bpf: Hide directories from access #74

merged 1 commit into from
Oct 14, 2021
175 changes: 173 additions & 2 deletions contrib/etc/lockc/lockc.toml
Expand Up @@ -5,39 +5,100 @@ runtimes = ["runc"]
# filesystem in containers with "restricted" policy.
# By default, these are only directories used by container runtimes (i.e. runc),
# engines (i.e. containerd, cri-o, podman) and kubelet.
allowed_paths_rescricted = [
allowed_paths_mount_restricted = [
# Path to Pseudo-Terminal Device, needed for -it option in container runtimes.
"/dev/pts",
# Storage directory used by libpod (podman, cri-o).
"/var/lib/containers/storage",
# Storage directory used by docker (overlay2 driver).
"/var/lib/docker/overlay2",
# Storage directory used by containerd.
"/var/run/container",
# Storage directory used by CRI containerd.
"/run/containerd/io.containerd.runtime.v1.linux",
# Data directory used by docker.
"/var/lib/docker/containers",
# Sandbox directory used by containerd.
"/run/containerd/io.containerd.grpc.v1.cri/sandboxes",
# Sandbox directory used by containerd.
"/var/lib/containerd/io.containerd.grpc.v1.cri/sandboxes",
# Misc cgroup controller.
"/sys/fs/cgroup/misc",
# RDMA controller.
"/sys/fs/cgroup/rdma",
# Block I/O controller for libpod (podman, cri-o).
"/sys/fs/cgroup/blkio/machine.slice",
# CPU accounting controller for libpod (podman, cri-o).
"/sys/fs/cgroup/cpu,cpuacct/machine.slice",
# Cpusets for libpod (podman, cri-o).
"/sys/fs/cgroup/cpuset/machine.slice",
# Device allowlist controller for libpod (podman, cri-o).
"/sys/fs/cgroup/devices/machine.slice",
# Cgroup freezer for libpod (podman, cri-o).
"/sys/fs/cgroup/freezer/machine.slice",
# HugeTLB controller for libpod (podman, cri-o).
"/sys/fs/cgroup/hugetlb/machine.slice",
# Memory controller for libpod (podman, cri-o).
"/sys/fs/cgroup/memory/machine.slice",
# Network classifier and priority controller for libpod (podman, cri-o).
"/sys/fs/cgroup/net_cls,net_prio/machine.slice",
# Perf event controller for libpod (podman, cri-o).
"/sys/fs/cgroup/perf_event/machine.slice",
# Process number controller for libpod (podman, cri-o).
"/sys/fs/cgroup/pids/machine.slice",
# Cgroup v1 hierarchy (used by systemd) for libpod (podman, cri-o).
"/sys/fs/cgroup/systemd/machine.slice",
# Cgroup v2 hierarchy (used by systemd) for libpod (podman, cri-o).
"/sys/fs/cgroup/unified/machine.slice",
# Block I/O controller for kubelet.
"/sys/fs/cgroup/blkio/kubepods.slice",
# CPU accounting controller for kubelet.
"/sys/fs/cgroup/cpu,cpuacct/kubepods.slice",
# Cpusets for libpod for kubelet.
"/sys/fs/cgroup/cpuset/kubepods.slice",
# Device allowlist controller for kubelet.
"/sys/fs/cgroup/devices/kubepods.slice",
# Cgroup freezer for kubelet.
"/sys/fs/cgroup/freezer/kubepods.slice",
# HugeTLB controller for kubelet.
"/sys/fs/cgroup/hugetlb/kubepods.slice",
# Memory controller for kubelet.
"/sys/fs/cgroup/memory/kubepods.slice",
# Network classifier and priority controller for kubelet.
"/sys/fs/cgroup/net_cls,net_prio/kubepods.slice",
# Perf event controller for kubelet.
"/sys/fs/cgroup/perf_event/kubepods.slice",
# Process number controller for kubelet.
"/sys/fs/cgroup/pids/kubepods.slice",
# Cgroup v1 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/systemd/kubepods.slice",
# Cgroup v2 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/unified/kubepods.slice",
# Block I/O controller for docker.
"/sys/fs/cgroup/blkio/docker",
# CPU accounting controller for docker.
"/sys/fs/cgroup/cpu,cpuacct/docker",
# Cpusets for docker.
"/sys/fs/cgroup/cpuset/docker",
# Device allowlist controller for docker.
"/sys/fs/cgroup/devices/docker",
# Cgroup freezer for docker.
"/sys/fs/cgroup/freezer/docker",
# HugeTLB controller for docker.
"/sys/fs/cgroup/hugetlb/docker",
# Memory controller for docker.
"/sys/fs/cgroup/memory/docker",
# Network classifier and priority controller for docker.
"/sys/fs/cgroup/net_cls,net_prio/docker",
# Perf event controller for docker.
"/sys/fs/cgroup/perf_event/docker",
# Process number controller for docker.
"/sys/fs/cgroup/pids/docker",
# Cgroup v1 hierarchy (used by systemd) for docker.
"/sys/fs/cgroup/systemd/docker",
# Cgroup v2 hierarchy (used by systemd) for docker.
"/sys/fs/cgroup/unified/docker",
# State and ephemeral storage for kubelet.
"/var/lib/kubelet/pods",
]

Expand All @@ -47,43 +108,153 @@ allowed_paths_rescricted = [
# * /home
# * /var/data
# * directories used by container runtimes, engines and kubelet
allowed_paths_baseline = [
allowed_paths_mount_baseline = [
# Directories used by container runtimes, engines and kubelet.

# Path to Pseudo-Terminal Device, needed for -it option in container runtimes.
"/dev/pts",
# Storage directory used by libpod (podman, cri-o).
"/var/lib/containers/storage",
# Storage directory used by docker (overlay2 driver).
"/var/lib/docker/overlay2",
# Storage directory used by containerd.
"/var/run/container",
# Storage directory used by CRI containerd.
"/run/containerd/io.containerd.runtime.v1.linux",
# Data directory used by docker.
"/var/lib/docker/containers",
# Sandbox directory used by containerd.
"/run/containerd/io.containerd.grpc.v1.cri/sandboxes",
# Sandbox directory used by containerd.
"/var/lib/containerd/io.containerd.grpc.v1.cri/sandboxes",
# Misc cgroup controller.
"/sys/fs/cgroup/misc",
# RDMA controller.
"/sys/fs/cgroup/rdma",
# Block I/O controller for libpod (podman, cri-o).
"/sys/fs/cgroup/blkio/machine.slice",
# CPU accounting controller for libpod (podman, cri-o).
"/sys/fs/cgroup/cpu,cpuacct/machine.slice",
# Cpusets for libpod (podman, cri-o).
"/sys/fs/cgroup/cpuset/machine.slice",
# Device allowlist controller for libpod (podman, cri-o).
"/sys/fs/cgroup/devices/machine.slice",
# Cgroup freezer for libpod (podman, cri-o).
"/sys/fs/cgroup/freezer/machine.slice",
# HugeTLB controller for libpod (podman, cri-o).
"/sys/fs/cgroup/hugetlb/machine.slice",
# Memory controller for libpod (podman, cri-o).
"/sys/fs/cgroup/memory/machine.slice",
# Network classifier and priority controller for libpod (podman, cri-o).
"/sys/fs/cgroup/net_cls,net_prio/machine.slice",
# Perf event controller for libpod (podman, cri-o).
"/sys/fs/cgroup/perf_event/machine.slice",
# Process number controller for libpod (podman, cri-o).
"/sys/fs/cgroup/pids/machine.slice",
# Cgroup v1 hierarchy (used by systemd) for libpod (podman, cri-o).
"/sys/fs/cgroup/systemd/machine.slice",
# Cgroup v2 hierarchy (used by systemd) for libpod (podman, cri-o).
"/sys/fs/cgroup/unified/machine.slice",
# Block I/O controller for kubelet.
"/sys/fs/cgroup/blkio/kubepods.slice",
# CPU accounting controller for kubelet.
"/sys/fs/cgroup/cpu,cpuacct/kubepods.slice",
# Cpusets for libpod for kubelet.
"/sys/fs/cgroup/cpuset/kubepods.slice",
# Device allowlist controller for kubelet.
"/sys/fs/cgroup/devices/kubepods.slice",
# Cgroup freezer for kubelet.
"/sys/fs/cgroup/freezer/kubepods.slice",
# HugeTLB controller for kubelet.
"/sys/fs/cgroup/hugetlb/kubepods.slice",
# Memory controller for kubelet.
"/sys/fs/cgroup/memory/kubepods.slice",
# Network classifier and priority controller for kubelet.
"/sys/fs/cgroup/net_cls,net_prio/kubepods.slice",
# Perf event controller for kubelet.
"/sys/fs/cgroup/perf_event/kubepods.slice",
# Process number controller for kubelet.
"/sys/fs/cgroup/pids/kubepods.slice",
# Cgroup v1 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/systemd/kubepods.slice",
# Cgroup v2 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/unified/kubepods.slice",
# Block I/O controller for docker.
"/sys/fs/cgroup/blkio/docker",
# CPU accounting controller for docker.
"/sys/fs/cgroup/cpu,cpuacct/docker",
# Cpusets for docker.
"/sys/fs/cgroup/cpuset/docker",
# Device allowlist controller for docker.
"/sys/fs/cgroup/devices/docker",
# Cgroup freezer for docker.
"/sys/fs/cgroup/freezer/docker",
# HugeTLB controller for docker.
"/sys/fs/cgroup/hugetlb/docker",
# Memory controller for docker.
"/sys/fs/cgroup/memory/docker",
# Network classifier and priority controller for docker.
"/sys/fs/cgroup/net_cls,net_prio/docker",
# Perf event controller for docker.
"/sys/fs/cgroup/perf_event/docker",
# Process number controller for docker.
"/sys/fs/cgroup/pids/docker",
# Cgroup v1 hierarchy (used by systemd) for docker.
"/sys/fs/cgroup/systemd/docker",
# Cgroup v2 hierarchy (used by systemd) for docker.
"/sys/fs/cgroup/unified/docker",
# State and ephemeral storage for kubelet.
"/var/lib/kubelet/pods",

# Directories mounted by container engine user.

"/home",
"/var/data",
]

allowed_paths_access_restricted = [
"/bin",
"/dev/console",
"/dev/full",
"/dev/null",
"/dev/pts",
"/dev/tty",
"/dev/urandom",
"/dev/zero",
"/etc",
"/home",
"/lib",
"/proc",
"/sys/fs/cgroup",
"/tmp",
"/usr",
"/var",
]

allowed_paths_access_baseline = [
"/bin",
"/dev/console",
"/dev/full",
"/dev/null",
"/dev/pts",
"/dev/tty",
"/dev/urandom",
"/dev/zero",
"/etc",
"/home",
"/lib",
"/proc",
"/sys/fs/cgroup",
"/tmp",
"/usr",
"/var",
]

denied_paths_access_restricted = [
"/proc/acpi",
]

denied_paths_access_baseline = [
"/proc/acpi",
"/proc/sys",
]
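Review bot: The two new deny lists at the end of the hunk look inverted: `denied_paths_access_restricted` holds only `/proc/acpi` and is a strict subset of `denied_paths_access_baseline` (`/proc/acpi` and `/proc/sys`), so a container under the stricter "restricted" policy may reach `/proc/sys` while a "baseline" one may not. Because `allowed_paths_access_restricted` and `allowed_paths_access_baseline` are identical, the deny lists are the only thing distinguishing the two profiles for file access, and as written the restricted profile is the more permissive one. If this is unintentional, add `"/proc/sys",` to `denied_paths_access_restricted`; if it is deliberate, a comment above that list stating why restricted does not deny `/proc/sys` would save the next reader the same question. The four new access lists also carry none of the per-entry comments the mount lists above use; a one-line comment per entry in the same style (e.g. `# Kernel tunables (sysctl); must not be writable from containers.` above `"/proc/sys"`) would keep the file consistent and make each allow/deny decision reviewable.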
1 change: 1 addition & 0 deletions docs/src/SUMMARY.md
Expand Up @@ -14,6 +14,7 @@
- [Use libvirt](terraform/libvirt.md)
- [Use OpenStack](terraform/openstack.md)
- [Policies](policies/README.md)
- [File access](policies/file-access.md)
- [Mount](policies/mount.md)
- [Syslog](policies/syslog.md)
- [Demos](demos/README.md)
62 changes: 62 additions & 0 deletions docs/src/policies/file-access.md
@@ -0,0 +1,62 @@
## File access

lockc comes with policies about file access which is based on allow- and
deny-listing. **Baseline** and **restricted** policies have their own pairs of
lists. All those lists should contain path prefixes. All the children of listed
paths/directories are included, since the decision is made by prefix matching.

The deny list has precedence over allow list. That's because main purpose of
the deny list is specifying exceptions whose prefixes are specified in the
allow list, but we don't want to allow them.

To sum it up, when any process in the container tries to access a file, lockc:

1. Checks whether the given path's prefix is in the deny list. If yes, denies
the access.
2. Checks whether the given path's prefix is in the allow list. If yes, allows
the access.
3. In case of no matches, denies the access.

By default, the contents of lists are:

* **baseline**
* allow list
* */bin*
* */dev/console*
* */dev/full*
* */dev/null*
* */dev/pts*
* */dev/tty*
* */dev/urandom*
* */dev/zero*
* */etc*
* */home*
* */lib*
* */proc*
* */sys/fs/cgroup*
* */tmp*
* */usr*
* */var*
* deny list
* */proc/acpi*
* **restricted**
* allow list
* */bin*
* */dev/console*
* */dev/full*
* */dev/null*
* */dev/pts*
* */dev/tty*
* */dev/urandom*
* */dev/zero*
* */etc*
* */home*
* */lib*
* */proc*
* */sys/fs/cgroup*
* */tmp*
* */usr*
* */var*
* deny list
* */proc/acpi*
* */proc/sys*