Index ¶
- Constants
- Variables
- func DefaultPrivilegedCapabilities() []string
- func DefaultUnprivilegedCapabilities() []string
- func EmptyCapabiltiesSet() []string
- func ExtractPolicyDecision(errorMessage string) (string, error)
- func MarshalFragment(namespace string, svn string, containers []*Container, ...) (string, error)
- func MarshalPolicy(marshaller string, allowAll bool, containers []*Container, ...) (string, error)
- func MeasureSeccompProfile(seccomp *specs.LinuxSeccomp) (string, error)
- func NewSecurityPolicyDigest(base64policy string) ([]byte, error)
- func WithPrivilegedMounts(mounts []oci.Mount) standardEnforcerOpt
- type AuthConfig
- type CapabilitiesConfig
- type ClosedDoorSecurityPolicyEnforcer
- func (ClosedDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string
- func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(context.Context, string, string, []string, []string, string, []oci.Mount, bool, ...) (EnvList, *oci.LinuxCapabilities, bool, error)
- func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(context.Context, string, string) error
- func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(context.Context, string) error
- func (ClosedDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error
- func (ClosedDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(context.Context, []string, []string, string) (EnvList, bool, error)
- func (ClosedDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy(context.Context, string, []string, []string, string, bool, IDName, []IDName, ...) (EnvList, *oci.LinuxCapabilities, bool, error)
- func (ClosedDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error
- func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(context.Context, string, []string, string) error
- func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error
- func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error
- func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error
- func (ClosedDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error
- func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy(context.Context, string, bool) error
- func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error
- func (*ClosedDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error
- func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(context.Context, string, syscall.Signal, bool, []string) error
- func (ClosedDoorSecurityPolicyEnforcer) ExtendDefaultMounts(_ []oci.Mount) error
- func (ClosedDoorSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error)
- func (ClosedDoorSecurityPolicyEnforcer) LoadFragment(context.Context, string, string, string) error
- type CommandArgs
- type Container
- type ContainerConfig
- type ContainerConfigOpt
- func WithAllowElevated(elevated bool) ContainerConfigOpt
- func WithAllowPrivilegeEscalation(allow bool) ContainerConfigOpt
- func WithAllowStdioAccess(stdio bool) ContainerConfigOpt
- func WithCapabilities(capabilities *CapabilitiesConfig) ContainerConfigOpt
- func WithCommand(cmd []string) ContainerConfigOpt
- func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt
- func WithExecProcesses(execs []ExecProcessConfig) ContainerConfigOpt
- func WithMountConstraints(mc []MountConfig) ContainerConfigOpt
- func WithSeccompProfilePath(path string) ContainerConfigOpt
- func WithUser(user UserConfig) ContainerConfigOpt
- func WithWorkingDir(wd string) ContainerConfigOpt
- type Containers
- type EncodedSecurityPolicy
- type EnvList
- type EnvRuleConfig
- type EnvRules
- type EnvVarRule
- type ExecProcessConfig
- type ExternalProcessConfig
- type FragmentConfig
- type IDName
- type IDNameConfig
- type IDNameStrategy
- type Layers
- type Mount
- type MountConfig
- type Mounts
- type OpenDoorSecurityPolicyEnforcer
- func (oe *OpenDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string
- func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(_ context.Context, _, _ string, _ []string, envList []string, _ string, ...) (EnvList, *oci.LinuxCapabilities, bool, error)
- func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(context.Context, string, string) error
- func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(context.Context, string) error
- func (OpenDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error
- func (OpenDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(_ context.Context, _ []string, envList []string, _ string) (EnvList, bool, error)
- func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy(_ context.Context, _ string, _ []string, envList []string, _ string, _ bool, ...) (EnvList, *oci.LinuxCapabilities, bool, error)
- func (OpenDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error
- func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(context.Context, string, []string, string) error
- func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error
- func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error
- func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error
- func (OpenDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error
- func (OpenDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy(context.Context, string, bool) error
- func (OpenDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error
- func (*OpenDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error
- func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(context.Context, string, syscall.Signal, bool, []string) error
- func (OpenDoorSecurityPolicyEnforcer) ExtendDefaultMounts([]oci.Mount) error
- func (OpenDoorSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error)
- func (OpenDoorSecurityPolicyEnforcer) LoadFragment(context.Context, string, string, string) error
- type Options
- type PolicyConfig
- type PolicyConfigOpt
- func WithAllowCapabilityDropping(allow bool) PolicyConfigOpt
- func WithAllowDumpStacks(allow bool) PolicyConfigOpt
- func WithAllowEnvVarDropping(allow bool) PolicyConfigOpt
- func WithAllowPropertiesAccess(allow bool) PolicyConfigOpt
- func WithAllowRuntimeLogging(allow bool) PolicyConfigOpt
- func WithAllowUnencryptedScratch(allow bool) PolicyConfigOpt
- func WithContainers(containers []ContainerConfig) PolicyConfigOpt
- func WithExternalProcesses(processes []ExternalProcessConfig) PolicyConfigOpt
- type SecurityPolicy
- type SecurityPolicyEnforcer
- type StandardSecurityPolicyEnforcer
- func (pe *StandardSecurityPolicyEnforcer) EncodedSecurityPolicy() string
- func (pe *StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy(ctx context.Context, sandboxID string, containerID string, argList []string, ...) (allowedEnvs EnvList, allowedCapabilities *oci.LinuxCapabilities, ...)
- func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(ctx context.Context, target string, deviceHash string) (err error)
- func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(ctx context.Context, unmountTarget string) (err error)
- func (*StandardSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error
- func (*StandardSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(_ context.Context, _ []string, envList []string, _ string) (EnvList, bool, error)
- func (*StandardSecurityPolicyEnforcer) EnforceExecInContainerPolicy(_ context.Context, _ string, _ []string, envList []string, _ string, _ bool, ...) (EnvList, *oci.LinuxCapabilities, bool, error)
- func (*StandardSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error
- func (pe *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(ctx context.Context, containerID string, layerPaths []string, target string) (err error)
- func (*StandardSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error
- func (*StandardSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error
- func (*StandardSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error
- func (*StandardSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error
- func (StandardSecurityPolicyEnforcer) EnforceScratchMountPolicy(context.Context, string, bool) error
- func (StandardSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error
- func (*StandardSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error
- func (*StandardSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(context.Context, string, syscall.Signal, bool, []string) error
- func (pe *StandardSecurityPolicyEnforcer) ExtendDefaultMounts(defaultMounts []oci.Mount) error
- func (StandardSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error)
- func (*StandardSecurityPolicyEnforcer) LoadFragment(context.Context, string, string, string) error
- type StringArrayMap
- type UserConfig
Constants ¶
const (
	// SecurityContextDirTemplate is the name pattern of the directory that
	// holds the files named below; the trailing "*" reads as a glob or
	// temp-dir template — confirm against the code that creates it.
	SecurityContextDirTemplate = "security-context-*"
	// PolicyFilename names the file carrying the base64-encoded security policy.
	PolicyFilename = "security-policy-base64"
	// HostAMDCertFilename names the file carrying the base64-encoded host AMD certificate.
	HostAMDCertFilename = "host-amd-cert-base64"
	// ReferenceInfoFilename names the file carrying the base64-encoded reference info.
	ReferenceInfoFilename = "reference-info-base64"
)
Variables ¶
// APICode is apiCodeTemplate with the first occurrence of the
// "@@API_VERSION@@" placeholder replaced by apiVersion.
var APICode = strings.Replace(apiCodeTemplate, "@@API_VERSION@@", apiVersion, 1)
// ErrInvalidOpenDoorPolicy is returned when a policy sets allow_all to true
// while also listing containers; an open-door policy and explicit container
// constraints are mutually exclusive.
var ErrInvalidOpenDoorPolicy = errors.New("allow_all cannot be set to 'true' when Containers are non-empty")
// FrameworkCode is frameworkCodeTemplate with the first occurrence of the
// "@@FRAMEWORK_VERSION@@" placeholder replaced by frameworkVersion.
var FrameworkCode = strings.Replace(frameworkCodeTemplate, "@@FRAMEWORK_VERSION@@", frameworkVersion, 1)
Functions ¶
func DefaultPrivilegedCapabilities ¶ added in v0.10.0
func DefaultPrivilegedCapabilities() []string
func DefaultUnprivilegedCapabilities ¶ added in v0.10.0
func DefaultUnprivilegedCapabilities() []string
func EmptyCapabiltiesSet ¶ added in v0.10.0
func EmptyCapabiltiesSet() []string
func ExtractPolicyDecision ¶ added in v0.10.0
func MarshalFragment ¶ added in v0.10.0
func MarshalFragment( namespace string, svn string, containers []*Container, externalProcesses []ExternalProcessConfig, fragments []FragmentConfig) (string, error)
func MarshalPolicy ¶ added in v0.10.0
func MarshalPolicy( marshaller string, allowAll bool, containers []*Container, externalProcesses []ExternalProcessConfig, fragments []FragmentConfig, allowPropertiesAccess bool, allowDumpStacks bool, allowRuntimeLogging bool, allowEnvironmentVariableDropping bool, allowUnencryptedScratch bool, allowCapbilitiesDropping bool, ) (string, error)
func MeasureSeccompProfile ¶ added in v0.10.0
func NewSecurityPolicyDigest ¶ added in v0.10.0
NewSecurityPolicyDigest decodes the base64-encoded policy string, then computes and returns its SHA-256 digest.
func WithPrivilegedMounts ¶ added in v0.10.0
WithPrivilegedMounts converts the input mounts to internal mount constraints and extends the existing internal mount constraints if the container is allowed to run in elevated mode.
Types ¶
type AuthConfig ¶ added in v0.10.0
// AuthConfig contains toml or JSON config for registry authentication.
type AuthConfig struct {
	// Username is the registry login name.
	Username string `json:"username" toml:"username"`
	// Password is the registry credential. The tags serialize it as a plain
	// string, so a policy config file containing it must be protected like
	// any other secret.
	Password string `json:"password" toml:"password"`
}
AuthConfig contains toml or JSON config for registry authentication.
type CapabilitiesConfig ¶ added in v0.10.0
// CapabilitiesConfig contains the toml or JSON config for the capabilities
// security policy constraint description. Each field names the capabilities
// for the like-named set of oci.LinuxCapabilities; presumably the set the
// container is permitted to hold in that category — confirm in the enforcer.
type CapabilitiesConfig struct {
	Bounding    []string `json:"bounding" toml:"bounding"`
	Effective   []string `json:"effective" toml:"effective"`
	Inheritable []string `json:"inheritable" toml:"inheritable"`
	Permitted   []string `json:"permitted" toml:"permitted"`
	Ambient     []string `json:"ambient" toml:"ambient"`
}
CapabilitiesConfig contains the toml or JSON config for the capabilities security policy constraint description.
type ClosedDoorSecurityPolicyEnforcer ¶
type ClosedDoorSecurityPolicyEnforcer struct {
// contains filtered or unexported fields
}
func (ClosedDoorSecurityPolicyEnforcer) EncodedSecurityPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string
func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy ¶
func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy ¶
func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy ¶
func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(context.Context, string) error
func (ClosedDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error
func (ClosedDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error
func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy ¶
func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error
func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy ¶ added in v0.10.0
func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error
func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy ¶ added in v0.10.0
func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error
func (ClosedDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error
func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error
func (*ClosedDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy ¶ added in v0.10.0
func (*ClosedDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error
func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) ExtendDefaultMounts ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) ExtendDefaultMounts(_ []oci.Mount) error
func (ClosedDoorSecurityPolicyEnforcer) GetUserInfo ¶ added in v0.10.0
func (ClosedDoorSecurityPolicyEnforcer) LoadFragment ¶ added in v0.10.0
type CommandArgs ¶
type CommandArgs StringArrayMap
func (CommandArgs) MarshalJSON ¶
func (c CommandArgs) MarshalJSON() ([]byte, error)
type Container ¶
// Container is the internal policy description of a single container.
// Only the fields with a json tag other than "-" are part of the struct's
// JSON encoding; the remaining fields are consumed elsewhere when the policy
// is built (see CreateContainerPolicy) — confirm in the marshalling code.
type Container struct {
	Command       CommandArgs `json:"command"`
	EnvRules      EnvRules    `json:"env_rules"`
	Layers        Layers      `json:"layers"`
	WorkingDir    string      `json:"working_dir"`
	Mounts        Mounts      `json:"mounts"`
	AllowElevated bool        `json:"allow_elevated"`
	// Fields below are excluded from the JSON encoding.
	ExecProcesses    []ExecProcessConfig `json:"-"`
	Signals          []syscall.Signal    `json:"-"`
	AllowStdioAccess bool                `json:"-"`
	NoNewPrivileges  bool                `json:"-"`
	User             UserConfig          `json:"-"`
	Capabilities     *CapabilitiesConfig `json:"-"`
	// SeccompProfileSHA256 is the digest of the seccomp profile, not the
	// profile itself (see MeasureSeccompProfile).
	SeccompProfileSHA256 string `json:"-"`
}
func CreateContainerPolicy ¶ added in v0.10.0
func CreateContainerPolicy( command, layers []string, envRules []EnvRuleConfig, workingDir string, mounts []MountConfig, allowElevated bool, execProcesses []ExecProcessConfig, signals []syscall.Signal, allowStdioAccess bool, noNewPrivileges bool, user UserConfig, capabilities *CapabilitiesConfig, seccompProfileSHA256 string, ) (*Container, error)
CreateContainerPolicy creates a new Container policy instance from the provided constraints or an error if parameter validation fails.
type ContainerConfig ¶ added in v0.10.0
// ContainerConfig contains toml or JSON config for a container described in
// the security policy. Note that several toml keys are singular
// ("env_rule", "mount", "exec_process") while the JSON keys are plural.
type ContainerConfig struct {
	ImageName string   `json:"image_name" toml:"image_name"`
	Command   []string `json:"command" toml:"command"`
	// Auth carries registry credentials; see AuthConfig.
	Auth     AuthConfig      `json:"auth" toml:"auth"`
	EnvRules []EnvRuleConfig `json:"env_rules" toml:"env_rule"`
	WorkingDir string        `json:"working_dir" toml:"working_dir"`
	Mounts     []MountConfig `json:"mounts" toml:"mount"`
	// AllowElevated permits the container to run in elevated/privileged mode.
	AllowElevated bool                `json:"allow_elevated" toml:"allow_elevated"`
	ExecProcesses []ExecProcessConfig `json:"exec_processes" toml:"exec_process"`
	Signals       []syscall.Signal    `json:"signals" toml:"signals"`
	AllowStdioAccess bool `json:"allow_stdio_access" toml:"allow_stdio_access"`
	// AllowPrivilegeEscalation, when true, clears the NoNewPrivileges flag
	// (see WithAllowPrivilegeEscalation).
	AllowPrivilegeEscalation bool `json:"allow_privilege_escalation" toml:"allow_privilege_escalation"`
	// User and Capabilities are pointers and so optional in the config.
	User         *UserConfig         `json:"user" toml:"user"`
	Capabilities *CapabilitiesConfig `json:"capabilities" toml:"capabilities"`
	// SeccompProfilePath points at the profile file; presumably it is
	// measured into Container.SeccompProfileSHA256 — confirm.
