Skip to content

Commit

Permalink
bpf: Hide directories from access
Browse files Browse the repository at this point in the history 
This change adds new BPF programs which restrict the filesystem access
(open) inside containers based on configurable allow and deny BPF maps.
Allow/deny lists of directories are available in the usespace in lockc
configuration.

It can be tested by trying to access a denied directory in a container,
like:

  lockc-control-plane-0:~ # docker run --rm -it busybox sh
  / # ls /sys
  ls: can't open '/sys': Operation not permitted
  / # ls /home
  / #

Fixes: #48
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
  • Loading branch information
@vadorovsky
vadorovsky committed Oct 11, 2021
1 parent 1ca0aef commit 7cd6a88
Show file tree
Hide file tree
Showing 9 changed files with 676 additions and 68 deletions.
175 changes: 173 additions & 2 deletions contrib/etc/lockc/lockc.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,39 +5,100 @@ runtimes = ["runc"]
# filesystem in containers with "restricted" policy.
# By default, these are only directories used by container runtimes (i.e. runc),
# engines (i.e. containerd, cri-o, podman) and kubelet.
allowed_paths_rescricted = [
allowed_paths_mount_restricted = [
# Path to Pseudo-Terminal Device, needed for -it option in container runtimes.
"/dev/pts",
# Storage directory used by libpod (podman, cri-o).
"/var/lib/containers/storage",
# Storage directory used by docker (overlay2 driver).
"/var/lib/docker/overlay2",
# Storage directory used by containerd.
"/var/run/container",
# Storage directory used by CRI containerd.
"/run/containerd/io.containerd.runtime.v1.linux",
# Data directory used by docker.
"/var/lib/docker/containers",
# Sandbox directory used by containerd.
"/run/containerd/io.containerd.grpc.v1.cri/sandboxes",
# Sandbox directory used by containerd.
"/var/lib/containerd/io.containerd.grpc.v1.cri/sandboxes",
# Misc cgroup controller.
"/sys/fs/cgroup/misc",
# RDMA controller.
"/sys/fs/cgroup/rdma",
# Block I/O controller for libpod (podman, cri-o).
"/sys/fs/cgroup/blkio/machine.slice",
# CPU accounting controller for libpod (podman, cri-o).
"/sys/fs/cgroup/cpu,cpuacct/machine.slice",
# Cpusets for libpod (podman, cri-o).
"/sys/fs/cgroup/cpuset/machine.slice",
# Device allowlist controller for libpod (podman, cri-o).
"/sys/fs/cgroup/devices/machine.slice",
# Cgroup freezer for libpod (podman, cri-o).
"/sys/fs/cgroup/freezer/machine.slice",
# HugeTLB controller for libpod (podman, cri-o).
"/sys/fs/cgroup/hugetlb/machine.slice",
# Memory controller for libpod (podman, cri-o).
"/sys/fs/cgroup/memory/machine.slice",
# Network classifier and priority controller for libpod (podman, cri-o).
"/sys/fs/cgroup/net_cls,net_prio/machine.slice",
# Perf event controller for libpod (podman, cri-o).
"/sys/fs/cgroup/perf_event/machine.slice",
# Process number controller for libpod (podman, cri-o).
"/sys/fs/cgroup/pids/machine.slice",
# Cgroup v1 hierarchy (used by systemd) for libpod (podman, cri-o).
"/sys/fs/cgroup/systemd/machine.slice",
# Cgroup v2 hierarchy (used by systemd) for libpod (podman, cri-o).
"/sys/fs/cgroup/unified/machine.slice",
# Block I/O controller for kubelet.
"/sys/fs/cgroup/blkio/kubepods.slice",
# CPU accounting controller for kubelet.
"/sys/fs/cgroup/cpu,cpuacct/kubepods.slice",
# Cpusets for libpod for kubelet.
"/sys/fs/cgroup/cpuset/kubepods.slice",
# Device allowlist controller for kubelet.
"/sys/fs/cgroup/devices/kubepods.slice",
# Cgroup freezer for kubelet.
"/sys/fs/cgroup/freezer/kubepods.slice",
# HugeTLB controller for kubelet.
"/sys/fs/cgroup/hugetlb/kubepods.slice",
# Memory controller for kubelet.
"/sys/fs/cgroup/memory/kubepods.slice",
# Network classifier and priority controller for kubelet.
"/sys/fs/cgroup/net_cls,net_prio/kubepods.slice",
# Perf event controller for kubelet.
"/sys/fs/cgroup/perf_event/kubepods.slice",
# Process number controller for kubelet.
"/sys/fs/cgroup/pids/kubepods.slice",
# Cgroup v1 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/systemd/kubepods.slice",
# Cgroup v2 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/unified/kubepods.slice",
# Block I/O controller for docker.
"/sys/fs/cgroup/blkio/docker",
# CPU accounting controller for docker.
"/sys/fs/cgroup/cpu,cpuacct/docker",
# Cpusets for docker.
"/sys/fs/cgroup/cpuset/docker",
# Device allowlist controller for docker.
"/sys/fs/cgroup/devices/docker",
# Cgroup freezer for docker.
"/sys/fs/cgroup/freezer/docker",
# HugeTLB controller for docker.
"/sys/fs/cgroup/hugetlb/docker",
# Memory controller for docker.
"/sys/fs/cgroup/memory/docker",
# Network classifier and priority controller for docker.
"/sys/fs/cgroup/net_cls,net_prio/docker",
# Perf event controller for docker.
"/sys/fs/cgroup/perf_event/docker",
# Process number controller for docker.
"/sys/fs/cgroup/pids/docker",
# Cgroup v1 hierarchy (used by systemd) for docker.
"/sys/fs/cgroup/systemd/docker",
# Cgroup v2 hierarchy (used by systemd) for docker.
"/sys/fs/cgroup/unified/docker",
# State and ephemeral storage for kubelet.
"/var/lib/kubelet/pods",
]

