author | Kenton Groombridge <me@concord.sh> | 2022-03-31 15:09:25 -0400 |
committer | Jason Zaman <perfinion@gentoo.org> | 2022-04-09 12:28:30 -0700 |
commit | dd3730338d07fb8b8a96350f84148eb07ab40769 (patch) | |
tree | 1dcf4f3934e2c00eadd5477ffb65a214aca45cf0 /policy/modules/services/container.te | |
parent | container: allow generic containers to read the vm_overcommit sysctl (diff) | |
container: add tunables to allow containers to access public content
Note that container engines only need read access to these files even if
manage access is enabled.
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules/services/container.te')
-rw-r--r-- | policy/modules/services/container.te | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index d7d27d7cf..fa4145e3d 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -18,6 +18,20 @@ gen_tunable(container_mounton_non_security, false)
 ## <desc>
 ## <p>
+## Allow containers to manage all read-writable public content.
+## </p>
+## </desc>
+gen_tunable(container_manage_public_content, false)
+
+## <desc>
+## <p>
+## Allow containers to read all public content.
+## </p>
+## </desc>
+gen_tunable(container_read_public_content, false)
+
+## <desc>
+## <p>
 ## Allow containers to use NFS filesystems.
 ## </p>
 ## </desc>
@@ -232,6 +246,14 @@ tunable_policy(`container_manage_cgroup',`
 fs_manage_cgroup_files(container_domain)
 ')
+tunable_policy(`container_manage_public_content',`
+ miscfiles_manage_public_files(container_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+ miscfiles_read_public_files(container_domain)
+')
+
 tunable_policy(`container_use_nfs',`
 fs_manage_nfs_dirs(container_domain)
 fs_manage_nfs_files(container_domain)
@@ -515,6 +537,14 @@ ifdef(`init_systemd',`
 init_run_bpf(container_engine_domain)
 ')
+tunable_policy(`container_manage_public_content',`
+ miscfiles_read_public_files(container_engine_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+ miscfiles_read_public_files(container_engine_domain)
+')
+
 tunable_policy(`container_mounton_non_security',`
 files_mounton_non_security(container_engine_domain)
 ') |
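Review bot: The `<desc>` for container_manage_public_content does not say what "read-writable public content" excludes; if miscfiles_manage_public_files follows refpolicy's miscfiles.if it covers only public_content_rw_t, so a system with only this tunable enabled still cannot read public_content_t, whereas container_read_public_content (second `<desc>` in the hunk) covers both types. Consider extending the first description to `## Allow containers to manage all read-writable public content (public_content_rw_t). Read-only public content (public_content_t) additionally requires container_read_public_content.` Both tunables are later applied to the container_domain attribute rather than to a single container type, which appears to make the grant host-wide across every container, and that scope is worth stating in the descriptions since an administrator enabling it for one workload widens the write set for all of them. The two following hunks implement the tunables and need no description change.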
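Review bot: The two tunable_policy blocks added for container_engine_domain in the third hunk have identical bodies, both calling miscfiles_read_public_files, so the engine's read access is written twice and a later change to one is easy to miss in the other. Since the policy conditional language accepts boolean expressions, they can be collapsed into one block: `` tunable_policy(`container_manage_public_content || container_read_public_content',` `` / `	miscfiles_read_public_files(container_engine_domain)` / `')`. The commit message's rationale (engines need only read access even when manage is enabled) is not visible in the .te file itself; repeating it as a `# engines only need read access to public content, even with manage enabled` comment above the merged block would keep the next reader from "fixing" it to manage.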