-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Masking files/directories #2282
Comments
It seems to me this should be more of a system-wide policy thing. In which
case, the default profile for all containers would do this automatically. Why
on earth should it be up to the container runtime spec to specify this kind of
host security detail?
…-serge
|
If you control the OCI runtime spec, you can do everything you want security-wise. It's outside of the scope of the spec, but I understand your point, maybe the runtime should be free to add its own security restrictions. |
Is there a reason we can't use |
I guess that makes the behavior slightly different than the OCI spec, since you'd get EPERM instead of a file of zero length when you opened it, but since nobody is presumably looking at these files anyway, it's probably ok. |
It doesn't look like the spec mandates how it should be implemented. I also found this comment that agrees with you :) So, you're right, we could use apparmor. However, I don't feel it means we have to discard the idea of adding a new option. Apparmor vs bind-mount would be an implementation detail, with bind-mount being the fallback when apparmor is not available. |
So that sounds like we want a generic lxc.pathmask mechanism, which would be implemented so as to use apparmor or selinux when active, or a bind mount otherwise? How many users are there who actually aren't using apparmor? (Keeping in mind that the bind mount approach has other implications such as inability to further create nested containers without jumping through hoops) |
Hm, good point. Let's start with apparmor then, we will need a way to add those rules to the profile. |
I'm fine with doing it via |
Yeah, agree, we can revisit at a later time. I'll let you close this issue @brauner if you want. |
So, here's my idea. Doing it via AppArmor by default is fine. But I'm against the |
I was following you until this point. What's the corresponding mount entry? |
Now I'm not following: why is your corresponding mount entry |
Ok, I was not sure you were adding a new mount entry. |
Nope, you're getting me wrong. :) Right now, we have:
and
|
So when you parse
|
My bad, you did say "internal protocol" above. :) Thanks for the clarification. Ok, going back to the AppArmor option. I see that LXD embeds the AppArmor profile in the code, appends the lines passed by the user in Could that work for LXC? If a user specifies Another consideration, if we have 100 applications containers to launch, it seems we would need to generate 100 different profiles then parse them/load them. How bad would be the performance hit? I don't think the cache would help here since it seems name based, but I might be wrong. |
As in "definitely not user visible". :)
If it works for LXD it should work for LXC so you could just copy that logic into C.
Using the cache should help. There's also this comment in LXD that gives some clarification:
|
Do you have an equivalent of If you must make do with an existing profile (
I saw this part, but I guess the caching relies on the name of the file, which is fine for a single container since it's unlikely to change its apparmor profile often. I think it's useful to be able to add custom apparmor bits, but it seems like a complex solution to a simple problem :) |
The Linux section of the OCI runtime spec has an array of strings called
maskedPaths
:Here's an example from the default OCI spec generated by runc:
This is how
runc
handles it:https://github.com/opencontainers/runc/blob/63e6708c74c1cc46091ec92ea9df5aca4d82e803/libcontainer/rootfs_linux.go#L777-L790
Straighforward, but in LXC I don't see a true equivalent. If you know in advance if the target is a file or directory, you can do the right
lxc.mount.entry
. Here, files (/proc/kcore
) and directories (/sys/firmware
) are in the same list, and also some paths might not exist (/proc/latency_stats
for me).The solution I've used is to add both mounts, but both
optional
:brauner@c816bd8
If the target is a file, the first mount should succeed and the second one will fail.
If the target is a directory, the first mount will fail and the second one should succeed.
If the target doesn't exist, both mounts will fail.
There is a gap: if the target exists, but both mounts fail for another reason. We have no way of guaranteeing that at least one mount will succeed if the target exists.
What do you think? Should we add another configuration options to handle this case natively? Any other idea?
The text was updated successfully, but these errors were encountered: