Remove lockc-runc-wrapper
This change consists of several changes which overall allow to remove
lockc-runc-wrapper and any necessity of configuring containerd for
integration with lockc:

* Using fanotify to monitor runc processes and register containers.
* Using uprobes for registering containers and processes in BPF maps.
  Doing BPF operations from the wrapper had the weird issue - by
  registering the wrapper process, we were in fact preventing the same
  lockc-runc-wrapper process from doing any more BPF map modifications.
  Using uprobes also has another advantage - it will allow rootless
  containers to work.
* Allowing access to /run directory inside container filesystem. It's
  used both by popular applications (like nginx) and by kubelet to store
  the network namespace (/run/netns).
* Adding containerd v2 CRI-related cgroup mount directories as allowed.
* Proper cleanup of old containers and processes.

Majority of uprobes code on the userspace side comes from
bpfcontain-rs.

Fixes: lockc-project#94
Fixes: lockc-project#52
Fixes: lockc-project#92
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Signed-off-by: William Findlay <william@williamfindlay.com>
vadorovsky committed Nov 17, 2021
1 parent 800a5ed commit 4aebcef
Showing 22 changed files with 1,508 additions and 708 deletions.
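--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,5 +1,6 @@
 [workspace]
 members = [
 "lockc",
+"lockc-uprobes",
 "xtask",
 ]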
128 changes: 127 additions & 1 deletion contrib/etc/lockc/lockc.toml
Expand Up @@ -16,6 +16,8 @@ allowed_paths_mount_restricted = [
"/var/run/container",
# Storage directory used by CRI containerd.
"/run/containerd/io.containerd.runtime.v1.linux",
# Storage directory used by CRI containerd.
"/run/containerd/io.containerd.runtime.v2.task",
# Data directory used by docker.
"/var/lib/docker/containers",
# Sandbox directory used by containerd.
Expand Down Expand Up @@ -74,6 +76,54 @@ allowed_paths_mount_restricted = [
"/sys/fs/cgroup/systemd/kubepods.slice",
# Cgroup v2 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/unified/kubepods.slice",
# Block I/O controller for kubelet.
"/sys/fs/cgroup/blkio/kubepods-besteffort",
# CPU accounting controller for kubelet.
"/sys/fs/cgroup/cpu,cpuacct/kubepods-besteffort",
# Cpusets for libpod for kubelet.
"/sys/fs/cgroup/cpuset/kubepods-besteffort",
# Device allowlist controller for kubelet.
"/sys/fs/cgroup/devices/kubepods-besteffort",
# Cgroup freezer for kubelet.
"/sys/fs/cgroup/freezer/kubepods-besteffort",
# HugeTLB controller for kubelet.
"/sys/fs/cgroup/hugetlb/kubepods-besteffort",
# Memory controller for kubelet.
"/sys/fs/cgroup/memory/kubepods-besteffort",
# Network classifier and priority controller for kubelet.
"/sys/fs/cgroup/net_cls,net_prio/kubepods-besteffort",
# Perf event controller for kubelet.
"/sys/fs/cgroup/perf_event/kubepods-besteffort",
# Process number controller for kubelet.
"/sys/fs/cgroup/pids/kubepods-besteffort",
# Cgroup v1 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/systemd/kubepods-besteffort",
# Cgroup v2 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/unified/kubepods-besteffort",
# Block I/O controller for containerd.
"/sys/fs/cgroup/blkio/system.slice/containerd.service",
# CPU accounting controller for containerd.
"/sys/fs/cgroup/cpu,cpuacct/system.slice/containerd.service",
# Cpusets for libpod for containerd.
"/sys/fs/cgroup/cpuset/system.slice/containerd.service",
# Device allowlist controller for containerd.
"/sys/fs/cgroup/devices/system.slice/containerd.service",
# Cgroup freezer for containerd.
"/sys/fs/cgroup/freezer/system.slice/containerd.service",
# HugeTLB controller for containerd.
"/sys/fs/cgroup/hugetlb/system.slice/containerd.service",
# Memory controller for containerd.
"/sys/fs/cgroup/memory/system.slice/containerd.service",
# Network classifier and priority controller for containerd.
"/sys/fs/cgroup/net_cls,net_prio/system.slice/containerd.service",
# Perf event controller for containerd.
"/sys/fs/cgroup/perf_event/system.slice/containerd.service",
# Process number controller for containerd.
"/sys/fs/cgroup/pids/system.slice/containerd.service",
# Cgroup v1 hierarchy (used by systemd) for containerd.
"/sys/fs/cgroup/systemd/system.slice/containerd.service",
# Cgroup v2 hierarchy (used by systemd) for containerd.
"/sys/fs/cgroup/unified/system.slice/containerd.service",
# Block I/O controller for docker.
"/sys/fs/cgroup/blkio/docker",
# CPU accounting controller for docker.
Expand Down Expand Up @@ -121,6 +171,8 @@ allowed_paths_mount_baseline = [
"/var/run/container",
# Storage directory used by CRI containerd.
"/run/containerd/io.containerd.runtime.v1.linux",
# Storage directory used by CRI containerd.
"/run/containerd/io.containerd.runtime.v2.task",
# Data directory used by docker.
"/var/lib/docker/containers",
# Sandbox directory used by containerd.
Expand Down Expand Up @@ -179,6 +231,54 @@ allowed_paths_mount_baseline = [
"/sys/fs/cgroup/systemd/kubepods.slice",
# Cgroup v2 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/unified/kubepods.slice",
# Block I/O controller for kubelet.
"/sys/fs/cgroup/blkio/kubepods-besteffort",
# CPU accounting controller for kubelet.
"/sys/fs/cgroup/cpu,cpuacct/kubepods-besteffort",
# Cpusets for libpod for kubelet.
"/sys/fs/cgroup/cpuset/kubepods-besteffort",
# Device allowlist controller for kubelet.
"/sys/fs/cgroup/devices/kubepods-besteffort",
# Cgroup freezer for kubelet.
"/sys/fs/cgroup/freezer/kubepods-besteffort",
# HugeTLB controller for kubelet.
"/sys/fs/cgroup/hugetlb/kubepods-besteffort",
# Memory controller for kubelet.
"/sys/fs/cgroup/memory/kubepods-besteffort",
# Network classifier and priority controller for kubelet.
"/sys/fs/cgroup/net_cls,net_prio/kubepods-besteffort",
# Perf event controller for kubelet.
"/sys/fs/cgroup/perf_event/kubepods-besteffort",
# Process number controller for kubelet.
"/sys/fs/cgroup/pids/kubepods-besteffort",
# Cgroup v1 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/systemd/kubepods-besteffort",
# Cgroup v2 hierarchy (used by systemd) for kubelet.
"/sys/fs/cgroup/unified/kubepods-besteffort",
# Block I/O controller for containerd.
"/sys/fs/cgroup/blkio/system.slice/containerd.service",
# CPU accounting controller for containerd.
"/sys/fs/cgroup/cpu,cpuacct/system.slice/containerd.service",
# Cpusets for libpod for containerd.
"/sys/fs/cgroup/cpuset/system.slice/containerd.service",
# Device allowlist controller for containerd.
"/sys/fs/cgroup/devices/system.slice/containerd.service",
# Cgroup freezer for containerd.
"/sys/fs/cgroup/freezer/system.slice/containerd.service",
# HugeTLB controller for containerd.
"/sys/fs/cgroup/hugetlb/system.slice/containerd.service",
# Memory controller for containerd.
"/sys/fs/cgroup/memory/system.slice/containerd.service",
# Network classifier and priority controller for containerd.
"/sys/fs/cgroup/net_cls,net_prio/system.slice/containerd.service",
# Perf event controller for containerd.
"/sys/fs/cgroup/perf_event/system.slice/containerd.service",
# Process number controller for containerd.
"/sys/fs/cgroup/pids/system.slice/containerd.service",
# Cgroup v1 hierarchy (used by systemd) for containerd.
"/sys/fs/cgroup/systemd/system.slice/containerd.service",
# Cgroup v2 hierarchy (used by systemd) for containerd.
"/sys/fs/cgroup/unified/system.slice/containerd.service",
# Block I/O controller for docker.
"/sys/fs/cgroup/blkio/docker",
# CPU accounting controller for docker.
Expand Down Expand Up @@ -213,6 +313,15 @@ allowed_paths_mount_baseline = [
]

allowed_paths_access_restricted = [
"cgroup:",
"ipc:",
"mnt:",
"net:",
"pid:",
"pipe:",
"time:",
"user:",
"uts:",
"/bin",
"/dev/console",
"/dev/full",
Expand All @@ -224,14 +333,27 @@ allowed_paths_access_restricted = [
"/etc",
"/home",
"/lib",
"/lib64",
"/pause",
"/proc",
"/run",
"/sys/fs/cgroup",
"/sys/kernel/mm",
"/tmp",
"/usr",
"/var",
]

allowed_paths_access_baseline = [
"cgroup:",
"ipc:",
"mnt:",
"net:",
"pid:",
"pipe:",
"time:",
"user:",
"uts:",
"/bin",
"/dev/console",
"/dev/full",
Expand All @@ -243,18 +365,22 @@ allowed_paths_access_baseline = [
"/etc",
"/home",
"/lib",
"/lib64",
"/pause",
"/proc",
"/run",
"/sys/fs/cgroup",
"/sys/kernel/mm",
"/tmp",
"/usr",
"/var",
]

denied_paths_access_restricted = [
"/proc/acpi",
"/proc/sys",
]

denied_paths_access_baseline = [
"/proc/acpi",
"/proc/sys",
]
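Review bot: The new `"/run"` entry in allowed_paths_access_restricted, and the same one in allowed_paths_access_baseline (hunks at -224 and -243), allowlists the whole directory where the mount allowlists above enumerate single subdirectories such as `/run/containerd/io.containerd.runtime.v2.task`; since the host's /run also holds runtime control sockets, a comment stating whether this entry matches only the container's own rootfs or also host paths bind-mounted into it, and why the narrower `/run/netns` was not enough, would let a reader judge the widening (the commit message cites nginx and kubelet's /run/netns). The prefix entries `"cgroup:"` through `"uts:"` in both access lists are the only uncommented ones in a file where every other entry carries a comment; if they are meant to match namespace pseudo-paths of the form `net:[<inode>]` reached through /proc/<pid>/ns, say so above them, e.g. `# Namespace pseudo-paths (nsfs), e.g. net:[<inode>].`. The kubelet and containerd cpuset entries in the -74 and -179 hunks reuse `# Cpusets for libpod for kubelet.` and `# Cpusets for libpod for containerd.`, which reads as a copy-paste of the libpod entry; `# Cpuset controller for kubelet.` follows the pattern of the neighbouring comments.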
4 changes: 0 additions & 4 deletions contrib/guestfs/build.sh
Expand Up @@ -37,10 +37,6 @@ set -eux

virt-customize -a \
${LOCKC_IMAGE} \
--mkdir /etc/containerd \
--mkdir /etc/docker \
--copy-in provision/etc/containerd/config.toml:/etc/containerd/ \
--copy-in provision/etc/docker/daemon.json:/etc/docker/ \
--copy-in provision/etc/modules-load.d/99-k8s.conf:/etc/modules-load.d/ \
--copy-in provision/etc/sysctl.d/99-k8s.conf:/etc/sysctl.d/ \
--copy-in provision/systemd/containerd.service:/etc/systemd/system/ \
69 changes: 0 additions & 69 deletions contrib/guestfs/provision/etc/containerd/config.toml

This file was deleted.

14 changes: 0 additions & 14 deletions contrib/guestfs/provision/etc/docker/daemon.json

This file was deleted.

2 changes: 0 additions & 2 deletions contrib/guestfs/provision/provision.sh
Expand Up @@ -84,8 +84,6 @@ EOF
### Rebuild initrd with dracut
mkinitrd

mv /etc/containerd/config.toml.rpmorig /etc/containerd/config.toml

systemctl enable containerd
systemctl enable docker

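--- a/contrib/systemd/lockcd.service.in
+++ b/contrib/systemd/lockcd.service.in
@@ -3,7 +3,9 @@ Description=lockc daemon
 After=network-online.target
 
 [Service]
-Type=oneshot
+Type=simple
+Restart=always
+RestartSec=1
 ExecStart={{ bindir }}/lockcd
 StandardOutput=journal
 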
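Review bot: `Restart=always` with `RestartSec=1` runs into systemd's default start-rate limit (five starts within ten seconds) after a handful of consecutive crashes, after which the unit stays failed and is not restarted; for a daemon that registers new containers, that leaves later containers unregistered until someone notices. Either add `StartLimitIntervalSec=0` to the `[Unit]` section, which lies above this hunk, or raise `RestartSec` and set `StartLimitBurst` deliberately, and record the choice in a comment; whether the BPF programs pinned in BPFFS keep enforcing for already-registered containers while lockcd is down is not visible here and is worth stating next to `Restart=`.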
4 changes: 2 additions & 2 deletions docs/src/architecture.md
Expand Up @@ -11,7 +11,7 @@ The project consists of 3 parts:
policies per container/pod is yet to be implemented)
- **lockcd** - the userspace program (written in Rust)
- loads the BPF programs into the kernel, pins them in BPFFS
- monitors runc processes, registers new containers and determines which
policy should be applied on a container
- in future, it's going to serve as the configuration manager and log
collector
- **lockc-runc-wrapper** - a wraper for runc which registers new containers
and determines which policy should be applied on a container
2 changes: 1 addition & 1 deletion docs/src/policies/mount.md
Expand Up @@ -20,6 +20,6 @@ By default, with the **baseline** policy level, this is a good example of
not allowed behavior:

```bash
# podman --runtime $(pwd)/build/src/lockc-runc-wrapper run -ti -v /:/rootfs --rm registry.opensuse.org/opensuse/toolbox:latest
# docker run -ti -v /:/rootfs --rm registry.opensuse.org/opensuse/toolbox:latest
Error: container create failed (no logs from conmon): EOF
```
2 changes: 1 addition & 1 deletion docs/src/policies/syslog.md
Expand Up @@ -11,7 +11,7 @@ By default, with the **baseline** policy level, checking the kernel logs from
the container is not allowed:

```bash
# podman --runtime $(pwd)/build/src/lockc-runc-wrapper run -ti --rm registry.opensuse.org/opensuse/toolbox:latest
# docker run -it --rm registry.opensuse.org/opensuse/toolbox:latest
b10f9fa4a385:/ # dmesg
dmesg: read kernel buffer failed: Operation not permitted
```
5 changes: 3 additions & 2 deletions docs/src/use/README.md
Expand Up @@ -32,8 +32,9 @@ sudo bpftool prog
btf_id 18711
```

To check if containers get "hardened" by lockc, check if you are able to
see the kernel logs from inside the container wrapped by **lockc-runc-wrapper**.
To check if containers get "hardened" by lockc, check if you are able to see
parts of container filesystem which are restricted by lockc.

Example:

```bash
9 changes: 9 additions & 0 deletions lockc-uprobes/Cargo.toml
@@ -0,0 +1,9 @@
[package]
name = "lockc-uprobes"
version = "0.1.0"
edition = "2021"

license = "Apache-2.0"

[dependencies]
libc = "0.2"
13 changes: 13 additions & 0 deletions lockc-uprobes/src/lib.rs
@@ -0,0 +1,13 @@
use libc::pid_t;

#[no_mangle]
#[inline(never)]
pub extern "C" fn add_container(_retp: *mut i32, _container_id: u32, _pid: pid_t, _policy: i32) {}

#[no_mangle]
#[inline(never)]
pub extern "C" fn delete_container(_retp: *mut i32, _container_id: u32) {}

#[no_mangle]
#[inline(never)]
pub extern "C" fn add_process(_retp: *mut i32, _container_id: u32, _pid: pid_t) {}
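Review bot: The three exported functions are empty on purpose, but nothing in the file says so, and their names, argument order and types are an ABI contract with the BPF programs attached to them (the commit message says containers and processes are now registered through uprobes); a reader, or a later cleanup, has no way to know that from this listing. I'd add a `//!` module comment stating that lockcd attaches uprobes to these symbols and the BPF side reads the arguments from the probe, that `#[no_mangle]` and `#[inline(never)]` exist to keep a stable, distinct symbol to attach to, and that any signature change needs the matching change on the BPF side, plus a `///` on each function documenting its parameters. The `_retp` out-pointer deserves its own sentence: presumably the probe handler writes a status through it and callers must pass a valid, initialised `*mut i32`, but this file does not show that, so mark it as the intended contract to confirm. Since a uprobe fires for whatever process executes this code at the probed offset, the comment should also say whether the BPF handler treats a hit as coming from lockcd only, so that assumption is visible to reviewers rather than implicit.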
