Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add NoNewPrivileges setting for linux #290

Merged
merged 1 commit into from
Jan 20, 2016

Conversation

mrunalp
Copy link
Contributor

@mrunalp mrunalp commented Jan 4, 2016

This is a security setting that could be used to prevent processes in the
container from gaining additional privileges.

Signed-off-by: Mrunal Patel mrunalp@gmail.com

RootfsPropagation string `json:"rootfsPropagation,omitempty"`
// disableNewPrivileges controls whether additional privileges could be gained by processes in the container.
DisableNewPrivileges `json:"disableNewPrivileges,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing *bool? At some point I think we should land general specs for the:

Null and missing entries are valid JSON and mean “don't touch this”.

semantics . If we're not comfortable landing that generally, I think this PR needs docs about what runtimes should do if DisableNewPrivileges is null or unset in the JSON.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My suggested generic wording for null/missing is here.

@wking
Copy link
Contributor

wking commented Jan 4, 2016 via email

@mrunalp
Copy link
Contributor Author

mrunalp commented Jan 5, 2016

@crosbymichael @LK4D4 @vbatts @philips PTAL

@crosbymichael
Copy link
Member

Should this just be a default in a runtime?


Setting `disableNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
[The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

give the line item information on it here (that it's a bool and whether required)

@vbatts
Copy link
Member

vbatts commented Jan 5, 2016

almost seems like it could be a default, but still likely that folks would want to opt-in to

@mrunalp
Copy link
Contributor Author

mrunalp commented Jan 5, 2016

@crosbymichael @vbatts This tightens up the security but has some downsides if enabled by default. For e.g. ping won't work if your container doesn't already have the net_raw cap. So, I think opt-in might be better for this feature.

@rhatdan
Copy link
Contributor

rhatdan commented Jan 5, 2016

Somewhat equivalent to

docker run --cap-drop=all -u UID -g GID.

I am trying to find if there is any other differences.

So as @mrunalp says if you just ran
docker run -u UID fedora sh

Then tools like ping, chsh, traceroute etc could theoretically work.

@mheon
Copy link
Contributor

mheon commented Jan 5, 2016

@rhatdan It does have an affect on how layered Seccomp filters are treated, so that would be one thing that your example doesn't cover.

It would be nice to set this to be enabled by default, or at least note that passing a Seccomp configuration implies that it is enabled, given that it has a beneficial relationship with applications in a container that also use Seccomp.

@wking
Copy link
Contributor

wking commented Jan 5, 2016

On Tue, Jan 05, 2016 at 11:12:38AM -0800, Daniel J Walsh wrote:

Somewhat equivalent to

docker run --cap-drop=all -u UID -g GID.

I am trying to find if there is any other differences.

I don't think it's equivalent. The point of no_new_privs (as outlined
in the kernel docs 1) is to close the execve loopholes that are
generally allowed for priviledge escallation. E.g. after dropping
caps, you can still execute a setuid binary and increase your
privileges. If you want to experiment some, I implemented this option
in ccon last night 2.

Re, opt-in or opt-out, I think “least surprise” points to opt-in.
Otherwise I expect a lot of “why don't my setuid binaries work” bug
reports. And I also prefer opt-in as a general principle 3.


## Disable new privileges

Setting `disableNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a reason to not call it noNewPrivileges so it matches the kernel version?

@philips
Copy link
Contributor

philips commented Jan 6, 2016

Why not have a generic prctl field?

@rhatdan
Copy link
Contributor

rhatdan commented Jan 6, 2016

Any way we can get it in, I am all for.

I am torn on the OptIn versus OptOut, OptIn will probably be required. The problem with OptIn, is as I have often said, almost no one ever increases the security. Most executers of containers using -u UID probably expect that the process inside of the container can not become a different UID or get any privileges. But they would need to understand, to get their expected behaviour they would need to do

docker run --nonewpriv --cap-drop=all -u UID ...

Note: --cap-=drop=all might not be needed above.

Have --prctl=NO_NEW_PRIVS=1 might allow us to easily add additional prctl in the furture.

@philips
Copy link
Contributor

philips commented Jan 6, 2016

On Wed, Jan 6, 2016 at 7:37 PM Daniel J Walsh notifications@github.com
wrote:

Have --prctl=NO_NEW_PRIVS=1 might allow us to easily add additional prctl
in the furture

The more I think about it the more I really want to avoid adding new terms
to this spec for Linux. Calling a prctl with the name NO_NEW_PRIVS
disableNewPrivelges reduces discoverability and opens the door for
"expanding behavior".

