rego and hardening: add enforcement and hardening for encrypted scratch #1538
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@SeanTAllen @matajoh @helsaawy putting as draft to get early feedback. The code hasn't been tested yet, working on the unit tests. |
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
2 times, most recently
from
149326b
to
ec141d0
Compare
matajoh
reviewed
Oct 7, 2022
| if err != nil { | ||
| return errors.Wrapf(err, "unmounting scsi device at %s denied by policy", mvd.MountPath) | ||
| } | ||
| if mvd.ReadOnly { |
There was a problem hiding this comment.
Doesn't this logic change behavior? If ReadOnly and Encrypted is false, there is no policy enforcement.
There was a problem hiding this comment.
I think we just missed this during review, but currently we don't have any enforcement for non-readonly devices: https://github.com/microsoft/hcsshim/blob/main/internal/guest/runtime/hcsv2/uvm.go#L657-L668.
SeanTAllen
reviewed
Oct 7, 2022
SeanTAllen
reviewed
Oct 7, 2022
SeanTAllen
reviewed
Oct 7, 2022
|
This doesnt match my understanding of what we were going to be doing. Im going to set up a meeting. |
After discussing more, we came to a conclusion that in the current implementation we're doing more of a hardening inside the policy, instead we should do the hardening in GCS. The plan is to have a policy config that'll tell us whether running with unencrypted scratch is allowed or not and GCS will make sure that the overlays are mounted under encrypted mount points. |
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
from
ec141d0
to
0ef8783
Compare
anmaxvl
changed the title
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
from
0ef8783
to
58eb832
Compare
matajoh
reviewed
Oct 10, 2022
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
2 times, most recently
from
586492b
to
776fe7a
Compare
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
3 times, most recently
from
f557838
to
23cad7b
Compare
helsaawy
requested changes
Oct 14, 2022
| "testing" | ||
| ) | ||
|
|
||
| func Test_Add_Remove_RWDevice(t *testing.T) { |
There was a problem hiding this comment.
probably should add functional or gcs tests for this as well in a future pr
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
2 times, most recently
from
dede668
to
6b8a53f
Compare
helsaawy
approved these changes
Oct 19, 2022
| AllowPropertiesAccess bool | ||
| AllowDumpStacks bool | ||
| AllowRuntimeLogging bool | ||
| Containers []*securityPolicyContainer |
There was a problem hiding this comment.
Hi Maksim, the continued addition of bools to this function signature makes a good case for refactoring. I recommend a type or similar construct to avoid unreadable code at the function invocation:
code, err = marshalRego(
securityPolicy.AllowAll,
containers,
[]ExternalProcessConfig{},
true,
true,
true,
true,
There was a problem hiding this comment.
yeah, we have "post feature complete" list of improvements and this one is on it 😄
| @@ -1968,6 +1968,55 @@ func Test_EnforceRuntimeLogging_Not_Allowed(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| func Test_Rego_Scratch_Mount_Policy(t *testing.T) { | |||
There was a problem hiding this comment.
Kudos for your continued inclusion of test modules. Unit tests should be considered a requirement for all new code, and you consistently are a role model for this habit.
msscotb
reviewed
Oct 22, 2022
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
from
da50fe6
to
62b7ec2
Compare
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
3 times, most recently
from
596f978
to
3407acb
Compare
helsaawy
reviewed
Oct 26, 2022
msscotb
reviewed
Oct 27, 2022
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
from
3407acb
to
e5fc898
Compare
The request to encrypt scratch comes from the host, but in confidential
scenario, the host cannot be trusted and it may attempt to mount the
read-write overlay of a container under an unencrypted path or omit the
encryption request altogether.
To address the issue, add `scratch_mount`, `scratch_unmount` enforcement
points and `allow_unencrypted_scratch` policy config, which can be used
to (you guessed it) allow containers to run with unencrypted scratch.
Since the request to add encrypted read-write scratch disk and mounting
container overlayfs come at different times, we also introduced minimal
(for now) hardening around adding read-write devices to the UVM. We
record the mounted read-write devices when they arrive and at the time
of adding overlayfs we check if the scratch path encrypted or not and
validate against the policy before enforcing overlay policy.