	SeccompProfilePath string `json:"seccomp_profile_path" toml:"seccomp_profile_path"`
}
ContainerConfig contains toml or JSON config for container described in security policy.
type ContainerConfigOpt ¶ added in v0.10.0
type ContainerConfigOpt func(config *ContainerConfig) error
func WithAllowElevated ¶ added in v0.10.0
func WithAllowElevated(elevated bool) ContainerConfigOpt
WithAllowElevated allows container to run in an elevated/privileged mode.
func WithAllowPrivilegeEscalation ¶ added in v0.10.0
func WithAllowPrivilegeEscalation(allow bool) ContainerConfigOpt
WithAllowPrivilegeEscalation allows privilege escalation by clearing the NoNewPrivileges flag.
func WithAllowStdioAccess ¶ added in v0.10.0
func WithAllowStdioAccess(stdio bool) ContainerConfigOpt
WithAllowStdioAccess enables or disables container init process stdio.
func WithCapabilities ¶ added in v0.10.0
func WithCapabilities(capabilities *CapabilitiesConfig) ContainerConfigOpt
WithCapabilities sets capabilities in container policy config.
func WithCommand ¶ added in v0.10.0
func WithCommand(cmd []string) ContainerConfigOpt
WithCommand sets ContainerConfig.Command in container policy config.
func WithEnvVarRules ¶ added in v0.10.0
func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt
WithEnvVarRules adds environment variable constraints to container policy config.
func WithExecProcesses ¶ added in v0.10.0
func WithExecProcesses(execs []ExecProcessConfig) ContainerConfigOpt
WithExecProcesses allows specified exec processes.
func WithMountConstraints ¶ added in v0.10.0
func WithMountConstraints(mc []MountConfig) ContainerConfigOpt
WithMountConstraints extends ContainerConfig.Mounts with provided mount constraints.
func WithSeccompProfilePath ¶ added in v0.10.0
func WithSeccompProfilePath(path string) ContainerConfigOpt
WithSeccompProfilePath sets seccomp profile path in container policy config.
func WithUser ¶ added in v0.10.0
func WithUser(user UserConfig) ContainerConfigOpt
WithUser sets user in container policy config.
func WithWorkingDir ¶ added in v0.10.0
func WithWorkingDir(wd string) ContainerConfigOpt
WithWorkingDir sets working directory in container policy config.
type Containers ¶
// Containers is the policy's container collection as serialized by its
// MarshalJSON method.
type Containers struct {
	// Length is the entry count; NOTE(review): it duplicates len(Elements),
	// so the two must be kept in sync — confirm MarshalJSON derives it.
	Length int `json:"length"`
	// Elements is keyed by string; the key format is decided by MarshalJSON.
	Elements map[string]Container `json:"elements"`
}
func (Containers) MarshalJSON ¶
func (c Containers) MarshalJSON() ([]byte, error)
type EncodedSecurityPolicy ¶
// EncodedSecurityPolicy is the JSON wrapper around a base64-encoded
// SecurityPolicy, used when the policy is stored in an annotation.
type EncodedSecurityPolicy struct {
	// SecurityPolicy is the base64 string; omitted from JSON when empty.
	SecurityPolicy string `json:"SecurityPolicy,omitempty"`
}
EncodedSecurityPolicy is a JSON representation of SecurityPolicy that has been base64-encoded for storage in an annotation embedded within another JSON configuration.
type EnvRuleConfig ¶ added in v0.10.0
// EnvRuleConfig contains toml or JSON config for environment variable
// security policy enforcement.
type EnvRuleConfig struct {
	// Strategy selects how Rule is matched: EnvVarRuleString or EnvVarRuleRegex.
	Strategy EnvVarRule `json:"strategy" toml:"strategy"`
	// Rule is the literal or RE2 pattern, per Strategy.
	Rule string `json:"rule" toml:"rule"`
	// Required marks the variable as mandatory — confirm how the enforcer
	// treats a missing required variable.
	Required bool `json:"required" toml:"required"`
}
EnvRuleConfig contains toml or JSON config for environment variable security policy enforcement.
func NewEnvVarRules ¶ added in v0.10.0
func NewEnvVarRules(envVars []string, required bool) []EnvRuleConfig
NewEnvVarRules creates a slice of EnvRuleConfig values from a slice of environment variable strings.
type EnvRules ¶
// EnvRules is the policy's environment rule collection as serialized by its
// MarshalJSON method.
type EnvRules struct {
	// Length is the entry count; NOTE(review): it duplicates len(Elements),
	// so the two must be kept in sync — confirm MarshalJSON derives it.
	Length int `json:"length"`
	// Elements is keyed by string; the key format is decided by MarshalJSON.
	Elements map[string]EnvRuleConfig `json:"elements"`
}
func (EnvRules) MarshalJSON ¶
type EnvVarRule ¶
type EnvVarRule string
const (
	// EnvVarRuleString matches the rule as a literal string.
	EnvVarRuleString EnvVarRule = "string"
	// EnvVarRuleRegex matches the rule as an RE2 regular expression.
	EnvVarRuleRegex EnvVarRule = "re2"
)
type ExecProcessConfig ¶ added in v0.10.0
// ExecProcessConfig contains toml or JSON config for an exec process
// security policy constraint description.
type ExecProcessConfig struct {
	// Command is the argument list the exec process is allowed to run with.
	Command []string `json:"command" toml:"command"`
	// Signals lists the signals that may be sent to the process.
