Draft: Confine ssh-generator

policy/modules/services/ssh.if

@@ -1072,6 +1072,25 @@ interface(`ssh_use_ptys',`
 	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##	Get attributes of sshd unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ssh_getattr_unit_file',`
+	gen_require(`
+		type sshd_unit_file_t;
+	')
+
+	systemd_search_unit_dirs($1)
+	allow $1 sshd_unit_file_t:file getattr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Execute sshd server in the sshd domain.
@@ -1113,3 +1132,21 @@ interface(`ssh_read_state',`
 
 	read_files_pattern($1, ssh_t, ssh_t)
 ')
+
+#######################################
+## <summary>
+##	Allow caller to create vsock socket for sshd
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_create_vsock_socket',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:vsock_socket create_stream_socket_perms;
+')

policy/modules/system/init.te

@@ -854,6 +854,7 @@ optional_policy(`
 
 optional_policy(`
 	ssh_getattr_server_keys(init_t)
+	ssh_create_vsock_socket(init_t)
 ')
 
 optional_policy(`

policy/modules/system/systemd.fc

@@ -85,6 +85,7 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
 /usr/lib/systemd/system-generators/systemd-getty-generator	--	gen_context(system_u:object_r:systemd_getty_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	--	gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-rc-local-generator	--	gen_context(system_u:object_r:systemd_rc_local_generator_exec_t,s0)
+/usr/lib/systemd/system-generators/systemd-ssh-generator	--	gen_context(system_u:object_r:systemd_ssh_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-sysv-generator	--	gen_context(system_u:object_r:systemd_sysv_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/zram-generator	--	gen_context(system_u:object_r:systemd_zram_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/.+	--	gen_context(system_u:object_r:systemd_generic_generator_exec_t,s0)

policy/modules/system/systemd.te

@@ -204,6 +204,8 @@ systemd_generator_template(systemd_getty_generator)
 systemd_generator_template(systemd_gpt_generator)
 # rc-local-generator
 systemd_generator_template(systemd_rc_local_generator)
+# ssh-generator
+systemd_generator_template(systemd_ssh_generator)
 # sysv-generator
 systemd_generator_template(systemd_sysv_generator)
 # zram-generator
@@ -1295,6 +1297,18 @@ allow systemd_rc_local_generator_t self:process setfscreate;
 
 init_exec_script_files(systemd_rc_local_generator_t)
 
+### ssh generator
+allow systemd_ssh_generator_t self:process setfscreate;
+allow systemd_ssh_generator_t self:vsock_socket create;
+allow systemd_ssh_generator_t vsock_device_t:chr_file { ioctl open read };
+
+dev_read_sysfs(systemd_ssh_generator_t)
+
+optional_policy(`
+	ssh_domtrans(systemd_ssh_generator_t)
+	ssh_getattr_unit_file(systemd_ssh_generator_t)
+')
+
 ### sysv generator
 init_read_script_files(systemd_sysv_generator_t)
 
@@ -1303,16 +1317,21 @@ allow systemd_zram_generator_t systemd_fstab_generator_unit_file_t:file write_fi
 
 # for systemd-detect-virt - needs to be confined
 corecmd_exec_bin(systemd_zram_generator_t)
+dev_read_sysfs(systemd_zram_generator_t)
 storage_getattr_fixed_disk_dev(systemd_zram_generator_t)
 
 optional_policy(`
 	fstools_domtrans(systemd_zram_generator_t)
 ')
 
+optional_policy(`
+	modutils_domtrans_kmod(systemd_zram_generator_t)
+')
+
 
 #######################################
 #
-# systemd_network_generator domain
+# systemd_network_generator service domain
 #
 
 init_named_pid_filetrans(systemd_network_generator_t, net_conf_t, dir, "network")