Add policy enforcement for shutting down a container #1518
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anmaxvl
reviewed
Sep 20, 2022
Adds policy enforcement around shutting down a container. In the supplied framework, shutting down a container is always allowed. We update metadata based on the change in state that will be used by other framework rules. This enforcement point is important for custom policies for metadata tracking and also for allowing the creation of rules like "this container isn't allowed to shutdown if some other container is running". This commit rewrites `signalContainerV2` and gives it a new name. `signalContainerV2` was only called from the kill and shutdown container functions. Despite only having 2 possible signals it could receive, it accepted any signal. There's a replacement method called `signalContainerShutdownV2` that has "the same functionality" as `signalContainerV2`. `signalContainerShutdownV2` doesn't accept arbitrary signals. Instead, it takes a boolean for whether the shutdown should be graceful (aka `SIGTERM`) or if we should do a non-graceful shutdown of `SIGKILL`. This commit aims to keep things "as they are" except for changes that are required for proper and non-evadable policy enforcement. Actual policy enforcement is in a new method `ShutdownContainer` on the `Host` type in `uvm.go`. It is our design goal to have all enforcement functions called from within methods in `uvm.go`. There's an additional new method on the `Host` as well: `SignalContainerProcess`. `SignalContainerProcess` allows for the sending of arbitrary signals from the untrusted host computer to the UVM. The code has been extracted from `signalProcessV2` in the bridge and moved onto the `Host` type. The move was required in order to add additional logic to `SignalContainerProcess` that `signalProcessV2` lacked. `SignalContainerProcess` will check to see if the process being signaled is the init process of the container. If it is and the signal is `SIGTERM` or `SIGKILL` then the shutdown container enforcement rule will be used. We create this "special case" as shutting down a container is the process of sending `SIGTERM` or `SIGKILL` to the container's init process. The information for whether a process is the init process for a container is available, but not from the module that bridge is part of, thus the move of functionality into `Host`. The creation of `SignalContainerProcess` was going to be required for when we add support for enforcing policy around sending arbitrary signals to processes. The current `SignalContainerProcess` was written with that forthcoming changing in mind, but doesn't include any logic for the additional enforcement as that will be coming in a commit that will arrive "in the not so distant future". Shutdown container policy, because it is always allowed by our framework, doesn't require changing the `securitypolicy` policy generation tool as there's no user provided input to the new policy rule `shutdown_container`. When not using an open door policy, a "container not started" error will be returned if a shutdown is attempted on a container identifier that wasn't used to start a container. Signed-off-by: Sean T. Allen <seanallen@microsoft.com> Signed-off-by: Matthew A Johnson <matjoh@microsoft.com>
anmaxvl
approved these changes
Sep 21, 2022
dcantah
approved these changes
Sep 22, 2022
1 task
princepereira
pushed a commit
to princepereira/hcsshim
that referenced
this pull request
Aug 29, 2024
Adds policy enforcement around shutting down a container. In the supplied framework, shutting down a container is always allowed. We update metadata based on the change in state that will be used by other framework rules. This enforcement point is important for custom policies for metadata tracking and also for allowing the creation of rules like "this container isn't allowed to shutdown if some other container is running". This commit rewrites `signalContainerV2` and gives it a new name. `signalContainerV2` was only called from the kill and shutdown container functions. Despite only having 2 possible signals it could receive, it accepted any signal. There's a replacement method called `signalContainerShutdownV2` that has "the same functionality" as `signalContainerV2`. `signalContainerShutdownV2` doesn't accept arbitrary signals. Instead, it takes a boolean for whether the shutdown should be graceful (aka `SIGTERM`) or if we should do a non-graceful shutdown of `SIGKILL`. This commit aims to keep things "as they are" except for changes that are required for proper and non-evadable policy enforcement. Actual policy enforcement is in a new method `ShutdownContainer` on the `Host` type in `uvm.go`. It is our design goal to have all enforcement functions called from within methods in `uvm.go`. There's an additional new method on the `Host` as well: `SignalContainerProcess`. `SignalContainerProcess` allows for the sending of arbitrary signals from the untrusted host computer to the UVM. The code has been extracted from `signalProcessV2` in the bridge and moved onto the `Host` type. The move was required in order to add additional logic to `SignalContainerProcess` that `signalProcessV2` lacked. `SignalContainerProcess` will check to see if the process being signaled is the init process of the container. If it is and the signal is `SIGTERM` or `SIGKILL` then the shutdown container enforcement rule will be used. We create this "special case" as shutting down a container is the process of sending `SIGTERM` or `SIGKILL` to the container's init process. The information for whether a process is the init process for a container is available, but not from the module that bridge is part of, thus the move of functionality into `Host`. The creation of `SignalContainerProcess` was going to be required for when we add support for enforcing policy around sending arbitrary signals to processes. The current `SignalContainerProcess` was written with that forthcoming changing in mind, but doesn't include any logic for the additional enforcement as that will be coming in a commit that will arrive "in the not so distant future". Shutdown container policy, because it is always allowed by our framework, doesn't require changing the `securitypolicy` policy generation tool as there's no user provided input to the new policy rule `shutdown_container`. When not using an open door policy, a "container not started" error will be returned if a shutdown is attempted on a container identifier that wasn't used to start a container. Signed-off-by: Sean T. Allen <seanallen@microsoft.com> Signed-off-by: Matthew A Johnson <matjoh@microsoft.com> Co-authored-by: Sean T. Allen <seanallen@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds policy enforcement around shutting down a container. In the supplied framework, shutting down a container is always allowed. We update metadata based on the change in state that will be used by other framework rules. This enforcement point is important for custom policies for metadata tracking and also for allowing the creation of rules like "this container isn't allowed to shutdown if some other container is running".
This commit rewrites
signalContainerV2and gives it a new name.signalContainerV2was only called from the kill and shutdown container functions. Despite only having 2 possible signals it could receive, it accepted any signal. There's a replacement method calledsignalContainerShutdownV2that has "the same functionality" assignalContainerV2.signalContainerShutdownV2doesn't accept arbitrary signals. Instead, it takes a boolean for whether the shutdown should be graceful (akaSIGTERM) or if we should do a non-graceful shutdown ofSIGKILL.This commit aims to keep things "as they are" except for changes that are required for proper and non-evadable policy enforcement.
Actual policy enforcement is in a new method
ShutdownContaineron theHosttype inuvm.go. It is our design goal to have all enforcement functions called from within methods inuvm.go.There's an additional new method on the
Hostas well:SignalContainerProcess.SignalContainerProcessallows for the sending of arbitrary signals from the untrusted host computer to the UVM. The code has been extracted fromsignalProcessV2in the bridge and moved onto theHosttype. The move was required in order to add additional logic toSignalContainerProcessthatsignalProcessV2lacked.SignalContainerProcesswill check to see if the process being signaled is the init process of the container. If it is and the signal isSIGTERMorSIGKILLthen the shutdown container enforcement rule will be used. We create this "special case" as shutting down a container is the process of sendingSIGTERMorSIGKILLto the container's init process. The information for whether a process is the init process for a container is available, but not from the module that bridge is part of, thus the move of functionality intoHost.The creation of
SignalContainerProcesswas going to be required for when we add support for enforcing policy around sending arbitrary signals to processes. The currentSignalContainerProcesswas written with that forthcoming changing in mind, but doesn't include any logic for the additional enforcement as that will be coming in a commit that will arrive "in the not so distant future".Shutdown container policy, because it is always allowed by our framework, doesn't require changing the
securitypolicypolicy generation tool as there's no user provided input to the new policy ruleshutdown_container.When not using an open door policy, a "container not started" error will be returned if a shutdown is attempted on a container identifier that wasn't used to start a container.