	Signals []syscall.Signal `json:"signals" toml:"signals"`
}
ExecProcessConfig contains toml or JSON config for an exec process security policy constraint description.
type ExternalProcessConfig ¶ added in v0.10.0
// ExternalProcessConfig contains toml or JSON config for running external
// processes in the UVM (outside any container).
type ExternalProcessConfig struct {
	Command    []string `json:"command" toml:"command"`
	WorkingDir string   `json:"working_dir" toml:"working_dir"`
	// AllowStdioAccess controls whether the process may use stdio.
	AllowStdioAccess bool `json:"allow_stdio_access" toml:"allow_stdio_access"`
}
ExternalProcessConfig contains toml or JSON config for running external processes in the UVM.
type FragmentConfig ¶ added in v0.10.0
// FragmentConfig contains toml or JSON config for including elements from
// policy fragments.
type FragmentConfig struct {
	// Issuer and Feed identify the fragment source (they are also the
	// parameters of SecurityPolicyEnforcer.LoadFragment).
	Issuer string `json:"issuer" toml:"issuer"`
	Feed   string `json:"feed" toml:"feed"`
	// MinimumSVN is the lowest security version number accepted for the
	// fragment; it is a string, so compare it as the enforcer does, not
	// numerically — confirm.
	MinimumSVN string `json:"minimum_svn" toml:"minimum_svn"`
	// Includes lists which elements of the fragment are pulled in.
	Includes []string `json:"includes" toml:"include"`
}
FragmentConfig contains toml or JSON config for including elements from fragments.
type IDNameConfig ¶ added in v0.10.0
// IDNameConfig describes how a user or group identity is matched.
type IDNameConfig struct {
	// Strategy selects the match kind; see the IDNameStrategy constants.
	Strategy IDNameStrategy `json:"strategy" toml:"strategy"`
	// Rule is the value matched according to Strategy (unused for
	// IDNameStrategyAny, presumably).
	Rule string `json:"rule" toml:"rule"`
}
type IDNameStrategy ¶ added in v0.10.0
type IDNameStrategy string
const (
	// IDNameStrategyName matches on the user or group name.
	IDNameStrategyName IDNameStrategy = "name"
	// IDNameStrategyID matches on the numeric id.
	IDNameStrategyID IDNameStrategy = "id"
	// IDNameStrategyRegex matches the rule as an RE2 regular expression.
	IDNameStrategyRegex IDNameStrategy = "re2"
	// IDNameStrategyAny accepts any identity; the least restrictive option.
	IDNameStrategyAny IDNameStrategy = "any"
)
type MountConfig ¶ added in v0.10.0
// MountConfig contains toml or JSON config for a mount security policy
// constraint description.
type MountConfig struct {
	// HostPath is the source path on the host/UVM side.
	HostPath string `json:"host_path" toml:"host_path"`
	// ContainerPath is the destination inside the container.
	ContainerPath string `json:"container_path" toml:"container_path"`
	// Readonly constrains the mount to read-only.
	Readonly bool `json:"readonly" toml:"readonly"`
}
MountConfig contains toml or JSON config for mount security policy constraint description.
type Mounts ¶ added in v0.10.0
func (Mounts) MarshalJSON ¶ added in v0.10.0
type OpenDoorSecurityPolicyEnforcer ¶
type OpenDoorSecurityPolicyEnforcer struct {
// contains filtered or unexported fields
}
func (*OpenDoorSecurityPolicyEnforcer) EncodedSecurityPolicy ¶ added in v0.10.0
func (oe *OpenDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string
func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy ¶
func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy ¶
func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy ¶
func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(context.Context, string) error
func (OpenDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error
func (OpenDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error
func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy ¶
func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error
func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy ¶ added in v0.10.0
func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error
func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy ¶ added in v0.10.0
func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error
func (OpenDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error
func (OpenDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error
func (*OpenDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy ¶ added in v0.10.0
func (*OpenDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error
func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) ExtendDefaultMounts ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) ExtendDefaultMounts([]oci.Mount) error
func (OpenDoorSecurityPolicyEnforcer) GetUserInfo ¶ added in v0.10.0
func (OpenDoorSecurityPolicyEnforcer) LoadFragment ¶ added in v0.10.0
type Options ¶ added in v0.10.0
type Options StringArrayMap
func (Options) MarshalJSON ¶ added in v0.10.0
type PolicyConfig ¶ added in v0.10.0
// PolicyConfig contains toml or JSON config for a security policy.
type PolicyConfig struct {
	// AllowAll, when true, makes every check pass. It cannot be combined
	// with a non-empty Containers list (see ErrInvalidOpenDoorPolicy).
	AllowAll   bool              `json:"allow_all" toml:"allow_all"`
	Containers []ContainerConfig `json:"containers" toml:"container"`
	ExternalProcesses []ExternalProcessConfig `json:"external_processes" toml:"external_process"`
	Fragments         []FragmentConfig        `json:"fragments" toml:"fragment"`
	// The Allow* flags below widen what the policy permits; each maps to
	// a WithAllow* PolicyConfigOpt.
	AllowPropertiesAccess            bool `json:"allow_properties_access" toml:"allow_properties_access"`
	AllowDumpStacks                  bool `json:"allow_dump_stacks" toml:"allow_dump_stacks"`
	AllowRuntimeLogging              bool `json:"allow_runtime_logging" toml:"allow_runtime_logging"`
	AllowEnvironmentVariableDropping bool `json:"allow_environment_variable_dropping" toml:"allow_environment_variable_dropping"`
	// AllowUnencryptedScratch is a global policy configuration that allows
	// all containers within a pod to be run without scratch encryption.
	AllowUnencryptedScratch bool `json:"allow_unencrypted_scratch" toml:"allow_unencrypted_scratch"`
	AllowCapabilityDropping bool `json:"allow_capability_dropping" toml:"allow_capability_dropping"`
}
PolicyConfig contains toml or JSON config for security policy.
func NewPolicyConfig ¶ added in v0.10.0
func NewPolicyConfig(opts ...PolicyConfigOpt) (*PolicyConfig, error)
type PolicyConfigOpt ¶ added in v0.10.0
type PolicyConfigOpt func(config *PolicyConfig) error
func WithAllowCapabilityDropping ¶ added in v0.10.0
func WithAllowCapabilityDropping(allow bool) PolicyConfigOpt
func WithAllowDumpStacks ¶ added in v0.10.0
func WithAllowDumpStacks(allow bool) PolicyConfigOpt
func WithAllowEnvVarDropping ¶ added in v0.10.0
func WithAllowEnvVarDropping(allow bool) PolicyConfigOpt
func WithAllowPropertiesAccess ¶ added in v0.10.0
func WithAllowPropertiesAccess(allow bool) PolicyConfigOpt
func WithAllowRuntimeLogging ¶ added in v0.10.0
func WithAllowRuntimeLogging(allow bool) PolicyConfigOpt
func WithAllowUnencryptedScratch ¶ added in v0.10.0
func WithAllowUnencryptedScratch(allow bool) PolicyConfigOpt
func WithContainers ¶ added in v0.10.0
func WithContainers(containers []ContainerConfig) PolicyConfigOpt
WithContainers adds containers to security policy.
func WithExternalProcesses ¶ added in v0.10.0
func WithExternalProcesses(processes []ExternalProcessConfig) PolicyConfigOpt
type SecurityPolicy ¶
// SecurityPolicy is the policy document; EncodeToString returns its base64
// form and NewSecurityPolicyDigest hashes that encoding.
type SecurityPolicy struct {
	// Flag that when set to true allows for all checks to pass. Currently, used
	// to run with security policy enforcement "running dark"; checks can be in
	// place but the default policy that is created on startup has AllowAll set
	// to true, thus making policy enforcement effectively "off" from a logical
	// standpoint. Policy enforcement isn't actually off as the policy is "allow
	// everything".
	AllowAll bool `json:"allow_all"`
	// One or more containers that are allowed to run
	Containers Containers `json:"containers"`
}
func NewOpenDoorPolicy ¶ added in v0.10.0
func NewOpenDoorPolicy() *SecurityPolicy
NewOpenDoorPolicy creates a new SecurityPolicy with AllowAll set to `true`.
func NewSecurityPolicy ¶ added in v0.10.0
func NewSecurityPolicy(allowAll bool, containers []*Container) *SecurityPolicy
NewSecurityPolicy creates a new SecurityPolicy from the provided values.
func (*SecurityPolicy) EncodeToString ¶ added in v0.10.0
func (sp *SecurityPolicy) EncodeToString() (string, error)
EncodeToString returns base64 encoded string representation of SecurityPolicy.
type SecurityPolicyEnforcer ¶
// SecurityPolicyEnforcer is the set of checks consulted before each
// security-relevant operation in the UVM. A non-nil error from an Enforce*
// method denies the operation. Methods that also return an EnvList or
// *oci.LinuxCapabilities hand back the values the caller should apply;
// the AllowEnvironmentVariableDropping / AllowCapabilityDropping policy
// options suggest these may be a filtered subset of the input — confirm
// in the implementation.
type SecurityPolicyEnforcer interface {
	// Device mounts are identified by target path and dm-verity root hash.
	EnforceDeviceMountPolicy(ctx context.Context, target string, deviceHash string) (err error)
	EnforceDeviceUnmountPolicy(ctx context.Context, unmountTarget string) (err error)
	// Overlay mounts are checked per container against the layer paths.
	EnforceOverlayMountPolicy(ctx context.Context, containerID string, layerPaths []string, target string) (err error)
	EnforceOverlayUnmountPolicy(ctx context.Context, target string) (err error)
	// EnforceCreateContainerPolicy checks the full container spec (args,
	// env, mounts, user/groups, capabilities, seccomp digest) at creation
	// time. The bool result's meaning is not visible here — confirm.
	EnforceCreateContainerPolicy(
		ctx context.Context,
		sandboxID string,
		containerID string,
		argList []string,
		envList []string,
		workingDir string,
		mounts []oci.Mount,
		privileged bool,
		noNewPrivileges bool,
		user IDName,
		groups []IDName,
		umask string,
		capabilities *oci.LinuxCapabilities,
		seccompProfileSHA256 string,
	) (EnvList, *oci.LinuxCapabilities, bool, error)
	// ExtendDefaultMounts registers mounts that are allowed for every container.
	ExtendDefaultMounts([]oci.Mount) error
	// EncodedSecurityPolicy returns the policy in its encoded form.
	EncodedSecurityPolicy() string
	// EnforceExecInContainerPolicy checks an exec into an existing container.
