securitypolicy

package
v0.12.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 16, 2024 License: MIT Imports: 15 Imported by: 0

README

Security Policy

This package contains the logic for enabling users to express an attested security policy. This policy provides a series of enforcement points. Each enforcement point contrains one action that the host requests of the guest. The security policies are expressed in Rego, a policy language designed for use in scenarios like this one.

We provide a framework that users can employ to make writing policies easier, but there is no requirement for this framework to be used. Valid policies only need to define the enforcement points which are enumerated in the API namespace.

Adding a New Enforcement Point

When adding a new enforcement point, care must be taken to ensure that it is correctly connected to the rest of the codebase and properly supported. Here is a helpful checklist:

  1. Add the enforcment point to the SecurityPolicyEnforcer interface.
  2. Add stub implementations of the enforcement point to all classes which implement the interface. Some files to look at:
  3. Wrap the call in uvm.go so that it will not happen unless the security policy says it is OK.
  4. Add the enforcement point to api.rego and bump one minor version.
  5. Add the enforcement point rule to policy.rego and open_door.rego.
  6. Add the enforcement point rule logic to framework.rego
  7. Add useful error messages to framework.rego. Be sure to gate them with the rule name.
  8. Update the internal representations of the policy in securitypolicy_internal.go to contain any constraint objects which are needed by the framework logic.
  9. Update the Rego marshalling code in securitypolicy_marshal.go to emit the constraint objects which you added in the previous step.
  10. In securitypolicyenforcer_rego.go, fill out the stub with the input needed for the framework logic.
  11. Add tests to regopolicy_test.go. As a rule, you should add one test which verifies that the rule enforces things correctly, and then at least one test per error condition. Be sure to test that the error messages you are emitting are present in the error message.

Documentation

Index

Constants

View Source 
const (
	SecurityContextDirTemplate = "security-context-*"
	PolicyFilename             = "security-policy-base64"
	HostAMDCertFilename        = "host-amd-cert-base64"
	ReferenceInfoFilename      = "reference-info-base64"
)

Variables

View Source 
var APICode = strings.Replace(apiCodeTemplate, "@@API_VERSION@@", apiVersion, 1)
View Source 
var ErrInvalidOpenDoorPolicy = errors.New("allow_all cannot be set to 'true' when Containers are non-empty")
View Source 
var FrameworkCode = strings.Replace(frameworkCodeTemplate, "@@FRAMEWORK_VERSION@@", frameworkVersion, 1)

Functions

func DefaultPrivilegedCapabilities 

func DefaultPrivilegedCapabilities() []string

func DefaultUnprivilegedCapabilities 

func DefaultUnprivilegedCapabilities() []string

func EmptyCapabiltiesSet 

func EmptyCapabiltiesSet() []string

func ExtractPolicyDecision 

func ExtractPolicyDecision(errorMessage string) (string, error)

func MarshalFragment 

func MarshalFragment(
	namespace string,
	svn string,
	containers []*Container,
	externalProcesses []ExternalProcessConfig,
	fragments []FragmentConfig) (string, error)

func MarshalPolicy 

func MarshalPolicy(
	marshaller string,
	allowAll bool,
	containers []*Container,
	externalProcesses []ExternalProcessConfig,
	fragments []FragmentConfig,
	allowPropertiesAccess bool,
	allowDumpStacks bool,
	allowRuntimeLogging bool,
	allowEnvironmentVariableDropping bool,
	allowUnencryptedScratch bool,
	allowCapbilitiesDropping bool,
) (string, error)

func MeasureSeccompProfile 

func MeasureSeccompProfile(seccomp *specs.LinuxSeccomp) (string, error)

func NewSecurityPolicyDigest 

func NewSecurityPolicyDigest(base64policy string) ([]byte, error)

NewSecurityPolicyDigest decodes base64 encoded policy string, computes and returns sha256 digest

func WithPrivilegedMounts 

func WithPrivilegedMounts(mounts []oci.Mount) standardEnforcerOpt

WithPrivilegedMounts converts the input mounts to internal mount constraints and extends existing internal mount constraints if the container is allowed to be executed in elevated mode.

Types

type AuthConfig 

type AuthConfig struct {
	Username string `json:"username" toml:"username"`
	Password string `json:"password" toml:"password"`
}

AuthConfig contains toml or JSON config for registry authentication.

type CapabilitiesConfig 

type CapabilitiesConfig struct {
	Bounding    []string `json:"bounding" toml:"bounding"`
	Effective   []string `json:"effective" toml:"effective"`
	Inheritable []string `json:"inheritable" toml:"inheritable"`
	Permitted   []string `json:"permitted" toml:"permitted"`
	Ambient     []string `json:"ambient" toml:"ambient"`
}

CapabilitiesConfig contains the toml or JSON config for capabilies security polict constraint description

type ClosedDoorSecurityPolicyEnforcer 

type ClosedDoorSecurityPolicyEnforcer struct {
	// contains filtered or unexported fields
}

func (ClosedDoorSecurityPolicyEnforcer) EncodedSecurityPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string

func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(context.Context, string, string, []string, []string, string, []oci.Mount, bool, bool, IDName, []IDName, string, *oci.LinuxCapabilities, string) (EnvList, *oci.LinuxCapabilities, bool, error)

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(context.Context, string, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(context.Context, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(context.Context, []string, []string, string) (EnvList, bool, error)

func (ClosedDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy(context.Context, string, []string, []string, string, bool, IDName, []IDName, string, *oci.LinuxCapabilities) (EnvList, *oci.LinuxCapabilities, bool, error)

func (ClosedDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(context.Context, string, []string, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error

func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy 

func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error

func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy 

func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy(context.Context, string, bool) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy 

func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error

func (*ClosedDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy 

func (*ClosedDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error

func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy 

func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(context.Context, string, syscall.Signal, bool, []string) error

func (ClosedDoorSecurityPolicyEnforcer) ExtendDefaultMounts 

func (ClosedDoorSecurityPolicyEnforcer) ExtendDefaultMounts(_ []oci.Mount) error

func (ClosedDoorSecurityPolicyEnforcer) GetUserInfo 

func (ClosedDoorSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error)

func (ClosedDoorSecurityPolicyEnforcer) LoadFragment 

func (ClosedDoorSecurityPolicyEnforcer) LoadFragment(context.Context, string, string, string) error

type CommandArgs 

type CommandArgs StringArrayMap

func (CommandArgs) MarshalJSON 

func (c CommandArgs) MarshalJSON() ([]byte, error)

type Container 

type Container struct {
	Command              CommandArgs         `json:"command"`
	EnvRules             EnvRules            `json:"env_rules"`
	Layers               Layers              `json:"layers"`
	WorkingDir           string              `json:"working_dir"`
	Mounts               Mounts              `json:"mounts"`
	AllowElevated        bool                `json:"allow_elevated"`
	ExecProcesses        []ExecProcessConfig `json:"-"`
	Signals              []syscall.Signal    `json:"-"`
	AllowStdioAccess     bool                `json:"-"`
	NoNewPrivileges      bool                `json:"-"`
	User                 UserConfig          `json:"-"`
	Capabilities         *CapabilitiesConfig `json:"-"`
	SeccompProfileSHA256 string              `json:"-"`
}

func CreateContainerPolicy 

func CreateContainerPolicy(
	command, layers []string,
	envRules []EnvRuleConfig,
	workingDir string,
	mounts []MountConfig,
	allowElevated bool,
	execProcesses []ExecProcessConfig,
	signals []syscall.Signal,
	allowStdioAccess bool,
	noNewPrivileges bool,
	user UserConfig,
	capabilities *CapabilitiesConfig,
	seccompProfileSHA256 string,
) (*Container, error)

CreateContainerPolicy creates a new Container policy instance from the provided constraints or an error if parameter validation fails.

type ContainerConfig 

type ContainerConfig struct {
	ImageName                string              `json:"image_name" toml:"image_name"`
	Command                  []string            `json:"command" toml:"command"`
	Auth                     AuthConfig          `json:"auth" toml:"auth"`
	EnvRules                 []EnvRuleConfig     `json:"env_rules" toml:"env_rule"`
	WorkingDir               string              `json:"working_dir" toml:"working_dir"`
	Mounts                   []MountConfig       `json:"mounts" toml:"mount"`
	AllowElevated            bool                `json:"allow_elevated" toml:"allow_elevated"`
	ExecProcesses            []ExecProcessConfig `json:"exec_processes" toml:"exec_process"`
	Signals                  []syscall.Signal    `json:"signals" toml:"signals"`
	AllowStdioAccess         bool                `json:"allow_stdio_access" toml:"allow_stdio_access"`
	AllowPrivilegeEscalation bool                `json:"allow_privilege_escalation" toml:"allow_privilege_escalation"`
	User                     *UserConfig         `json:"user" toml:"user"`
	Capabilities             *CapabilitiesConfig `json:"capabilities" toml:"capabilities"`
	SeccompProfilePath       string              `json:"seccomp_profile_path" toml:"seccomp_profile_path"`
}

ContainerConfig contains toml or JSON config for container described in security policy.

type ContainerConfigOpt 

type ContainerConfigOpt func(config *ContainerConfig) error

func WithAllowElevated 

func WithAllowElevated(elevated bool) ContainerConfigOpt

WithAllowElevated allows container to run in an elevated/privileged mode.

func WithAllowPrivilegeEscalation 

func WithAllowPrivilegeEscalation(allow bool) ContainerConfigOpt

WithAllowPrivilegeEscalation allows escalating of privileges by clearing the NoNewPrivileges flag

func WithAllowStdioAccess 

func WithAllowStdioAccess(stdio bool) ContainerConfigOpt

WithAllowStdioAccess enables or disables container init process stdio.

func WithCapabilities 

func WithCapabilities(capabilities *CapabilitiesConfig) ContainerConfigOpt

WithCapabilities sets capabilities in container policy config.

func WithCommand 

func WithCommand(cmd []string) ContainerConfigOpt

WithCommand sets ContainerConfig.Command in container policy config.

func WithEnvVarRules 

func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt

WithEnvVarRules adds environment variable constraints to container policy config.

func WithExecProcesses 

func WithExecProcesses(execs []ExecProcessConfig) ContainerConfigOpt

WithExecProcesses allows specified exec processes.

func WithMountConstraints 

func WithMountConstraints(mc []MountConfig) ContainerConfigOpt

WithMountConstraints extends ContainerConfig.Mounts with provided mount constraints.

func WithSeccompProfilePath 

func WithSeccompProfilePath(path string) ContainerConfigOpt

WithSeccompProfilePath sets seccomp profile path in container policy config.

func WithUser 

func WithUser(user UserConfig) ContainerConfigOpt

WithUser sets user in container policy config.

func WithWorkingDir 

func WithWorkingDir(wd string) ContainerConfigOpt

WithWorkingDir sets working directory in container policy config.

type Containers 

type Containers struct {
	Length   int                  `json:"length"`
	Elements map[string]Container `json:"elements"`
}

func (Containers) MarshalJSON 

func (c Containers) MarshalJSON() ([]byte, error)

type EncodedSecurityPolicy 

type EncodedSecurityPolicy struct {
	SecurityPolicy string `json:"SecurityPolicy,omitempty"`
}

EncodedSecurityPolicy is a JSON representation of SecurityPolicy that has been base64 encoded for storage in an annotation embedded within another JSON configuration

type EnvList 

type EnvList []string

type EnvRuleConfig 

type EnvRuleConfig struct {
	Strategy EnvVarRule `json:"strategy" toml:"strategy"`
	Rule     string     `json:"rule" toml:"rule"`
	Required bool       `json:"required" toml:"required"`
}

EnvRuleConfig contains toml or JSON config for environment variable security policy enforcement.

func NewEnvVarRules 

func NewEnvVarRules(envVars []string, required bool) []EnvRuleConfig

NewEnvVarRules creates slice of EnvRuleConfig's from environment variables strings slice.

type EnvRules 

type EnvRules struct {
	Length   int                      `json:"length"`
	Elements map[string]EnvRuleConfig `json:"elements"`
}

func (EnvRules) MarshalJSON 

func (e EnvRules) MarshalJSON() ([]byte, error)

type EnvVarRule 

type EnvVarRule string
const (
	EnvVarRuleString EnvVarRule = "string"
	EnvVarRuleRegex  EnvVarRule = "re2"
)

type ExecProcessConfig 

type ExecProcessConfig struct {
	Command []string         `json:"command" toml:"command"`
	Signals []syscall.Signal `json:"signals" toml:"signals"`
}

ExecProcessConfig contains toml or JSON config for exec process security policy constraint description

type ExternalProcessConfig 

type ExternalProcessConfig struct {
	Command          []string `json:"command" toml:"command"`
	WorkingDir       string   `json:"working_dir" toml:"working_dir"`
	AllowStdioAccess bool     `json:"allow_stdio_access" toml:"allow_stdio_access"`
}

ExternalProcessConfig contains toml or JSON config for running external processes in the UVM.

type FragmentConfig 

type FragmentConfig struct {
	Issuer     string   `json:"issuer" toml:"issuer"`
	Feed       string   `json:"feed" toml:"feed"`
	MinimumSVN string   `json:"minimum_svn" toml:"minimum_svn"`
	Includes   []string `json:"includes" toml:"include"`
}

FragmentConfig contains toml or JSON config for including elements from fragments.

type IDName 

type IDName struct {
	ID   string
	Name string
}

type IDNameConfig 

type IDNameConfig struct {
	Strategy IDNameStrategy `json:"strategy" toml:"strategy"`
	Rule     string         `json:"rule" toml:"rule"`
}

type IDNameStrategy 

type IDNameStrategy string
const (
	IDNameStrategyName  IDNameStrategy = "name"
	IDNameStrategyID    IDNameStrategy = "id"
	IDNameStrategyRegex IDNameStrategy = "re2"
	IDNameStrategyAny   IDNameStrategy = "any"
)

type Layers 

type Layers StringArrayMap

func (Layers) MarshalJSON 

func (l Layers) MarshalJSON() ([]byte, error)

type Mount 

type Mount struct {
	Source      string  `json:"source"`
	Destination string  `json:"destination"`
	Type        string  `json:"type"`
	Options     Options `json:"options"`
}

type MountConfig 

type MountConfig struct {
	HostPath      string `json:"host_path" toml:"host_path"`
	ContainerPath string `json:"container_path" toml:"container_path"`
	Readonly      bool   `json:"readonly" toml:"readonly"`
}

MountConfig contains toml or JSON config for mount security policy constraint description.

type Mounts 

type Mounts struct {
	Length   int              `json:"length"`
	Elements map[string]Mount `json:"elements"`
}

func (Mounts) MarshalJSON 

func (m Mounts) MarshalJSON() ([]byte, error)

type OpenDoorSecurityPolicyEnforcer 

type OpenDoorSecurityPolicyEnforcer struct {
	// contains filtered or unexported fields
}

func (*OpenDoorSecurityPolicyEnforcer) EncodedSecurityPolicy 

func (oe *OpenDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string

func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(_ context.Context, _, _ string, _ []string, envList []string, _ string, _ []oci.Mount, _ bool, _ bool, _ IDName, _ []IDName, _ string, caps *oci.LinuxCapabilities, _ string) (EnvList, *oci.LinuxCapabilities, bool, error)