Expand All @@ -47,43 +108,153 @@ allowed_paths_rescricted = [
# * /home
# * /var/data
# * directories used by container runtimes, engines and kubelet
allowed_paths_baseline = [
allowed_paths_mount_baseline = [
# Directories used by container runtimes, engines and kubelet.

# Path to Pseudo-Terminal Device, needed for -it option in container runtimes.
"/dev/pts",
# Storage directory used by libpod (podman, cri-o).
"/var/lib/containers/storage",
# Storage directory used by docker (overlay2 driver).
"/var/lib/docker/overlay2",
# Storage directory used by containerd.
"/var/run/container",
# Storage directory used by CRI containerd.
"/run/containerd/io.containerd.runtime.v1.linux",
# Data directory used by docker.
"/var/lib/docker/containers",
# Sandbox directory used by containerd.
"/run/containerd/io.containerd.grpc.v1.cri/sandboxes",
# Sandbox directory used by containerd.
"/var/lib/containerd/io.containerd.grpc.v1.cri/sandboxes",
# Misc cgroup controller.
"/sys/fs/cgroup/misc",
# RDMA controller.
"/sys/fs/cgroup/rdma",
# Block I/O controller for libpod (podman, cri-o).
"/sys/fs/cgroup/blkio/machine.slice",
# CPU accounting controller for libpod (podman, cri-o).
"/sys/fs/cgroup/cpu,cpuacct/machine.slice",
# Cpusets for libpod (podman, cri-o).
"/sys/fs/cgroup/cpuset/machine.slice",
# Device allowlist controller for libpod (podman, cri-o).
"/sys/fs/cgroup/devices/machine.slice",
# Cgroup freezer for libpod (podman, cri-o).
"/sys/fs/cgroup/freezer/machine.slice",
# HugeTLB controller for libpod (podman, cri-o).
"/sys/fs/cgroup/hugetlb/machine.slice",
# Memory controller for libpod (podman, cri-o).
"/sys/fs/cgroup/memory/machine.slice",
# Network classifier and priority controller for libpod (podman, cri-o).
"/sys/fs/cgroup/net_cls,net_prio/machine.slice",
# Perf event controller for libpod (podman, cri-o).
"/sys/fs/cgroup/perf_event/machine.slice",
# Process number controller for libpod (podman, cri-o).
"/sys/fs/cgroup/pids/machine.slice",
# Cgroup v1 hierarchy (used by systemd) for libpod (podman, cri-o).
"/sys/fs/cgroup/systemd/machine.slice",
# Cgroup v2 hierarchy (used by systemd) for libpod (podman, cri-o).
"/sys/fs/cgroup/unified/machine.slice",
# Block I/O controller for kubelet.
"/sys/fs/cgroup/blkio/kubepods.slice",
# CPU accounting controller for kubelet.
"/sys/fs/cgroup/cpu,cpuacct/kubepods.slice",
# Cpusets for libpod for kubelet.
"/sys/fs/cgroup/cpuset/kubepods.slice",
# Device allowlist controller for kubelet.
"/sys/fs/cgroup/devices/kubepods.slice",
# Cgroup freezer for kubelet.
"/sys/fs/cgroup/freezer/kubepods.slice",
# HugeTLB controller for kubelet.
"/sys/fs/cgroup/hugetlb/kubepods.slice",
# Memory controller for kubelet.
"/sys/fs/cgroup/memory/kubepods.slice",
# Network classifier and priority controller for kubelet.
"/sys/fs/cgroup/net_cls,net_prio/kubepods.slice",
# Perf event controller for kubelet.
"/sys/fs/cgroup/perf_event/kubepods.slice",
# Process number controller for kubelet.
"/sys/fs/cgroup/pids/kubepods.slice",
# Cgroup v1 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/systemd/kubepods.slice",
# Cgroup v2 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/unified/kubepods.slice",
# Block I/O controller for docker.
"/sys/fs/cgroup/blkio/docker",
# CPU accounting controller for docker.
"/sys/fs/cgroup/cpu,cpuacct/docker",
# Cpusets for docker.
"/sys/fs/cgroup/cpuset/docker",
# Device allowlist controller for docker.
"/sys/fs/cgroup/devices/docker",
# Cgroup freezer for docker.
"/sys/fs/cgroup/freezer/docker",
# HugeTLB controller for docker.
"/sys/fs/cgroup/hugetlb/docker",
# Memory controller for docker.
"/sys/fs/cgroup/memory/docker",
# Network classifier and priority controller for docker.
"/sys/fs/cgroup/net_cls,net_prio/docker",
# Perf event controller for docker.
"/sys/fs/cgroup/perf_event/docker",
# Process number controller for docker.
"/sys/fs/cgroup/pids/docker",
# Cgroup v1 hierarchy (used by systemd) for docker.
"/sys/fs/cgroup/systemd/docker",
# Cgroup v2 hierarchy (used by systemd) for docker.
"/sys/fs/cgroup/unified/docker",
# State and ephemeral storage for kubelet.
"/var/lib/kubelet/pods",

