Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding policy enforcement for User. #1669

Merged
merged 10 commits into from
Mar 3, 2023
Merged

Adding policy enforcement for User. #1669

merged 10 commits into from
Mar 3, 2023

Conversation

matajoh
Copy link
Member

@matajoh matajoh commented Feb 21, 2023

This PR adds policy enforcement for the User property of container processes. Policy authors can now explicitly allow and deny users, groups, and umasks associated with the init process and exec processes that they define on containers.

@matajoh matajoh requested a review from a team as a code owner February 21, 2023 17:27
anmaxvl
anmaxvl reviewed Feb 27, 2023
View reviewed changes
internal/guest/runtime/hcsv2/uvm.go Outdated Show resolved Hide resolved
pkg/securitypolicy/securitypolicyenforcer.go Show resolved Hide resolved
internal/guest/runtime/hcsv2/uvm.go Outdated Show resolved Hide resolved
internal/guest/runtime/hcsv2/uvm.go Outdated Show resolved Hide resolved
internal/guest/runtime/hcsv2/uvm.go Outdated Show resolved Hide resolved
helsaawy
helsaawy reviewed Mar 1, 2023
View reviewed changes
Copy link
Contributor

@helsaawy helsaawy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comments below, but in tandem, does GetUserInfo actually need to be exposed? Its doesnt do anything for Open/ClosedDoorSecurityPolicyEnforcer, and its returns are only ever passed to (SecurityPolicyEnforcer) EnforceCreateContainerPolicy and (SecurityPolicyEnforcer) EnforceExecInContainerPolicy, so the userinfo retrieval logic could probably be hidden in those two functions, without needing to change the function signatures

pkg/securitypolicy/securitypolicyenforcer_rego.go Outdated Show resolved Hide resolved
pkg/securitypolicy/securitypolicyenforcer.go Show resolved Hide resolved
@matajoh
Adding policy enforcement for User.
2ed246e 
This PR adds policy enforcement for the User property of container processes.
Policy authors can now explicitly allow and deny users, groups, and umasks
associated with the init process and exec processes that they define on
containers.

Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Addressing PR comments
7c1966e 
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Addressing PR comments
6f5fb91 
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Fixing linting error
0c5cc54 
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Moving GetUserInfo to the interface
f16869a 
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Fixing issues passwd and group are not present
158706d 
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Fixing issues with the init process
b4b5656 
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Setting defaults correctly on JSON containers
d8513be 
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Fixing issue with encrypted scratch on non-SNP hardware
300df51 
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Removing comment
6541eb6 
Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
@matajoh
Copy link
Member Author

matajoh commented Mar 2, 2023

So @helsaawy the current design change was made to avoid the cost of checking the password and group files when the data is not needed, i.e. with Standard and OpenDoor policies. However, if as you say we collapse the functionality into the different methods (EnforceCreateContainerPolicy and EnforceExecInContainerPolicy) then we have a situation where those methods become considerably more difficult to test, as we would have to mock the file system calls to read the passwd and group files. Having it this way is a compromise that avoids that.

@anmaxvl
Copy link
Contributor

anmaxvl commented Mar 3, 2023

lgtm

@anmaxvl anmaxvl merged commit 8994d86 into microsoft:main Mar 3, 2023
princepereira pushed a commit to princepereira/hcsshim that referenced this pull request Aug 29, 2024
@matajoh
Adding policy enforcement for User. (microsoft#1669)
009b711 
This PR adds policy enforcement for the User property of container processes.
Policy authors can now explicitly allow and deny users, groups, and umasks
associated with the init process and exec processes that they define on
containers.

Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anmaxvl anmaxvl anmaxvl approved these changes

@helsaawy helsaawy helsaawy approved these changes

Assignees

@helsaawy helsaawy

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@matajoh @anmaxvl @helsaawy