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(context.Context, string, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(context.Context, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error

func (OpenDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(_ context.Context, _ []string, envList []string, _ string) (EnvList, bool, error)

func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy(_ context.Context, _ string, _ []string, envList []string, _ string, _ bool, _ IDName, _ []IDName, _ string, caps *oci.LinuxCapabilities) (EnvList, *oci.LinuxCapabilities, bool, error)

func (OpenDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(context.Context, string, []string, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error

func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy 

func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error

func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy 

func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error

func (OpenDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy(context.Context, string, bool) error

func (OpenDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy 

func (OpenDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error

func (*OpenDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy 

func (*OpenDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error

func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy 

func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(context.Context, string, syscall.Signal, bool, []string) error

func (OpenDoorSecurityPolicyEnforcer) ExtendDefaultMounts 

func (OpenDoorSecurityPolicyEnforcer) ExtendDefaultMounts([]oci.Mount) error

func (OpenDoorSecurityPolicyEnforcer) GetUserInfo 

func (OpenDoorSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error)

func (OpenDoorSecurityPolicyEnforcer) LoadFragment 

func (OpenDoorSecurityPolicyEnforcer) LoadFragment(context.Context, string, string, string) error

type Options 

type Options StringArrayMap

func (Options) MarshalJSON 

func (o Options) MarshalJSON() ([]byte, error)

type PolicyConfig 

type PolicyConfig struct {
	AllowAll                         bool                    `json:"allow_all" toml:"allow_all"`
	Containers                       []ContainerConfig       `json:"containers" toml:"container"`
	ExternalProcesses                []ExternalProcessConfig `json:"external_processes" toml:"external_process"`
	Fragments                        []FragmentConfig        `json:"fragments" toml:"fragment"`
	AllowPropertiesAccess            bool                    `json:"allow_properties_access" toml:"allow_properties_access"`
	AllowDumpStacks                  bool                    `json:"allow_dump_stacks" toml:"allow_dump_stacks"`
	AllowRuntimeLogging              bool                    `json:"allow_runtime_logging" toml:"allow_runtime_logging"`
	AllowEnvironmentVariableDropping bool                    `json:"allow_environment_variable_dropping" toml:"allow_environment_variable_dropping"`
	// AllowUnencryptedScratch is a global policy configuration that allows
	// all containers within a pod to be run without scratch encryption.
	AllowUnencryptedScratch bool `json:"allow_unencrypted_scratch" toml:"allow_unencrypted_scratch"`
	AllowCapabilityDropping bool `json:"allow_capability_dropping" toml:"allow_capability_dropping"`
}

PolicyConfig contains toml or JSON config for security policy.

func NewPolicyConfig 

func NewPolicyConfig(opts ...PolicyConfigOpt) (*PolicyConfig, error)

type PolicyConfigOpt 

type PolicyConfigOpt func(config *PolicyConfig) error

func WithAllowCapabilityDropping 

func WithAllowCapabilityDropping(allow bool) PolicyConfigOpt

func WithAllowDumpStacks 

func WithAllowDumpStacks(allow bool) PolicyConfigOpt

func WithAllowEnvVarDropping 

func WithAllowEnvVarDropping(allow bool) PolicyConfigOpt

func WithAllowPropertiesAccess 

func WithAllowPropertiesAccess(allow bool) PolicyConfigOpt

func WithAllowRuntimeLogging 

func WithAllowRuntimeLogging(allow bool) PolicyConfigOpt

func WithAllowUnencryptedScratch 

func WithAllowUnencryptedScratch(allow bool) PolicyConfigOpt

func WithContainers 

func WithContainers(containers []ContainerConfig) PolicyConfigOpt

WithContainers adds containers to security policy.

