Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use SELinux to restrict datastore modifications #917

Merged
merged 2 commits into from
Apr 23, 2020
Merged

use SELinux to restrict datastore modifications #917

merged 2 commits into from
Apr 23, 2020

Conversation

bcressey
Copy link
Contributor

Issue number:
#764

Description of changes:
Adds filesystem labels to the four components that we expect to modify the datastore. Extends the policy with rules to allow the transition to api_t and mutations for private_t objects.

Changes updog to store its cached repo metadata outside the reserved filesystem.

Testing done:
Tested aws-dev in a local VM and aws-k8s-1.15 in an EC2 instance. No SELinux denials observed.

Components had the expected label:

# find /usr/bin -context 'system_u:object_r:api_exec_t:s0'
/usr/bin/apiserver
/usr/bin/storewolf
/usr/bin/migrator
/usr/bin/early-boot-config

apiserver ran with the expected label:

$ cat /proc/$(pgrep apiserver)/attr/current
system_u:system_r:api_t:s0

updog worked and created the files in the expected path:

# updog check-update -a
aws-k8s-1.15 0.3.2
aws-k8s-1.15 0.3.1
aws-k8s-1.15 0.3.0

# ls -latrZ /var/cache/bottlerocket-metadata/
total 24
drwxr-xr-x. 3 root root system_u:object_r:local_t:s0 4096 Apr 22 21:01 ..
drwxr-xr-x. 2 root root system_u:object_r:local_t:s0 4096 Apr 22 21:01 .
-rw-r--r--. 1 root root system_u:object_r:local_t:s0 1279 Apr 22 21:02 timestamp.json
-rw-r--r--. 1 root root system_u:object_r:local_t:s0 1471 Apr 22 21:02 snapshot.json
-rw-r--r--. 1 root root system_u:object_r:local_t:s0 3497 Apr 22 21:02 targets.json
-rw-r--r--. 1 root root system_u:object_r:local_t:s0   32 Apr 22 21:02 latest_known_time.json

Policy blocked access from a different label:

# echo -n 'system_u:system_r:system_t:s0' > /proc/self/attr/current
# touch /var/lib/bottlerocket/stuff
[ 1090.055119] audit: type=1400 audit(1587590229.927:7): avc:  denied  { write } for  pid=13065 comm="touch" path="/var/lib/bottlerocket/stuff" dev=
"nvme0n1p10" ino=19 scontext=system_u:system_r:system_t:s0 tcontext=system_u:object_r:private_t:s0 tclass=file permissive=1

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

bcressey added 2 commits April 22, 2020 19:29
@bcressey
selinux-policy: add labels and rules for API subjects
da8b04b 
We expect most API interactions to be mediated by the API socket.

A few processes need to directly manipulate the datastore:
* apiserver, for regular interactions
* early-boot-config, to write its marker file
* migrator, when running migrations
* storewolf, during initial creation

Otherwise, only subjects with the break-glass `super_t` label are
allowed to modify these files and directories.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey
updog: move repo metadata cache to general storage
f513115 
We want to restrict the private filesystem to API processes only, and
updog does not have any current need to directly modify the datastore.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey bcressey requested review from tjkirch and jamieand April 22, 2020 21:21
tjkirch
tjkirch reviewed Apr 22, 2020
View reviewed changes
Copy link
Contributor

@tjkirch tjkirch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you be willing to do an upgrade (just to the same version) to make sure the full updog cycle is OK?

sources/updater/updog/src/main.rs Show resolved Hide resolved
packages/selinux-policy/fs.cil Show resolved Hide resolved
packages/selinux-policy/fs.cil Show resolved Hide resolved
@bcressey
Copy link
Contributor Author

Would you be willing to do an upgrade (just to the same version) to make sure the full updog cycle is OK?

I tested a downgrade from this build to v0.3.2, and confirmed the updog worked on both sides.

jamieand
jamieand approved these changes Apr 23, 2020
View reviewed changes
Copy link
Contributor

@jamieand jamieand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bcressey bcressey merged commit d274f69 into bottlerocket-os:develop Apr 23, 2020
@bcressey bcressey deleted the api-label branch April 23, 2020 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jamieand jamieand jamieand approved these changes

@tjkirch tjkirch tjkirch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bcressey @tjkirch @jamieand