This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

stage1: implement no-new-privs linux isolator #2677

Merged: 1 commit, May 27, 2016

Conversation

s-urbaniak (Contributor) commented May 24, 2016

Fixes #1469

@s-urbaniak s-urbaniak added this to the v1.7.0 milestone May 24, 2016
func getAppNoNewPrivileges(isolators types.Isolators) (bool, error) {
noNewPrivs := ""

// TODO(sur): once https://github.com/appc/spec/pull/611 lands, bump appc spec, and use official appc types instead
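Review bot: `noNewPrivs` is declared as a string although the function returns a bool, so the isolator value is being carried as text and converted; that string round-trip is exactly what the official appc type from appc/spec#611 makes unnecessary, so the TODO should say the string parsing is to be removed with the spec bump, not only that the official types should be used.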
Member:
For the purpose of testing before appc/spec#611 lands, you could have a commit in this PR that patches Godeps/_workspace/src/github.com/appc/spec/ with the patch in appc/spec#611.

Contributor Author:
good suggestion! :-)

Contributor Author:
done (temporarily)

s-urbaniak (Contributor Author):
@alban @jonboulle addresses review comments, PTAL

s-urbaniak (Contributor Author):
@lucab PTAL

lucab (Member) commented May 25, 2016

Looks good overall. I see this and the appc spec default to false, making this security feature opt-in. I didn't find any reference to discussions about it: do we have plans for making this opt-out in the long term instead?

alban (Member) commented May 25, 2016

@lucab There were no discussions about the default as far as I know. During the review of appc/spec#611, I asked that the spec should say it defaults to false so that the spec is clear, but I haven't considered the reverse. I wonder about compatibility if images use setuid files: for example, Ubuntu has some:

$ sudo docker run ubuntu ls -l /bin|grep rws
-rwsr-xr-x. 1 root root   94792 Sep  2  2015 mount
-rwsr-xr-x. 1 root root   44168 May  7  2014 ping
-rwsr-xr-x. 1 root root   44680 May  7  2014 ping6
-rwsr-xr-x. 1 root root   36936 Jan 27 00:50 su
-rwsr-xr-x. 1 root root   69120 Sep  2  2015 umount

jonboulle (Contributor):
yeah per my OP I wasn't sure whether this'd be generally safe or not. I suggest we keep it an image-settable feature for now and then we can consider making it a default opt-out later?

uintptr(0), uintptr(0),
)

fmt.Printf("r1: %v err: %v\n", r1, err)
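Review bot: the raw syscall results `r1` and `err` are only printed here, and nothing in the lines shown checks `err`; a failed PR_SET_NO_NEW_PRIVS has to abort the app start rather than be logged, otherwise the isolator silently turns into a no-op while the manifest claims it is on. Return the error to the caller, and print the decoded setting (e.g. `no_new_privs: 1`) instead of the raw `r1`.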
Member:
Could this be printed in a more human-friendly way? e.g. "no_new_privs: 1" or something

Contributor Author:
done

s-urbaniak force-pushed the no-new-privs branch 2 times, most recently from 4a870e1 to 7d8c0e9, May 25, 2016 14:31
s-urbaniak (Contributor Author):
Agreed that we should set this to false by default for now; it could break many things, and we'd need more testing, maybe in rktnetes, to validate the reverse setting.
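As an added example, not rkt's code and not part of this PR: the Go program below parses a no-new-privs isolator out of an appc-style manifest fragment (defaulting to false when the isolator is absent, the opt-in default agreed above), applies it with prctl(PR_SET_NO_NEW_PRIVS), reads it back with PR_GET_NO_NEW_PRIVS, and shows that a child process inherits the bit, which is why the setuid binaries @alban listed (mount, ping, su, ...) stop elevating once it is set. The isolator name os/linux/no-new-privileges is assumed from appc/spec#611 rather than taken from this page, the manifest fragment is constructed, and a Linux kernel is assumed.

```go
// Added example, not rkt's code. Assumptions: isolator name taken from
// appc/spec#611, constructed manifest fragment, Linux kernel >= 3.5.
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"runtime"
	"strings"
	"syscall"
)

const (
	prSetNoNewPrivs = 38 // PR_SET_NO_NEW_PRIVS from <linux/prctl.h>
	prGetNoNewPrivs = 39 // PR_GET_NO_NEW_PRIVS
	isolatorName    = "os/linux/no-new-privileges" // assumed from appc/spec#611
)

// isolator mirrors the shape of an appc isolator entry: a name and a raw
// value whose JSON type depends on the name.
type isolator struct {
	Name  string          `json:"name"`
	Value json.RawMessage `json:"value"`
}

// noNewPrivsFromManifest decodes a manifest fragment and returns the
// requested setting. A missing isolator means false (opt-in default); a
// present isolator must carry a JSON bool, anything else is a manifest error.
func noNewPrivsFromManifest(manifest []byte) (bool, error) {
	var a struct {
		Isolators []isolator `json:"isolators"`
	}
	if err := json.Unmarshal(manifest, &a); err != nil {
		return false, fmt.Errorf("decoding manifest: %w", err)
	}
	for _, iso := range a.Isolators {
		if iso.Name != isolatorName {
			continue
		}
		var v bool
		if err := json.Unmarshal(iso.Value, &v); err != nil {
			return false, fmt.Errorf("isolator %q: value must be a JSON bool: %w", iso.Name, err)
		}
		return v, nil
	}
	return false, nil
}

// getNoNewPrivs queries PR_GET_NO_NEW_PRIVS for the calling thread.
func getNoNewPrivs() (bool, error) {
	r1, _, errno := syscall.Syscall6(syscall.SYS_PRCTL, prGetNoNewPrivs, 0, 0, 0, 0, 0)
	if errno != 0 {
		return false, fmt.Errorf("prctl(PR_GET_NO_NEW_PRIVS): %w", errno)
	}
	return r1 == 1, nil
}

// setNoNewPrivs sets PR_SET_NO_NEW_PRIVS. The kernel requires arg2 == 1 and
// arg3..arg5 == 0 (EINVAL otherwise). The bit is per-thread, inherited across
// fork/clone and execve, and can never be cleared again.
func setNoNewPrivs() error {
	if _, _, errno := syscall.Syscall6(syscall.SYS_PRCTL, prSetNoNewPrivs, 1, 0, 0, 0, 0); errno != 0 {
		return fmt.Errorf("prctl(PR_SET_NO_NEW_PRIVS): %w", errno)
	}
	return nil
}

// applyNoNewPrivs pins the goroutine to its OS thread first: the bit belongs
// to the thread and os/exec forks from the calling thread, so the goroutine
// must not migrate afterwards. The thread is deliberately never unlocked.
func applyNoNewPrivs() (bool, error) {
	runtime.LockOSThread()
	if err := setNoNewPrivs(); err != nil {
		return false, err
	}
	return getNoNewPrivs()
}

// childNoNewPrivs spawns a child and returns the NoNewPrivs line of its
// /proc/self/status, showing the bit reaches anything exec'd from here:
// a setuid ping or su started this way runs with the caller's uid only.
func childNoNewPrivs() (string, error) {
	out, err := exec.Command("cat", "/proc/self/status").Output()
	if err != nil {
		return "", err
	}
	for _, line := range strings.Split(string(out), "\n") {
		if strings.HasPrefix(line, "NoNewPrivs:") {
			return line, nil
		}
	}
	return "", fmt.Errorf("NoNewPrivs not reported by this kernel")
}

// sampleManifest is a constructed fragment, not a real image manifest.
const sampleManifest = `{"isolators":[{"name":"os/linux/no-new-privileges","value":true}]}`

func main() {
	want, err := noNewPrivsFromManifest([]byte(sampleManifest))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if !want {
		fmt.Println("no_new_privs: 0 (isolator absent or false, nothing applied)")
		return
	}
	on, err := applyNoNewPrivs()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("no_new_privs: %t\n", on)
	if line, err := childNoNewPrivs(); err == nil {
		fmt.Println("child:", line)
	}
}
```

Two details matter for a stage1 implementation: the setting is irreversible and applies only to the thread that issues the prctl, so it has to be done on the thread that will exec the app (hence the LockOSThread above), and a failure of the set call must abort the launch rather than be logged, since an app whose manifest asks for no-new-privs must not come up without it.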

s-urbaniak (Contributor Author):
@alban PTAL

alban (Member) commented May 25, 2016

@s-urbaniak LGTM (after appc/spec has been bumped)

s-urbaniak changed the title from "[WIP] stage1: implement no-new-privs linux isolator" to "stage1: implement no-new-privs linux isolator", May 25, 2016
s-urbaniak (Contributor Author):
@steveej @alban @jonboulle @iaguis PTAL

@@ -406,6 +406,11 @@
"Rev": "a1b8ba5163b7f041b22761461eabd02b70d1f824"
},
{
"ImportPath": "github.com/gogo/protobuf/proto",
"Comment": "v0.1-125-g82d16f7",
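Review bot: the new Godeps entry pins github.com/gogo/protobuf/proto at "v0.1-125-g82d16f7", an untagged commit 125 past v0.1, while #2691 pins the same import path at tagged v0.2 (rev 4168943e65a2802828518e95310aeeed6d84c4e5); whichever PR lands second will have to rebase this hunk, and the rev that is kept should be the tagged one unless appc/spec v0.8.3, which this PR mirrors, actually needs the older commit.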
Member:

This is also updated by:
#2691, see:

+       {
 +          "ImportPath": "github.com/gogo/protobuf/proto",
 +          "Comment": "v0.2",
 +          "Rev": "4168943e65a2802828518e95310aeeed6d84c4e5"
 +      },

Which one should we take first? :)

It should also use a tagged version.

Contributor Author:

I used the exact same version as appc/spec https://github.com/appc/spec/blob/v0.8.3/Godeps/Godeps.json#L15

steveej (Contributor) commented May 26, 2016

Needs to be rebased on #2697.

6 participants