securitypolicy package v0.15.0-rc.1
Published: Mar 31, 2026 License: MIT Imports: 28 Imported by: 3

README

Security Policy

This package contains the logic that enables users to express an attested security policy. The policy provides a series of enforcement points; each enforcement point constrains one action that the host requests of the guest. Security policies are expressed in Rego, a policy language designed for use in scenarios like this one.

We provide a framework that users can employ to make writing policies easier, but there is no requirement for this framework to be used. Valid policies only need to define the enforcement points which are enumerated in the API namespace.

Adding a New Enforcement Point

When adding a new enforcement point, care must be taken to ensure that it is correctly connected to the rest of the codebase and properly supported. Here is a helpful checklist:

  1. Add the enforcement point to the SecurityPolicyEnforcer interface.
  2. Add stub implementations of the enforcement point to all classes which implement the interface. Some files to look at:
  3. Wrap the call in uvm.go so that it will not happen unless the security policy says it is OK.
  4. Add the enforcement point to api.rego and bump one minor version.
  5. Add the enforcement point rule to policy.rego and open_door.rego.
  6. Add the enforcement point rule logic to framework.rego.
  7. Add useful error messages to framework.rego. Be sure to gate them with the rule name.
  8. Update the internal representations of the policy in securitypolicy_internal.go to contain any constraint objects which are needed by the framework logic.
  9. Update the Rego marshalling code in securitypolicy_marshal.go to emit the constraint objects which you added in the previous step.
  10. In securitypolicyenforcer_rego.go, fill out the stub with the input needed for the framework logic.
  11. Add tests to regopolicy_test.go. As a rule, you should add one test which verifies that the rule enforces things correctly, and then at least one test per error condition. Be sure to test that the error messages you emit are present in the returned error message.

Documentation

Index

Constants

const (
	SecurityContextDirTemplate = "security-context-*"
	PolicyFilename             = "security-policy-base64"
	HostAMDCertFilename        = "host-amd-cert-base64"
	ReferenceInfoFilename      = "reference-info-base64"
)

Variables

var APICode = strings.Replace(apiCodeTemplate, "@@API_VERSION@@", apiVersion, 1)
var ErrInvalidOpenDoorPolicy = errors.New("Invalid policy for open-door enforcer")
var FrameworkCode = strings.Replace(frameworkCodeTemplate, "@@FRAMEWORK_VERSION@@", frameworkVersion, 1)

Functions

func DefaultCRIMounts

func DefaultCRIMounts() []oci.Mount

func DefaultCRIPrivilegedMounts

func DefaultCRIPrivilegedMounts() []oci.Mount

DefaultCRIPrivilegedMounts returns a slice of mounts which are added to the linux container spec when a container runs in a privileged mode.

func DefaultPrivilegedCapabilities added in v0.10.0

func DefaultPrivilegedCapabilities() []string

func DefaultUnprivilegedCapabilities added in v0.10.0

func DefaultUnprivilegedCapabilities() []string

func EmptyCapabiltiesSet added in v0.10.0

func EmptyCapabiltiesSet() []string

func ExtendPolicyWithNetworkingMounts

func ExtendPolicyWithNetworkingMounts(sandboxID string, enforcer SecurityPolicyEnforcer, spec *oci.Spec) error

func ExtractPolicyDecision added in v0.10.0

func ExtractPolicyDecision(errorMessage string) (string, error)

func GetAllUserInfo

func GetAllUserInfo(process *oci.Process, rootPath string) (
	userIDName IDName,
	groupIDNames []IDName,
	umask string,
	err error,
)

func HugePagesMountsDir added in v0.14.0

func HugePagesMountsDir(sandboxID string) string

HugePagesMountsDir returns the hugepages mounts directory inside the UVM.

func MarshalFragment added in v0.10.0

func MarshalFragment(
	namespace string,
	svn string,
	containers []*Container,
	externalProcesses []ExternalProcessConfig,
	fragments []FragmentConfig) (string, error)

func MarshalPolicy added in v0.10.0

func MarshalPolicy(
	marshaller string,
	allowAll bool,
	containers []*Container,
	externalProcesses []ExternalProcessConfig,
	fragments []FragmentConfig,
	allowPropertiesAccess bool,
	allowDumpStacks bool,
	allowRuntimeLogging bool,
	allowEnvironmentVariableDropping bool,
	allowUnencryptedScratch bool,
	allowCapbilitiesDropping bool,
) (string, error)

func MeasureSeccompProfile added in v0.10.0

func MeasureSeccompProfile(seccomp *specs.LinuxSeccomp) (string, error)

func NewSecurityPolicyDigest added in v0.10.0

func NewSecurityPolicyDigest(base64policy string) ([]byte, error)

NewSecurityPolicyDigest decodes the base64 encoded policy string, then computes and returns its SHA-256 digest.

func SandboxMountsDir added in v0.14.0

func SandboxMountsDir(sandboxID string) string

SandboxMountsDir returns the sandbox mounts directory inside the UVM/host.

Types

type AuthConfig added in v0.10.0

type AuthConfig struct {
	Username string `json:"username" toml:"username"`
	Password string `json:"password" toml:"password"`
}

AuthConfig contains toml or JSON config for registry authentication.

type CapabilitiesConfig added in v0.10.0

type CapabilitiesConfig struct {
	Bounding    []string `json:"bounding" toml:"bounding"`
	Effective   []string `json:"effective" toml:"effective"`
	Inheritable []string `json:"inheritable" toml:"inheritable"`
	Permitted   []string `json:"permitted" toml:"permitted"`
	Ambient     []string `json:"ambient" toml:"ambient"`
}

CapabilitiesConfig contains the toml or JSON config for the capabilities security policy constraint description.

type ClosedDoorSecurityPolicyEnforcer

type ClosedDoorSecurityPolicyEnforcer struct{}

func (ClosedDoorSecurityPolicyEnforcer) EncodedSecurityPolicy added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string

func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicyV2

func (ClosedDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicyV2(
	ctx context.Context,
	containerID string,
	argList []string,
	envList []string,
	workingDir string,
	mounts []oci.Mount,
	user IDName,
	opts *CreateContainerOptions,
) (EnvList, *oci.LinuxCapabilities, bool, error)

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(context.Context, string, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy

func (ClosedDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(context.Context, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(context.Context, []string, []string, string) (EnvList, bool, error)

func (ClosedDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicyV2

func (ClosedDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicyV2(
	ctx context.Context,
	containerID string,
	argList []string,
	envList []string,
	workingDir string,
	user IDName,
	opts *ExecOptions,
) (EnvList, *oci.LinuxCapabilities, bool, error)

func (ClosedDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(context.Context, string, []string, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error

func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy added in v0.10.0

func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error

func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy added in v0.10.0

func (*ClosedDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceRWDeviceMountPolicy

func (ClosedDoorSecurityPolicyEnforcer) EnforceRWDeviceMountPolicy(context.Context, string, bool, bool, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceRWDeviceUnmountPolicy

func (ClosedDoorSecurityPolicyEnforcer) EnforceRWDeviceUnmountPolicy(context.Context, string) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceRegistryChangesPolicy

func (ClosedDoorSecurityPolicyEnforcer) EnforceRegistryChangesPolicy(ctx context.Context, containerID string, registryValues interface{}) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy(context.Context, string, bool) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error

func (*ClosedDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy added in v0.10.0

func (*ClosedDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error

func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy added in v0.10.0

func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(context.Context, string, syscall.Signal, bool, []string) error

func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicyV2

func (*ClosedDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicyV2(ctx context.Context, containerID string, opts *SignalContainerOptions) error

func (ClosedDoorSecurityPolicyEnforcer) EnforceVerifiedCIMsPolicy

func (ClosedDoorSecurityPolicyEnforcer) EnforceVerifiedCIMsPolicy(ctx context.Context, containerID string, layerHashes []string) error

func (ClosedDoorSecurityPolicyEnforcer) ExtendDefaultMounts added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) ExtendDefaultMounts(_ []oci.Mount) error

func (ClosedDoorSecurityPolicyEnforcer) GetUserInfo added in v0.10.0

func (ClosedDoorSecurityPolicyEnforcer) GetUserInfo(spec *oci.Process, rootPath string) (IDName, []IDName, string, error)

func (ClosedDoorSecurityPolicyEnforcer) LoadFragment added in v0.10.0

type CommandArgs

type CommandArgs StringArrayMap

func (CommandArgs) MarshalJSON

func (c CommandArgs) MarshalJSON() ([]byte, error)

type Container

type Container struct {
	Command              CommandArgs         `json:"command"`
	EnvRules             EnvRules            `json:"env_rules"`
	Layers               Layers              `json:"layers"`
	WorkingDir           string              `json:"working_dir"`
	Mounts               Mounts              `json:"mounts"`
	AllowElevated        bool                `json:"allow_elevated"`
	ExecProcesses        []ExecProcessConfig `json:"-"`
	Signals              []syscall.Signal    `json:"-"`
	AllowStdioAccess     bool                `json:"-"`
	NoNewPrivileges      bool                `json:"-"`
	User                 UserConfig          `json:"-"`
	Capabilities         *CapabilitiesConfig `json:"-"`
	SeccompProfileSHA256 string              `json:"-"`
}

func CreateContainerPolicy added in v0.10.0

func CreateContainerPolicy(
	command, layers []string,
	envRules []EnvRuleConfig,
	workingDir string,
	mounts []MountConfig,
	allowElevated bool,
	execProcesses []ExecProcessConfig,
	signals []syscall.Signal,
	allowStdioAccess bool,
	noNewPrivileges bool,
	user UserConfig,
	capabilities *CapabilitiesConfig,
	seccompProfileSHA256 string,
) (*Container, error)

CreateContainerPolicy creates a new Container policy instance from the provided constraints or an error if parameter validation fails.

func (*Container) ToInternalContainer

func (c *Container) ToInternalContainer() (interface{}, error)

ToInternalContainer implements ContainerInterface for Container.

type ContainerConfig added in v0.10.0

type ContainerConfig struct {
	ImageName                string              `json:"image_name" toml:"image_name"`
	Command                  []string            `json:"command" toml:"command"`
	Auth                     AuthConfig          `json:"auth" toml:"auth"`
	EnvRules                 []EnvRuleConfig     `json:"env_rules" toml:"env_rule"`
	WorkingDir               string              `json:"working_dir" toml:"working_dir"`
	Mounts                   []MountConfig       `json:"mounts" toml:"mount"`
	AllowElevated            bool                `json:"allow_elevated" toml:"allow_elevated"`
	ExecProcesses            []ExecProcessConfig `json:"exec_processes" toml:"exec_process"`
	Signals                  []syscall.Signal    `json:"signals" toml:"signals"`
	AllowStdioAccess         bool                `json:"allow_stdio_access" toml:"allow_stdio_access"`
	AllowPrivilegeEscalation bool                `json:"allow_privilege_escalation" toml:"allow_privilege_escalation"`
	User                     *UserConfig         `json:"user" toml:"user"`
	Capabilities             *CapabilitiesConfig `json:"capabilities" toml:"capabilities"`
	SeccompProfilePath       string              `json:"seccomp_profile_path" toml:"seccomp_profile_path"`
}

ContainerConfig contains toml or JSON config for container described in security policy.

type ContainerConfigOpt added in v0.10.0

type ContainerConfigOpt func(config *ContainerConfig) error

func WithAllowElevated added in v0.10.0

func WithAllowElevated(elevated bool) ContainerConfigOpt

WithAllowElevated allows container to run in an elevated/privileged mode.

func WithAllowPrivilegeEscalation added in v0.10.0

func WithAllowPrivilegeEscalation(allow bool) ContainerConfigOpt

WithAllowPrivilegeEscalation allows privilege escalation by clearing the NoNewPrivileges flag.

func WithAllowStdioAccess added in v0.10.0

func WithAllowStdioAccess(stdio bool) ContainerConfigOpt

WithAllowStdioAccess enables or disables container init process stdio.

func WithCapabilities added in v0.10.0

func WithCapabilities(capabilities *CapabilitiesConfig) ContainerConfigOpt

WithCapabilities sets capabilities in container policy config.

func WithCommand added in v0.10.0

func WithCommand(cmd []string) ContainerConfigOpt

WithCommand sets ContainerConfig.Command in container policy config.

func WithEnvVarRules added in v0.10.0

func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt

WithEnvVarRules adds environment variable constraints to container policy config.

func WithExecProcesses added in v0.10.0

func WithExecProcesses(execs []ExecProcessConfig) ContainerConfigOpt

WithExecProcesses allows specified exec processes.

func WithMountConstraints added in v0.10.0

func WithMountConstraints(mc []MountConfig) ContainerConfigOpt

WithMountConstraints extends ContainerConfig.Mounts with provided mount constraints.

func WithSeccompProfilePath added in v0.10.0

func WithSeccompProfilePath(path string) ContainerConfigOpt

WithSeccompProfilePath sets seccomp profile path in container policy config.

func WithUser added in v0.10.0

func WithUser(user UserConfig) ContainerConfigOpt

WithUser sets user in container policy config.

func WithWorkingDir added in v0.10.0

func WithWorkingDir(wd string) ContainerConfigOpt

WithWorkingDir sets working directory in container policy config.

type ContainerInterface

type ContainerInterface interface {
	ToInternalContainer() (interface{}, error)
}

ContainerInterface represents either Container or WindowsContainer.

type Containers

type Containers struct {
	Length   int                  `json:"length"`
	Elements map[string]Container `json:"elements"`
}

func (Containers) MarshalJSON

func (c Containers) MarshalJSON() ([]byte, error)

type CreateContainerOptions

type CreateContainerOptions struct {
	SandboxID            string
	Privileged           *bool
	NoNewPrivileges      *bool
	Groups               []IDName
	Umask                string
	Capabilities         *oci.LinuxCapabilities
	SeccompProfileSHA256 string
}

type EncodedSecurityPolicy

type EncodedSecurityPolicy struct {
	SecurityPolicy string `json:"SecurityPolicy,omitempty"`
}

EncodedSecurityPolicy is a JSON representation of SecurityPolicy that has been base64 encoded for storage in an annotation embedded within another JSON configuration.

type EnvList added in v0.10.0

type EnvList []string

type EnvRuleConfig added in v0.10.0

type EnvRuleConfig struct {
	Strategy EnvVarRule `json:"strategy" toml:"strategy"`
	Rule     string     `json:"rule" toml:"rule"`
	Required bool       `json:"required" toml:"required"`
}

EnvRuleConfig contains toml or JSON config for environment variable security policy enforcement.

func NewEnvVarRules added in v0.10.0

func NewEnvVarRules(envVars []string, required bool) []EnvRuleConfig

NewEnvVarRules creates a slice of EnvRuleConfig from a slice of environment variable strings.

type EnvRules

type EnvRules struct {
	Length   int                      `json:"length"`
	Elements map[string]EnvRuleConfig `json:"elements"`
}

func (EnvRules) MarshalJSON

func (e EnvRules) MarshalJSON() ([]byte, error)

type EnvVarRule

type EnvVarRule string
const (
	EnvVarRuleString EnvVarRule = "string"
	EnvVarRuleRegex  EnvVarRule = "re2"
)

type ExecOptions

type ExecOptions struct {
	Groups          []IDName               // optional: empty slice or nil
	Umask           string                 // optional: "" means unspecified
	Capabilities    *oci.LinuxCapabilities // optional: nil means "none"
	NoNewPrivileges *bool                  // optional: nil means "not set"
}

type ExecProcessConfig added in v0.10.0

type ExecProcessConfig struct {
	Command []string         `json:"command" toml:"command"`
	Signals []syscall.Signal `json:"signals" toml:"signals"`
}

ExecProcessConfig contains the toml or JSON config for the exec process security policy constraint description.

type ExternalProcessConfig added in v0.10.0

type ExternalProcessConfig struct {
	Command          []string `json:"command" toml:"command"`
	WorkingDir       string   `json:"working_dir" toml:"working_dir"`
	AllowStdioAccess bool     `json:"allow_stdio_access" toml:"allow_stdio_access"`
}

ExternalProcessConfig contains toml or JSON config for running external processes in the UVM.

type FragmentConfig added in v0.10.0

type FragmentConfig struct {
	Issuer     string   `json:"issuer" toml:"issuer"`
	Feed       string   `json:"feed" toml:"feed"`
	MinimumSVN string   `json:"minimum_svn" toml:"minimum_svn"`
	Includes   []string `json:"includes" toml:"include"`
}

FragmentConfig contains toml or JSON config for including elements from fragments.

type IDName added in v0.10.0

type IDName struct {
	ID   string
	Name string
}

type IDNameConfig added in v0.10.0

type IDNameConfig struct {
	Strategy IDNameStrategy `json:"strategy" toml:"strategy"`
	Rule     string         `json:"rule" toml:"rule"`
}

type IDNameStrategy added in v0.10.0

type IDNameStrategy string
const (
	IDNameStrategyName  IDNameStrategy = "name"
	IDNameStrategyID    IDNameStrategy = "id"
	IDNameStrategyRegex IDNameStrategy = "re2"
	IDNameStrategyAny   IDNameStrategy = "any"
)

type Layers

type Layers StringArrayMap

func (Layers) MarshalJSON

func (l Layers) MarshalJSON() ([]byte, error)

type Mount added in v0.10.0

type Mount struct {
	Source      string  `json:"source"`
	Destination string  `json:"destination"`
	Type        string  `json:"type"`
	Options     Options `json:"options"`
}

type MountConfig added in v0.10.0

type MountConfig struct {
	HostPath      string `json:"host_path" toml:"host_path"`
	ContainerPath string `json:"container_path" toml:"container_path"`
	Readonly      bool   `json:"readonly" toml:"readonly"`
}

MountConfig contains toml or JSON config for mount security policy constraint description.

type Mounts added in v0.10.0

type Mounts struct {
	Length   int              `json:"length"`
	Elements map[string]Mount `json:"elements"`
}

func (Mounts) MarshalJSON added in v0.10.0

func (m Mounts) MarshalJSON() ([]byte, error)

type OSAwareMarshalFunc

type OSAwareMarshalFunc func(
	allowAll bool,
	linuxContainers []*Container,
	windowsContainers []*WindowsContainer,
	osType string,
	externalProcesses []ExternalProcessConfig,
	fragments []FragmentConfig,
	allowPropertiesAccess bool,
	allowDumpStacks bool,
	allowRuntimeLogging bool,
	allowEnvironmentVariableDropping bool,
	allowUnencryptedScratch bool,
	allowCapabilityDropping bool,
) (string, error)

OSAwareMarshalFunc is like marshalFunc but works with mixed container types.

type OpenDoorSecurityPolicyEnforcer

type OpenDoorSecurityPolicyEnforcer struct {
	// contains filtered or unexported fields
}

func (*OpenDoorSecurityPolicyEnforcer) EncodedSecurityPolicy added in v0.10.0

func (oe *OpenDoorSecurityPolicyEnforcer) EncodedSecurityPolicy() string

func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy

func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicy(_ context.Context, _, _ string, _ []string, envList []string, _ string, _ []oci.Mount, _ bool, _ bool, _ IDName, _ []IDName, _ string, caps *oci.LinuxCapabilities, _ string) (EnvList, *oci.LinuxCapabilities, bool, error)

func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicyV2

func (OpenDoorSecurityPolicyEnforcer) EnforceCreateContainerPolicyV2(
	ctx context.Context,
	containerID string,
	argList []string,
	envList []string,
	workingDir string,
	mounts []oci.Mount,
	user IDName,
	opts *CreateContainerOptions,
) (EnvList, *oci.LinuxCapabilities, bool, error)

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceMountPolicy(context.Context, string, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy

func (OpenDoorSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(context.Context, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) EnforceDumpStacksPolicy(context.Context) error

func (OpenDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) EnforceExecExternalProcessPolicy(_ context.Context, _ []string, envList []string, _ string) (EnvList, bool, error)

func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicy(_ context.Context, _ string, _ []string, envList []string, _ string, _ bool, _ IDName, _ []IDName, _ string, caps *oci.LinuxCapabilities) (EnvList, *oci.LinuxCapabilities, bool, error)

func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicyV2

func (OpenDoorSecurityPolicyEnforcer) EnforceExecInContainerPolicyV2(
	ctx context.Context,
	containerID string,
	argList []string,
	envList []string,
	workingDir string,
	user IDName,
	opts *ExecOptions,
) (EnvList, *oci.LinuxCapabilities, bool, error)

func (OpenDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) EnforceGetPropertiesPolicy(context.Context) error

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayMountPolicy(context.Context, string, []string, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) EnforceOverlayUnmountPolicy(context.Context, string) error

func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy added in v0.10.0

func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9MountPolicy(context.Context, string) error

func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy added in v0.10.0

func (*OpenDoorSecurityPolicyEnforcer) EnforcePlan9UnmountPolicy(context.Context, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceRWDeviceMountPolicy

func (OpenDoorSecurityPolicyEnforcer) EnforceRWDeviceMountPolicy(context.Context, string, bool, bool, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceRWDeviceUnmountPolicy

func (OpenDoorSecurityPolicyEnforcer) EnforceRWDeviceUnmountPolicy(context.Context, string) error

func (OpenDoorSecurityPolicyEnforcer) EnforceRegistryChangesPolicy

func (OpenDoorSecurityPolicyEnforcer) EnforceRegistryChangesPolicy(ctx context.Context, containerID string, registryValues interface{}) error

func (OpenDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) EnforceRuntimeLoggingPolicy(context.Context) error

func (OpenDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) EnforceScratchMountPolicy(context.Context, string, bool) error

func (OpenDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) EnforceScratchUnmountPolicy(context.Context, string) error

func (*OpenDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy added in v0.10.0

func (*OpenDoorSecurityPolicyEnforcer) EnforceShutdownContainerPolicy(context.Context, string) error

func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy added in v0.10.0

func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicy(context.Context, string, syscall.Signal, bool, []string) error

func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicyV2

func (*OpenDoorSecurityPolicyEnforcer) EnforceSignalContainerProcessPolicyV2(ctx context.Context, containerID string, opts *SignalContainerOptions) error

func (OpenDoorSecurityPolicyEnforcer) EnforceVerifiedCIMsPolicy

func (OpenDoorSecurityPolicyEnforcer) EnforceVerifiedCIMsPolicy(ctx context.Context, containerID string, layerHashes []string) error

func (OpenDoorSecurityPolicyEnforcer) ExtendDefaultMounts added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) ExtendDefaultMounts([]oci.Mount) error

func (OpenDoorSecurityPolicyEnforcer) GetUserInfo added in v0.10.0

func (OpenDoorSecurityPolicyEnforcer) GetUserInfo(spec *oci.Process, rootPath string) (IDName, []IDName, string, error)

func (OpenDoorSecurityPolicyEnforcer) LoadFragment added in v0.10.0

type Options added in v0.10.0

type Options StringArrayMap

func (Options) MarshalJSON added in v0.10.0

func (o Options) MarshalJSON() ([]byte, error)

type PolicyConfig added in v0.10.0

type PolicyConfig struct {
	AllowAll                         bool                    `json:"allow_all" toml:"allow_all"`
	Containers                       []ContainerConfig       `json:"containers" toml:"container"`
	ExternalProcesses                []ExternalProcessConfig `json:"external_processes" toml:"external_process"`
	Fragments                        []FragmentConfig        `json:"fragments" toml:"fragment"`
	AllowPropertiesAccess            bool                    `json:"allow_properties_access" toml:"allow_properties_access"`
	AllowDumpStacks                  bool                    `json:"allow_dump_stacks" toml:"allow_dump_stacks"`
	AllowRuntimeLogging              bool                    `json:"allow_runtime_logging" toml:"allow_runtime_logging"`
	AllowEnvironmentVariableDropping bool                    `json:"allow_environment_variable_dropping" toml:"allow_environment_variable_dropping"`
	// AllowUnencryptedScratch is a global policy configuration that allows
	// all containers within a pod to be run without scratch encryption.
	AllowUnencryptedScratch bool `json:"allow_unencrypted_scratch" toml:"allow_unencrypted_scratch"`
	AllowCapabilityDropping bool `json:"allow_capability_dropping" toml:"allow_capability_dropping"`
}

PolicyConfig contains toml or JSON config for security policy.

func NewPolicyConfig added in v0.10.0

func NewPolicyConfig(opts ...PolicyConfigOpt) (*PolicyConfig, error)

type PolicyConfigOpt added in v0.10.0

type PolicyConfigOpt func(config *PolicyConfig) error

func WithAllowCapabilityDropping added in v0.10.0

func WithAllowCapabilityDropping(allow bool) PolicyConfigOpt

func WithAllowDumpStacks added in v0.10.0

func WithAllowDumpStacks(allow bool) PolicyConfigOpt

func WithAllowEnvVarDropping added in v0.10.0

func WithAllowEnvVarDropping(allow bool) PolicyConfigOpt

func WithAllowPropertiesAccess added in v0.10.0

func WithAllowPropertiesAccess(allow bool) PolicyConfigOpt

func WithAllowRuntimeLogging added in v0.10.0

func WithAllowRuntimeLogging(allow bool) PolicyConfigOpt

func WithAllowUnencryptedScratch added in v0.10.0

func WithAllowUnencryptedScratch(allow bool) PolicyConfigOpt

func WithContainers added in v0.10.0

func WithContainers(containers []ContainerConfig) PolicyConfigOpt

WithContainers adds containers to security policy.

func WithExternalProcesses added in v0.10.0

func WithExternalProcesses(processes []ExternalProcessConfig) PolicyConfigOpt

type SecurityOptions

type SecurityOptions struct {
	// state required for the security policy enforcement
	PolicyEnforcer    SecurityPolicyEnforcer
	PolicyEnforcerSet bool
	UvmReferenceInfo  string
	// contains filtered or unexported fields
}

func NewSecurityOptions

func NewSecurityOptions(enforcer SecurityPolicyEnforcer, enforcerSet bool, uvmReferenceInfo string, logWriter io.Writer) *SecurityOptions

func (*SecurityOptions) InjectFragment

func (s *SecurityOptions) InjectFragment(ctx context.Context, fragment *guestresource.SecurityPolicyFragment) (err error)

InjectFragment extends the current security policy with additional constraints from the incoming fragment. Note that the fragment is base64 encoded over the bridge.

There are three checking steps:

  1. Unpack the COSE document and check that it was actually signed with the cert chain inside its header.
  2. Check that the issuer field's did:x509 identifier is for that cert chain (i.e. the fingerprint is of a non-leaf cert and the subject matches the leaf cert).
  3. Check that this issuer/feed pair matches the requirement of the user-provided security policy (done in the Rego by LoadFragment).

func (*SecurityOptions) SetConfidentialOptions

func (s *SecurityOptions) SetConfidentialOptions(ctx context.Context, enforcerType string, encodedSecurityPolicy string, encodedUVMReference string) error

SetConfidentialOptions takes guestresource.ConfidentialOptions to set up the internal data structures we use to store and enforce security policy. The options can contain the security policy enforcer type, the encoded security policy and the signed UVM reference information. The security policy and UVM reference information can be further presented to workload containers for validation and attestation purposes.

func (*SecurityOptions) WriteSecurityContextDir

func (s *SecurityOptions) WriteSecurityContextDir(spec *specs.Spec) error

WriteSecurityContextDir writes the security policy, signed UVM reference and host AMD certificate to the container's rootfs, so that application and sidecar containers can access them. The security policy is required by containers which need to extract init-time claims found in the security policy. The directory path containing the files is exposed via the UVM_SECURITY_CONTEXT_DIR env var. It may be an error to have a security policy but not expose it to the container, as in that case it can never be checked as correct by a verifier.

type SecurityPolicy

type SecurityPolicy struct {
	// Flag that when set to true allows for all checks to pass. Currently, used
	// to run with security policy enforcement "running dark"; checks can be in
	// place but the default policy that is created on startup has AllowAll set
	// to true, thus making policy enforcement effectively "off" from a logical
	// standpoint. Policy enforcement isn't actually off as the policy is "allow
	// everything".
	AllowAll bool `json:"allow_all"`
	// One or more containers that are allowed to run
	Containers        Containers        `json:"containers"`
	WindowsContainers WindowsContainers `json:"windows_containers"`
}

func NewOpenDoorPolicy added in v0.10.0

func NewOpenDoorPolicy() *SecurityPolicy

NewOpenDoorPolicy creates a new SecurityPolicy with AllowAll set to `true`

func NewSecurityPolicy added in v0.10.0

func NewSecurityPolicy(allowAll bool, containers []*Container) *SecurityPolicy

NewSecurityPolicy creates a new SecurityPolicy from the provided values.

func (*SecurityPolicy) EncodeToString added in v0.10.0

func (sp *SecurityPolicy) EncodeToString() (string, error)

EncodeToString returns base64 encoded string representation of SecurityPolicy.

type SecurityPolicyEnforcer

type SecurityPolicyEnforcer interface {
	EnforceDeviceMountPolicy(ctx context.Context, target string, deviceHash string) (err error)
	EnforceRWDeviceMountPolicy(ctx context.Context, target string, encrypted, ensureFilesystem bool, filesystem string) (err error)
	EnforceDeviceUnmountPolicy(ctx context.Context, unmountTarget string) (err error)
	EnforceRWDeviceUnmountPolicy(ctx context.Context, unmountTarget string) (err error)
	EnforceOverlayMountPolicy(ctx context.Context, containerID string, layerPaths []string, target string) (err error)
	EnforceOverlayUnmountPolicy(ctx context.Context, target string) (err error)
	EnforceCreateContainerPolicy(
		ctx context.Context,
		sandboxID string,
		containerID string,
		argList []string,
		envList []string,
		workingDir string,
		mounts []oci.Mount,
		privileged bool,
		noNewPrivileges bool,
		user IDName,
		groups []IDName,
		umask string,
		capabilities *oci.LinuxCapabilities,
		seccompProfileSHA256 string,
	) (EnvList, *oci.LinuxCapabilities, bool, error)
	EnforceCreateContainerPolicyV2(
		ctx context.Context,
		containerID string,
		argList []string,
		envList []string,
		workingDir string,
		mounts []oci.Mount,
		user IDName,
		opts *CreateContainerOptions,
	) (EnvList, *oci.LinuxCapabilities, bool, error)
	ExtendDefaultMounts([]oci.Mount) error
	EncodedSecurityPolicy() string
	EnforceExecInContainerPolicy(
		ctx context.Context,
		containerID string,
		argList []string,
		envList []string,
		workingDir string,
		noNewPrivileges bool,
		user IDName,
		groups []IDName,
		umask string,
		capabilities *oci.LinuxCapabilities,
	) (EnvList, *oci.LinuxCapabilities, bool, error)
	EnforceExecInContainerPolicyV2(
		ctx context.Context,
		containerID string,
		argList []string,
		envList []string,
		workingDir string,
		user IDName,
		opts *ExecOptions,
	) (EnvList, *oci.LinuxCapabilities, bool, error)
	EnforceExecExternalProcessPolicy(ctx context.Context, argList []string, envList []string, workingDir string) (EnvList, bool, error)
	EnforceShutdownContainerPolicy(ctx context.Context, containerID string) error
	EnforceSignalContainerProcessPolicy(ctx context.Context, containerID string, signal syscall.Signal, isInitProcess bool, startupArgList []string) error
	EnforceSignalContainerProcessPolicyV2(ctx context.Context, containerID string, opts *SignalContainerOptions) error
	EnforcePlan9MountPolicy(ctx context.Context, target string) (err error)
	EnforcePlan9UnmountPolicy(ctx context.Context, target string) (err error)
	EnforceGetPropertiesPolicy(ctx context.Context) error
	EnforceDumpStacksPolicy(ctx context.Context) error
	EnforceRuntimeLoggingPolicy(ctx context.Context) (err error)
	LoadFragment(ctx context.Context, issuer string, feed string, rego string) error
	EnforceScratchMountPolicy(ctx context.Context, scratchPath string, encrypted bool) (err error)
	EnforceScratchUnmountPolicy(ctx context.Context, scratchPath string) (err error)
	GetUserInfo(spec *oci.Process, rootPath string) (IDName, []IDName, string, error)
	EnforceVerifiedCIMsPolicy(ctx context.Context, containerID string, layerHashes []string) (err error)
	EnforceRegistryChangesPolicy(ctx context.Context, containerID string, registryValues interface{}) error
}

func CreateSecurityPolicyEnforcer added in v0.10.0

func CreateSecurityPolicyEnforcer(
	enforcer string,
	base64EncodedPolicy string,
	criMounts,
	criPrivilegedMounts []oci.Mount,
	maxErrorMessageLength int,
) (SecurityPolicyEnforcer, error)

CreateSecurityPolicyEnforcer returns the appropriate enforcer for the input parameters. It returns an error if the requested `enforcer` implementation isn't registered.

This function can be called for both confidential and non-confidential containers; in the non-confidential case the policy is empty. Normally no enforcer is specified, in which case the choice follows the policy: the default for confidential containers (Rego) when a policy is present, or the open door enforcer when the policy is empty. The host may override this choice. The override is not measured in the SNP hostData, so the enforcer must make sure the policy provided is a valid policy for that enforcer (for example, for open_door it must either be empty or contain only the "allow_all" field set to true).

type SignalContainerOptions

type SignalContainerOptions struct {
	IsInitProcess bool
	// One of these will be set depending on platform
	LinuxSignal   syscall.Signal
	WindowsSignal guestrequest.SignalValueWCOW

	LinuxStartupArgs []string
	WindowsCommand   []string
}

type StringArrayMap added in v0.10.0

type StringArrayMap struct {
	Length   int               `json:"length"`
	Elements map[string]string `json:"elements"`
}

StringArrayMap wraps an array of strings as a string map.

func (StringArrayMap) MarshalJSON added in v0.10.0

func (s StringArrayMap) MarshalJSON() ([]byte, error)
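The length/elements layout of StringArrayMap and SecurityPolicy, the JSON-then-base64 encoding described for EncodeToString, and the enforcer-selection default and open_door validity rule described under CreateSecurityPolicyEnforcer above, in one added example. The types are stand-ins written for this page, not the package's own: the container fields modelled are a reduced subset, the enforcer names "rego" and "open_door" are labels chosen here, and the layer digest in the test is constructed. The open_door check applies the documented rule literally (empty, or a JSON object whose only field is allow_all set to true).

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

// stringArrayMap mirrors the documented StringArrayMap layout: an array
// serialised as {"length": N, "elements": {"0": v0, "1": v1, ...}}.
type stringArrayMap struct {
	Length   int               `json:"length"`
	Elements map[string]string `json:"elements"`
}

func newStringArrayMap(values []string) stringArrayMap {
	m := stringArrayMap{Length: len(values), Elements: map[string]string{}}
	for i, v := range values {
		m.Elements[strconv.Itoa(i)] = v
	}
	return m
}

// container is a reduced stand-in for the package's Container type; only the
// command and layer digests are modelled (assumption of this example).
type container struct {
	Command stringArrayMap `json:"command"`
	Layers  stringArrayMap `json:"layers"`
}

// containers uses the same length/elements layout for the allowed set.
type containers struct {
	Length   int                  `json:"length"`
	Elements map[string]container `json:"elements"`
}

type securityPolicy struct {
	AllowAll   bool       `json:"allow_all"`
	Containers containers `json:"containers"`
}

func newSecurityPolicy(allowAll bool, cs []container) securityPolicy {
	p := securityPolicy{AllowAll: allowAll, Containers: containers{Length: len(cs), Elements: map[string]container{}}}
	for i, c := range cs {
		p.Containers.Elements[strconv.Itoa(i)] = c
	}
	return p
}

// encodePolicy is the JSON-then-base64 encoding described for EncodeToString.
func encodePolicy(p securityPolicy) (string, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// selectEnforcer applies the documented default when the host names no
// enforcer: an empty policy selects the open door enforcer, anything else
// selects Rego. "rego" and "open_door" are labels chosen for this example.
func selectEnforcer(requested, encodedPolicy string) string {
	if requested != "" {
		return requested // host override: not measured, so the policy must be validated
	}
	if encodedPolicy == "" {
		return "open_door"
	}
	return "rego"
}

// validateOpenDoorPolicy enforces the rule stated for open_door: the policy is
// empty, or a JSON object whose only field is allow_all set to true. Rejecting
// anything else stops a host from pairing a real policy with a no-op enforcer.
func validateOpenDoorPolicy(encoded string) error {
	if encoded == "" {
		return nil
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return fmt.Errorf("policy is not valid base64: %w", err)
	}
	var only struct {
		AllowAll *bool `json:"allow_all"`
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // any field other than allow_all is an error
	if err := dec.Decode(&only); err != nil {
		return fmt.Errorf("open_door policy may contain only allow_all: %w", err)
	}
	if only.AllowAll == nil || !*only.AllowAll {
		return errors.New("open_door policy must set allow_all to true")
	}
	return nil
}
```

Typical use is `encodePolicy(newSecurityPolicy(false, cs))` to produce the string handed over the bridge, then `validateOpenDoorPolicy` on the guest side whenever `selectEnforcer` resolves to open_door; a full policy passed with an open_door override is rejected rather than silently ignored.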

type UserConfig added in v0.10.0

type UserConfig struct {
	UserIDName   IDNameConfig   `json:"user_idname" toml:"user_idname"`
	GroupIDNames []IDNameConfig `json:"group_idnames" toml:"group_idname"`
	Umask        string         `json:"umask" toml:"umask"`
}

type WindowsContainer

type WindowsContainer struct {
	Command          CommandArgs                    `json:"command"`
	EnvRules         EnvRules                       `json:"env_rules"`
	Layers           Layers                         `json:"layers"`
	WorkingDir       string                         `json:"working_dir"`
	ExecProcesses    []WindowsExecProcessConfig     `json:"-"`
	Signals          []guestrequest.SignalValueWCOW `json:"-"`
	AllowStdioAccess bool                           `json:"-"`
	User             string                         `json:"-"`
}

func (*WindowsContainer) ToInternalContainer

func (c *WindowsContainer) ToInternalContainer() (interface{}, error)

ToInternalContainer implements ContainerInterface for WindowsContainer.

type WindowsContainers

type WindowsContainers struct {
	Length   int                         `json:"length"`
	Elements map[string]WindowsContainer `json:"elements"`
}

type WindowsExecProcessConfig

type WindowsExecProcessConfig struct {
	Command string                         `json:"command" toml:"command"`
	Signals []guestrequest.SignalValueWCOW `json:"signals" toml:"signals"`
}