@mrunalp
Copy link
Contributor Author

mrunalp commented Jan 6, 2016

Downside of using prctl is that not all prctl options make sense for run times. For e.g. There is one for making the parent a reaper but it doesn't make sense for all runtime to support that.

Sent from my iPhone

On Jan 6, 2016, at 8:14 AM, Brandon Philips notifications@github.com wrote:

On Wed, Jan 6, 2016 at 7:37 PM Daniel J Walsh notifications@github.com
wrote:

Have --prctl=NO_NEW_PRIVS=1 might allow us to easily add additional prctl
in the furture

The more I think about it the more I really want to avoid adding new terms
to this spec for Linux. Calling a prctl with the name NO_NEW_PRIVS
disableNewPrivelges reduces discoverability and opens the door for
"expanding behavior".

Reply to this email directly or view it on GitHub.

@mrunalp
Copy link
Contributor Author

mrunalp commented Jan 6, 2016

We could however start with a whitelist of what options are supported.

Sent from my iPhone

On Jan 6, 2016, at 8:27 AM, Mrunal Patel mrunal@me.com wrote:

Downside of using prctl is that not all prctl options make sense for run times. For e.g. There is one for making the parent a reaper but it doesn't make sense for all runtime to support that.

Sent from my iPhone

On Jan 6, 2016, at 8:14 AM, Brandon Philips notifications@github.com wrote:

On Wed, Jan 6, 2016 at 7:37 PM Daniel J Walsh notifications@github.com
wrote:

Have --prctl=NO_NEW_PRIVS=1 might allow us to easily add additional prctl
in the furture

The more I think about it the more I really want to avoid adding new terms
to this spec for Linux. Calling a prctl with the name NO_NEW_PRIVS
disableNewPrivelges reduces discoverability and opens the door for
"expanding behavior".

Reply to this email directly or view it on GitHub.

@rhatdan
Copy link
Contributor

rhatdan commented Jan 7, 2016

We have the same problem with --sysctl in that some sysctls are namespaced and some are not. Our pull requests are blocked because a user could shoot himself in the head. We have recently proposed a whitelist approach for runc to allow us to get --sysctl in. But bottom line, is I believe we need sysctl in and I believe we need NO_NEW_PRIV support, however we can get it in.

One potential option from a docker point of view would be

docker run --security-opt privs:NO_NEW_PRIV:1

Which would allow us to add a new security feature without messy-ing up the CLI, too much.

@dqminh
Copy link
Contributor

dqminh commented Jan 7, 2016

@mrunalp @philips i think prctls + a required list of options works here rather than adding a new fields. Runtime can choose to support additional prctl options.

@rhatdan
Copy link
Contributor

rhatdan commented Jan 13, 2016

Any other comments on this? prctl probably makes sense for runc, then we can argue about docker CLI.

@wking
Copy link
Contributor

wking commented Jan 13, 2016

On Wed, Jan 13, 2016 at 06:55:15AM -0800, Daniel J Walsh wrote:

Any other comments on this? prctl probably makes sense for runc…

Yeah, I'm fine with a generic prctl setting.

@crosbymichael
Copy link
Member

Negative on the generic prctl setting. That is super horrible api and is the first step going down a dark path of

"syscall": [
    [0,2,3,4,1,0]
]

@wking
Copy link
Contributor

wking commented Jan 13, 2016

On Wed, Jan 13, 2016 at 10:22:10AM -0800, Michael Crosby wrote:

Negative on the generic prctl setting…

The problem with adding prctl wrappers (like disableNewPrivileges) one
at a time is that we end up in the same situation that we have now for
cgroups: a thin wrapper around the kernel that takes work to maintain
and adds no value 1. The difference vs. cgroups is that most (all?)
prctl invocations act on the calling thread/process, so it doesn't
decouple as nicely as cgroups (where you can use hooks outside of the
namespaced-process setup dance). Having a generic prctl setting is
the next closest thing we can do to “keep that out of the spec”, and
it allows higher-level tooling to add thin or thick wrappers as they
see fit 2.

And yeah, you could do all of that with a generic syscall wrapper,
but I think everyone agrees that that tips the balance too far (really
easy to write runtimes, but really hard to use them). While for a
generic prctl setting doesn't seem to be much of a usability cost (and
may be more usable 3) over per-prctl wrapper settings. If somebody
has a brilliant idea for a general abstraction that covers
no_new_privs without being a thin wrapper, then that would be a
usability win. But that's not what we have here.

