From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: /dev/vhost-vsock
Date: Sat, 11 Apr 2020 08:17:59 +0200
In-Reply-To: <1863651.PGxljZVUGs@liv> (Russell Coker's message of "Sat, 11 Apr 2020 13:55:05 +1000")

Russell Coker writes:

> Would vhost_device_t be the right type for /dev/vhost-vsock?
>
> https://wiki.qemu.org/Features/VirtioVsock
>
> This seems to be the documentation for it.
This is the "ptrace" equivalent for applications that use user namespaces like, I think, Firefox and Flatpak. This event will surface if you do a `ps auxZ` when you have a running instance of an application that uses user namespaces.

In the case of Firefox you would, for example, append it below this line:

https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/apps/mozilla.if#L40

like so:

    allow $2 mozilla_t:cap_userns sys_ptrace;

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
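The reply above says the cap_userns denial shows up once a namespaced application is running and then gives the allow rule to write. As an added illustration that is not part of the thread or of refpolicy, the script below does the intermediate step by hand: it parses AVC denial lines of the shape auditd records, groups them by source type, target type and object class, and prints the corresponding `allow` statements, flagging the `cap_userns` ones as user-namespace capability checks. The audit lines are constructed samples (types such as `svirt_t` are taken from refpolicy naming; the pids, inode numbers and timestamps are made up), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit lines, not taken from the thread. They mimic the
# shape of AVC denials as auditd records them; pids, inodes and timestamps
# are invented.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1586585880.101:301): avc:  denied  { sys_ptrace } for  pid=2201 comm="firefox" '
    'capability=19  scontext=staff_u:staff_r:mozilla_t:s0 tcontext=staff_u:staff_r:mozilla_t:s0 '
    'tclass=cap_userns permissive=0',
    'type=AVC msg=audit(1586585880.102:302): avc:  denied  { sys_ptrace } for  pid=2201 comm="firefox" '
    'capability=19  scontext=staff_u:staff_r:mozilla_t:s0 tcontext=staff_u:staff_r:mozilla_t:s0 '
    'tclass=cap_userns permissive=0',
    'type=AVC msg=audit(1586585880.200:303): avc:  denied  { read write } for  pid=3100 comm="qemu-system-x86" '
    'path="/dev/vhost-vsock" dev="devtmpfs" ino=1234 scontext=system_u:system_r:svirt_t:s0 '
    'tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0',
    # A SYSCALL record accompanies the AVC record; it carries no denial itself.
    'type=SYSCALL msg=audit(1586585880.200:303): arch=c000003e syscall=257 success=no exit=-13',
]

# Pull the permission set, both security contexts and the object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """The type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the relevant fields of one AVC denial line, or None for anything else."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize_denials(lines):
    """Map (source type, target type, class) -> union of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(summary)


def format_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_allow_rules(summary):
    """Render each denial group as a policy allow statement, using 'self' when source and target match."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {format_perms(perms)};")
    return rules


def userns_denials(summary):
    """Denial groups in the cap_userns class: a capability exercised inside a user namespace."""
    return sorted(key for key in summary if key[2] == "cap_userns")


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AVC_LINES)
    for rule in to_allow_rules(summary):
        print(rule)
    for stype, _, _ in userns_denials(summary):
        print(f"# {stype} is exercising a capability inside a user namespace")
```

Two things the generator cannot decide for you. First, the rule in the reply lives in an interface and uses `$2` for the caller's domain; a script only sees the concrete type from the log, so the interface parameter has to be substituted by hand. Second, a denial is evidence that a check fired, not that the access is legitimate: only the `cap_userns sys_ptrace` case discussed in the thread is known here to be the application's normal behaviour, so each generated statement still needs that judgement before it goes into policy.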