Merge pull request #1056 from bcressey/restrict-api-socket
isolate host containers and limit access to API socket
bcressey authored Aug 20, 2020
2 parents 23a20e5 + 43e0f6b commit 5110e8c
Showing 6 changed files with 55 additions and 9 deletions.
2 changes: 2 additions & 0 deletions packages/os/host-containers-tmpfiles.conf
@@ -1 +1,3 @@
d /etc/host-containers 0755 root root -
d /local/host-containers 0700 root root -
T /local/host-containers - - - - security.selinux=system_u:object_r:state_t:s0
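Review bot: The `T` entry on the last line recursively re-applies the `state_t` label to everything under /local/host-containers on every boot, while the `filecon` entries this same commit adds to fs.cil already give new files under that path the same label, and the file does not record why both are needed. A short comment would stop the next reader from dropping one as redundant, e.g. `# Relabel pre-existing state so directories created under the old policy pick up state_t; new files are labeled by policy.` — assuming upgrades of existing installs are the motivation, which should be confirmed with the author. The 0700 mode also differs from the 0755 on /etc/host-containers directly above it; if that is deliberate, a few words on the same comment line would make the intent clear.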
2 changes: 2 additions & 0 deletions packages/selinux-policy/fs.cil
Expand Up @@ -62,6 +62,8 @@
(filecon "/var/.*" any ())

; Label local state directories.
(filecon "/local/host-containers" any state)
(filecon "/local/host-containers/.*" any state)
(filecon "/var/lib/chrony" any measure)
(filecon "/var/lib/chrony/.*" any measure)
(filecon "/var/lib/systemd" any state)
8 changes: 7 additions & 1 deletion packages/selinux-policy/object.cil
Expand Up @@ -65,6 +65,11 @@
(roletype object_r private_t)
(context private (system_u object_r private_t s0))

; Files that are the API socket.
(type api_socket_t)
(roletype object_r api_socket_t)
(context api_socket (system_u object_r api_socket_t s0))

; Files for cached container layers.
(type cache_t)
(roletype object_r cache_t)
Expand Down Expand Up @@ -118,4 +123,5 @@
network_exec_t bus_exec_t runtime_exec_t
any_t etc_t unlabeled_t external_t
local_t private_t cache_t
lease_t measure_t state_t))
lease_t measure_t state_t
api_socket_t))
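Review bot: The typeattributeset that the second hunk extends with `api_socket_t` starts outside the hunk, so it is not visible here which object attribute the new type joins; from the other members it looks like the catch-all set of all object types. rules.cil in this commit protects the socket with a neverallow against `untrusted_s` only, whereas the existing `(neverallow other_s protected_o (files (mutate watch mount)))` in that file denies `protected_o` to every non-owning subject by policy rather than by omission. If `protected_o` is the set meant for objects whose modification must be forbidden outright, `api_socket_t` should probably be added there as well, provided `other_s` excludes `api_t` and `control_t`, since otherwise the new allows would conflict with it. Either way, the comment in the first hunk could state the access contract rather than just the object's role, e.g. `; The API server's socket. Only api_s and control_s may use it; see rules.cil.`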
32 changes: 30 additions & 2 deletions packages/selinux-policy/rules.cil
Expand Up @@ -59,9 +59,11 @@
; objects on local storage.
(typetransition runtime_t local_t process container_t)
(typetransition runtime_t cache_t process container_t)
(typetransition runtime_t state_t process container_t)
(allow runtime_t container_s (processes (transform)))
(allow container_s local_t (file (entrypoint)))
(allow container_s cache_t (file (entrypoint)))
(allow container_s state_t (file (entrypoint)))

; Allow containers to communicate with runtimes via pipes.
(allow container_s runtime_t (files (mutate)))
Expand All @@ -82,6 +84,13 @@
; ... docker's image layers
(typetransition runtime_t local_t dir "overlay2" cache_t)

; If a system process creates a directory for host container state, it
; receives the "state_t" label.
(typetransition system_t local_t dir "host-containers" state_t)

; The socket for the API server gets the "api_socket_t" label.
(typetransition api_t any_t sock_file "api.sock" api_socket_t)

; All subjects are allowed to write to objects with their own label.
; This includes files like the ones under /proc/self.
; They can also set watches on those objects.
Expand All @@ -105,8 +114,19 @@
; mounts for "local" files and directories on /local.
(allow unconfined_s local_t (files (mutate watch mount)))

; Confined subjects cannot modify these "local" files.
; Subjects that control the OS can write to, set watches for, and
; manage mounts for "state" files and directories on /local. Our
; runtimes also need to be able to perform these operations so that
; they can launch host containers.
(allow control_s state_t (files (mutate watch mount)))
(allow runtime_s state_t (files (mutate watch mount)))

; Untrusted subjects cannot modify the "state" files.
(neverallow untrusted_s state_t (files (mutate watch mount)))

; Confined subjects cannot modify either "state" or "local" files.
(neverallow confined_s local_t (files (mutate watch mount)))
(neverallow confined_s state_t (files (mutate watch mount)))

; Trusted components are allowed to manage mounts everywhere.
(allow trusted_s global (files (mount)))
Expand All @@ -126,13 +146,21 @@
(allow clock_s measure_t (files (mutate watch)))
(allow network_s lease_t (files (mutate watch)))
(allow runtime_s cache_t (files (mutate watch)))
(allow system_s state_t (files (mutate watch)))

; Other components should not be permitted to modify these files,
; set watches for them, or to manage mounts for these directories.
(neverallow other_s protected_o (files (mutate watch mount)))
(neverallow other_s immutable_o (files (watch)))

; Only the API server and specific components can use the API
; socket, as this provides a means to escalate privileges and
; persist changes.
(allow api_s api_socket_t (files (mutate watch)))
(allow control_s api_socket_t (files (mutate watch)))

; Untrusted components are not allowed to use the API socket.
(neverallow untrusted_s api_socket_t (files (mutate watch)))

; Only trusted components are allowed to relabel files.
(allow trusted_s global (files (relabel)))

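Review bot: The `(typetransition api_t any_t sock_file "api.sock" api_socket_t)` rule in the second hunk only labels a socket that `api_t` itself creates, with exactly that name, in a directory labeled `any_t`; a socket bound in a directory carrying another label, or re-created under a different name, keeps the directory's type and then falls outside both the `api_s`/`control_s` allows and the `untrusted_s` neverallow added in the last hunk. Since restricting this socket is the point of the commit, consider also pinning its expected path with a `filecon` in fs.cil (this commit already does that for /local/host-containers), or at least naming the expected location in the comment above the rule, e.g. `; The socket for the API server gets the "api_socket_t" label. It is expected at <API_SOCKET_DIR>/api.sock inside an any_t directory; a socket created elsewhere is not covered by the api_socket_t rules.` The neverallow rules for the socket constrain only `untrusted_s`, and whether plain `container_t` is a member of that attribute is not visible in this diff, so a reader of rules.cil alone cannot tell that ordinary host containers are denied the socket; a comment stating which container attribute is excluded, or a neverallow on that attribute, would make the intent checkable.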
15 changes: 10 additions & 5 deletions packages/selinux-policy/subject.cil
Expand Up @@ -48,6 +48,11 @@
(roletype system_r container_t)
(context container (system_u system_r container_t s0))

; Processes that run inside containers that control the OS.
(type control_t)
(roletype system_r control_t)
(context control (system_u system_r control_t s0))

; Processes that run inside highly privileged containers.
(type super_t)
(roletype system_r super_t)
Expand All @@ -58,7 +63,7 @@
(typeattributeset all_s (
kernel_t init_t system_t api_t
network_t clock_t bus_t runtime_t
container_t super_t))
container_t control_t super_t))

; Subjects that are treated as a trusted part of the OS.
(typeattribute trusted_s)
Expand All @@ -82,7 +87,7 @@

; Subjects that are started from containers.
(typeattribute container_s)
(typeattributeset container_s (container_t super_t))
(typeattributeset container_s (container_t control_t super_t))

; Subjects that are shipped with the OS.
(typeattribute host_s)
Expand All @@ -104,6 +109,6 @@
(typeattribute network_s)
(typeattributeset network_s (network_t system_t super_t))

; Subjects that are allowed to manage system files.
(typeattribute system_s)
(typeattributeset system_s (system_t super_t))
; Subjects that are allowed to control system files.
(typeattribute control_s)
(typeattributeset control_s (control_t system_t super_t))
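Review bot: The comment on the new `control_t` type says only that these processes run in containers that control the OS; what actually sets it apart from plain `container_t` is the access rules.cil grants `control_s` in this commit (write to `state_t` and to the API socket), and the comment should say so, e.g. `; Processes that run inside containers that control the OS. Unlike container_t, they may modify "state" files and use the API socket (see rules.cil).` Renaming `system_s` to `control_s` in the last hunk means any remaining `system_s` reference in the policy would no longer resolve; the one use visible in rules.cil appears to be replaced by this commit, but this rendered view carries no +/- markers, so that should be confirmed against the full policy before merging. It is also not visible whether `control_t` is added to `trusted_s`, whose members may relabel files and manage mounts everywhere per rules.cil; given that `control_s` is now the only container attribute with API access, the membership of that set deserves a look.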
5 changes: 4 additions & 1 deletion sources/host-ctr/cmd/host-ctr/main.go
Expand Up @@ -207,7 +207,7 @@ func _main() int {
Source: "/local/host-containers/" + containerID,
}}),
// Mount the rootfs with an SELinux label that makes it writable
withMountLabel("system_u:object_r:local_t:s0"),
withMountLabel("system_u:object_r:state_t:s0"),
// Include conditional options for superpowered containers.
withSuperpowered(superpowered),
)
Expand Down Expand Up @@ -375,8 +375,11 @@ func withMountLabel(label string) oci.SpecOpts {
// when it's `superpowered`.
func withSuperpowered(superpowered bool) oci.SpecOpts {
if !superpowered {
// Set the `control_t` process label so the host container can
// interact with the API and modify its local state files.
return oci.Compose(
seccomp.WithDefaultProfile(),
oci.WithSelinuxLabel("system_u:system_r:control_t:s0"),
)
}

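Review bot: Every non-superpowered host container now receives the `control_t` process label in `withSuperpowered`, and with the rules.cil changes in this commit that label carries write access to `state_t` and to the API socket; because the label is a hard-coded string, a host container that has no need of the API cannot be launched with a less privileged label such as `container_t`. If some host containers are expected never to talk to the API, consider taking the label from a caller-supplied option (none exists in the code shown) that defaults to the current `"system_u:system_r:control_t:s0"`, so least privilege can be applied per container without a policy change. The comment above the mount label in the first hunk still says only that the label "makes it writable"; it could name the new contract, e.g. `// Mount the rootfs as state_t so the policy's state_t rules govern who may modify it (see selinux-policy/rules.cil).` The enclosing `_main` function and the superpowered branch of `withSuperpowered` lie outside the hunks.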
