securitypolicy

package
v0.10.0-rc.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 12, 2022 License: MIT Imports: 17 Imported by: 2

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var ErrInvalidAllowAllPolicy = errors.New("allow_all cannot be set to 'true' when Containers are non-empty")

Functions

func NewSecurityPolicyDigest added in v0.10.0 

func NewSecurityPolicyDigest(base64policy string) ([]byte, error)

NewSecurityPolicyDigest decodes base64 encoded policy string, computes and returns sha256 digest

func WithPrivilegedMounts added in v0.10.0 

func WithPrivilegedMounts(mounts []oci.Mount) standardEnforcerOpt

WithPrivilegedMounts converts the input mounts to internal mount constraints and extends existing internal mount constraints if the container is allowed to be executed in elevated mode.

Types

type AuthConfig added in v0.10.0 

type AuthConfig struct {
	Username string `json:"username" toml:"username"`
	Password string `json:"password" toml:"password"`
}

AuthConfig contains toml or JSON config for registry authentication.

type ClosedDoorSecurityPolicyEnforcer 

type ClosedDoorSecurityPolicyEnforcer struct {
	// contains filtered or unexported fields
}

func (ClosedDoorSecurityPolicyEnforcer) EncodedSecurityPolicy added in v0.10.0 

func (ClosedDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string

func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(_ string, _ []string, _ []string, _ string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(_ string, _ string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(_ string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceMountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceMountPolicy(_, _ string, _ *oci.Spec) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(_ string, _ []string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceWaitMountPointsPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceWaitMountPointsPolicy(_ string, _ *oci.Spec) error

func (ClosedDoorSecurityPolicyEnforcer) ExtendDefaultMounts added in v0.10.0 

func (ClosedDoorSecurityPolicyEnforcer) ExtendDefaultMounts(_ []oci.Mount) error

type CommandArgs 

type CommandArgs StringArrayMap

func (CommandArgs) MarshalJSON 

func (c CommandArgs) MarshalJSON() ([]byte, error)

type Container 

type Container struct {
	Command         CommandArgs     `json:"command"`
	EnvRules        EnvRules        `json:"env_rules"`
	Layers          Layers          `json:"layers"`
	WorkingDir      string          `json:"working_dir"`
	WaitMountPoints WaitMountPoints `json:"wait_mount_points"`
	Mounts          Mounts          `json:"mounts"`
	AllowElevated   bool            `json:"allow_elevated"`
}

func CreateContainerPolicy added in v0.10.0 

func CreateContainerPolicy(
	command, layers []string,
	envRules []EnvRuleConfig,
	workingDir string,
	eMounts []string,
	mounts []MountConfig,
	allowElevated bool,
) (*Container, error)

CreateContainerPolicy creates a new Container policy instance from the provided constraints or an error if parameter validation fails.

type ContainerConfig added in v0.10.0 

type ContainerConfig struct {
	ImageName       string          `json:"image_name" toml:"image_name"`
	Command         []string        `json:"command" toml:"command"`
	Auth            AuthConfig      `json:"auth" toml:"auth"`
	EnvRules        []EnvRuleConfig `json:"env_rules" toml:"env_rule"`
	WorkingDir      string          `json:"working_dir" toml:"working_dir"`
	WaitMountPoints []string        `json:"wait_mount_points" toml:"wait_mount_points"`
	Mounts          []MountConfig   `json:"mounts" toml:"mount"`
	AllowElevated   bool            `json:"allow_elevated" toml:"allow_elevated"`
}

ContainerConfig contains toml or JSON config for container described in security policy.

type ContainerConfigOpt added in v0.10.0 

type ContainerConfigOpt func(*ContainerConfig) error

func WithAllowElevated added in v0.10.0 

func WithAllowElevated(elevated bool) ContainerConfigOpt

WithAllowElevated allows container to run in an elevated/privileged mode.

func WithCommand added in v0.10.0 

func WithCommand(cmd []string) ContainerConfigOpt

WithCommand sets ContainerConfig.Command in container policy config.

func WithEnvVarRules added in v0.10.0 

func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt

WithEnvVarRules adds environment variable constraints to container policy config.

func WithMountConstraints added in v0.10.0 

func WithMountConstraints(mc []MountConfig) ContainerConfigOpt

WithMountConstraints extends ContainerConfig.Mounts with provided mount constraints.

func WithWaitMountPoints 

func WithWaitMountPoints(em []string) ContainerConfigOpt

WithWaitMountPoints adds expected mounts to container policy config.