 Subject: removal of cgroups from the OCI Linux spec
 Date: Wed, 28 Oct 2015 17:01:59 +0000
 Message-ID: <CAD2oYtO1RMCcUp52w-xXemzDTs+J6t4hS5Mm4mX+uBnVONGDfA@mail.gmail.com>

@mrunalp
Copy link
Contributor Author

mrunalp commented Jan 13, 2016

I agree with @crosbymichael on this. NO_NEW_PRIVS is specific and closes a lot of holes around priviliege escalation and I think it makes sense to have switch for it. Do we have an example for any other prctl settings that make sense to be exposed as a counter argument?

@mrunalp mrunalp added this to the v0.3.0 milestone Jan 13, 2016
@rhatdan
Copy link
Contributor

rhatdan commented Jan 13, 2016

Some of the other prctl are interesting but they seem to be handled via capability handling and seccomp.

I still think we could handle NO_NEW_PRIVS via SecurityOptions.

@wking
Copy link
Contributor

wking commented Jan 13, 2016

On Wed, Jan 13, 2016 at 11:35:54AM -0800, Mrunal Patel wrote:

I agree with @crosbymichael on this. NO_NEW_PRIVS is specific and
closes a lot of holes around priviliege escalation and I think it
makes sense to have switch for it. Do we have an example for any
other prctl settings that make sense to be exposed as a counter
argument?

I'm currently hard-coding PR_SET_PDEATHSIG to SIGKILL in ccon, but
that could potentially be user configurable. And grepping for PR_SET_
in util-linux turns up setpriv(1) with PR_SET_NO_NEW_PRIVS,
PR_SET_KEEPCAPS, and PR_SET_SECUREBITS.

RootfsPropagation string `json:"rootfsPropagation,omitempty"`
// disableNewPrivileges controls whether additional privileges could be gained by processes in the container.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure if golint will ever be run, but I think it will want the comment to match the name (capital "D" for DisableNewPrivileges)

RootfsPropagation string `json:"rootfsPropagation,omitempty"`
// disableNewPrivileges controls whether additional privileges could be gained by processes in the container.
DisableNewPrivileges *bool `json:"disableNewPrivileges,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the system default false? If yes, then can we drop the * here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Removed the pointer.

@mrunalp mrunalp changed the title Add DisableNewPrivileges setting for linux Add NoNewPrivileges setting for linux Jan 20, 2016
@mrunalp
Copy link
Contributor Author

mrunalp commented Jan 20, 2016

Renamed to NoNewPrivileges. PTAL.

This is a security setting that could be used to prevent processes in the
container from gaining additional privileges.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
@vbatts
Copy link
Member

vbatts commented Jan 20, 2016

LGTM


## No new privileges

Setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the default be true ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nope

On Wed, Jan 20, 2016 at 5:11 PM Vish Kannan notifications@github.com
wrote:

In runtime-config-linux.md
#290 (comment):

@@ -503,3 +503,14 @@ Its value is either slave, private, or shared.

     "rootfsPropagation": "slave",

+## No new privileges
+
+Setting noNewPrivileges to true prevents the processes in the container from gaining additional privileges.

Should the default be true ?


Reply to this email directly or view it on GitHub
https://github.com/opencontainers/specs/pull/290/files#r50328023.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not?

On Wed, Jan 20, 2016 at 2:14 PM, Vincent Batts notifications@github.com
wrote:

In runtime-config-linux.md
#290 (comment):

@@ -503,3 +503,14 @@ Its value is either slave, private, or shared.

     "rootfsPropagation": "slave",

+## No new privileges
+
+Setting noNewPrivileges to true prevents the processes in the container from gaining additional privileges.

nope
… <#1443586824_>
On Wed, Jan 20, 2016 at 5:11 PM Vish Kannan notifications@github.com
wrote: In runtime-config-linux.md <#290 (comment)
https://github.com/opencontainers/specs/pull/290#discussion_r50328023>:

@@ -503,3 +503,14 @@ Its value is either slave, private, or shared. >
json > "rootfsPropagation": "slave", > > + > +## No new privileges >


Reply to this email directly or view it on GitHub
https://github.com/opencontainers/specs/pull/290/files#r50328465.

Copy link
Contributor

@wking wking Jan 20, 2016 via email

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Acknowledged.

@vishh
Copy link
Contributor

vishh commented Jan 20, 2016

LGTM

vbatts added a commit that referenced this pull request Jan 20, 2016
Add NoNewPrivileges setting for linux
@vbatts vbatts merged commit acc1c63 into opencontainers:master Jan 20, 2016
@philips
Copy link
Contributor

philips commented Jan 21, 2016

Thank you, LGTM

On Wed, Jan 20, 2016 at 11:30 AM Mrunal Patel notifications@github.com
wrote:

Renamed to NoNewPrivileges. PTAL.


Reply to this email directly or view it on GitHub
#290 (comment).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants