
Socket activation AF_VSOCK (SOCK_STREAM): Client on the host, server on the host #175

Closed
eriksjolund opened this issue Apr 16, 2022 · 2 comments

Comments

@eriksjolund

eriksjolund commented Apr 16, 2022

Description

Feature request.

  • Add support for socket activation of an AF_VSOCK (SOCK_STREAM) socket, where the client (socat) and the
    systemd user service are running directly on the same host. (There is no VM involved). The systemd user service
    uses podman to start the container ghcr.io/eriksjolund/socket-activate-echo:vsock.

  • Add support for socket activation of an AF_VSOCK (SOCK_STREAM) socket, where the client (socat) and
    systemd-socket-activate are running directly on the same host. (There is no VM involved). systemd-socket-activate
    uses podman to start the container ghcr.io/eriksjolund/socket-activate-echo:vsock.

Follow these steps to see the audit logs

Open three Bash terminals (terminal 1, terminal 2, terminal 3) on a Fedora 35 Linux computer.

Make sure you are running container-selinux 2.181.0.
I installed the RPM from https://bodhi.fedoraproject.org/updates/FEDORA-2022-32eea4f938

$ rpm -q container-selinux
container-selinux-2.181.0-1.fc35.noarch

Terminal 1 and terminal 3 are used for running commands as the regular user.

Terminal 2 is used for running commands as root.

  1. In terminal 1 run

    git clone https://github.com/eriksjolund/socket-activate-echo.git
    cd socket-activate-echo
    git checkout vsock
    mkdir -p ~/.config/systemd/user
    cp -r systemd/echo* ~/.config/systemd/user
    
  2. In terminal 2 run

    setenforce 0
    
  3. In terminal 1 run

    [esjolund@asus socket-activate-echo]$ systemctl --user daemon-reload
    [esjolund@asus socket-activate-echo]$ systemctl --user start echo@demo.socket
    [esjolund@asus socket-activate-echo]$ date '+%x %T'
    04/16/2022 13:34:23
    [esjolund@asus socket-activate-echo]$ CID=1
    [esjolund@asus socket-activate-echo]$ echo hello | socat - VSOCK-CONNECT:$CID:3000
    hello
    

    The special number 1 in CID=1 means VMADDR_CID_LOCAL (see man vsock)

  4. In terminal 2 run

    [root@asus ~]# ausearch --start 04/16/2022  '13:34:23' --raw > /tmp/raw1
    [root@asus ~]# cat /tmp/raw1 | audit2allow 
    
    
    #============= container_t ==============
    allow container_t container_runtime_t:unix_dgram_socket { getattr getopt };
    allow container_t container_runtime_t:vsock_socket { accept getattr getopt };
    [root@asus ~]# cat /tmp/raw1
    type=AVC msg=audit(1650108867.800:492): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62505]" dev="sockfs" ino=62505 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    type=AVC msg=audit(1650108867.800:493): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" path="/home/esjolund/echo_datagram_sock.demo" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    type=AVC msg=audit(1650108867.801:494): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62510]" dev="sockfs" ino=62510 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650108867.801:495): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650108867.801:496): avc:  denied  { accept } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    [root@asus ~]# cat /tmp/raw1 | ausearch --start 04/16/2022  '13:34:23' 
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.800:492): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62505]" dev="sockfs" ino=62505 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.800:493): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" path="/home/esjolund/echo_datagram_sock.demo" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.801:494): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62510]" dev="sockfs" ino=62510 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.801:495): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:34:27 2022
    type=AVC msg=audit(1650108867.801:496): avc:  denied  { accept } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    [root@asus ~]# 
    
  5. In terminal 1 run

    [esjolund@asus socket-activate-echo]$ systemd-socket-activate -l /tmp/stream.sock -l 4000 -l vsock:4294967295:4000  podman run --rm --name echo2  --network=none ghcr.io/eriksjolund/socket-activate-echo:vsock  
    Listening on /tmp/stream.sock as 3.
    Listening on [::]:4000 as 4.
    Listening on vsock::4000 as 5.
    
  6. In terminal 3 run

    [esjolund@asus tmp]$ date '+%x %T'
    04/16/2022 13:42:59
    [esjolund@asus tmp]$ echo hello | socat -t 30 - VSOCK-CONNECT:1:4000
    hello
    
  7. In terminal 2 run

    [root@asus ~]# ausearch --start 04/16/2022  '13:42:59' --raw > /tmp/raw2
    [root@asus ~]# cat /tmp/raw2 | audit2allow 
    
    
    #============= container_t ==============
    allow container_t unconfined_t:vsock_socket { accept getattr getopt };
    [root@asus ~]# cat /tmp/raw2 
    type=AVC msg=audit(1650109384.754:497): avc:  denied  { getattr } for  pid=5583 comm="socket-activate" path="socket:[61681]" dev="sockfs" ino=61681 scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650109384.754:498): avc:  denied  { getopt } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    type=AVC msg=audit(1650109384.754:499): avc:  denied  { accept } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    [root@asus ~]# cat /tmp/raw2 | ausearch --start 04/16/2022  '13:42:59'
    ----
    time->Sat Apr 16 13:43:04 2022
    type=AVC msg=audit(1650109384.754:497): avc:  denied  { getattr } for  pid=5583 comm="socket-activate" path="socket:[61681]" dev="sockfs" ino=61681 scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:43:04 2022
    type=AVC msg=audit(1650109384.754:498): avc:  denied  { getopt } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    ----
    time->Sat Apr 16 13:43:04 2022
    type=AVC msg=audit(1650109384.754:499): avc:  denied  { accept } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
    
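As an added illustration (not code from the issue or from container-selinux), this Python script does what audit2allow did in steps 4 and 7 with the raw records above: it parses each AVC line, groups the denied permissions by source type, target type and object class, and emits one allow rule per group, which reproduces the three rules the reporter collected. It also counts how many denials carry permissive=1, since setenforce 0 in step 2 means they were logged rather than enforced.

```python
import re
from collections import defaultdict

# Raw AVC records copied from steps 4 and 7 of the issue, embedded here as sample input.
SAMPLE_AVC = """\
type=AVC msg=audit(1650108867.800:492): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62505]" dev="sockfs" ino=62505 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1650108867.800:493): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" path="/home/esjolund/echo_datagram_sock.demo" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1650108867.801:494): avc:  denied  { getattr } for  pid=5390 comm="socket-activate" path="socket:[62510]" dev="sockfs" ino=62510 scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650108867.801:495): avc:  denied  { getopt } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650108867.801:496): avc:  denied  { accept } for  pid=5390 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c414,c465 tcontext=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650109384.754:497): avc:  denied  { getattr } for  pid=5583 comm="socket-activate" path="socket:[61681]" dev="sockfs" ino=61681 scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650109384.754:498): avc:  denied  { getopt } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
type=AVC msg=audit(1650109384.754:499): avc:  denied  { accept } for  pid=5583 comm="socket-activate" scontext=system_u:system_r:container_t:s0:c879,c915 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=1
"""

# The fields an allow rule is built from: denied permissions, both contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the rule-relevant fields of one AVC record, or None for any other record."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m["perms"].split()),
        "source": m["scontext"].split(":")[2],  # type field of user:role:type:level
        "target": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "permissive": m["permissive"] == "1",   # denial was logged, not enforced
    }

def allow_rules(lines):
    """Aggregate denials per (source, target, class) into allow rules, as audit2allow does."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        grouped[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

def permissive_denials(lines):
    """Count denials recorded while SELinux was permissive (setenforce 0 in step 2)."""
    return sum(1 for rec in filter(None, map(parse_avc, lines)) if rec["permissive"])
```

The target type differs between the two runs (container_runtime_t for the socket unit, unconfined_t for systemd-socket-activate started from the shell), which is why the same three vsock permissions come out as two separate rules.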
@eriksjolund
Author

I noticed that the audit2allow rules collected in this GitHub issue are identical to the audit2allow rules collected in #176

echo@demo.service

allow container_t container_runtime_t:unix_dgram_socket { getattr getopt };
allow container_t container_runtime_t:vsock_socket { accept getattr getopt };

systemd-socket-activate

allow container_t unconfined_t:vsock_socket { accept getattr getopt };

Probably it would have been enough to create just one GitHub issue instead of two. The results look so similar.

@rhatdan
Member

rhatdan commented Apr 18, 2022

Fixed in v2.182.0

@rhatdan rhatdan closed this as completed Apr 18, 2022