Allow types to hand out security snippets #326
niemeyer
reviewed
Jan 14, 2016
| + | ||
| +package caps | ||
| + | ||
| +// NOTE: all the security constants are used by Type.SecuritySnippet() |
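Review bot: the NOTE on the last line pins these constants to a single caller, Type.SecuritySnippet(), which will be wrong as soon as a test or a type implementation references them directly; drop it and put a package doc comment on `package caps` (there is none in this hunk) that says what a security system is and that each constant names one.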
niemeyer
Jan 14, 2016
Contributor
The note doesn't seem necessary, and will likely be wrong soon. The constants are used wherever they are used.
niemeyer
reviewed
Jan 14, 2016
| +// NOTE: all the security constants are used by Type.SecuritySnippet() | ||
| +const ( | ||
| + // Identifier of the apparmor security system. | ||
| + SecurityApparmor = "apparmor" |
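Review bot: the untyped string constant `SecurityApparmor = "apparmor"` lets any string be passed where a security system is expected, so a misspelled system name compiles and only surfaces at run time in a switch default; declare `type SecuritySystem string` and write `SecurityApparmor SecuritySystem = "apparmor"` so the compiler rejects anything that is not one of the named systems.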
niemeyer
Jan 14, 2016
Contributor
These constants should be typed. Please define a type SecuritySystem above, and then:
SecurityApparmor SecuritySystem = "apparmor"
etc.
niemeyer
Jan 14, 2016
Contributor
Also, can the comments be dropped or is golint also enforcing them? They're not adding any useful information on top of the code.
zyga
Jan 14, 2016
Contributor
Golint is enforcing them, but since they will likely stay package-local I can just make them private.
niemeyer
Jan 14, 2016
Contributor
Well, not really. It doesn't make sense to have a public API that depends on private constants.
zyga
added some commits
Jan 14, 2016
niemeyer
reviewed
Jan 14, 2016
| @@ -31,6 +31,9 @@ type Type interface { | ||
| Name() string | ||
| // Sanitize a capability (altering if necessary). | ||
| Sanitize(c *Capability) error | ||
| + // Obtain the security snippet for the given security system. | ||
| + // If no security snippet is needed, hand out empty string. |
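Review bot: the new doc comment on the interface method does not say what a caller gets when the type does not recognise the security system, and "hand out empty string" for that case would be read as "no restrictions needed", which is the unsafe default for a policy snippet; state the error value returned for an unsupported system, and start the comment with the method name (`// SecuritySnippet returns ...`) so golint accepts it.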
niemeyer
Jan 14, 2016
Contributor
// SecuritySnippet returns the configuration snippet that should be used by
// the given security system to enable this capability to be consumed.
// An empty snippet is returned when the capability doesn't require anything
// from the security system to work, in addition to the default configuration.
// ErrUnknownSecurity is returned when the capability cannot deal with the
// requested security system.
niemeyer
reviewed
Jan 14, 2016
| @@ -31,6 +31,9 @@ type Type interface { | ||
| Name() string | ||
| // Sanitize a capability (altering if necessary). | ||
| Sanitize(c *Capability) error | ||
| + // Obtain the security snippet for the given security system. | ||
| + // If no security snippet is needed, hand out empty string. | ||
| + SecuritySnippet(c *Capability, securitySystem string) (string, error) |
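Review bot: the signature `SecuritySnippet(c *Capability, securitySystem string) (string, error)` takes the security system as a bare string; once the constants are typed this should be `securitySystem SecuritySystem` so callers cannot pass arbitrary names. Since the result is written into a profile or filter file rather than shown to a user, `[]byte` is the more natural return type than `string`.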
niemeyer
Jan 14, 2016
Contributor
Considering the data nature, I think the most appropriate result type here is actually a []byte.
zyga
added some commits
Jan 14, 2016
niemeyer
reviewed
Jan 14, 2016
| @@ -60,6 +63,24 @@ func (t *BoolFileType) Sanitize(c *Capability) error { | ||
| return nil | ||
| } | ||
| +// SecuritySnippet for bool-file capability type. |
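Review bot: `// SecuritySnippet for bool-file capability type.` is the whole doc comment, so a reader of the exported method cannot tell which security systems it supports or what access the snippet grants; say that for apparmor it grants read, write and lock on the capability's path attribute, and what the other systems get (an empty snippet or an error).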
niemeyer
reviewed
Jan 14, 2016
| + // Allow read,write and lock on the file designated by the path. | ||
| + return fmt.Sprintf("%s rwl,\n", path), nil | ||
| + case SecuritySeccomp: | ||
| + return "", nil |
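Review bot: `fmt.Sprintf("%s rwl,\n", path)` splices the path attribute straight into an AppArmor rule, so a path containing whitespace, a comma, a newline or AppArmor glob characters (`*`, `**`, `{}`, `[]`, `?`) would either break the profile or widen the grant beyond the one file the capability is meant to expose; have Sanitize reject such values (absolute path, no metacharacters) before this line runs, or fail here if the capability has not been sanitized. The `SecuritySeccomp` case returning `""` also needs a comment stating that the default filter already permits what a bool-file consumer does, since an empty snippet is defined as "nothing extra required".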
niemeyer
Jan 14, 2016
Contributor
If Seccomp is active, will this capability work if nothing is configured? If it won't, then we shouldn't return an empty snippet, as that indicates nothing is required for it to work.
zyga
Jan 14, 2016
Contributor
From what I read so far, seccomp defaults are sufficient for bool-file (open, read, write are all there). @jdstrand can you confirm this please?
niemeyer
Jan 14, 2016
Contributor
If we can open/read/write any file, what else is being restricted?
niemeyer
reviewed
Jan 14, 2016
| + case SecurityDBus: | ||
| + return "", nil | ||
| + default: | ||
| + return "", fmt.Errorf("unknown security system %q", securitySystem) |
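Review bot: `fmt.Errorf("unknown security system %q", securitySystem)` in the default branch produces a fresh error value each time, so callers cannot distinguish "this type does not handle that system" from any other failure without parsing the message; return a package-level sentinel (`ErrUnknownSecurity`) and compare against it. The `SecurityDBus` case returning `""` asserts that no bus policy is needed; that claim deserves the same explanatory comment as the seccomp case so a later reader does not mistake it for an unimplemented branch.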
niemeyer
Jan 14, 2016
Contributor
This should be ErrUnknownSecurity so we can differentiate the capability blowing up with a known security system for whatever reason from it not being able to handle the given security system at all.
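The shape the review converges on (a typed `SecuritySystem`, exported typed constants, a sentinel `ErrUnknownSecurity`, and a `[]byte` snippet) as one runnable Go sketch. This is an added example, not code from the snappy project or from this pull request: `Capability`, `BoolFileType` and the set of characters rejected by `Sanitize` are assumptions of the example, and re-running `Sanitize` from inside `SecuritySnippet` is a defensive choice made here so that an unsanitized path attribute can never reach the AppArmor rule.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecuritySystem names a sandboxing mechanism that a snippet is written for.
// Using a named type means a misspelled system name is a compile error
// instead of silently reaching the default branch of a switch at run time.
type SecuritySystem string

// The three systems named in the change; exported so callers of the
// exported interface can name them.
const (
	SecurityApparmor SecuritySystem = "apparmor"
	SecuritySeccomp  SecuritySystem = "seccomp"
	SecurityDBus     SecuritySystem = "dbus"
)

// ErrUnknownSecurity is a sentinel value, so a caller can tell "this type
// cannot handle the requested system" apart from any other failure.
var ErrUnknownSecurity = errors.New("unknown security system")

// Capability is an assumed stand-in for the *Capability in the patch:
// only the Attrs map is needed here.
type Capability struct {
	Attrs map[string]string
}

// BoolFileType is an assumed stand-in for the bool-file capability type.
type BoolFileType struct{}

// Sanitize rejects path attributes that could change the meaning of the
// AppArmor rule they end up in: the path must be present, absolute, and free
// of whitespace, rule terminators and AppArmor glob metacharacters.
func (t *BoolFileType) Sanitize(c *Capability) error {
	path, ok := c.Attrs["path"]
	if !ok || path == "" {
		return errors.New("bool-file capability requires a path attribute")
	}
	if !strings.HasPrefix(path, "/") {
		return fmt.Errorf("path %q must be absolute", path)
	}
	if strings.ContainsAny(path, " \t\n\r,{}*?[]\"") {
		return fmt.Errorf("path %q contains characters not allowed in a rule", path)
	}
	return nil
}

// SecuritySnippet returns the configuration fragment the given security
// system needs for this capability. A nil snippet means nothing beyond the
// defaults is required; ErrUnknownSecurity means the type does not handle
// that system at all. Sanitize is re-run here so an unsanitized capability
// can never produce a rule (a defensive choice made for this example).
func (t *BoolFileType) SecuritySnippet(c *Capability, securitySystem SecuritySystem) ([]byte, error) {
	switch securitySystem {
	case SecurityApparmor:
		if err := t.Sanitize(c); err != nil {
			return nil, err
		}
		// Grant read, write and lock on exactly the one checked path.
		return []byte(fmt.Sprintf("%s rwl,\n", c.Attrs["path"])), nil
	case SecuritySeccomp, SecurityDBus:
		// Assumed, as the thread asks jdstrand to confirm, that the default
		// seccomp filter and bus policy already allow what a consumer needs.
		return nil, nil
	default:
		return nil, ErrUnknownSecurity
	}
}

func main() {
	bf := &BoolFileType{}
	// Constructed sample capability; the path is an illustrative sysfs file.
	c := &Capability{Attrs: map[string]string{"path": "/sys/class/gpio/gpio1/value"}}
	for _, sys := range []SecuritySystem{SecurityApparmor, SecuritySeccomp, "not-a-system"} {
		snippet, err := bf.SecuritySnippet(c, sys)
		if err == ErrUnknownSecurity {
			fmt.Printf("%s: unsupported by bool-file\n", sys)
			continue
		}
		if err != nil {
			fmt.Printf("%s: %v\n", sys, err)
			continue
		}
		fmt.Printf("%s: %q\n", sys, snippet)
	}
}
```

Comparing the returned error against the sentinel is what lets a caller treat "unsupported system" differently from "the capability is malformed": the first is a fact about the type, the second is a reason to refuse the capability outright.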
niemeyer
reviewed
Jan 14, 2016
| +func (t *TestType) SecuritySnippet(c *Capability, securitySystem string) (string, error) { | ||
| + switch securitySystem { | ||
| + case SecurityApparmor: | ||
| + fallthrough |
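Review bot: `case SecurityApparmor: fallthrough` hides what the test type actually returns for apparmor behind whatever the next case does, and fallthrough is easy to misread once cases are reordered; list the systems in one case (`case SecurityApparmor, SecuritySeccomp:`) or return the empty snippet explicitly. The parameter is still `securitySystem string` in this signature; it should match the typed `SecuritySystem` used elsewhere in the change.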
niemeyer
Jan 14, 2016
Contributor
Seems wrong to fallthrough here. It's trivial to return an empty snippet, and if any of these are actually implemented the actual implementation will definitely not be common.
On another angle, what security system would be unsupported for the test type, considering it doesn't require anything at all from the system to implement the capability? Might be worth returning an empty snippet in all cases, and maybe allow a callback similar to Sanitize if that turns out to be useful?
zyga
Jan 14, 2016
Contributor
Changed, let me know what you think. I've opted for simplicity so there's no callback yet. Once we have a need for one it can be easily added.
niemeyer
reviewed
Jan 14, 2016
| +type SecuritySystem string | ||
| + | ||
| +const ( | ||
| + securityApparmor SecuritySystem = "apparmor" |
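Review bot: `securityApparmor SecuritySystem = "apparmor"` is unexported while the `SecuritySystem` type is exported and appears in the exported interface, so code outside the package can call SecuritySnippet but cannot name a valid argument except by writing `SecuritySystem("apparmor")` by hand, which defeats the point of the typed constants; export the constants alongside the type.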
zyga
Jan 14, 2016
Contributor
Fixed. I tweaked the comments around each constant below. Golint is now happy but I don't know if they provide any useful value.
The structure looks good. Please ping again when the details above are addressed.
zyga
added some commits
Jan 14, 2016
niemeyer
reviewed
Jan 14, 2016
| + // TODO: switch to the real path later | ||
| + path := c.Attrs["path"] | ||
| + // Allow read, write and lock on the file designated by the path. | ||
| + return ([]byte)(fmt.Sprintf("%s rwl,\n", path)), nil |
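Review bot: `path := c.Attrs["path"]` takes the zero value when the attribute is absent, and the next line then emits ` rwl,\n` with an empty path, which is an invalid rule; either rely on Sanitize guaranteeing the attribute (and say so in a comment) or return an error here when it is missing. Also, `([]byte)(fmt.Sprintf(...))` is a plain conversion, so the extra parentheses around `[]byte` are unnecessary; `[]byte(fmt.Sprintf(...))` is the idiomatic form.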
LGTM... just a trivial above.
Looks good.
zyga commented Jan 14, 2016
This patch commences the work on the security side of capabilities. Each
capability type now has a way to hand out "snippets" of security
information applicable to a given security system. The information
describes alterations of the security system needed to consume a given
capability.
The patch defines three security system names: