Merge pull request #10050 from burgerdev/request-hardening

genpolicy: hardening some agent requests
This commit is contained in:
Aurélien Bombo
2024-08-15 08:31:21 -07:00
committed by GitHub
4 changed files with 90 additions and 4 deletions


@@ -296,7 +296,7 @@
] ]
}, },
"CopyFileRequest": [ "CopyFileRequest": [
"^$(cpath)/" "$(sfprefix)"
], ],
"ExecProcessRequest": { "ExecProcessRequest": {
"allowed_commands": [], "allowed_commands": [],
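Review bot: The replaced entry drops the literal `^` anchor that `"^$(cpath)/"` carried, so whether the CopyFileRequest pattern is still anchored now depends entirely on the expansion of `sfprefix`, which is defined elsewhere in this settings file and not visible in this hunk. If that expansion does not itself start with `^`, the `regex.match` in rules.rego accepts the shared-containers prefix anywhere in the path, e.g. `/tmp/run/kata-containers/shared/containers/<id>-<suffix>-foo`, and none of the added test cases would catch it because they never embed the prefix mid-path. Worth confirming `sfprefix` begins with `^` and ends at a separator (`-`), or re-adding the anchor here as `"^$(sfprefix)"` if the substitution is a bare prefix.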


@@ -15,7 +15,7 @@ default AddSwapRequest := false
default CloseStdinRequest := false default CloseStdinRequest := false
default CopyFileRequest := false default CopyFileRequest := false
default CreateContainerRequest := false default CreateContainerRequest := false
default CreateSandboxRequest := true default CreateSandboxRequest := false
default DestroySandboxRequest := true default DestroySandboxRequest := true
default ExecProcessRequest := false default ExecProcessRequest := false
default GetOOMEventRequest := true default GetOOMEventRequest := true
@@ -1092,12 +1092,23 @@ match_caps(p_caps, i_caps) {
} }
###################################################################### ######################################################################
check_directory_traversal(i_path) {
not regex.match("(^|/)..($|/)", i_path)
}
CopyFileRequest { CopyFileRequest {
print("CopyFileRequest: input.path =", input.path) print("CopyFileRequest: input.path =", input.path)
check_directory_traversal(input.path)
some regex1 in policy_data.request_defaults.CopyFileRequest some regex1 in policy_data.request_defaults.CopyFileRequest
regex2 := replace(regex1, "$(cpath)", policy_data.common.cpath) regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
regex.match(regex2, input.path) regex3 := replace(regex2, "$(cpath)", policy_data.common.mount_source_cpath)
regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
print("CopyFileRequest: regex4 =", regex4)
regex.match(regex4, input.path)
print("CopyFileRequest: true") print("CopyFileRequest: true")
} }
@@ -1106,6 +1117,9 @@ CreateSandboxRequest {
print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path) print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
count(input.guest_hook_path) == 0 count(input.guest_hook_path) == 0
print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
count(input.kernel_modules) == 0
i_pidns := input.sandbox_pidns i_pidns := input.sandbox_pidns
print("CreateSandboxRequest: i_pidns =", i_pidns) print("CreateSandboxRequest: i_pidns =", i_pidns)
i_pidns == false i_pidns == false
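Review bot: In `check_directory_traversal` the two dots in `"(^|/)..($|/)"` are unescaped regex metacharacters, so the pattern matches any two-character path component, not just `..`: a legitimate target such as `/run/kata-containers/shared/containers/<id>-<suffix>-foo/ab` is rejected the same way as `foo/../etc`. This fails closed, so it is not a bypass, but it is a false positive on valid CopyFileRequests and none of the new test cases exercises a two-character component. Escape the dots, `not regex.match("(^|/)\\.\\.($|/)", i_path)`, or use a Rego raw string, `` not regex.match(`(^|/)\.\.($|/)`, i_path) ``, and add a comment on the helper such as `# reject any path component that is exactly ".." (leading, trailing or in the middle)`. The CreateSandboxRequest rule body begins outside this hunk.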


@@ -6,11 +6,60 @@
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-resolv.conf" "path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-resolv.conf"
} }
}, },
{
"description": "a dirname can have trailing dots",
"allowed": true,
"request": {
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo../bar"
}
},
{ {
"description": "attempt to copy outside of container root", "description": "attempt to copy outside of container root",
"allowed": false, "allowed": false,
"request": { "request": {
"path": "/etc/ssl/cert.pem" "path": "/etc/ssl/cert.pem"
} }
},
{
"description": "attempt to write into container root",
"allowed": false,
"request": {
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc/rootfs/bin/sh"
}
},
{
"description": "attempt to write into container root - guest pull",
"allowed": false,
"request": {
"path": "/run/kata-containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc/rootfs/bin/sh"
}
},
{
"description": "attempted directory traversal",
"allowed": false,
"request": {
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/../../../../../etc/ssl/cert.pem"
}
},
{
"description": "attempted directory traversal - parent directory",
"allowed": false,
"request": {
"path": "/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/.."
}
},
{
"description": "relative path",
"allowed": false,
"request": {
"path": "etc/ssl/cert.pem"
}
},
{
"description": "relative path - parent directory",
"allowed": false,
"request": {
"path": ".."
}
} }
] ]
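Review bot: The added negative cases cover `..` segments and paths outside the shared directory, but two regression guards for the rego rule are missing. A positive case whose path contains a legitimate two-character directory component, e.g. `/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo/ab`, would pin that the traversal check rejects only literal `..` and not any two characters. A negative case that embeds the shared-containers prefix mid-path, e.g. `/tmp/run/kata-containers/shared/containers/81e5f43bc8599c5661e66f959ac28df5bfb30da23c5d583f2dcc6f9e0c5186dc-ce23cfeb91e75aaa-foo`, would pin that the pattern is anchored at the start, which the current cases do not exercise since they never contain the prefix anywhere but at position zero.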


@@ -5,5 +5,28 @@
"request": { "request": {
"sandbox_pidns": false "sandbox_pidns": false
} }
},
{
"description": "pidns",
"allowed": false,
"request": {
"sandbox_pidns": true
}
},
{
"description": "kernel modules",
"allowed": false,
"request": {
"sandbox_pidns": false,
"kernel_modules": [{"name": "evil.ko"}]
}
},
{
"description": "guest hooks",
"allowed": false,
"request": {
"sandbox_pidns": false,
"guest_hook_path": "/attacker/controlled/path"
}
} }
] ]
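Review bot: The only allowed case sends just `"sandbox_pidns": false` and omits `kernel_modules` and `guest_hook_path`, so the test relies on the harness filling in empty defaults; in OPA an absent `input.kernel_modules` makes `count(input.kernel_modules)` undefined and the rule would fail, so the case passing presumably means the harness populates protobuf defaults, which is worth stating. Adding an explicit allowed case with `"kernel_modules": []` and `"guest_hook_path": ""` alongside `"sandbox_pidns": false` would pin the empty-collection semantics the new `count(...) == 0` check depends on, independent of how defaults are filled.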