func WithExternalProcesses 

func WithExternalProcesses(processes []ExternalProcessConfig) PolicyConfigOpt

type SecurityPolicy 

type SecurityPolicy struct {
	// Flag that when set to true allows for all checks to pass. Currently, used
	// to run with security policy enforcement "running dark"; checks can be in
	// place but the default policy that is created on startup has AllowAll set
	// to true, thus making policy enforcement effectively "off" from a logical
	// standpoint. Policy enforcement isn't actually off as the policy is "allow
	// everything".
	AllowAll bool `json:"allow_all"`
	// One or more containers that are allowed to run
	Containers Containers `json:"containers"`
}

func NewOpenDoorPolicy 

func NewOpenDoorPolicy() *SecurityPolicy

NewOpenDoorPolicy creates a new SecurityPolicy with AllowAll set to `true`

func NewSecurityPolicy 

func NewSecurityPolicy(allowAll bool, containers []*Container) *SecurityPolicy

NewSecurityPolicy creates a new SecurityPolicy from the provided values.

func (*SecurityPolicy) EncodeToString 

func (sp *SecurityPolicy) EncodeToString() (string, error)

EncodeToString returns base64 encoded string representation of SecurityPolicy.

type SecurityPolicyEnforcer 

type SecurityPolicyEnforcer interface {
	EnforceDeviceMountPolicy(ctx context.Context, target string, deviceHash string) (err error)
	EnforceDeviceUnmountPolicy(ctx context.Context, unmountTarget string) (err error)
	EnforceOverlayMountPolicy(ctx context.Context, containerID string, layerPaths []string, target string) (err error)
	EnforceOverlayUnmountPolicy(ctx context.Context, target string) (err error)
	EnforceCreateContainerPolicy(
		ctx context.Context,
		sandboxID string,
		containerID string,
		argList []string,
		envList []string,
		workingDir string,
		mounts []oci.Mount,
		privileged bool,
		noNewPrivileges bool,
		user IDName,
		groups []IDName,
		umask string,
		capabilities *oci.LinuxCapabilities,
		seccompProfileSHA256 string,
	) (EnvList, *oci.LinuxCapabilities, bool, error)
	ExtendDefaultMounts([]oci.Mount) error
	EncodedSecurityPolicy() string
	EnforceExecInContainerPolicy(
		ctx context.Context,
		containerID string,
		argList []string,
		envList []string,
		workingDir string,
		noNewPrivileges bool,
		user IDName,
		groups []IDName,
		umask string,
		capabilities *oci.LinuxCapabilities,
	) (EnvList, *oci.LinuxCapabilities, bool, error)
	EnforceExecExternalProcessPolicy(ctx context.Context, argList []string, envList []string, workingDir string) (EnvList, bool, error)
	EnforceShutdownContainerPolicy(ctx context.Context, containerID string) error
	EnforceSignalContainerProcessPolicy(ctx context.Context, containerID string, signal syscall.Signal, isInitProcess bool, startupArgList []string) error
	EnforcePlan9MountPolicy(ctx context.Context, target string) (err error)
	EnforcePlan9UnmountPolicy(ctx context.Context, target string) (err error)
	EnforceGetPropertiesPolicy(ctx context.Context) error
	EnforceDumpStacksPolicy(ctx context.Context) error
	EnforceRuntimeLoggingPolicy(ctx context.Context) (err error)
	LoadFragment(ctx context.Context, issuer string, feed string, code string) error
	EnforceScratchMountPolicy(ctx context.Context, scratchPath string, encrypted bool) (err error)
	EnforceScratchUnmountPolicy(ctx context.Context, scratchPath string) (err error)
	GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error)
}

func CreateSecurityPolicyEnforcer 

func CreateSecurityPolicyEnforcer(
	enforcer string,
	base64EncodedPolicy string,
	criMounts,
	criPrivilegedMounts []oci.Mount,
	maxErrorMessageLength int,
) (SecurityPolicyEnforcer, error)

CreateSecurityPolicyEnforcer returns an appropriate enforcer for input parameters. When `enforcer` isn't return either an AllowAll or default enforcer. Returns an error if the requested `enforcer` implementation isn't registered.