# Directories mounted by container engine user.

"/home",
"/var/data",
]

allowed_paths_access_restricted = [
"/bin",
"/dev/console",
"/dev/full",
"/dev/null",
"/dev/pts",
"/dev/tty",
"/dev/urandom",
"/dev/zero",
"/etc",
"/home",
"/lib",
"/proc",
"/sys/fs/cgroup",
"/tmp",
"/usr",
"/var",
]

allowed_paths_access_baseline = [
"/bin",
"/dev/console",
"/dev/full",
"/dev/null",
"/dev/pts",
"/dev/tty",
"/dev/urandom",
"/dev/zero",
"/etc",
"/home",
"/lib",
"/proc",
"/sys/fs/cgroup",
"/tmp",
"/usr",
"/var",
]

denied_paths_access_restricted = [
"/proc/acpi",
]

denied_paths_access_baseline = [
"/proc/acpi",
"/proc/sys",
]
1 change: 1 addition & 0 deletions docs/src/SUMMARY.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
- [Use libvirt](terraform/libvirt.md)
- [Use OpenStack](terraform/openstack.md)
- [Policies](policies/README.md)
- [File access](policies/file-access.md)
- [Mount](policies/mount.md)
- [Syslog](policies/syslog.md)
- [Demos](demos/README.md)
Expand Down
62 changes: 62 additions & 0 deletions docs/src/policies/file-access.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
## File access

lockc comes with policies about file access which is based on allow- and
deny-listing. **Baseline** and **restricted** policies have their own pairs of
lists. All those lists should contain path prefixes. All the children of listed
paths/directories are included, since the decision is made by prefix matching.

The deny list has precedence over allow list. That's because main purpose of
the deny list is specifying exceptions whose prefixes are specified in the
allow list, but we don't want to allow them.

To sum it up, when any process in the container tries to access a file, lockc:

1. Checks whether the given path's prefix is in the deny list. If yes, denies
the access.
2. Checks whether the given path's prefix is in the allow list. If yes, allows
the access.
3. In case of no matches, denies the access.

By default, the contents of lists are:

* **baseline**
* allow list
* */bin*
* */dev/console*
* */dev/full*
* */dev/null*
* */dev/pts*
* */dev/tty*
* */dev/urandom*
* */dev/zero*
* */etc*
* */home*
* */lib*
* */proc*
* */sys/fs/cgroup*
* */tmp*
* */usr*
* */var*
* deny list
* */proc/acpi*
* **restricted**
* allow list
* */bin*
* */dev/console*
* */dev/full*
* */dev/null*
* */dev/pts*
* */dev/tty*
* */dev/urandom*
* */dev/zero*
* */etc*
* */home*
* */lib*
* */proc*
* */sys/fs/cgroup*
* */tmp*
* */usr*
* */var*
* deny list
* */proc/acpi*
* */proc/sys*
Loading

0 comments on commit 7cd6a88

Please # to comment.