func WithWorkingDir added in v0.10.0 

func WithWorkingDir(wd string) ContainerConfigOpt

WithWorkingDir sets working directory in container policy config.

type Containers 

type Containers struct {
	Length   int                  `json:"length"`
	Elements map[string]Container `json:"elements"`
}

func (Containers) MarshalJSON 

func (c Containers) MarshalJSON() ([]byte, error)

type EncodedSecurityPolicy 

type EncodedSecurityPolicy struct {
	SecurityPolicy string `json:"SecurityPolicy,omitempty"`
}

EncodedSecurityPolicy is a JSON representation of SecurityPolicy that has been base64 encoded for storage in an annotation embedded within another JSON configuration

type EnvRuleConfig added in v0.10.0 

type EnvRuleConfig struct {
	Strategy EnvVarRule `json:"strategy" toml:"strategy"`
	Rule     string     `json:"rule" toml:"rule"`
}

EnvRuleConfig contains toml or JSON config for environment variable security policy enforcement.

func NewEnvVarRules added in v0.10.0 

func NewEnvVarRules(envVars []string) []EnvRuleConfig

NewEnvVarRules creates slice of EnvRuleConfig's from environment variables strings slice.

type EnvRules 

type EnvRules struct {
	Length   int                      `json:"length"`
	Elements map[string]EnvRuleConfig `json:"elements"`
}

func (EnvRules) MarshalJSON 

func (e EnvRules) MarshalJSON() ([]byte, error)

type EnvVarRule 

type EnvVarRule string
const (
	EnvVarRuleString EnvVarRule = "string"
	EnvVarRuleRegex  EnvVarRule = "re2"
)

type Layers 

type Layers StringArrayMap

func (Layers) MarshalJSON 

func (l Layers) MarshalJSON() ([]byte, error)

type Mount added in v0.10.0 

type Mount struct {
	Source      string  `json:"source"`
	Destination string  `json:"destination"`
	Type        string  `json:"type"`
	Options     Options `json:"options"`
}

type MountConfig added in v0.10.0 

type MountConfig struct {
	HostPath      string `json:"host_path" toml:"host_path"`
	ContainerPath string `json:"container_path" toml:"container_path"`
	Readonly      bool   `json:"readonly" toml:"readonly"`
}

MountConfig contains toml or JSON config for mount security policy constraint description.

type Mounts added in v0.10.0 

type Mounts struct {
	Length   int              `json:"length"`
	Elements map[string]Mount `json:"elements"`
}

func (Mounts) MarshalJSON added in v0.10.0 

func (m Mounts) MarshalJSON() ([]byte, error)

type OpenDoorSecurityPolicyEnforcer 

type OpenDoorSecurityPolicyEnforcer struct {
	// contains filtered or unexported fields
}

func (*OpenDoorSecurityPolicyEnforcer) EncodedSecurityPolicy added in v0.10.0 

func (oe *OpenDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string

func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(_ string, _ []string, _ []string, _ string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(_ string, _ string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(_ string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceMountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceMountPolicy(_, _ string, _ *oci.Spec) error

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(_ string, _ []string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceWaitMountPointsPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceWaitMountPointsPolicy(_ string, _ *oci.Spec) error

func (OpenDoorSecurityPolicyEnforcer) ExtendDefaultMounts added in v0.10.0 

func (OpenDoorSecurityPolicyEnforcer) ExtendDefaultMounts(_ []oci.Mount) error

type Options added in v0.10.0 

type Options StringArrayMap

func (Options) MarshalJSON added in v0.10.0 

func (o Options) MarshalJSON() ([]byte, error)

type PolicyConfig added in v0.10.0 

type PolicyConfig struct {
	AllowAll   bool              `json:"allow_all" toml:"allow_all"`
	Containers []ContainerConfig `json:"containers" toml:"container"`
}

PolicyConfig contains toml or JSON config for security policy.

type SecurityPolicy 

type SecurityPolicy struct {
	// Flag that when set to true allows for all checks to pass. Currently, used
	// to run with security policy enforcement "running dark"; checks can be in
	// place but the default policy that is created on startup has AllowAll set
	// to true, thus making policy enforcement effectively "off" from a logical
	// standpoint. Policy enforcement isn't actually off as the policy is "allow
	// everything".
	AllowAll bool `json:"allow_all"`
	// One or more containers that are allowed to run
	Containers Containers `json:"containers"`
}

func NewOpenDoorPolicy added in v0.10.0 

func NewOpenDoorPolicy() *SecurityPolicy

NewOpenDoorPolicy creates a new SecurityPolicy with AllowAll set to `true`

func NewSecurityPolicy added in v0.10.0 

func NewSecurityPolicy(allowAll bool, containers []*Container) *SecurityPolicy

NewSecurityPolicy creates a new SecurityPolicy from the provided values.

