From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: /dev/vhost-vsock
Date: Sat, 11 Apr 2020 08:17:59 +0200
In-Reply-To: <1863651.PGxljZVUGs@liv> (Russell Coker's message of "Sat, 11 Apr 2020 13:55:05 +1000")
References: <1863651.PGxljZVUGs@liv>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker writes:

> Would vhost_device_t be the right type for /dev/vhost-vsock?
>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.

This is the "ptrace" equivalent for applications that use user namespaces like, I think, firefox and flatpak. This event will surface if you do a `ps auxZ` when you have a running instance of an application that uses user namespaces.
In the case of firefox you would for example append it below this line:

https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40

like so:

    allow $2 mozilla_t:cap_userns sys_ptrace;

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
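An added example, not part of the thread above and not refpolicy code: the `cap_userns sys_ptrace` denial that surfaces on `ps auxZ` is normally read off the audit log rather than guessed, so this script derives the refpolicy allow rule from AVC denial lines the way audit2allow does. It goes slightly beyond the single rule in the reply by handling several permissions in one denial (emitted in `{ a b }` form) and collapsing duplicate denials into one rule. The audit lines in `SAMPLE_AVC`, including contexts, pid and timestamp, are constructed for the example, and `avc_to_allow` and `rule_for_sample` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the list thread: derive a refpolicy allow rule from
# SELinux AVC denial lines, the way audit2allow does, so a cap_userns rule like
# the one suggested above can be read off the audit log instead of guessed.
# Handles several permissions in one denial (emitted as "{ a b }") and drops
# duplicate rules. The log lines in SAMPLE_AVC are constructed, not real output.

# Read AVC lines on stdin, print one "allow <src> <tgt>:<class> <perms>;" each.
# Only the type field (third ":"-separated component) of each context is kept.
avc_to_allow() {
    awk '
        /avc: +denied/ {
            perm = ""; src = ""; tgt = ""; cls = ""
            # the permission set is the text between "{" and "}"
            if (match($0, /[{][^}]*[}]/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (perm == "" || src == "" || tgt == "" || cls == "") next
            # several permissions need brace syntax in policy source
            if (perm ~ / /) perm = "{ " perm " }"
            rule = "allow " src " " tgt ":" cls " " perm ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }'
}

# Constructed sample in the shape "ausearch -m avc" prints; the contexts, pid
# and timestamp are made up for this example.
SAMPLE_AVC='type=AVC msg=audit(1586585895.008:42): avc:  denied  { sys_ptrace } for  pid=4242 comm="ps" capability=19 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:mozilla_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1586585895.009:43): avc:  denied  { sys_ptrace } for  pid=4242 comm="ps" capability=19 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:mozilla_t:s0 tclass=cap_userns permissive=0'

# Rule(s) the sample yields; the second, duplicate denial collapses into one line.
rule_for_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

rule_for_sample
```

On a real system the input would come from `ausearch -m avc -ts recent | avc_to_allow`. The output is a starting point for review, not something to paste into policy as-is: the generated rule names the calling user domain directly (`staff_t` in the sample), whereas the reply places the rule in `mozilla.if` with `$2` so the interface grants it to whichever domain is passed in.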