The policy config can be set at the top level, e.g.:
```
allow_unencrypted_scratch := true
containers := [...]
```
The `scratch_mount` enforcement point takes an input with the following
members:
```
{
"target": "<mount target>",
"encrypted": [true|false],
}
```
Add `/internal/guest/runtime/hcsv2/uvm_state.go`, which adds a new
`hostMounts` struct which keeps track of mounted RW devices. This can
be extended in the future for more GCS hardening purposes, e.g. overlay,
RO layer mounts and other container lifecycle management.
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
As part of enforcing encrypted scratch policy, we need to make sure that the source matches. To figure out the source for a SCSI attachment we need to first find the actual controller number where the SCSI is presented, which can be different from what hcsshim has requested originally. Rename and export `fetchActualControllerNumber` as `ActualControllerNumber` and figure out the correct controller before calling to scsi Mount/Unmount. Remove wrappers and update unit tests. Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl
force-pushed
the
encrypted-scratch-policy
branch
from
e5fc898
to
8b4f695
Compare
princepereira
pushed a commit
to princepereira/hcsshim
that referenced
this pull request
Aug 29, 2024
…ch (microsoft#1538) * rego and hardening: add enforcement and hardening for encrypted scratch The request to encrypt scratch comes from the host, but in confidential scenario, the host cannot be trusted and it may attempt to mount the read-write overlay of a container under an unencrypted path or omit the encryption request altogether. To address the issue, add `scratch_mount`, `scratch_unmount` enforcement points and `allow_unencrypted_scratch` policy config, which can be used to (you guessed it) allow containers to run with unencrypted scratch. Since the request to add encrypted read-write scratch disk and mounting container overlayfs come at different times, we also introduced minimal (for now) hardening around adding read-write devices to the UVM. We record the mounted read-write devices when they arrive and at the time of adding overlayfs we check if the scratch path encrypted or not and validate against the policy before enforcing overlay policy. The policy config can be set at the top level, e.g.: ``` allow_unencrypted_scratch := true containers := [...] ``` The `scratch_mount` enforcement point takes an input with the following members: ``` { "target": "<mount target>", "encrypted": [true|false], } ``` Add `/internal/guest/runtime/hcsv2/uvm_state.go`, which adds a new `hostMounts` struct which keeps track of mounted RW devices. This can be extended in the future for more GCS hardening purposes, e.g. overlay, RO layer mounts and other container lifecycle management. * crypt package refactor and adding more unit tests * tests: add e2e tests for scratch encryption policy * export and rename fetchActualControllerNumber As part of enforcing encrypted scratch policy, we need to make sure that the source matches. To figure out the source for a SCSI attachment we need to first find the actual controller number where the SCSI is presented, which can be different from what hcsshim has requested originally. Rename and export `fetchActualControllerNumber` as `ActualControllerNumber` and figure out the correct controller before calling to scsi Mount/Unmount. Remove wrappers and update unit tests. Signed-off-by: Maksim An <maksiman@microsoft.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
rego and hardening: add enforcement and hardening for encrypted scratch
The request to encrypt scratch comes from the host, but in confidential
scenario, the host cannot be trusted and it may attempt to mount the
read-write overlay of a container under an unencrypted path or omit the
encryption request altogether.
To address the issue, add
scratch_mount,scratch_unmountenforcementpoints and
allow_unencrypted_scratchpolicy config, which can be usedto (you guessed it) allow containers to run with unencrypted scratch.
Since the request to add encrypted read-write scratch disk and mounting
container overlayfs come at different times, we also introduced minimal
(for now) hardening around adding read-write devices to the UVM. We
record the mounted read-write devices when they arrive and at the time
of adding overlayfs we check if the scratch path encrypted or not and
validate against the policy before enforcing overlay policy.
The policy config can be set at the top level, e.g.:
The
scratch_mountenforcement point takes an input with the followingmembers:
Add
/internal/guest/runtime/hcsv2/uvm_state.go, which adds a newhostMountsstruct which keeps track of mounted RW devices. This canbe extended in the future for more GCS hardening purposes, e.g. overlay,
RO layer mounts and other container lifecycle management.
Signed-off-by: Maksim An maksiman@microsoft.com