Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

expand file and process restrictions in the SELinux policy #1464

Merged
merged 2 commits into from
Apr 8, 2021
Merged

expand file and process restrictions in the SELinux policy #1464

merged 2 commits into from
Apr 8, 2021

Conversation

bcressey
Copy link
Contributor

@bcressey bcressey commented Apr 7, 2021
edited
Loading

Issue number:
N/A

Description of changes:
Since host container user data can be used to pass secrets, we should block reads as well as writes to this content. Similarly, because the user data is saved in the datastore, we should also restrict access to those files.

This prevents most processes from sending signals to processes in a different domain, which could trigger unexpected system behavior.

Testing done:
Ran an unprivileged container:

docker run -it --rm --pid=host --security-opt label=type:container_t \
  -v /var/lib/bottlerocket:/datastore -v /local/host-containers:/host-containers \
  amazonlinux:2 bash

Verified that I could not kill a system daemon:

bash-4.2# pkill chronyd
pkill: killing pid 3202 failed: Permission denied
pkill: killing pid 3263 failed: Permission denied

Verified that I could not read host container files:

bash-4.2# ls -latrZ /host-root/local/host-containers/
ls: cannot open directory /host-root/local/host-containers/: Permission denied

Verified that I could not read datastore files:

bash-4.2# ls -latrZ /host-root/var/lib/bottlerocket/
ls: cannot open directory /host-root/var/lib/bottlerocket/: Permission denied

Launched aws-k8s-1.19 aarch64 nodes; sonobuoy run passed.

Launched aws-k8s-1.19 x86_64 nodes; verified that CloudWatch Agent and Fluent Bit could collect logs and post to CloudWatch.

Launched aws-ecs-1 aarch64 node; verified that an ECS task could run and complete.

No AVC denials were logged in these scenarios.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

@bcressey
selinux-policy: add file read restrictions
ea35f1b 
Since host container user data can be used to pass secrets, we should
block reads as well as writes to this content. Similarly, because the
user data is saved in the datastore, we should also restrict access
to those files.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey
selinux-policy: add process restrictions
9611ed8 
This prevents most processes from sending signals to processes in a
different domain, which could trigger unexpected system behavior.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey bcressey marked this pull request as ready for review April 8, 2021 00:54
@bcressey bcressey added this to the 1.0.8 milestone Apr 8, 2021
@bcressey bcressey merged commit 971519f into bottlerocket-os:develop Apr 8, 2021
@bcressey bcressey deleted the restrict-private branch April 8, 2021 21:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jpculp jpculp jpculp approved these changes

@tjkirch tjkirch tjkirch approved these changes

@samuelkarp samuelkarp Awaiting requested review from samuelkarp

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.0.8
Development

Successfully merging this pull request may close these issues.
3 participants
@bcressey @tjkirch @jpculp