type StandardSecurityPolicyEnforcer 

type StandardSecurityPolicyEnforcer struct {

	// Containers is the internal representation of users' container policies.
	Containers []*securityPolicyContainer
	// Devices is a mapping between target and a corresponding root hash. Target
	// is a path to a particular block device or its mount point inside UVM and
	// root hash is the dm-verity root hash of that device. Mainly the stored
	// devices represent read-only container layers, but this may change.
	// As the UVM goes through its process of bringing up containers, we have to
	// piece together information about what is going on.
	Devices map[string]string
	// ContainerIndexToContainerIds is a mapping between containers in the
	// SecurityPolicy and possible container IDs that have been created by runc,
	// but have not yet been run.
	//
	// As containers can have exactly the same base image and be "the same" at
	// the time we are doing overlay, the ContainerIndexToContainerIds is a set
	// of possible containers for a given container id. Go doesn't have a set
	// type, so we are doing the idiomatic go thing of using a map[string]struct{}
	// to represent the set.
	ContainerIndexToContainerIds map[int]map[string]struct{}

	// DefaultMounts are mount constraints for container mounts added by CRI and
	// GCS. Since default mounts will be allowed for all containers in the UVM
	// they are not added to each individual policy container and kept as global
	// policy rules.
	DefaultMounts []mountInternal
	// DefaultEnvs are environment variable constraints for variables added
	// by CRI and GCS. Since default envs will be allowed for all containers
	// in the UVM they are not added to each individual policy container and
	// kept as global policy rules.
	DefaultEnvs []EnvRuleConfig
	// contains filtered or unexported fields
}

StandardSecurityPolicyEnforcer implements SecurityPolicyEnforcer interface and is responsible for enforcing various SecurityPolicy constraints.

Most of the work that this security policy enforcer does it around managing state needed to map from a container definition in the SecurityPolicy to a specific container ID as we bring up each container. For example, see EnforceCreateContainerPolicy where most of the functionality is handling the case were policy containers share an overlay and have to try to distinguish them based on the command line arguments, environment variables or working directory.

Containers that share the same base image, and perhaps further information, will have an entry per container instance in the SecurityPolicy. For example, a policy that has two containers that use Ubuntu 18.04 will have an entry for each even if they share the same command line.

func NewStandardSecurityPolicyEnforcer 

func NewStandardSecurityPolicyEnforcer(
	containers []*securityPolicyContainer,
	encoded string,
) *StandardSecurityPolicyEnforcer

func (*StandardSecurityPolicyEnforcer) EncodedSecurityPolicy 

func (pe *StandardSecurityPolicyEnforcer) EncodedSecurityPolicy() string

func (*StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceCreateContainerPolicy(
	ctx context.Context,
	sandboxID string,
	containerID string,
	argList []string,
	envList []string,
	workingDir string,
	mounts []oci.Mount,
	privileged bool,
	noNewPrivileges bool,
	user IDName,
	groups []IDName,
	umask string,
	caps *oci.LinuxCapabilities,
	seccomp string,
) (allowedEnvs EnvList,
	allowedCapabilities *oci.LinuxCapabilities,
	stdioAccessAllowed bool,
	err error)

EnforceCreateContainerPolicy for StandardSecurityPolicyEnforcer validates the input container command, env and working directory against containers in the SecurityPolicy. The enforcement also narrows down the containers that have the same overlays by comparing their command, env and working directory rules.

Devices and ContainerIndexToContainerIds are used to build up an understanding of the containers running with a UVM as they come up and map them back to a container definition from the user supplied SecurityPolicy.

func (*StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(ctx context.Context, target string, deviceHash string) (err error)

EnforceDeviceMountPolicy for StandardSecurityPolicyEnforcer validates that the target block device's root hash matches any container in SecurityPolicy. Block device targets with invalid root hashes are rejected.

