Skip to content

Add security section #89

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
crosbymichael merged 2 commits into from
Aug 7, 2015
Merged

Add security section #89

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
af36d74
Add Apparmor, Selinux and Seccomp sections
mrunalp Jul 30, 2015
63d3d27
Add Apparmor, Selinux and Seccomp
mrunalp Jul 30, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 35 additions & 3 deletions config-linux.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,7 +143,7 @@ the container. For more information, see the [kernel cgroups documentation](http
## Linux capabilities

Capabilities is an array that specifies Linux capabilities that can be provided to the process
inside the container. Valid values are the string after `CAP_` for capabilities defined
inside the container. Valid values are the string after `CAP_` for capabilities defined
in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)

```json
Expand Down Expand Up @@ -208,7 +208,39 @@ rootfsPropagation sets the rootfs's mount propagation. Its value is either slave
"rootfsPropagation": "slave",
```

## Security
## Selinux process label

**TODO:** security profiles
Selinux process label specifies the label with which the processes in a container are run.
Copy link
Copy Markdown
Contributor

@wking wking Jul 30, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this would read easier as:

The SELinux label under which a container's processes are run.

For more information about SELinux, see [Selinux documentation](http://selinuxproject.org/page/Main_Page)
Copy link
Copy Markdown
Contributor

@wking wking Jul 30, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A more specific link would be nice. It might be obvious to SELinux users (I'm not one), but the main page didn't say anything about process labels.

```json
"selinuxProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675"
```

## Apparmor profile

Apparmor profile specifies the name of the apparmor profile that will be used for the container.
For more information about Apparmor, see [Apparmor documentation](https://wiki.ubuntu.com/AppArmor)

```json
"apparmorProfile": "acme_secure_profile"
```

## Seccomp

Seccomp provides application sandboxing mechanism in the Linux kernel.
Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows
matching on values passed as arguments to syscalls.
For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.

Copy link
Copy Markdown
Contributor

@lizf-os lizf-os Aug 6, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are two seccomp.h that are visible to users. One is exported by linux kernel and the other is defined by libseccomp. I think we should mention libseccomp?

```json
"seccomp": {
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"name": "getcwd",
"action": "SCMP_ACT_ERRNO"
}
]
}
```
33 changes: 33 additions & 0 deletions spec_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,12 @@ type Linux struct {
Capabilities []string `json:"capabilities"`
// Devices are a list of device nodes that are created and enabled for the container
Devices []Device `json:"devices"`
// ApparmorProfile specified the apparmor profile for the container.
ApparmorProfile string `json:"apparmorProfile"`
// SelinuxProcessLabel specifies the selinux context that the container process is run as.
SelinuxProcessLabel string `json:"selinuxProcessLabel"`
// Seccomp specifies the seccomp security settings for the container.
Seccomp Seccomp `json:"seccomp"`
// RootfsPropagation is the rootfs mount propagation mode for the container
RootfsPropagation string `json:"rootfsPropagation"`
}
Expand Down Expand Up @@ -178,3 +184,30 @@ type Device struct {
// Gid of the device.
GID uint32 `json:"gid"`
}

// Seccomp represents syscall restrictions
type Seccomp struct {
DefaultAction Action `json:"defaultAction"`
Syscalls []*Syscall `json:"syscalls"`
}

// Action taken upon Seccomp rule match
type Action string

// Operator used to match syscall arguments in Seccomp
type Operator string

// Arg used for matching specific syscall arguments in Seccomp
type Arg struct {
Index uint `json:"index"`
Value uint64 `json:"value"`
ValueTwo uint64 `json:"valueTwo"`
Op Operator `json:"op"`
}

// Syscall is used to match a syscall in Seccomp
type Syscall struct {
Name string `json:"name"`
Action Action `json:"action"`
Args []*Arg `json:"args"`
}