func (*SecurityPolicy) EncodeToString added in v0.10.0 

func (sp *SecurityPolicy) EncodeToString() (string, error)

EncodeToString returns base64 encoded string representation of SecurityPolicy.

type SecurityPolicyEnforcer 

type SecurityPolicyEnforcer interface {
	EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
	EnforceDeviceUnmountPolicy(unmountTarget string) (err error)
	EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
	EnforceCreateContainerPolicy(containerID string, argList []string, envList []string, workingDir string) (err error)
	EnforceWaitMountPointsPolicy(containerID string, spec *oci.Spec) error
	EnforceMountPolicy(sandboxID, containerID string, spec *oci.Spec) error
	ExtendDefaultMounts([]oci.Mount) error
	EncodedSecurityPolicy() string
}

func NewSecurityPolicyEnforcer 

func NewSecurityPolicyEnforcer(state SecurityPolicyState, eOpts ...standardEnforcerOpt) (SecurityPolicyEnforcer, error)

type SecurityPolicyState 

type SecurityPolicyState struct {
	EncodedSecurityPolicy EncodedSecurityPolicy `json:"EncodedSecurityPolicy,omitempty"`
	SecurityPolicy        `json:"SecurityPolicy,omitempty"`
}

SecurityPolicyState is a structure that holds user supplied policy to enforce we keep both the encoded representation and the unmarshalled representation because different components need to have access to either of these

func NewSecurityPolicyState 

func NewSecurityPolicyState(base64Policy string) (*SecurityPolicyState, error)

NewSecurityPolicyState constructs SecurityPolicyState from base64Policy string. It first decodes base64 policy and returns the security policy struct and encoded security policy for given policy. The security policy is transmitted as json in an annotation, so we first have to remove the base64 encoding that allows the JSON based policy to be passed as a string. From there, we decode the JSON and set up our security policy struct

type StandardSecurityPolicyEnforcer 

type StandardSecurityPolicyEnforcer struct {

	// Containers is the internal representation of users' container policies.
	Containers []*securityPolicyContainer
	// Devices is a mapping between target and a corresponding root hash. Target
	// is a path to a particular block device or its mount point inside UVM and
	// root hash is the dm-verity root hash of that device. Mainly the stored
	// devices represent read-only container layers, but this may change.
	// As the UVM goes through its process of bringing up containers, we have to
	// piece together information about what is going on.
	Devices map[string]string
	// ContainerIndexToContainerIds is a mapping between containers in the
	// SecurityPolicy and possible container IDs that have been created by runc,
	// but have not yet been run.
	//
	// As containers can have exactly the same base image and be "the same" at
	// the time we are doing overlay, the ContainerIndexToContainerIds is a set
	// of possible containers for a given container id. Go doesn't have a set
	// type, so we are doing the idiomatic go thing of using a map[string]struct{}
	// to represent the set.
	ContainerIndexToContainerIds map[int]map[string]struct{}

	// DefaultMounts are mount constraints for container mounts added by CRI and
	// GCS. Since default mounts will be allowed for all containers in the UVM
	// they are not added to each individual policy container and kept as global
	// policy rules.
	DefaultMounts []mountInternal
	// DefaultEnvs are environment variable constraints for variables added
	// by CRI and GCS. Since default envs will be allowed for all containers
	// in the UVM they are not added to each individual policy container and
	// kept as global policy rules.
	DefaultEnvs []EnvRuleConfig
	// contains filtered or unexported fields
}

StandardSecurityPolicyEnforcer implements SecurityPolicyEnforcer interface and is responsible for enforcing various SecurityPolicy constraints.

Most of the work that this security policy enforcer does it around managing state needed to map from a container definition in the SecurityPolicy to a specific container ID as we bring up each container. For example, see EnforceCreateContainerPolicy where most of the functionality is handling the case were policy containers share an overlay and have to try to distinguish them based on the command line arguments, environment variables or working directory.

Containers that share the same base image, and perhaps further information, will have an entry per container instance in the SecurityPolicy. For example, a policy that has two containers that use Ubuntu 18.04 will have an entry for each even if they share the same command line.

func NewStandardSecurityPolicyEnforcer 

func NewStandardSecurityPolicyEnforcer(
	containers []*securityPolicyContainer,
	encoded string,
) *StandardSecurityPolicyEnforcer

func (*StandardSecurityPolicyEnforcer) EncodedSecurityPolicy 

func (pe *StandardSecurityPolicyEnforcer) EncodedSecurityPolicy() string

func (*StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy(
	containerID string,
	argList []string,
	envList []string,
	workingDir string,
) (err error)

EnforceCreateContainerPolicy for StandardSecurityPolicyEnforcer validates the input container command, env and working directory against containers in the SecurityPolicy. The enforcement also narrows down the containers that have the same overlays by comparing their command, env and working directory rules.

Devices and ContainerIndexToContainerIds are used to build up an understanding of the containers running with a UVM as they come up and map them back to a container definition from the user supplied SecurityPolicy

func (*StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)

EnforceDeviceMountPolicy for StandardSecurityPolicyEnforcer validates that the target block device's root hash matches any container in SecurityPolicy. Block device targets with invalid root hashes are rejected.

At the time that devices are being mounted, we do not know a container that they will be used for; only that there is a device with a given root hash that being mounted. We check to make sure that the root hash for the devices is a root hash that exists for 1 or more layers in any container in the supplied SecurityPolicy. Each "seen" layer is recorded in devices as it is mounted.

func (*StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(unmountTarget string) (err error)

EnforceDeviceUnmountPolicy for StandardSecurityPolicyEnforcer first validate that the target mount was one of the allowed devices and then removes it from the mapping.

When proper protocol enforcement is in place, this will also make sure that the device isn't currently used by any running container in an overlay.

func (*StandardSecurityPolicyEnforcer) EnforceMountPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceMountPolicy(sandboxID, containerID string, spec *oci.Spec) (err error)

EnforceMountPolicy for StandardSecurityPolicyEnforcer validates various default mounts injected into container spec by GCS or containerD. As part of the enforcement, the method also narrows down possible container IDs with the same overlay.

func (*StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)

EnforceOverlayMountPolicy for StandardSecurityPolicyEnforcer validates that layerPaths represent a valid overlay file system and is allowed by the SecurityPolicy.

When overlay filesystems created, look up the root hash chain for an incoming overlay and verify it against containers in the policy. Overlay filesystem creation is the first time we have a "container ID" available to us. The container id identifies the container in question going forward. We record the mapping of container index in the policy to a set of possible container IDs so that when we have future operations like "run command" which come with a container ID, we can find the corresponding container index and use that to look up the command in the appropriate security policy container instance.

func (*StandardSecurityPolicyEnforcer) EnforceWaitMountPointsPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceWaitMountPointsPolicy(containerID string, spec *oci.Spec) error

EnforceWaitMountPointsPolicy for StandardSecurityPolicyEnforcer injects a hooks.CreateRuntime hook into container spec and the hook ensures that the expected mounts appear prior container start. At the moment enforcement is expected to take place inside LCOW UVM.

Expected mount is provided as a path under a sandbox mount path inside container, e.g., sandbox mount is at path "/path/in/container" and wait path is "/path/in/container/wait/path", which corresponds to "/run/gcs/c/<podID>/sandboxMounts/path/on/the/host/wait/path"

Iterates through container mounts to identify the correct sandbox mount where the wait path is nested under. The mount spec will be something like: 

{
   "source": "/run/gcs/c/<podID>/sandboxMounts/path/on/host",
   "destination": "/path/in/container"
}

The wait path will be "/path/in/container/wait/path". To find the corresponding sandbox mount do a prefix match on wait path against all container mounts Destination and resolve the full path inside UVM. For example above it becomes "/run/gcs/c/<podID>/sandboxMounts/path/on/host/wait/path"

func (*StandardSecurityPolicyEnforcer) ExtendDefaultMounts added in v0.10.0 

func (pe *StandardSecurityPolicyEnforcer) ExtendDefaultMounts(defaultMounts []oci.Mount) error

ExtendDefaultMounts for StandardSecurityPolicyEnforcer adds default mounts added by CRI and GCS to the list of DefaultMounts, which are always allowed.

type StringArrayMap added in v0.10.0 

type StringArrayMap struct {
	Length   int               `json:"length"`
	Elements map[string]string `json:"elements"`
}

StringArrayMap wraps an array of strings as a string map.

func (StringArrayMap) MarshalJSON added in v0.10.0 

func (s StringArrayMap) MarshalJSON() ([]byte, error)

type WaitMountPoints 

type WaitMountPoints StringArrayMap

func (WaitMountPoints) MarshalJSON 

func (wm WaitMountPoints) MarshalJSON() ([]byte, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.