
seccomp: use SYSCALLS_TO_DENY array #419

Merged: 1 commit merged into containers:main from cicd-int-qm-auto, May 2, 2024

Conversation

dougsland
Collaborator

This global array can be loaded externally into tools to check if programs that are not allowed, or won't work, in the QM partition can be added into the QM image/yaml.

In this case: "sched_setscheduler" and "sched_setattr", for which QM engineers are following the Risk Assessment rules.

Projects like CentOS Automotive Stream Distribution could take advantage of it in the CI/CD pipeline.

Finally, added an example in the tool of how such an integration could be used in a CI/CD scenario.

@dougsland
Collaborator Author

dougsland commented May 1, 2024

cc @alexlarsson @Yarboa

FYI, agent-flood CI/CD is broken as expected due to the Network=private change. We will address this soon.
Related issue (agent-flood): #416

@dougsland dougsland force-pushed the cicd-int-qm-auto branch 2 times, most recently from 28d783b to 29c2f99 Compare May 1, 2024 18:02
This global array can be loaded externally into tools to check
if programs that are not allowed, or won't work, in the QM partition
can be added into the QM image/yaml.

In this case: "sched_setscheduler" and "sched_setattr", for which QM
engineers are following the Risk Assessment rules.

Projects like CentOS Automotive Stream Distribution could take
advantage of it in the CI/CD pipeline.

Finally, added an example in the tool of how such an integration
could be used in a CI/CD scenario.

Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com>
@dougsland
Collaborator Author

CI/CD will fail due to: #416

@dougsland
Collaborator Author

Rebuilt CentOS Automotive with this patch added in the QM repo, and here is the documented test:

The code is included in create-seccomp-rules; let's see the last lines added:
[root@localhost ~]# tail -n 30 /usr/share/qm/create-seccomp-rules

...
<SNIP>
for syscall in "${SYSCALLS_TO_DENY[@]}"; do
    # Remove syscall entry from the allow list
    remove_seccomp_entry_from_allow "${syscall}" "${QM_PATH_SECCOMP}"

    # Add syscall to the deny list
    add_syscall_deny_list "${syscall}" "${QM_PATH_SECCOMP}"
done

Now let's prove the new version is still working:

[root@localhost ~]# rm -f /usr/share/qm/seccomp.json # removing the seccomp.json from the installation
[root@localhost ~]# /usr/share/qm/create-seccomp-rules # lets generate a new one
[root@localhost ~]# tail -n 30 /usr/share/qm/seccomp.json # let's see the last lines and check if they include the deny entries (which they do)
<SNIP>
		{
			"names": [
				"sched_setscheduler"
			],
			"action": "SCMP_ACT_ERRNO",
			"args": [],
			"errnoRet": 1,
			"errno": "EPERM"
		},
		{
			"names": [
				"sched_setattr"
			],
			"action": "SCMP_ACT_ERRNO",
			"args": [],
			"errnoRet": 1,
			"errno": "EPERM"
		}
	]
}

Now copy the test file sched_setattr to the virtual machine and compile it with gcc -o test test.c. Later copy it to /usr/lib/qm/rootfs/root to use it inside the QM partition.

Now let's go inside QM partition to test it:

podman exec -it qm bash
# cd /root
# ./test
bash-5.1# ./test
Current Scheduling Policy: SCHED_OTHER
Current Priority: 0
sched_setattr failed: Operation not permitted

Everything worked as expected.
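The two pieces this thread shows, the loop that moves each entry of SYSCALLS_TO_DENY from the allow list to an SCMP_ACT_ERRNO/EPERM rule and the CI/CD check the PR description proposes (rejecting programs that need a denied syscall), as one added Python example. This is not the qm project's create-seccomp-rules script (that is a shell script) and not its CI tooling; the function names, the reduced sample profile and the "required syscalls" list of the program under review are assumptions constructed for illustration. Only the SYSCALLS_TO_DENY values and the deny-entry layout mirror what the thread shows.

```python
"""Move syscalls from a seccomp profile's allow list to an EPERM deny list,
then use the resulting profile as a CI/CD gate.

Added example, not the qm project's create-seccomp-rules script. The sample
profile and the program's required-syscall list are constructed for
illustration; SYSCALLS_TO_DENY and the deny-entry layout mirror the PR.
"""
import copy
import json

# The two syscalls the pull request denies.
SYSCALLS_TO_DENY = ["sched_setscheduler", "sched_setattr"]

# Constructed sample profile in the OCI runtime-spec seccomp format,
# reduced to a few syscalls (a real seccomp.json allows a few hundred).
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {
            "names": ["read", "write", "sched_getattr",
                      "sched_setscheduler", "sched_setattr"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        }
    ],
}


def deny_entry(syscall):
    """Deny rule in the same shape as the entries shown in the thread."""
    return {
        "names": [syscall],
        "action": "SCMP_ACT_ERRNO",
        "args": [],
        "errnoRet": 1,       # errno value of EPERM on Linux
        "errno": "EPERM",
    }


def remove_seccomp_entry_from_allow(profile, syscall):
    """Strip syscall from every SCMP_ACT_ALLOW rule; drop rules left empty.

    Removing it first leaves the syscall with exactly one rule, so the deny
    rule added afterwards is never shadowed by a surviving allow rule.
    """
    kept = []
    for rule in profile["syscalls"]:
        if rule.get("action") == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule["names"] if n != syscall]
            if not rule["names"]:
                continue
        kept.append(rule)
    profile["syscalls"] = kept


def add_syscall_deny_list(profile, syscall):
    """Append an explicit EPERM rule unless an identical one is present."""
    for rule in profile["syscalls"]:
        if rule.get("action") == "SCMP_ACT_ERRNO" and rule["names"] == [syscall]:
            return
    profile["syscalls"].append(deny_entry(syscall))


def apply_deny_list(profile, deny=tuple(SYSCALLS_TO_DENY)):
    """Return a copy of profile with every syscall in deny moved to EPERM."""
    out = copy.deepcopy(profile)
    for syscall in deny:
        remove_seccomp_entry_from_allow(out, syscall)
        add_syscall_deny_list(out, syscall)
    return out


def effective_action(profile, syscall):
    """Action taken for syscall: the first unconditional rule naming it,
    otherwise defaultAction. Rules carrying "args" filters are conditional
    and are deliberately not treated as a match here."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and not rule.get("args"):
            return rule["action"]
    return profile["defaultAction"]


def check_program(required_syscalls, profile):
    """CI/CD gate: the required syscalls the profile will not allow.

    An empty result means the program can be added to the QM image; each
    entry names a syscall that fails inside QM, whether it is explicitly
    denied or simply absent from the allow list (defaultAction applies).
    """
    return sorted(s for s in set(required_syscalls)
                  if effective_action(profile, s) != "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    hardened = apply_deny_list(SAMPLE_PROFILE)
    print(json.dumps(hardened, indent="\t"))
    # Constructed required-syscall list for a program under review, e.g.
    # one that calls sched_setattr like the test program in this thread.
    print("blocked:", check_program(["write", "sched_setattr"], hardened))
```

In a pipeline the required-syscall list for a candidate program would come from the team's own manifest or from a run under strace -c (a suggestion, not something the PR does); the gate then fails the build whenever check_program returns a non-empty list, which is exactly the case for the sched_setattr test program that got "Operation not permitted" above.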

@dougsland dougsland merged commit af93c7f into containers:main May 2, 2024
6 of 7 checks passed