-
Notifications
You must be signed in to change notification settings - Fork 554
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add NoNewPrivileges setting for linux #290
Conversation
RootfsPropagation string `json:"rootfsPropagation,omitempty"` | ||
// disableNewPrivileges controls whether additional privileges could be gained by processes in the container. | ||
DisableNewPrivileges `json:"disableNewPrivileges,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing *bool
? At some point I think we should land general specs for the:
Null and missing entries are valid JSON and mean “don't touch this”.
semantics . If we're not comfortable landing that generally, I think this PR needs docs about what runtimes should do if DisableNewPrivileges
is null or unset in the JSON.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My suggested generic wording for null/missing is here.
+1 to including this in the runtime, because setting it in the
container process before invoking the user-configured code is both
easier and safer (for runtime callers) than expecting bundle authors
to handle this themselves.
|
Should this just be a default in a runtime? |
|
||
Setting `disableNewPrivileges` to true prevents the processes in the container from gaining additional privileges. | ||
[The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
give the line item information on it here (that it's a bool and whether required)
almost seems like it could be a default, but still likely that folks would want to opt-in to |
@crosbymichael @vbatts This tightens up the security but has some downsides if enabled by default. For e.g. ping won't work if your container doesn't already have the net_raw cap. So, I think opt-in might be better for this feature. |
Somewhat equivalent to docker run --cap-drop=all -u UID -g GID. I am trying to find if there is any other differences. So as @mrunalp says if you just ran Then tools like ping, chsh, traceroute etc could theoretically work. |
@rhatdan It does have an affect on how layered Seccomp filters are treated, so that would be one thing that your example doesn't cover. It would be nice to set this to be enabled by default, or at least note that passing a Seccomp configuration implies that it is enabled, given that it has a beneficial relationship with applications in a container that also use Seccomp. |
On Tue, Jan 05, 2016 at 11:12:38AM -0800, Daniel J Walsh wrote:
I don't think it's equivalent. The point of no_new_privs (as outlined Re, opt-in or opt-out, I think “least surprise” points to opt-in. |
|
||
## Disable new privileges | ||
|
||
Setting `disableNewPrivileges` to true prevents the processes in the container from gaining additional privileges. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a reason to not call it noNewPrivileges so it matches the kernel version?
Why not have a generic prctl field? |
Any way we can get it in, I am all for. I am torn on the OptIn versus OptOut, OptIn will probably be required. The problem with OptIn, is as I have often said, almost no one ever increases the security. Most executers of containers using -u UID probably expect that the process inside of the container can not become a different UID or get any privileges. But they would need to understand, to get their expected behaviour they would need to do docker run --nonewpriv --cap-drop=all -u UID ... Note: --cap-=drop=all might not be needed above. Have --prctl=NO_NEW_PRIVS=1 might allow us to easily add additional prctl in the furture. |
On Wed, Jan 6, 2016 at 7:37 PM Daniel J Walsh notifications@github.com
|
Downside of using prctl is that not all prctl options make sense for run times. For e.g. There is one for making the parent a reaper but it doesn't make sense for all runtime to support that. Sent from my iPhone
|
We could however start with a whitelist of what options are supported. Sent from my iPhone
|
We have the same problem with --sysctl in that some sysctls are namespaced and some are not. Our pull requests are blocked because a user could shoot himself in the head. We have recently proposed a whitelist approach for runc to allow us to get --sysctl in. But bottom line, is I believe we need sysctl in and I believe we need NO_NEW_PRIV support, however we can get it in. One potential option from a docker point of view would be docker run --security-opt privs:NO_NEW_PRIV:1 Which would allow us to add a new security feature without messy-ing up the CLI, too much. |
Any other comments on this? prctl probably makes sense for runc, then we can argue about docker CLI. |
On Wed, Jan 13, 2016 at 06:55:15AM -0800, Daniel J Walsh wrote:
Yeah, I'm fine with a generic prctl setting. |
Negative on the generic prctl setting. That is super horrible api and is the first step going down a dark path of "syscall": [
[0,2,3,4,1,0]
] |
On Wed, Jan 13, 2016 at 10:22:10AM -0800, Michael Crosby wrote:
The problem with adding prctl wrappers (like disableNewPrivileges) one And yeah, you could do all of that with a generic syscall wrapper,
|
I agree with @crosbymichael on this. NO_NEW_PRIVS is specific and closes a lot of holes around priviliege escalation and I think it makes sense to have switch for it. Do we have an example for any other prctl settings that make sense to be exposed as a counter argument? |
Some of the other prctl are interesting but they seem to be handled via capability handling and seccomp. I still think we could handle NO_NEW_PRIVS via SecurityOptions. |
On Wed, Jan 13, 2016 at 11:35:54AM -0800, Mrunal Patel wrote:
I'm currently hard-coding PR_SET_PDEATHSIG to SIGKILL in ccon, but |
RootfsPropagation string `json:"rootfsPropagation,omitempty"` | ||
// disableNewPrivileges controls whether additional privileges could be gained by processes in the container. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure if golint
will ever be run, but I think it will want the comment to match the name (capital "D" for DisableNewPrivileges)
RootfsPropagation string `json:"rootfsPropagation,omitempty"` | ||
// disableNewPrivileges controls whether additional privileges could be gained by processes in the container. | ||
DisableNewPrivileges *bool `json:"disableNewPrivileges,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the system default false
? If yes, then can we drop the *
here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. Removed the pointer.
Renamed to NoNewPrivileges. PTAL. |
This is a security setting that could be used to prevent processes in the container from gaining additional privileges. Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
LGTM |
|
||
## No new privileges | ||
|
||
Setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the default be true
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nope
On Wed, Jan 20, 2016 at 5:11 PM Vish Kannan notifications@github.com
wrote:
In runtime-config-linux.md
#290 (comment):@@ -503,3 +503,14 @@ Its value is either slave, private, or shared.
"rootfsPropagation": "slave",
+## No new privileges
+
+SettingnoNewPrivileges
to true prevents the processes in the container from gaining additional privileges.Should the default be true ?
—
Reply to this email directly or view it on GitHub
https://github.com/opencontainers/specs/pull/290/files#r50328023.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not?
On Wed, Jan 20, 2016 at 2:14 PM, Vincent Batts notifications@github.com
wrote:
In runtime-config-linux.md
#290 (comment):@@ -503,3 +503,14 @@ Its value is either slave, private, or shared.
"rootfsPropagation": "slave",
+## No new privileges
+
+SettingnoNewPrivileges
to true prevents the processes in the container from gaining additional privileges.nope
… <#1443586824_>
On Wed, Jan 20, 2016 at 5:11 PM Vish Kannan notifications@github.com
wrote: In runtime-config-linux.md <#290 (comment)
https://github.com/opencontainers/specs/pull/290#discussion_r50328023>:@@ -503,3 +503,14 @@ Its value is either slave, private, or shared. >
json > "rootfsPropagation": "slave", >
> + > +## No new privileges >
+Setting
noNewPrivileges
to true prevents the processes in the
container from gaining additional privileges. Should the default be true ?
— Reply to this email directly or view it on GitHub <
https://github.com/opencontainers/specs/pull/290/files#r50328023>.—
Reply to this email directly or view it on GitHub
https://github.com/opencontainers/specs/pull/290/files#r50328465.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Acknowledged.
LGTM |
Add NoNewPrivileges setting for linux
Thank you, LGTM On Wed, Jan 20, 2016 at 11:30 AM Mrunal Patel notifications@github.com
|
Brought to my attention in [1]. [1]: opencontainers/runtime-spec#290
This is a security setting that could be used to prevent processes in the
container from gaining additional privileges.
Signed-off-by: Mrunal Patel mrunalp@gmail.com