securitypolicy

package
v0.9.0-rc0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 14, 2021 License: MIT Imports: 9 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ClosedDoorSecurityPolicyEnforcer 

type ClosedDoorSecurityPolicyEnforcer struct{}

func (*ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy 

func (p *ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)

func (*ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy 

func (p *ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)

func (*ClosedDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy 

func (p *ClosedDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)

type EncodedSecurityPolicy 

type EncodedSecurityPolicy struct {
	SecurityPolicy string `json:"SecurityPolicy,omitempty"`
}

EncodedSecurityPolicy is a JSON representation of SecurityPolicy that has been base64 encoded for storage in an annotation embedded within another JSON configuration

type OpenDoorSecurityPolicyEnforcer 

type OpenDoorSecurityPolicyEnforcer struct{}

func (*OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy 

func (p *OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)

func (*OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy 

func (p *OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)

func (*OpenDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy 

func (p *OpenDoorSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)

type SecurityPolicy 

type SecurityPolicy struct {
	// Flag that when set to true allows for all checks to pass. Currently used
	// to run with security policy enforcement "running dark"; checks can be in
	// place but the default policy that is created on startup has AllowAll set
	// to true, thus making policy enforcement effectively "off" from a logical
	// standpoint. Policy enforcement isn't actually off as the policy is "allow
	// everything:.
	AllowAll bool `json:"allow_all"`
	// Total number of containers in our map
	NumContainers int `json:"num_containers"`
	// One or more containers that are allowed to run
	Containers map[string]SecurityPolicyContainer `json:"containers"`
}

JSON transport version

type SecurityPolicyContainer 

type SecurityPolicyContainer struct {
	// Number of entries that should be in the "Command" map
	NumCommands int `json:"num_commands"`
	// The command that we will allow the container to execute
	Command map[string]string `json:"command"`
	// Number of entries that should be in the "EnvRules" map
	NumEnvRules int `json:"num_env_rules"`
	// The rules for determining if a given environment variable is allowed
	EnvRules map[string]SecurityPolicyEnvironmentVariableRule `json:"env_rules"`
	// Number of entries that should in the "Layers" map
	NumLayers int `json:"num_layers"`
	// An "ordered list" of dm-verity root hashes for each layer that makes up
	// "a container". Containers are constructed as an overlay file system. The
	// order that the layers are overlayed is important and needs to be enforced
	// as part of policy. The map is interpreted as an ordered list by arranging
	// the keys of the map as indexes like 0,1,2,3 to establish the order.
	Layers map[string]string `json:"layers"`
}

SecurityPolicyContainer contains information about a container that should be allowed to run. "Allowed to run" is a bit of misnomer. For example, we enforce that when an overlay file system is constructed that it must be a an ordering of layers (as seen through dm-verity root hashes of devices) that match a listing from Layers in one of any valid SecurityPolicyContainer entries. Once that overlay creation is allowed, the command could not match policy and running the command would be rejected.

type SecurityPolicyEnforcer 

type SecurityPolicyEnforcer interface {
	EnforceDeviceMountPolicy(target string, deviceHash string) (err error)
	EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)
	EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)
}

func NewSecurityPolicyEnforcer 

func NewSecurityPolicyEnforcer(state SecurityPolicyState) (SecurityPolicyEnforcer, error)

type SecurityPolicyEnvironmentVariableRule 

type SecurityPolicyEnvironmentVariableRule struct {
	Strategy string `json:"strategy"`
	Rule     string `json:"rule"`
}

type SecurityPolicyState 

type SecurityPolicyState struct {
	EncodedSecurityPolicy EncodedSecurityPolicy `json:"EncodedSecurityPolicy,omitempty"`
	SecurityPolicy        `json:"SecurityPolicy,omitempty"`
}

SecurityPolicyState is a structure that holds user supplied policy to enforce we keep both the encoded representation and the unmarshalled representation because different components need to have access to either of these

func NewSecurityPolicyState 

func NewSecurityPolicyState(base64Policy string) (*SecurityPolicyState, error)

Constructs SecurityPolicyState from base64Policy string. It first decodes base64 policy and returns the structs security policy struct and encoded security policy for given policy. The security policy is transmitted as json in an annotation, so we first have to remove the base64 encoding that allows the JSON based policy to be passed as a string. From there, we decode the JSONand setup our security policy struct

type StandardSecurityPolicyEnforcer 

type StandardSecurityPolicyEnforcer struct {
	// EncodedSecurityPolicy state is needed for key release
	EncodedSecurityPolicy string
	// Containers from the user supplied security policy.
	Containers []securityPolicyContainer
	// Devices and ContainerIndexToContainerIds are used to build up an
	// understanding of the containers running with a UVM as they come up and
	// map them back to a container definition from the user supplied
	// SecurityPolicy
	//
	// Devices is a listing of dm-verity root hashes seen when mounting a device
	// stored in a "per-container basis". As the UVM goes through its process of
	// bringing up containers, we have to piece together information about what
	// is going on.
	//
	// At the time that devices are being mounted, we do not know a container
	// that they will be used for; only that there is a device with a given root
	// hash that being mounted. We check to make sure that the root hash for the
	// devices is a root hash that exists for 1 or more layers in any container
	// in the supplied SecurityPolicy. Each "seen" layer is recorded in devices
	// as it is mounted. So for example, if a root hash mount is found for the
	// device being mounted and the first layer of the first container then we
	// record the root hash in Devices[0][0].
	//
	// Later, when overlay filesystems  created, we verify that the ordered layers
	// for said overlay filesystem match one of the device orderings in Devices.
	// When a match is found, the index in Devices is the same index in
	// SecurityPolicy.Containers. Overlay filesystem creation is the first time we
	// have a "container id" available to us. The container id identifies the
	// container in question going forward. We record the mapping of Container
	// index to container id so that when we have future operations like "run
	// command" which come with a container id, we can find the corresponding
	// container index and use that to look up the command in the appropriate
	// SecurityPolicyContainer instance.
	//
	// As containers can have exactly the same base image and be "the same" at
	// the time we are doing overlay, the ContainerIndexToContainerIds in an
	// array of possible containers for a given container id.
	//
	// Containers that share the same base image, and perhaps further
	// information, will have an entry per container instance in the
	// SecurityPolicy. For example, a policy that has two containers that
	// use Ubuntu 18.04 will have an entry for each even if they share the same
	// command line.
	//
	// Most of the work that this security policy enforcer does it around managing
	// state needed to map from a container definition in the SecurityPolicy to
	// a specfic container ID as we bring up each container. See
	// enforceCommandPolicy where most of the functionality is handling the case
	// were policy containers share an overlay and have to try to distinguish them
	// based on the command line arguments. enforceEnvironmentVariablePolicy can
	// further narrow based on environment variables if required.
	//
	// implementation details are available in:
	// - EnforceDeviceMountPolicy
	// - EnforceOverlayMountPolicy
	// - enforceCommandPolicy
	// - enforceEnvironmentVariablePolicy
	// - NewStandardSecurityPolicyEnforcer
	Devices                      [][]string
	ContainerIndexToContainerIds map[int][]string
	// contains filtered or unexported fields
}

func NewStandardSecurityPolicyEnforcer 

func NewStandardSecurityPolicyEnforcer(containers []securityPolicyContainer, encoded string) *StandardSecurityPolicyEnforcer

func (*StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy 

func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error)

func (*StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy 

func (policyState *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error)

func (*StandardSecurityPolicyEnforcer) EnforceStartContainerPolicy 

func (policyState *StandardSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.