Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filter namespace creation args to clone in default seccomp policy #8054

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Filter namespace creation args to clone in default seccomp policy #8054

wants to merge 1 commit into from

Conversation

dgl
Copy link
Contributor

@dgl dgl commented Apr 22, 2024

What type of PR is this?

/kind bug

What this PR does / why we need it:

The default seccomp policy used by cri-o did not previously block clone() with CLONE_NEWNS and other namespace creation flags. This PR blocks those flags. In addition it has to disable clone3 as it is not currently possible to filter a struct argument with seccomp, this matches the approach taken by containerd.

Which issue(s) this PR fixes:

Special notes for your reviewer:

I can't actually get the bats test to pass in my environment, but then I don't see some of the existing seccomp tests pass, so not sure what's happening there.

Does this PR introduce a user-facing change?

The default seccomp policy now blocks clone system calls that create a Linux namespace, this provides defense-in-depth against Linux kernel vulnerabilities and matches the default seccomp policy provided by containerd.

@dgl dgl requested a review from mrunalp as a code owner April 22, 2024 07:02
@openshift-ci openshift-ci bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Apr 22, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 22, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dgl
Once this PR has been reviewed and has the lgtm label, please assign nalind for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 22, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 22, 2024

Hi @dgl. Thanks for your PR.

I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Apr 22, 2024
@dgl dgl force-pushed the seccomp-clone branch 2 times, most recently from 8c27109 to eb9d001 Compare April 22, 2024 07:16
@kannon92
Copy link
Contributor

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 22, 2024
haircommander
haircommander reviewed Apr 22, 2024
View reviewed changes
test/clone-ns.c Outdated
@@ -0,0 +1,17 @@
#define _GNU_SOURCE
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TESTDATA is test/testdata , I think that's a better fit for this anyway and moving it there will fix the test as is I think

@dgl
Filter namespace creation args to clone in default seccomp policy
1d6c0be 
Currently unshare is filtered by the seccomp policy mutator, but clone
isn't. This filters args to clone that can create a namespace, blocking
both ways of creating a namespace. This also unfortunately means clone3
has to be entirely disabled, because it's not possible to filter the
struct with cBPF.

Signed-off-by: David Leadbeater <dgl@dgl.cx>
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 23, 2024

@dgl: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ci-rhel-e2e 1d6c0be link true /test ci-rhel-e2e
ci/prow/ci-crun-e2e 1d6c0be link true /test ci-crun-e2e
ci/prow/ci-e2e-conmonrs 1d6c0be link true /test ci-e2e-conmonrs
ci/prow/ci-e2e-evented-pleg 1d6c0be link true /test ci-e2e-evented-pleg
ci/prow/ci-e2e 1d6c0be link true /test ci-e2e
ci/prow/ci-rhel-critest 1d6c0be link true /test ci-rhel-critest
ci/prow/ci-cgroupv2-e2e 1d6c0be link true /test ci-cgroupv2-e2e
ci/prow/ci-cgroupv2-e2e-features 1d6c0be link true /test ci-cgroupv2-e2e-features
ci/prow/ci-cgroupv2-e2e-crun 1d6c0be link true /test ci-cgroupv2-e2e-crun
ci/prow/ci-cgroupv2-integration 1d6c0be link true /test ci-cgroupv2-integration
ci/prow/ci-fedora-critest 1d6c0be link true /test ci-fedora-critest
ci/prow/ci-fedora-integration 1d6c0be link true /test ci-fedora-integration

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 9, 2024
@openshift-merge-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haircommander haircommander haircommander left review comments

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@QiWang19 QiWang19 Awaiting requested review from QiWang19

@wgahnagl wgahnagl Awaiting requested review from wgahnagl

Assignees
No one assigned
Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. kind/bug Categorizes issue or PR as related to a bug. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@dgl @kannon92 @openshift-merge-robot @haircommander