Add container module

[0xC0ncord]

This adds a container module to refpolicy, bringing minimum viable support for container engines.

The svirt_lxc_net_t type was recycled into container_t in container-selinux. This PR will do the same. This PR tries to maintain best semantics and nomenclature compatibility with container-selinux where possible, with the biggest deviation being that container_runtime_t (container-selinux) is called container_engine_t in this policy.

Types were added for podman and docker as well as for rootless podman having its own type for users. The same goes for spc_t and spc_user_t.

I'm hoping that by the time this is merged it will encourage more contributions to the module in order to support a wider array of container engines, i.e. Docker and Kubernetes. So far I have been building this policy while using podman on a production server.

Some things to consider:

• container_engine_t conflicts with a type of the same name in container-selinux (https://github.com/containers/container-selinux/blob/db7dcc5b8377405ec8d47a940ef78e19199bebea/container.te#L1252)
• Rename container_engine_t to container_manager_t or something else (also helps with the above)
• Split out some access from container_engine_domainintocontainer_engine_t, since most of the testing was done with only podmananddocker` Done
• Create separate types for podman and docker as there are some accesses shared by both that are not used by both Done
• Split out some access from container_t or container_domain to container_net_domain like container-selinux Done
• Also move svirt_lxc_t out of the virt module (probably won't do this since svirt_lxc_t is tied heavily to libvirt)

Fixes: #397
Relates-To: flatcar-linux/Flatcar/issues/479

[pebenito]

Many thanks for working on this! I didn't look too deeply at all of the interfaces, but the overall direction looks good.

[0xC0ncord]

@pebenito I think the policy is very close to being complete, but I want your opinion on this before moving forward: How do you feel about splitting the current implementation of the container_engine_t type?

In its current state, container_engine_t is a monolithic type which covers both podman and docker (like container-selinux). However after some discussion, I think it would be best to split this type into other private types, i.e. docker_t and podman_t as well as podman_rootless_t (names not final). This would allow us to ensure that different container engines only have the accesses they need to function, but also allows us to more strictly confine rootless podman.

I think overall this has a significant advantage over the current implementation, albeit at the cost of a little extra complexity.

[pebenito]

I'm fine with that. We could have a common set of rules between them, and then final docker_t, podman_t, etc.

[0xC0ncord]

I think after a long while this is finally ready. Please go ahead with the review @pebenito !

[pebenito]

BTW I'm reviewing and commenting in order of the diff github shows, since this will take some time.

[ghost]

Just a random comment and heads-up

Are you differentiating between user containers and/or docker instances and system containers and/or docker instances?

If true then you may want to rethink, here is why:

Podman (and I guess Docker as well). by default labels "containers" as per what is specified in lxc_contexts.

For example the "process =" entry tells Podman (and I guess Docker) what label it should manually associate with container processes. (similar for "file", "init_process" etc)

This means in a nutshell that you can only have one default container label set. If you decide to implement more than one container label set (for example by differentiating between user and system containers) then eventually you will end up with issues.

Most of the defaults can be manually overriding on the command line with Podman (and I guess Docker) but not everything.

For example "Pod infra containers" are labeled with (I believe the context specified with "process =" in lxc_contexts and there is (I believe) no way to manually override that context on the Podman (and I guess Docker) command line.

So if you specify for example "proccess = system_u:system_r:system_container_t:s0" then "user pods" will (I believe)) and up with that context and there will be no way to override it (AFAIK)

One take away I have from looking into this matter is that:

"Walsh went too far trying to simplify it" and now "I have to go too far trying get stuff to work"

Granted that back when Docker and Podman were initially conceived there were no usable user name spaces and so it was probably never foreseen that there would eventually not only be a "system instances" but also "user instance(s)".

Now were essentially forced to treat them the same,, with all of the nasties associated with that.

[pebenito]

Again, I really appreciate your effort on this. This is a massive contribution. Thanks!

[0xC0ncord]

Again, I really appreciate your effort on this. This is a massive contribution. Thanks!

Thank you for your support!