Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1353720ybb;
        Sat, 11 Apr 2020 01:11:33 -0700 (PDT)
X-Google-Smtp-Source: APiQypKZ5KRXas8U54X0NpIBW9Hn7H4DfTILdSMe/SygQlduwlXfbFEBsSLDEyglYEV1/AMifZha
X-Received: by 2002:a05:620a:20dc:: with SMTP id f28mr7679201qka.216.1586592693175;
        Sat, 11 Apr 2020 01:11:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586592693; cv=none;
        d=google.com; s=arc-20160816;
        b=InczPdMJILQddgiz2vtqgAvORuIlYwVxZAqsECN2DXW6P+HwmQC3HRSlESZtNEbsUI
         gf+IZVl4E4BZqGZeika0Epcp+AJl9aK+AVduKr5fmxaKXdnX0iiUbvvZbBX5Zy/nA+D3
         JGODpAQuVSFZMu/mOZKtEJ8GPHsO8wgFWy2ribyw2ZlVXEbNsHeWbAE/0F4cgFXuKmiK
         YKpXydtxRZvrh8agj/UH2GF1a/O5ej8hZ6NIIbIO3EdrrwSRBzoKMunA1lz/KrBX/tDD
         osD4BGiU7M/5YFmn/IMSm9G0HMHkY6/SxdHviEE8pMcD924BKOlzQwtPAQeaMoihkTMG
         6+zA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:message-id
         :in-reply-to:date:references:subject:cc:to:from;
        bh=0PCphO/eXthqvGBh9UH4gWFQ6WbQ1Aln+8HEgeP25gw=;
        b=WLEX3/WeTT0dKf+th9T7qmPoo15wMP0CsMdC82KJWWpzAGVI44tj9MCU8HoT8gdpZp
         7FnaHA4LrTEd3z+sfcIxJUk4Bm9nhgTGWtrSOswffMKmgNbMQHYytVRXrYd1JPZZnsvz
         Jh7gZLukHpUM/aKZJdQZ2e6e5ZoZAm2BoQ6Z58I60dH5hYDjyD/IftP82NiF30n3SPD7
         1Ud5yUcXGIQCODCZ0fV//XjmUlCfO6lMusiTxXuUs7dCxPct56w1VD0G1OVAab8LldLL
         R6ai02zh+vzynuDfQacZm8Rf1480C2uRyo+Hlt81qdc+21yIfCjdwx3AG67mnPdgkMBv
         +vYQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b47si2475217qtc.75.2020.04.11.01.11.29;
        Sat, 11 Apr 2020 01:11:33 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726010AbgDKIKp (ORCPT <rfc822;toiwoton@gmail.com> + 13 others);
        Sat, 11 Apr 2020 04:10:45 -0400
Received: from agnus.defensec.nl ([80.100.19.56]:32834 "EHLO agnus.defensec.nl"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725927AbgDKIKp (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 11 Apr 2020 04:10:45 -0400
Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438])
        by agnus.defensec.nl (Postfix) with ESMTPSA id 0819C2A0DAC;
        Sat, 11 Apr 2020 10:10:43 +0200 (CEST)
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: /dev/vhost-vsock
References: <1863651.PGxljZVUGs@liv> <ypjly2r2lf54.fsf@defensec.nl>
Date:   Sat, 11 Apr 2020 10:10:40 +0200
In-Reply-To: <ypjly2r2lf54.fsf@defensec.nl> (Dominick Grift's message of "Sat,
        11 Apr 2020 08:17:59 +0200")
Message-ID: <ypjlpncel9xb.fsf@defensec.nl>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Dominick Grift <dominick.grift@defensec.nl> writes:

> Russell Coker <russell@coker.com.au> writes:
>
>> Would vhost_device_t be the right type for /dev/vhost-vsock?
>>
>> https://wiki.qemu.org/Features/VirtioVsock
>>
>> This seems to be the documentation for it.
>
> this is the "ptrace" equivalent for applications that use user
> namespaces like, i think, firefox and flatpak. This event will surface
> if you do a `ps auxZ` when you have a running instance of a application
> the uses user name spaces.
>
> In the case of firefox you would for example append it below this line:
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
> like so:
> allow $2 mozilla_t:cap_userns sys_ptrace;

err, no. its more like "allow $2 self:cap_userns sys_ptrace;"



-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift