ return overlay.Path
+ })...,
+ ) {
 mounts = append(mounts, mount.Mount{
 Type: mount.TypeVolume,
 Target: path,
diff --git a/website/content/v1.9/reference/api.md b/website/content/v1.9/reference/api.md
index 717cf3c26..149a0f102 100644
--- a/website/content/v1.9/reference/api.md
+++ b/website/content/v1.9/reference/api.md
@@ -1004,6 +1004,7 @@ MountSpec is the spec for volume mount.
 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
 | target_path | [string](#string) | | |
+| selinux_label | [string](#string) | | |
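Review bot: `// SELinux label for the volume.` on the new `SelinuxLabel` field does not say when the label is applied or what an empty value means, and this spec is serialised to YAML and protobuf where users will read it. Suggest `// SELinux label applied to the mount point when the volume is mounted; empty means no label is set.`, assuming that is how the mount controller consumes it — the consumer is outside this diff, so confirm before wording it as a contract.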
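Review bot: The rewritten `for` header in createNode hides two slice allocations and a closure inside the range expression, which makes the loop hard to scan; hoisting the list into a named variable keeps the intent visible: `paths := append([]string{constants.EphemeralMountPoint, constants.StateMountPoint}, xslices.Map(constants.Overlays, func(overlay constants.SELinuxLabeledPath) string { return overlay.Path })...)` followed by `for _, path := range paths {`. The labels carried by `constants.Overlays` are dropped here on purpose; a one-line comment stating why (presumably the docker provider never applies the SELinux policy) would pre-empt the question. createNode's body continues outside the hunk.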