From bce5cb2ce5fe64f82a9ce3d2b5a6900bfdf9096f Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 19 Jul 2024 14:34:09 +0200
Subject: [PATCH] genpolicy: harden CreateSandboxRequest checks

Hooks are executed on the host, so we don't expect to run hooks and thus require that no hook paths are set.

Additional Kernel modules expand the attack surface, so require that none are set. If a use case arises, modules should be allowlisted via settings.

Signed-off-by: Markus Rudy
---
 src/tools/genpolicy/rules.rego | 5 +++-
 .../testdata/createsandbox/testcases.json | 23 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 3db3ed3dc7..a781b4e06e 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -15,7 +15,7 @@ default AddSwapRequest := false
 default CloseStdinRequest := false
 default CopyFileRequest := false
 default CreateContainerRequest := false
-default CreateSandboxRequest := true
+default CreateSandboxRequest := false
 default DestroySandboxRequest := true
 default ExecProcessRequest := false
 default GetOOMEventRequest := true
@@ -1117,6 +1117,9 @@ CreateSandboxRequest {
     print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
     count(input.guest_hook_path) == 0
 
+    print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
+    count(input.kernel_modules) == 0
+
     i_pidns := input.sandbox_pidns
     print("CreateSandboxRequest: i_pidns =", i_pidns)
     i_pidns == false
diff --git a/src/tools/genpolicy/tests/testdata/createsandbox/testcases.json b/src/tools/genpolicy/tests/testdata/createsandbox/testcases.json
index 4a024221b1..430c1d7af3 100644
--- a/src/tools/genpolicy/tests/testdata/createsandbox/testcases.json
+++ b/src/tools/genpolicy/tests/testdata/createsandbox/testcases.json
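Review bot: The flip of `default CreateSandboxRequest` from `true` to `false` is what makes the rule body's checks enforce anything: with a true default, a body that failed (non-empty `guest_hook_path`, `sandbox_pidns == true`) still left the request allowed, so the pre-existing checks at line 1117 onward were not effective before this commit. Neither the commit message nor the code states this, and a future reader may be tempted to relax the default again without realising it disables the whole rule body. A comment above the default line would make the intent explicit, e.g. `# Deny by default: CreateSandboxRequest is granted only when every check in its rule body holds.`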
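Review bot: `count(input.kernel_modules) == 0` only accepts an explicitly empty list; if the agent ever omits the field, `count` of an undefined value is itself undefined, the rule body fails and sandbox creation is denied rather than allowed. That is the fail-closed direction, but it is not visible from the line, and the commit message promises a future settings allowlist that the code does not mention. A comment would help, e.g. `# No additional kernel modules are accepted: each one widens the guest attack surface. If a workload needs one, allowlist it via settings instead of relaxing this check; an absent field fails the rule rather than passing as empty.` The enclosing `CreateSandboxRequest` rule body starts and ends outside the hunk.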
@@ -5,5 +5,28 @@
     "request": {
       "sandbox_pidns": false
     }
+  },
+  {
+    "description": "pidns",
+    "allowed": false,
+    "request": {
+      "sandbox_pidns": true
+    }
+  },
+  {
+    "description": "kernel modules",
+    "allowed": false,
+    "request": {
+      "sandbox_pidns": false,
+      "kernel_modules": [{"name": "evil.ko"}]
+    }
+  },
+  {
+    "description": "guest hooks",
+    "allowed": false,
+    "request": {
+      "sandbox_pidns": false,
+      "guest_hook_path": "/attacker/controlled/path"
+    }
   }
 ]
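Review bot: The three new cases each pin one denial, but none pins the positive side of the new check — a request carrying an explicitly empty `kernel_modules: []` and an empty `guest_hook_path` that must still be allowed — unless the case above the hunk already does so. Without it, a regression that rejects any `kernel_modules` value, including an empty list, would still pass this file, and the allowed/absent-field distinction noted in the rule would go untested. Assuming the existing case with only `sandbox_pidns: false` is allowed, one more entry covers it.
```json
  {
    "description": "empty kernel modules and empty hook path",
    "allowed": true,
    "request": {
      "sandbox_pidns": false,
      "kernel_modules": [],
      "guest_hook_path": ""
    }
  }
```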