feat: udev: label device nodes #9779
Conversation
Dockerfile
Outdated
| @@ -731,6 +731,7 @@ COPY --chmod=0644 hack/containerd.toml /rootfs/etc/containerd/config.toml | |||
| COPY --chmod=0644 hack/cri-containerd.toml /rootfs/etc/cri/containerd.toml | |||
| COPY --chmod=0644 hack/cri-plugin.part /rootfs/etc/cri/conf.d/00-base.part | |||
| COPY --chmod=0644 hack/udevd/80-net-name-slot.rules /rootfs/usr/lib/udev/rules.d/ | |||
| COPY --chmod=0644 hack/udevd/xx-selinux.rules /rootfs/usr/lib/udev/rules.d/ | |||
There was a problem hiding this comment.
In what place in order should we place it? Perhaps 99?
There was a problem hiding this comment.
I thought 99 is for user rules? @frezbo ?
So probably somewhere below it?
There was a problem hiding this comment.
90 feels good, maybe we should also do a validation that the user doesn't override these?
There was a problem hiding this comment.
Well, user is the Talos admin, not the k8s admin who we protect the system from. Perhaps should be okay
There was a problem hiding this comment.
I guess it's fine, on second thoughts I believe we allow overwriting existing udev rules, so should be okay
| @@ -0,0 +1,11 @@ | |||
| SUBSYSTEM=="*",SECLABEL{selinux}="system_u:object_r:device_t:s0" | |||
There was a problem hiding this comment.
are these labels like standard? I guess devices can have standard labels
There was a problem hiding this comment.
Apparently (fsuse trans devtmpfs (system_u object_r device_t (systemLow systemLow))) is not sufficient for this to be default
| // Devices labeled by subsystems, labeled by udev | ||
| expectedLabelsDevices := map[string]string{ | ||
| "/dev/rtc0": "system_u:object_r:rtc_device_t:s0", | ||
| "/dev/tpm0": "system_u:object_r:tpm_device_t:s0", |
There was a problem hiding this comment.
hmm /dev/tpm is not available by default on our qemu tests, right? only for secureboot i believe
There was a problem hiding this comment.
Yes. I added an option for test to ignore when file doesn't exist
There was a problem hiding this comment.
actually let's just enable tpm2 for all tests in CI, it shouldn't hurt, better than trying to match on error, probably can do in a different PR
Use udev rules to assign basic device file labels based on their subsystem Signed-off-by: Dmitry Sharshakov <[email protected]>
|
/m |
Use udev rules to assign basic device file labels based on their subsystem
Signed-off-by: Dmitry Sharshakov [email protected]