	EnforceExecInContainerPolicy(
		ctx context.Context,
		containerID string,
		argList []string,
		envList []string,
		workingDir string,
		noNewPrivileges bool,
		user IDName,
		groups []IDName,
		umask string,
		capabilities *oci.LinuxCapabilities,
	) (EnvList, *oci.LinuxCapabilities, bool, error)
	// EnforceExecExternalProcessPolicy checks a process run in the UVM outside any container.
	EnforceExecExternalProcessPolicy(ctx context.Context, argList []string, envList []string, workingDir string) (EnvList, bool, error)
	EnforceShutdownContainerPolicy(ctx context.Context, containerID string) error
	// Signals are checked against the process that was started with startupArgList.
	EnforceSignalContainerProcessPolicy(ctx context.Context, containerID string, signal syscall.Signal, isInitProcess bool, startupArgList []string) error
	EnforcePlan9MountPolicy(ctx context.Context, target string) (err error)
	EnforcePlan9UnmountPolicy(ctx context.Context, target string) (err error)
	// The following gate diagnostic surfaces (properties, stack dumps,
	// runtime logging) that can expose workload state.
	EnforceGetPropertiesPolicy(ctx context.Context) error
	EnforceDumpStacksPolicy(ctx context.Context) error
	EnforceRuntimeLoggingPolicy(ctx context.Context) (err error)
	// LoadFragment admits policy code from the given issuer and feed.
	LoadFragment(ctx context.Context, issuer string, feed string, code string) error
	// Scratch mounts carry whether the backing storage is encrypted; see
	// PolicyConfig.AllowUnencryptedScratch.
	EnforceScratchMountPolicy(ctx context.Context, scratchPath string, encrypted bool) (err error)
	EnforceScratchUnmountPolicy(ctx context.Context, scratchPath string) (err error)
	// GetUserInfo resolves the user, groups and umask for a container process.
	GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error)
}
func CreateSecurityPolicyEnforcer ¶ added in v0.10.0
func CreateSecurityPolicyEnforcer( enforcer string, base64EncodedPolicy string, criMounts, criPrivilegedMounts []oci.Mount, maxErrorMessageLength int, ) (SecurityPolicyEnforcer, error)
CreateSecurityPolicyEnforcer returns an appropriate enforcer for the input parameters. When `enforcer` isn't specified, it returns either an AllowAll or the default enforcer. It returns an error if the requested `enforcer` implementation isn't registered.
type StandardSecurityPolicyEnforcer ¶
// StandardSecurityPolicyEnforcer implements the SecurityPolicyEnforcer interface
// and is responsible for enforcing various SecurityPolicy constraints. Most of
// its work is managing the state needed to map from a container definition in
// the SecurityPolicy to a specific container ID as each container is brought up.
type StandardSecurityPolicyEnforcer struct {
	// Containers is the internal representation of users' container policies.
	Containers []*securityPolicyContainer
	// Devices is a mapping between target and a corresponding root hash. Target
	// is a path to a particular block device or its mount point inside UVM and
	// root hash is the dm-verity root hash of that device. Mainly the stored
	// devices represent read-only container layers, but this may change.
	// As the UVM goes through its process of bringing up containers, we have to
	// piece together information about what is going on; this map records each
	// device "seen" by EnforceDeviceMountPolicy.
	Devices map[string]string
	// ContainerIndexToContainerIds is a mapping between containers in the
	// SecurityPolicy and possible container IDs that have been created by runc,
	// but have not yet been run.
	//
	// As containers can have exactly the same base image and be "the same" at
	// the time we are doing overlay, the ContainerIndexToContainerIds is a set
	// of possible containers for a given container id. Go doesn't have a set
	// type, so we are doing the idiomatic go thing of using a map[string]struct{}
	// to represent the set.
	ContainerIndexToContainerIds map[int]map[string]struct{}
	// DefaultMounts are mount constraints for container mounts added by CRI and
	// GCS. Since default mounts will be allowed for all containers in the UVM
	// they are not added to each individual policy container and kept as global
	// policy rules.
	DefaultMounts []mountInternal
	// DefaultEnvs are environment variable constraints for variables added
	// by CRI and GCS. Since default envs will be allowed for all containers
	// in the UVM they are not added to each individual policy container and
	// kept as global policy rules.
	DefaultEnvs []EnvRuleConfig
	// contains filtered or unexported fields
}
StandardSecurityPolicyEnforcer implements the SecurityPolicyEnforcer interface and is responsible for enforcing various SecurityPolicy constraints.
Most of the work that this security policy enforcer does is around managing the state needed to map from a container definition in the SecurityPolicy to a specific container ID as we bring up each container. For example, see EnforceCreateContainerPolicy, where most of the functionality is handling the case where policy containers share an overlay and have to be distinguished based on their command line arguments, environment variables or working directory.
Containers that share the same base image, and perhaps further information, will have an entry per container instance in the SecurityPolicy. For example, a policy that has two containers that use Ubuntu 18.04 will have an entry for each even if they share the same command line.
func NewStandardSecurityPolicyEnforcer ¶
func NewStandardSecurityPolicyEnforcer( containers []*securityPolicyContainer, encoded string, ) *StandardSecurityPolicyEnforcer
func (*StandardSecurityPolicyEnforcer) EncodedSecurityPolicy ¶
func (pe *StandardSecurityPolicyEnforcer) EncodedSecurityPolicy() string
func (*StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy ¶
func (pe *StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy( ctx context.Context, sandboxID string, containerID string, argList []string, envList []string, workingDir string, mounts []oci.Mount, privileged bool, noNewPrivileges bool, user IDName, groups []IDName, umask string, caps *oci.LinuxCapabilities, seccomp string, ) (allowedEnvs EnvList, allowedCapabilities *oci.LinuxCapabilities, stdioAccessAllowed bool, err error)
EnforceCreateContainerPolicy for StandardSecurityPolicyEnforcer validates the input container command, env and working directory against containers in the SecurityPolicy. The enforcement also narrows down the containers that have the same overlays by comparing their command, env and working directory rules.
