release: label overlayfs state directories

Using `state_t` as the label makes the directories read-only for all unprivileged containers, even if they have access via a host mount. Signed-off-by: Ben Cressey <[email protected]>
bottlerocket-os · Dec 17, 2021 · 29de89f · 29de89f
1 parent 4c7912f
commit 29de89f
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/packages/release/prepare-local.service b/packages/release/prepare-local.service
@@ -21,6 +21,10 @@ ExecStart=/usr/bin/mkdir -p \
     ${LOCAL_DIR}/var/lib/kernel-devel/.overlay/work \
     ${LOCAL_DIR}/var/lib/kernel-modules/.overlay/upper \
     ${LOCAL_DIR}/var/lib/kernel-modules/.overlay/work
+ExecStart=/usr/sbin/setfiles -r ${LOCAL_DIR} \
+    -F /etc/selinux/fortified/contexts/files/file_contexts \
+    ${LOCAL_DIR}/var/lib/kernel-devel \
+    ${LOCAL_DIR}/var/lib/kernel-modules
 
 # Create the directories we need to set up a read-write overlayfs for any CNI
 # plugin binaries.
@@ -31,6 +35,9 @@ ExecStart=/usr/bin/mkdir -p \
     ${LOCAL_DIR}/opt/cni/bin \
     ${LOCAL_DIR}/var/lib/cni-plugins/.overlay/upper \
     ${LOCAL_DIR}/var/lib/cni-plugins/.overlay/work
+ExecStart=/usr/sbin/setfiles -r ${LOCAL_DIR} \
+    -F /etc/selinux/fortified/contexts/files/file_contexts \
+    ${LOCAL_DIR}/var/lib/cni-plugins
 
 RemainAfterExit=true
 StandardError=journal+console

diff --git a/packages/selinux-policy/fs.cil b/packages/selinux-policy/fs.cil
@@ -80,6 +80,14 @@
 (filecon "/var/lib/netdog" any lease)
 (filecon "/var/lib/netdog/.*" any lease)
 
+; Label local directories for overlayfs mounts.
+(filecon "/var/lib/cni-plugins" any state)
+(filecon "/var/lib/cni-plugins/.*" any state)
+(filecon "/var/lib/kernel-devel" any state)
+(filecon "/var/lib/kernel-devel/.*" any state)
+(filecon "/var/lib/kernel-modules" any state)
+(filecon "/var/lib/kernel-modules/.*" any state)
+
 ; Label kernel filesystem mounts.
 (filecon "/proc" any proc)
 (filecon "/proc/.*" any ())