From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: /dev/vhost-vsock
References: <1863651.PGxljZVUGs@liv>
Date: Sat, 11 Apr 2020 10:10:40 +0200
In-Reply-To: (Dominick Grift's message of "Sat, 11 Apr 2020 08:17:59 +0200")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Dominick Grift writes:

> Russell Coker writes:
>
>> Would vhost_device_t be the right type for /dev/vhost-vsock?
>>
>> https://wiki.qemu.org/Features/VirtioVsock
>>
>> This seems to be the documentation for it.
>
> this is the "ptrace" equivalent for applications that use user
> namespaces like, I think, firefox and flatpak. This event will surface
> if you do a `ps auxZ` when you have a running instance of an application
> that uses user namespaces.
>
> In the case of firefox you would for example append it below this line:
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
> like so:
> allow $2 mozilla_t:cap_userns sys_ptrace;

Err, no. It's more like "allow $2 self:cap_userns sys_ptrace;"

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
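The correction in the message above (the target is `self`, not `mozilla_t`) follows directly from what a cap_userns denial looks like: the scontext and tcontext carry the same type, because the capability check is against the process's own user namespace. As an added example that is not part of this thread, refpolicy or any SELinux tool, the following Python script parses a few constructed AVC lines and collapses them into candidate allow rules, writing `self` whenever the source and target types are identical. The audit lines, contexts, PIDs and file names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the thread). The first two are
# cap_userns denials of the kind a user-namespace-using app such as firefox
# produces; the third is an ordinary file denial against a different type, which
# must not be turned into a "self" rule.
SAMPLE_AVC = """\
type=AVC msg=audit(1586592693.101:201): avc:  denied  { sys_ptrace } for  pid=2301 comm="firefox" capability=19 scontext=user_u:user_r:mozilla_t:s0 tcontext=user_u:user_r:mozilla_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1586592693.102:202): avc:  denied  { sys_ptrace } for  pid=2305 comm="Web Content" capability=19 scontext=user_u:user_r:mozilla_t:s0 tcontext=user_u:user_r:mozilla_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1586592693.103:203): avc:  denied  { read } for  pid=2301 comm="firefox" name="prefs.js" dev="dm-0" ino=4711 scontext=user_u:user_r:mozilla_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Pull the permission set, source/target contexts and object class out of one line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type component of user:role:type[:range]."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        yield (type_of(m.group("scon")), type_of(m.group("tcon")),
               m.group("tclass"), frozenset(m.group("perms").split()))


def format_rule(stype, target, tclass, perms):
    """Render a rule in the style used in the thread (braces only for >1 perm)."""
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def suggest_rules(text):
    """Merge denials per (source, target, class) and write 'self' when the
    source and target types are identical, as with the cap_userns case above."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        target = "self" if stype == ttype else ttype
        merged[(stype, target, tclass)] |= perms
    return sorted(format_rule(s, t, c, p) for (s, t, c), p in merged.items())


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AVC):
        print(rule)
```

Run as-is it prints `allow mozilla_t self:cap_userns sys_ptrace;` for the two user-namespace denials and a separate `user_home_t:file` rule for the third. When the rule is placed in an interface such as the one in mozilla.if, the concrete source type becomes the interface parameter (`$2`), which is exactly the form the reply settles on. The script does what audit2allow does for this case; either way the generated rule is a starting point to be checked against what the domain should actually be allowed, not something to paste in unread.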