Devices and ContainerIndexToContainerIds are used to build up an understanding of the containers running with a UVM as they come up and map them back to a container definition from the user supplied SecurityPolicy.
func (*StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy ¶
func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(ctx context.Context, target string, deviceHash string) (err error)
EnforceDeviceMountPolicy for StandardSecurityPolicyEnforcer validates that the target block device's root hash matches any container in SecurityPolicy. Block device targets with invalid root hashes are rejected.
At the time that devices are being mounted, we do not know which container they will be used for; only that there is a device with a given root hash that is being mounted. We check to make sure that the root hash for the device is a root hash that exists for 1 or more layers in any container in the supplied SecurityPolicy. Each "seen" layer is recorded in Devices as it is mounted.
func (*StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy ¶
func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(ctx context.Context, unmountTarget string) (err error)
EnforceDeviceUnmountPolicy for StandardSecurityPolicyEnforcer first validates that the target mount was one of the allowed devices and then removes it from the mapping.
When proper protocol enforcement is in place, this will also make sure that the device isn't currently used by any running container in an overlay.
func (*StandardSecurityPolicyEnforcer) EnforceDumpStacksPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(_ context.Context, _ []string, envList []string, _ string) (EnvList, bool, error)
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) EnforceExecInContainerPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforceExecInContainerPolicy(_ context.Context, _ string, _ []string, envList []string, _ string, _ bool, _ IDName, _ []IDName, _ string, caps *oci.LinuxCapabilities) (EnvList, *oci.LinuxCapabilities, bool, error)
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) EnforceGetPropertiesPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy ¶
func (pe *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(ctx context.Context, containerID string, layerPaths []string, target string) (err error)
EnforceOverlayMountPolicy for StandardSecurityPolicyEnforcer validates that layerPaths represent a valid overlay file system and is allowed by the SecurityPolicy.
When overlay filesystems are created, look up the root hash chain for an incoming overlay and verify it against containers in the policy. Overlay filesystem creation is the first time we have a "container ID" available to us. The container ID identifies the container in question going forward. We record the mapping of container index in the policy to a set of possible container IDs so that when we have future operations like "run command" which come with a container ID, we can find the corresponding container index and use that to look up the command in the appropriate security policy container instance.
func (*StandardSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) EnforcePlan9MountPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (StandardSecurityPolicyEnforcer) EnforceScratchMountPolicy ¶ added in v0.10.0
func (StandardSecurityPolicyEnforcer) EnforceScratchMountPolicy(context.Context, string, bool) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (StandardSecurityPolicyEnforcer) EnforceScratchUnmountPolicy ¶ added in v0.10.0
func (StandardSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) EnforceShutdownContainerPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy ¶ added in v0.10.0
func (*StandardSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(context.Context, string, syscall.Signal, bool, []string) error
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
func (*StandardSecurityPolicyEnforcer) ExtendDefaultMounts ¶ added in v0.10.0
func (pe *StandardSecurityPolicyEnforcer) ExtendDefaultMounts(defaultMounts []oci.Mount) error
ExtendDefaultMounts for StandardSecurityPolicyEnforcer adds default mounts added by CRI and GCS to the list of DefaultMounts, which are always allowed.
func (StandardSecurityPolicyEnforcer) GetUserInfo ¶ added in v0.10.0
func (StandardSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error)
Stub. We are deprecating the standard enforcer.
func (*StandardSecurityPolicyEnforcer) LoadFragment ¶ added in v0.10.0
Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.
type StringArrayMap ¶ added in v0.10.0
// StringArrayMap wraps an array of strings as a string map: Elements holds the
// entries keyed by string and Length presumably records how many there are.
// The type provides its own MarshalJSON, so the json tags below do not govern
// encoding; they apply to decoding (no UnmarshalJSON is shown in this listing)
// and to reflection-based tooling.
type StringArrayMap struct {
	Length   int               `json:"length"`
	Elements map[string]string `json:"elements"`
}
StringArrayMap wraps an array of strings as a string map.
func (StringArrayMap) MarshalJSON ¶ added in v0.10.0
func (s StringArrayMap) MarshalJSON() ([]byte, error)
type UserConfig ¶ added in v0.10.0
// UserConfig describes the identity a container process runs with: the user,
// its group identities and the umask.
// NOTE(review): the toml key for GroupIDNames is singular ("group_idname")
// while the json key is plural ("group_idnames"). Both keys are part of the
// policy config format consumed from users, so confirm the asymmetry is
// intentional before aligning them — renaming either changes what existing
// policy files parse to.
type UserConfig struct {
	UserIDName   IDNameConfig   `json:"user_idname" toml:"user_idname"`
	GroupIDNames []IDNameConfig `json:"group_idnames" toml:"group_idname"`
	Umask        string         `json:"umask" toml:"umask"`
}