Documentation ¶
Index ¶
- type ClosedDoorSecurityPolicyEnforcer
- func (p *ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
- func (p *ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
- func (p *ClosedDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)
- type EncodedSecurityPolicy
- type OpenDoorSecurityPolicyEnforcer
- func (p *OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
- func (p *OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
- func (p *OpenDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)
- type SecurityPolicy
- type SecurityPolicyContainer
- type SecurityPolicyEnforcer
- type SecurityPolicyEnvironmentVariableRule
- type SecurityPolicyState
- type StandardSecurityPolicyEnforcer
- func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
- func (policyState *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
- func (policyState *StandardSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ClosedDoorSecurityPolicyEnforcer ¶
type ClosedDoorSecurityPolicyEnforcer struct{}
func (*ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy ¶
func (p *ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
func (*ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy ¶
func (p *ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
func (*ClosedDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy ¶
func (p *ClosedDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)
type EncodedSecurityPolicy ¶
type EncodedSecurityPolicy struct {
SecurityPolicy string `json:"SecurityPolicy,omitempty"`
}
EncodedSecurityPolicy is a JSON representation of SecurityPolicy that has been base64 encoded for storage in an annotation embedded within another JSON configuration
type OpenDoorSecurityPolicyEnforcer ¶
type OpenDoorSecurityPolicyEnforcer struct{}
func (*OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy ¶
func (p *OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
func (*OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy ¶
func (p *OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
func (*OpenDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy ¶
func (p *OpenDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)
type SecurityPolicy ¶
type SecurityPolicy struct { // Flag that when set to true allows for all checks to pass. Currently used // to run with security policy enforcement "running dark"; checks can be in // place but the default policy that is created on startup has AllowAll set // to true, thus making policy enforcement effectively "off" from a logical // standpoint. Policy enforcement isn't actually off as the policy is "allow // everything:. AllowAll bool `json:"allow_all"` // Total number of containers in our map NumContainers int `json:"num_containers"` // One or more containers that are allowed to run Containers map[string]SecurityPolicyContainer `json:"containers"` }
JSON transport version
type SecurityPolicyContainer ¶
type SecurityPolicyContainer struct { // Number of entries that should be in the "Command" map NumCommands int `json:"num_commands"` // The command that we will allow the container to execute Command map[string]string `json:"command"` // Number of entries that should be in the "EnvRules" map NumEnvRules int `json:"num_env_rules"` // The rules for determining if a given environment variable is allowed EnvRules map[string]SecurityPolicyEnvironmentVariableRule `json:"env_rules"` // Number of entries that should in the "Layers" map NumLayers int `json:"num_layers"` // An "ordered list" of dm-verity root hashes for each layer that makes up // "a container". Containers are constructed as an overlay file system. The // order that the layers are overlayed is important and needs to be enforced // as part of policy. The map is interpreted as an ordered list by arranging // the keys of the map as indexes like 0,1,2,3 to establish the order. Layers map[string]string `json:"layers"` }
SecurityPolicyContainer contains information about a container that should be allowed to run. "Allowed to run" is a bit of misnomer. For example, we enforce that when an overlay file system is constructed that it must be a an ordering of layers (as seen through dm-verity root hashes of devices) that match a listing from Layers in one of any valid SecurityPolicyContainer entries. Once that overlay creation is allowed, the command could not match policy and running the command would be rejected.
type SecurityPolicyEnforcer ¶
type SecurityPolicyEnforcer interface { EnforceDeviceMountPolicy(target string, deviceHash string) (err error) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error) }
func NewSecurityPolicyEnforcer ¶
func NewSecurityPolicyEnforcer(state SecurityPolicyState) (SecurityPolicyEnforcer, error)
type SecurityPolicyState ¶
type SecurityPolicyState struct { EncodedSecurityPolicy EncodedSecurityPolicy `json:"EncodedSecurityPolicy,omitempty"` SecurityPolicy `json:"SecurityPolicy,omitempty"` }
SecurityPolicyState is a structure that holds user supplied policy to enforce we keep both the encoded representation and the unmarshalled representation because different components need to have access to either of these
func NewSecurityPolicyState ¶
func NewSecurityPolicyState(base64Policy string) (*SecurityPolicyState, error)
Constructs SecurityPolicyState from base64Policy string. It first decodes base64 policy and returns the structs security policy struct and encoded security policy for given policy. The security policy is transmitted as json in an annotation, so we first have to remove the base64 encoding that allows the JSON based policy to be passed as a string. From there, we decode the JSONand setup our security policy struct
type StandardSecurityPolicyEnforcer ¶
type StandardSecurityPolicyEnforcer struct { // EncodedSecurityPolicy state is needed for key release EncodedSecurityPolicy string // Containers from the user supplied security policy. Containers []securityPolicyContainer // Devices and ContainerIndexToContainerIds are used to build up an // understanding of the containers running with a UVM as they come up and // map them back to a container definition from the user supplied // SecurityPolicy // // Devices is a listing of dm-verity root hashes seen when mounting a device // stored in a "per-container basis". As the UVM goes through its process of // bringing up containers, we have to piece together information about what // is going on. // // At the time that devices are being mounted, we do not know a container // that they will be used for; only that there is a device with a given root // hash that being mounted. We check to make sure that the root hash for the // devices is a root hash that exists for 1 or more layers in any container // in the supplied SecurityPolicy. Each "seen" layer is recorded in devices // as it is mounted. So for example, if a root hash mount is found for the // device being mounted and the first layer of the first container then we // record the root hash in Devices[0][0]. // // Later, when overlay filesystems created, we verify that the ordered layers // for said overlay filesystem match one of the device orderings in Devices. // When a match is found, the index in Devices is the same index in // SecurityPolicy.Containers. Overlay filesystem creation is the first time we // have a "container id" available to us. The container id identifies the // container in question going forward. We record the mapping of Container // index to container id so that when we have future operations like "run // command" which come with a container id, we can find the corresponding // container index and use that to look up the command in the appropriate // SecurityPolicyContainer instance. // // As containers can have exactly the same base image and be "the same" at // the time we are doing overlay, the ContainerIndexToContainerIds in an // array of possible containers for a given container id. // // Containers that share the same base image, and perhaps further // information, will have an entry per container instance in the // SecurityPolicy. For example, a policy that has two containers that // use Ubuntu 18.04 will have an entry for each even if they share the same // command line. // // Most of the work that this security policy enforcer does it around managing // state needed to map from a container definition in the SecurityPolicy to // a specfic container ID as we bring up each container. See // enforceCommandPolicy where most of the functionality is handling the case // were policy containers share an overlay and have to try to distinguish them // based on the command line arguments. enforceEnvironmentVariablePolicy can // further narrow based on environment variables if required. // // implementation details are available in: // - EnforceDeviceMountPolicy // - EnforceOverlayMountPolicy // - enforceCommandPolicy // - enforceEnvironmentVariablePolicy // - NewStandardSecurityPolicyEnforcer Devices [][]string ContainerIndexToContainerIds map[int][]string // contains filtered or unexported fields }
func NewStandardSecurityPolicyEnforcer ¶
func NewStandardSecurityPolicyEnforcer(containers []securityPolicyContainer, encoded string) *StandardSecurityPolicyEnforcer
func (*StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy ¶
func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
func (*StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy ¶
func (policyState *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
func (*StandardSecurityPolicyEnforcer) EnforceStartContainerPolicy ¶
func (policyState *StandardSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)