From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: /dev/vhost-vsock
Date: Sat, 11 Apr 2020 10:10:40 +0200
In-Reply-To: Dominick Grift's message of "Sat, 11 Apr 2020 08:17:59 +0200"

Dominick Grift writes:

> Russell Coker writes:
>
>> Would vhost_device_t be the right type for /dev/vhost-vsock?
>>
>> https://wiki.qemu.org/Features/VirtioVsock
>>
>> This seems to be the documentation for it.
>
> This is the "ptrace" equivalent for applications that use user
> namespaces like, I think, firefox and flatpak. This event will surface
> if you do a `ps auxZ` when you have a running instance of an application
> that uses user namespaces.
>
> In the case of firefox you would for example append it below this line:
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40
> like so:
>
> allow $2 mozilla_t:cap_userns sys_ptrace;

Err, no. It's more like "allow $2 self:cap_userns sys_ptrace;"

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
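An added example, not code from the thread or from refpolicy: a POSIX sh helper that turns AVC denial records into refpolicy-style allow rules and emits `self` as the target whenever the source and target types are identical, which is the distinction the correction above draws for the cap_userns sys_ptrace denial. The audit records below are constructed samples (modelled on what `ps auxZ` from a staff_t shell might surface), not real log lines.

```shell
#!/bin/sh
# Constructed sample AVC records (not real audit output). The first is a
# capability check, which the kernel always performs against the process's
# own domain, so scontext and tcontext carry the same type.
SAMPLE_AVC='type=AVC msg=audit(1586592000.000:101): avc:  denied  { sys_ptrace } for  pid=1234 comm="ps" capability=19  scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=cap_userns permissive=0
type=AVC msg=audit(1586592000.000:102): avc:  denied  { getattr } for  pid=1234 comm="ps" path="/proc/4321" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:mozilla_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY: value of the first "KEY=value" token in LINE (empty if absent)
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# ctx_type CONTEXT: the type field (third colon-separated component)
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE: print "allow SRC TGT:CLASS PERMS;" for one denial,
# substituting "self" for TGT when source and target types match.
avc_to_rule() {
  line=$1
  src=$(ctx_type "$(avc_field "$line" scontext)")
  tgt=$(ctx_type "$(avc_field "$line" tcontext)")
  class=$(avc_field "$line" tclass)
  # permissions sit between the braces: "{ sys_ptrace }" or "{ read write }"
  perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//')
  case "$perms" in
    *" "*) perms="{ $perms }" ;;   # several permissions keep the brace set
  esac
  if [ "$src" = "$tgt" ]; then
    tgt=self
  fi
  printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$class" "$perms"
}

# avc_rules: one rule per sample record
avc_rules() {
  printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r l; do
    avc_to_rule "$l"
  done
}

avc_rules
```

The generated rule is a starting point for review, not something to paste into policy unread; in an interface such as mozilla_role the domain would be written as `$2`, as in the thread.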