Add support for mount policy enforcement. #1311
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
7 times, most recently
from
54491be
to
caa48aa
Compare
SeanTAllen
reviewed
Mar 16, 2022
SeanTAllen
reviewed
Mar 16, 2022
SeanTAllen
reviewed
Mar 16, 2022
|
I worry about the handcrafted nature of the test coverage for the functionality. There's a ton of options and a large number of interleavings that probably aren't covered. I'd personally feel more confident if there were generative tests to cover all the edges. That said, I can imagine that writing them would be a pain as would understanding them without copious comments. Do any of the existing unit tests cover this functionality or is it only the new functional test(s) that provide coverage? |
|
@SeanTAllen , I haven't added any unit tests, only the e2e functional ones. I'll get to the unit tests later. |
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
from
3294385
to
e6966f5
Compare
kevpar
reviewed
Mar 21, 2022
anmaxvl
commented
Mar 21, 2022
kevpar
reviewed
Mar 22, 2022
kevpar
reviewed
Mar 22, 2022
kevpar
reviewed
Mar 22, 2022
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
2 times, most recently
from
69beb99
to
2dbf0a0
Compare
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
3 times, most recently
from
ed88272
to
ead70b4
Compare
kevpar
reviewed
Mar 28, 2022
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
5 times, most recently
from
0b942d6
to
8c92072
Compare
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
3 times, most recently
from
a0536ce
to
15afe54
Compare
|
You have a merge conflict FYI |
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
from
15afe54
to
0ed9bd0
Compare
done resolving |
katiewasnothere
approved these changes
Apr 9, 2022
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
from
0ed9bd0
to
679bf8c
Compare
kevpar
reviewed
Apr 12, 2022
kevpar
reviewed
Apr 12, 2022
| @@ -133,19 +190,28 @@ func NewStandardSecurityPolicyEnforcer(containers []securityPolicyContainer, enc | |||
| func (c Containers) toInternal() ([]securityPolicyContainer, error) { | |||
| containerMapLength := len(c.Elements) | |||
| if c.Length != containerMapLength { | |||
| return nil, fmt.Errorf("container numbers don't match in policy. expected: %d, actual: %d", c.Length, containerMapLength) | |||
There was a problem hiding this comment.
As a general comment, if you have two sets of changes, things that are really important, and some general cleanup that is not important, it can be helpful to put them in separate PRs. That way it's easier for reviewers to focus on the really important part of the changes. This can be especially helpful with GitHub since it's so bad at just showing you the new pieces of a PR that you've looked at already.
There was a problem hiding this comment.
You don't necessarily need to do that here, since it's been around for a while already, but good to consider in the future.
It is possible that a malicious mount can be used to attack an LCOW pod. If the attacker has knowleldge of the workload running, they could possibly change the environment for a container and alter its execution. This PR adds support for describing and enforcing mount policy for a given container. The mount policy closely follows OCI spec to be as explicit as possible to the user. The policy can be made less explicit in the future if needed. The dev tool has been updated to support mount configurations and the configuration spec is similar to CRI config with the exception of unsupported features (e.g., selinux config). The tool translates CRI config to appropriate mount type and options in mount policy. Initial implementation doesn't support any wildcards for the Destination, but supports REGEX for the Source. CRI adds some default mounts for all Linux containers and they had to be hardcoded in this codebase as well. Extra caution is needed in the future, in case the list expands. Additional changes have been made to how sandbox and hugepages mounts are generated to make sure that the same utility functions are used to generate appropriate mount specs. Add positive and negative tests for security policy mount constraints Hide mount enforcement behind a LCOWIntegrity feature flag Update securitypolicy tool docs Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
from
6a15f78
to
682b056
Compare
Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl
force-pushed
the
mount-policy-enforcement
branch
from
682b056
to
2af6ba2
Compare
|
@kevpar moved |
anmaxvl
added a commit
to anmaxvl/hcsshim
that referenced
this pull request
Apr 22, 2022
…)" This reverts commit 2028de8. During local testing a gcs with an older version of security policy was used when doing the fix: microsoft#1322. As we can see, the quotations weren't there. However, later a PR was merged, which added them: microsoft#1311 Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl
added a commit
that referenced
this pull request
Feb 7, 2023
princepereira
pushed a commit
to princepereira/hcsshim
that referenced
this pull request
Aug 29, 2024
* Add support for mount policy enforcement. It is possible that a malicious mount can be used to attack an LCOW pod. If the attacker has knowleldge of the workload running, they could possibly change the environment for a container and alter its execution. This PR adds support for describing and enforcing mount policy for a given container. The mount policy closely follows OCI spec to be as explicit as possible to the user. The policy can be made less explicit in the future if needed. The dev tool has been updated to support mount configurations and the configuration spec is similar to CRI config with the exception of unsupported features (e.g., selinux config). The tool translates CRI config to appropriate mount type and options in mount policy. Initial implementation doesn't support any wildcards for the Destination, but supports REGEX for the Source. CRI adds some default mounts for all Linux containers and they had to be hardcoded in this codebase as well. Extra caution is needed in the future, in case the list expands. Additional changes have been made to how sandbox and hugepages mounts are generated to make sure that the same utility functions are used to generate appropriate mount specs. Add positive and negative tests for security policy mount constraints Hide mount enforcement behind a LCOWIntegrity feature flag Update securitypolicy tool docs Signed-off-by: Maksim An <maksiman@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It is possible that a malicious mount can be used to attack an LCOW pod.
If the attacker has knowleldge of the workload running, they could
possibly change the environment for a container and alter its execution.
This PR adds support for describing and enforcing mount policy for a
given container. The mount policy closely follows OCI spec to be as
explicit as possible to the user. The policy can be made less explicit
in the future if needed.
The dev tool has been updated to support mount configurations and the
configuration spec is similar to CRI config with the exception of
unsupported features (e.g., selinux config).
The tool translates CRI config to appropriate mount type and options in
mount policy. Initial implementation doesn't support any wildcards and
mount source and destinations are compared directly.
CRI adds some default mounts for all Linux containers and they had to be
hardcoded in this codebase as well. Extra caution is needed in the
future, in case the list expands.
Additional changes have been made to how sandbox and hugepages mounts
are generated to make sure that the same utility functions are used to
generate appropriate mount specs.
TODO:
Signed-off-by: Maksim An maksiman@microsoft.com