2020-04-11 03:55:18

by Russell Coker

Subject: /dev/vhost-vsock

Would vhost_device_t be the right type for /dev/vhost-vsock?

https://wiki.qemu.org/Features/VirtioVsock

This seems to be the documentation for it.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2020-04-11 06:18:15

by Dominick Grift

Subject: Re: /dev/vhost-vsock

Russell Coker <[email protected]> writes:

> Would vhost_device_t be the right type for /dev/vhost-vsock?
>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.

This is the "ptrace" equivalent for applications that use user
namespaces like, I think, Firefox and Flatpak. This event will surface
if you do a `ps auxZ` when you have a running instance of an application
that uses user namespaces.

In the case of firefox you would for example append it below this line:
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
like so:
allow $2 mozilla_t:cap_userns sys_ptrace;

--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

2020-04-11 06:19:48

by Dominick Grift

Subject: Re: /dev/vhost-vsock

Russell Coker <[email protected]> writes:

> Would vhost_device_t be the right type for /dev/vhost-vsock?

That is what I do:
https://git.defensec.nl/?p=dssp3.git;a=blob;f=policy/dev/node_vhost.cil;h=810213c6f2c02db02dfba873cbe740ad7cfaad95;hb=HEAD

>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.

--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

2020-04-11 08:11:33

by Dominick Grift

Subject: Re: /dev/vhost-vsock

Dominick Grift <[email protected]> writes:

> Russell Coker <[email protected]> writes:
>
>> Would vhost_device_t be the right type for /dev/vhost-vsock?
>>
>> https://wiki.qemu.org/Features/VirtioVsock
>>
>> This seems to be the documentation for it.
>
> This is the "ptrace" equivalent for applications that use user
> namespaces like, I think, Firefox and Flatpak. This event will surface
> if you do a `ps auxZ` when you have a running instance of an application
> that uses user namespaces.
>
> In the case of firefox you would for example append it below this line:
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
> like so:
> allow $2 mozilla_t:cap_userns sys_ptrace;

Err, no. It's more like "allow $2 self:cap_userns sys_ptrace;"

--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
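Putting the two answers in this thread together, as an added illustration that is not code from the thread, from dssp3 or from refpolicy: a refpolicy-style file context entry that labels the node vhost_device_t, a consumer domain using refpolicy's dev_rw_vhost() interface, and the corrected self-targeted cap_userns rule. The domain name example_vm_t is hypothetical; whether any particular domain needs the vhost node is an assumption.

```selinux
# devices.fc (added entry, in the same style as the existing /dev/vhost-net line).
# "-c" restricts the match to character device nodes, so a regular file or
# directory that happens to be created at this path would not receive the
# device type when the file system is relabelled.
/dev/vhost-vsock    -c  gen_context(system_u:object_r:vhost_device_t,s0)

# Consumer side (hypothetical domain): grant read/write on vhost_device_t
# through the existing interface rather than a raw allow rule on the type,
# so the policy stays within refpolicy's module boundaries.
dev_rw_vhost(example_vm_t)

# mozilla.if, inside the user-domain template ($2 is the caller's domain):
# the user-namespace ptrace capability is checked against the process's
# own domain, hence "self" as the target, not mozilla_t.
allow $2 self:cap_userns sys_ptrace;
```

After installing the policy, restorecon on /dev/vhost-vsock applies the new label and `ls -Z` shows it; a matching `-c` entry leaves other file types at the path unlabelled.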