Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

bpf: Hide directories from access #74

Merged
merged 1 commit into from
Oct 14, 2021
Merged

bpf: Hide directories from access #74

merged 1 commit into from
Oct 14, 2021

Conversation

vadorovsky
Copy link
Member

@vadorovsky vadorovsky commented Oct 11, 2021
edited
Loading

This change adds new BPF programs which restrict the filesystem access
(open) inside containers based on configurable allow and deny BPF maps.
Allow/deny lists of directories are available in the usespace in lockc
configuration.

It can be tested by trying to access a denied directory in a container,
like:

lockc-control-plane-0:~ # docker run --rm -it busybox sh
/ # ls /sys
ls: can't open '/sys': Operation not permitted
/ # ls /home
/ #

Fixes: #48
Signed-off-by: Michal Rostecki mrostecki@opensuse.org

@vadorovsky vadorovsky force-pushed the hide-fs-v2 branch 4 times, most recently from 3ee31d4 to 8a562dc Compare October 11, 2021 23:05
@vadorovsky vadorovsky marked this pull request as ready for review October 11, 2021 23:06
@vadorovsky
bpf: Hide directories from access
7cd6a88 
This change adds new BPF programs which restrict the filesystem access
(open) inside containers based on configurable allow and deny BPF maps.
Allow/deny lists of directories are available in the usespace in lockc
configuration.

It can be tested by trying to access a denied directory in a container,
like:

  lockc-control-plane-0:~ # docker run --rm -it busybox sh
  / # ls /sys
  ls: can't open '/sys': Operation not permitted
  / # ls /home
  / #

Fixes: lockc-project#48
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
mjura
mjura approved these changes Oct 12, 2021
View reviewed changes
Copy link
Collaborator

@mjura mjura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, good job

manuelbuil
manuelbuil reviewed Oct 13, 2021
View reviewed changes
lockc/src/bpf/lockc.bpf.c
Comment on lines +474 to +475
* If anyone can show or contribute the better solution, I owe them a
* beer!
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A beer is a too small reward for this problem ;)

@vadorovsky vadorovsky requested a review from flavio October 13, 2021 15:19
@vadorovsky
Copy link
Member Author

/cc @flavio

@vadorovsky vadorovsky merged commit 94e7be0 into lockc-project:main Oct 14, 2021
@vadorovsky vadorovsky deleted the hide-fs-v2 branch October 14, 2021 15:47
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@mjura mjura mjura approved these changes

@manuelbuil manuelbuil manuelbuil approved these changes

@nickgerace nickgerace nickgerace approved these changes

@briandowns briandowns Awaiting requested review from briandowns

@flavio flavio Awaiting requested review from flavio

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Hide unnecessary kernel subystems
4 participants
@vadorovsky @mjura @manuelbuil @nickgerace