At the time that devices are being mounted, we do not know a container that they will be used for; only that there is a device with a given root hash that being mounted. We check to make sure that the root hash for the devices is a root hash that exists for 1 or more layers in any container in the supplied SecurityPolicy. Each "seen" layer is recorded in devices as it is mounted.

func (*StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(ctx context.Context, unmountTarget string) (err error)

EnforceDeviceUnmountPolicy for StandardSecurityPolicyEnforcer first validate that the target mount was one of the allowed devices and then removes it from the mapping.

When proper protocol enforcement is in place, this will also make sure that the device isn't currently used by any running container in an overlay.

func (*StandardSecurityPolicyEnforcer) EnforceDumpStacksPolicy 

func (*StandardSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy 

func (*StandardSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(_ context.Context, _ []string, envList []string, _ string) (EnvList, bool, error)

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) EnforceExecInContainerPolicy 

func (*StandardSecurityPolicyEnforcer) EnforceExecInContainerPolicy(_ context.Context, _ string, _ []string, envList []string, _ string, _ bool, _ IDName, _ []IDName, _ string, caps *oci.LinuxCapabilities) (EnvList, *oci.LinuxCapabilities, bool, error)

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) EnforceGetPropertiesPolicy 

func (*StandardSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy 

func (pe *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(ctx context.Context, containerID string, layerPaths []string, target string) (err error)

EnforceOverlayMountPolicy for StandardSecurityPolicyEnforcer validates that layerPaths represent a valid overlay file system and is allowed by the SecurityPolicy.

When overlay filesystems created, look up the root hash chain for an incoming overlay and verify it against containers in the policy. Overlay filesystem creation is the first time we have a "container ID" available to us. The container id identifies the container in question going forward. We record the mapping of container index in the policy to a set of possible container IDs so that when we have future operations like "run command" which come with a container ID, we can find the corresponding container index and use that to look up the command in the appropriate security policy container instance.

func (*StandardSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy 

func (*StandardSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) EnforcePlan9MountPolicy 

func (*StandardSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy 

func (*StandardSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy 

func (*StandardSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (StandardSecurityPolicyEnforcer) EnforceScratchMountPolicy 

func (StandardSecurityPolicyEnforcer) EnforceScratchMountPolicy(context.Context, string, bool) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (StandardSecurityPolicyEnforcer) EnforceScratchUnmountPolicy 

func (StandardSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) EnforceShutdownContainerPolicy 

func (*StandardSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy 

func (*StandardSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(context.Context, string, syscall.Signal, bool, []string) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

func (*StandardSecurityPolicyEnforcer) ExtendDefaultMounts 

func (pe *StandardSecurityPolicyEnforcer) ExtendDefaultMounts(defaultMounts []oci.Mount) error

ExtendDefaultMounts for StandardSecurityPolicyEnforcer adds default mounts added by CRI and GCS to the list of DefaultMounts, which are always allowed.

func (StandardSecurityPolicyEnforcer) GetUserInfo 

func (StandardSecurityPolicyEnforcer) GetUserInfo(containerID string, spec *oci.Process) (IDName, []IDName, string, error)

Stub. We are deprecating the standard enforcer.

func (*StandardSecurityPolicyEnforcer) LoadFragment 

func (*StandardSecurityPolicyEnforcer) LoadFragment(context.Context, string, string, string) error

Stub. We are deprecating the standard enforcer. Newly added enforcement points are simply allowed.

type StringArrayMap 

type StringArrayMap struct {
	Length   int               `json:"length"`
	Elements map[string]string `json:"elements"`
}

StringArrayMap wraps an array of strings as a string map.

func (StringArrayMap) MarshalJSON 

func (s StringArrayMap) MarshalJSON() ([]byte, error)

type UserConfig 

type UserConfig struct {
	UserIDName   IDNameConfig   `json:"user_idname" toml:"user_idname"`
	GroupIDNames []IDNameConfig `json:"group_idnames" toml:"group_idname"`
	Umask        string         `json:"umask" toml:"umask"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.