Documentation
¶
Index ¶
- type ClosedDoorSecurityPolicyEnforcer
- func (p *ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(containerID string, argList []string, envList []string) (err error)
- func (p *ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
- func (p *ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(target string) (err error)
- func (p *ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
- type CommandArgs
- type Container
- type Containers
- type EncodedSecurityPolicy
- type EnvRule
- type EnvRules
- type EnvVarRule
- type Layers
- type OpenDoorSecurityPolicyEnforcer
- func (p *OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(containerID string, argList []string, envList []string) (err error)
- func (p *OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
- func (p *OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(target string) (err error)
- func (p *OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
- type SecurityPolicy
- type SecurityPolicyEnforcer
- type SecurityPolicyState
- type StandardSecurityPolicyEnforcer
- func (pe *StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy(containerID string, argList []string, envList []string) (err error)
- func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
- func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(unmountTarget string) (err error)
- func (pe *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ClosedDoorSecurityPolicyEnforcer ¶
type ClosedDoorSecurityPolicyEnforcer struct{}
func (*ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy ¶
func (p *ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(containerID string, argList []string, envList []string) (err error)
func (*ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy ¶
func (p *ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
func (*ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy ¶
func (p *ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(target string) (err error)
func (*ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy ¶
func (p *ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
type CommandArgs ¶
type CommandArgs struct {
Length int `json:"length"`
// an ordered list of args where the key is in the index for ordering
Elements map[string]string `json:"elements"`
}
func (CommandArgs) MarshalJSON ¶
func (c CommandArgs) MarshalJSON() ([]byte, error)
type Container ¶
type Container struct {
Command CommandArgs `json:"command"`
EnvRules EnvRules `json:"env_rules"`
Layers Layers `json:"layers"`
}
type Containers ¶
type Containers struct {
Length int `json:"length"`
Elements map[string]Container `json:"elements"`
}
func (Containers) MarshalJSON ¶
func (c Containers) MarshalJSON() ([]byte, error)
Custom JSON marshalling to add `lenth` field that matches the number of elements present in the `elements` field.
type EncodedSecurityPolicy ¶
type EncodedSecurityPolicy struct {
SecurityPolicy string `json:"SecurityPolicy,omitempty"`
}
EncodedSecurityPolicy is a JSON representation of SecurityPolicy that has been base64 encoded for storage in an annotation embedded within another JSON configuration
type EnvRule ¶
type EnvRule struct {
Strategy EnvVarRule `json:"strategy"`
Rule string `json:"rule"`
}
type EnvRules ¶
func (EnvRules) MarshalJSON ¶
type EnvVarRule ¶
type EnvVarRule string
const ( EnvVarRuleString EnvVarRule = "string" EnvVarRuleRegex EnvVarRule = "re2" )
type Layers ¶
type Layers struct {
Length int `json:"length"`
// an ordered list of args where the key is in the index for ordering
Elements map[string]string `json:"elements"`
}
func (Layers) MarshalJSON ¶
type OpenDoorSecurityPolicyEnforcer ¶
type OpenDoorSecurityPolicyEnforcer struct{}
func (*OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy ¶
func (p *OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(containerID string, argList []string, envList []string) (err error)
func (*OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy ¶
func (p *OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
func (*OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy ¶
func (p *OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(target string) (err error)
func (*OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy ¶
func (p *OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
type SecurityPolicy ¶
type SecurityPolicy struct {
// Flag that when set to true allows for all checks to pass. Currently used
// to run with security policy enforcement "running dark"; checks can be in
// place but the default policy that is created on startup has AllowAll set
// to true, thus making policy enforcement effectively "off" from a logical
// standpoint. Policy enforcement isn't actually off as the policy is "allow
// everything:.
AllowAll bool `json:"allow_all"`
// One or more containers that are allowed to run
Containers Containers `json:"containers"`
}
type SecurityPolicyEnforcer ¶
type SecurityPolicyEnforcer interface {
EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
EnforceDeviceUnmountPolicy(unmountTarget string) (err error)
EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
EnforceCreateContainerPolicy(containerID string, argList []string, envList []string) (err error)
}
func NewSecurityPolicyEnforcer ¶
func NewSecurityPolicyEnforcer(state SecurityPolicyState) (SecurityPolicyEnforcer, error)
type SecurityPolicyState ¶
type SecurityPolicyState struct {
EncodedSecurityPolicy EncodedSecurityPolicy `json:"EncodedSecurityPolicy,omitempty"`
SecurityPolicy `json:"SecurityPolicy,omitempty"`
}
SecurityPolicyState is a structure that holds user supplied policy to enforce we keep both the encoded representation and the unmarshalled representation because different components need to have access to either of these
func NewSecurityPolicyState ¶
func NewSecurityPolicyState(base64Policy string) (*SecurityPolicyState, error)
Constructs SecurityPolicyState from base64Policy string. It first decodes base64 policy and returns the structs security policy struct and encoded security policy for given policy. The security policy is transmitted as json in an annotation, so we first have to remove the base64 encoding that allows the JSON based policy to be passed as a string. From there, we decode the JSONand setup our security policy struct
type StandardSecurityPolicyEnforcer ¶
type StandardSecurityPolicyEnforcer struct {
// EncodedSecurityPolicy state is needed for key release
EncodedSecurityPolicy string
// Containers from the user supplied security policy.
Containers []securityPolicyContainer
// Devices and ContainerIndexToContainerIds are used to build up an
// understanding of the containers running with a UVM as they come up and
// map them back to a container definition from the user supplied
// SecurityPolicy
//
// Devices is a listing of targets seen when mounting a device
// stored in a "per-container basis". As the UVM goes through its process of
// bringing up containers, we have to piece together information about what
// is going on.
//
// At the time that devices are being mounted, we do not know a container
// that they will be used for; only that there is a device with a given root
// hash that being mounted. We check to make sure that the root hash for the
// devices is a root hash that exists for 1 or more layers in any container
// in the supplied SecurityPolicy. Each "seen" layer is recorded in devices
// as it is mounted. So for example, if a root hash mount is found for the
// device being mounted and the first layer of the first container then we
// record the device target in Devices[0][0].
//
// Later, when overlay filesystems created, we verify that the ordered layers
// for said overlay filesystem match one of the device orderings in Devices.
// When a match is found, the index in Devices is the same index in
// SecurityPolicy.Containers. Overlay filesystem creation is the first time we
// have a "container id" available to us. The container id identifies the
// container in question going forward. We record the mapping of Container
// index to container id so that when we have future operations like "run
// command" which come with a container id, we can find the corresponding
// container index and use that to look up the command in the appropriate
// SecurityPolicyContainer instance.
//
// As containers can have exactly the same base image and be "the same" at
// the time we are doing overlay, the ContainerIndexToContainerIds in a
// set of possible containers for a given container id. Go doesn't have a set
// type so we are doing the idiomatic go thing of using a map[string]struct{}
// to represent the set.
//
// Containers that share the same base image, and perhaps further
// information, will have an entry per container instance in the
// SecurityPolicy. For example, a policy that has two containers that
// use Ubuntu 18.04 will have an entry for each even if they share the same
// command line.
//
// Most of the work that this security policy enforcer does it around managing
// state needed to map from a container definition in the SecurityPolicy to
// a specfic container ID as we bring up each container. See
// enforceCommandPolicy where most of the functionality is handling the case
// were policy containers share an overlay and have to try to distinguish them
// based on the command line arguments. enforceEnvironmentVariablePolicy can
// further narrow based on environment variables if required.
//
// implementation details are available in:
// - EnforceDeviceMountPolicy
// - EnforceOverlayMountPolicy
// - enforceCommandPolicy
// - enforceEnvironmentVariablePolicy
// - NewStandardSecurityPolicyEnforcer
Devices [][]string
ContainerIndexToContainerIds map[int]map[string]struct{}
// contains filtered or unexported fields
}
func NewStandardSecurityPolicyEnforcer ¶
func NewStandardSecurityPolicyEnforcer(containers []securityPolicyContainer, encoded string) *StandardSecurityPolicyEnforcer
func (*StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy ¶
func (pe *StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy(containerID string, argList []string, envList []string) (err error)
func (*StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy ¶
func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
func (*StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy ¶
func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(unmountTarget string) (err error)
func (*StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy ¶
func (pe *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
Source Files
Click to show internal directories.
Click to hide internal directories.