diff --git a/contributors/design-proposals/seccomp.md b/contributors/design-proposals/seccomp.md index 794e758cc22..6d477353419 100644 --- a/contributors/design-proposals/seccomp.md +++ b/contributors/design-proposals/seccomp.md @@ -1,3 +1,30 @@ +# Seccomp + +- [Abstract](#abstract) +- [Motivation](#motivation) +- [Constraints and Assumptions](#constraints-and-assumptions) +- [Use Cases](#use-cases) + * [Use Case: Administrator Access Control](#use-case--administrator-access-control) + * [Use Case: Seccomp profiles similar to container runtime defaults](#use-case--seccomp-profiles-similar-to-container-runtime-defaults) + * [Use Case: Applications that link to libseccomp](#use-case--applications-that-link-to-libseccomp) + * [Use Case: Custom profiles](#use-case--custom-profiles) +- [Community Work](#community-work) + * [Docker / OCI](#docker---oci) + * [rkt / appcontainers](#rkt---appcontainers) + * [HyperContainer](#hypercontainer) + * [lxd](#lxd) + * [Other platforms and seccomp-like capabilities](#other-platforms-and-seccomp-like-capabilities) +- [Proposed Design](#proposed-design) + * [Seccomp API Resource?](#seccomp-api-resource-) + * [Pod Security Policy annotation](#pod-security-policy-annotation) + * [Spec](#spec) + * [Default Profile](#default-profile) + + [Various Syscalls Not Allowed](#various-syscalls-not-allowed) + + [Default Behavior](#default-behavior) +- [Examples](#examples) + * [Unconfined profile](#unconfined-profile) + * [Custom profile](#custom-profile) + ## Abstract A proposal for adding **alpha** support for @@ -28,6 +55,7 @@ This design should: * be container-runtime agnostic * allow use of custom profiles * facilitate containerized applications that link directly to libseccomp +* enable a default seccomp profile for containers ## Use Cases @@ -40,14 +68,16 @@ This design should: unmediated by Kubernetes 4. As a user, I want to be able to use a custom seccomp profile and use it with my containers +5. As a user and administrator I want kubernetes to apply a sane default + seccomp profile to containers unless I otherwise specify. -### Use Case: Administrator access control +### Use Case: Administrator Access Control Controlling access to seccomp profiles is a cluster administrator concern. It should be possible for an administrator to control which users have access to which profiles. -The [pod security policy](https://github.com/kubernetes/kubernetes/pull/7893) +The [Pod Security Policy](https://github.com/kubernetes/kubernetes/pull/7893) API extension governs the ability of users to make requests that affect pod and container security contexts. The proposed design should deal with required changes to control access to new functionality. @@ -101,9 +131,7 @@ implement a sandbox for user-provided code, such as ## Community Work -### Container runtime support for seccomp - -#### Docker / opencontainers +### Docker / OCI Docker supports the open container initiative's API for seccomp, which is very close to the libseccomp API. It allows full @@ -112,14 +140,21 @@ specification of seccomp filters, with arguments, operators, and actions. Docker allows the specification of a single seccomp filter. There are community requests for: -Issues: - * [docker/22109](https://github.com/docker/docker/issues/22109): composable seccomp filters * [docker/21105](https://github.com/docker/docker/issues/22105): custom seccomp filters for builds -#### rkt / appcontainers +Implementation details: + +* [docker/17989](https://github.com/moby/moby/pull/17989): initial + implementation +* [docker/18780](https://github.com/moby/moby/pull/18780): default blacklist + profile +* [docker/18979](https://github.com/moby/moby/pull/18979): default whitelist + profile + +### rkt / appcontainers The `rkt` runtime delegates to systemd for seccomp support; there is an open issue to add support once `appc` supports it. The `appc` project has an open @@ -133,16 +168,11 @@ Issues: * [appc/529](https://github.com/appc/spec/issues/529) * [rkt/1614](https://github.com/coreos/rkt/issues/1614) -#### HyperContainer +### HyperContainer [HyperContainer](https://hypercontainer.io) does not support seccomp. -### Other platforms and seccomp-like capabilities - -FreeBSD has a seccomp/capability-like facility called -[Capsicum](https://www.freebsd.org/cgi/man.cgi?query=capsicum&sektion=4). - -#### lxd +### lxd [`lxd`](http://www.ubuntu.com/cloud/lxd) constrains containers using a default profile. @@ -150,6 +180,12 @@ Issues: * [lxd/1084](https://github.com/lxc/lxd/issues/1084): add knobs for seccomp +### Other platforms and seccomp-like capabilities + +FreeBSD has a seccomp/capability-like facility called +[Capsicum](https://www.freebsd.org/cgi/man.cgi?query=capsicum&sektion=4). + + ## Proposed Design ### Seccomp API Resource? @@ -168,8 +204,6 @@ Instead of implementing a new API resource, we propose that pods be able to reference seccomp profiles by name. Since this is an alpha feature, we will use annotations instead of extending the API with new fields. -### API changes? - In the alpha version of this feature we will use annotations to store the names of seccomp profiles. The keys will be: @@ -214,6 +248,192 @@ profiles using the key `seccomp.security.alpha.kubernetes.io/allowedProfileNames`. The value of this key should be a comma delimited list. +### Spec + +We will start from the OCI specification. This API resource will be added to +`settings.k8s.io` as an `alpha` resource. + +``` +// Seccomp represents syscall restrictions +type Seccomp struct { + unversioned.TypeMeta + ObjectMeta + + // +optional + Spec SeccompSpec +} + +// SeccompSpec represents the spec for syscall restrictions +type SeccompSpec struct { + DefaultAction Action `json:"defaultAction"` + Architectures []Arch `json:"architectures,omitempty"` + Syscalls []Syscall `json:"syscalls,omitempty"` +} + +// Arch used for additional architectures +type Arch string + +// Additional architectures permitted to be used for system calls +// By default only the native architecture of the kernel is permitted +const ( + ArchX86 Arch = "SCMP_ARCH_X86" + ArchX86_64 Arch = "SCMP_ARCH_X86_64" + ArchX32 Arch = "SCMP_ARCH_X32" + ArchARM Arch = "SCMP_ARCH_ARM" + ArchAARCH64 Arch = "SCMP_ARCH_AARCH64" + ArchMIPS Arch = "SCMP_ARCH_MIPS" + ArchMIPS64 Arch = "SCMP_ARCH_MIPS64" + ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32" + ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL" + ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64" + ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32" + ArchPPC Arch = "SCMP_ARCH_PPC" + ArchPPC64 Arch = "SCMP_ARCH_PPC64" + ArchPPC64LE Arch = "SCMP_ARCH_PPC64LE" + ArchS390 Arch = "SCMP_ARCH_S390" + ArchS390X Arch = "SCMP_ARCH_S390X" + ArchPARISC Arch = "SCMP_ARCH_PARISC" + ArchPARISC64 Arch = "SCMP_ARCH_PARISC64" +) + +// SeccompAction taken upon Seccomp rule match +type SeccompAction string + +// Define actions for Seccomp rules +const ( + ActKill SeccompAction = "SCMP_ACT_KILL" + ActTrap SeccompAction = "SCMP_ACT_TRAP" + ActErrno SeccompAction = "SCMP_ACT_ERRNO" + ActTrace SeccompAction = "SCMP_ACT_TRACE" + ActAllow SeccompAction = "SCMP_ACT_ALLOW" +) + +// SeccompOperator used to match syscall arguments in Seccomp +type SeccompOperator string + +// Define operators for syscall arguments in Seccomp +const ( + OpNotEqual SeccompOperator = "SCMP_CMP_NE" + OpLessThan SeccompOperator = "SCMP_CMP_LT" + OpLessEqual SeccompOperator = "SCMP_CMP_LE" + OpEqualTo SeccompOperator = "SCMP_CMP_EQ" + OpGreaterEqual SeccompOperator = "SCMP_CMP_GE" + OpGreaterThan SeccompOperator = "SCMP_CMP_GT" + OpMaskedEqual SeccompOperator = "SCMP_CMP_MASKED_EQ" +) + +// SeccompArg used for matching specific syscall arguments in Seccomp +type SeccompArg struct { + Index uint `json:"index"` + Value uint64 `json:"value"` + ValueTwo uint64 `json:"valueTwo"` + Op SeccompOperator `json:"op"` +} + +// Syscall is used to match a syscall in Seccomp +type Syscall struct { + Names []string `json:"names"` + Action SeccompAction `json:"action"` + Args []SeccompArg `json:"args,omitempty"` +} +``` + +### Default Profile + +We will create our own default seccomp profile that uses the above spec +for containers and use the set of syscalls from the docker default profile +as the initial base. Having our own will allow us to control and +restrict different syscalls in the future. + +#### Various Syscalls Not Allowed + +Below includes a table of some of the syscalls we will not allow in our +whitelist and why. It does not include all the syscalls but merely some +important ones. Most of this was taken from the +[original pull request](https://github.com/moby/moby/pull/19059) to Docker +for the default profile. + +| Syscall | Description | +|---------------------|---------------------------------------------------------------------------------------------------------------------------------------| +| `acct` | Accounting syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_PACCT`. | +| `add_key` | Prevent containers from using the kernel keyring, which is not namespaced. | +| `adjtimex` | Similar to `clock_settime` and `settimeofday`, time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | +| `bpf` | Deny loading potentially persistent bpf programs into kernel, already gated by `CAP_SYS_ADMIN`. | +| `clock_adjtime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | +| `clock_settime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | +| `clone` | Deny cloning new namespaces. Also gated by `CAP_SYS_ADMIN` for CLONE_* flags, except `CLONE_USERNS`. | +| `create_module` | Deny manipulation and functions on kernel modules. Obsolete. Also gated by `CAP_SYS_MODULE`. | +| `delete_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. | +| `finit_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. | +| `get_kernel_syms` | Deny retrieval of exported kernel and module symbols. Obsolete. | +| `get_mempolicy` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. | +| `init_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. | +| `ioperm` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. | +| `iopl` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. | +| `kcmp` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | +| `kexec_file_load` | Sister syscall of `kexec_load` that does the same thing, slightly different arguments. Also gated by `CAP_SYS_BOOT`. | +| `kexec_load` | Deny loading a new kernel for later execution. Also gated by `CAP_SYS_BOOT`. | +| `keyctl` | Prevent containers from using the kernel keyring, which is not namespaced. | +| `lookup_dcookie` | Tracing/profiling syscall, which could leak a lot of information on the host. Also gated by `CAP_SYS_ADMIN`. | +| `mbind` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. | +| `mount` | Deny mounting, already gated by `CAP_SYS_ADMIN`. | +| `move_pages` | Syscall that modifies kernel memory and NUMA settings. | +| `name_to_handle_at` | Sister syscall to `open_by_handle_at`. Already gated by `CAP_SYS_NICE`. | +| `nfsservctl` | Deny interaction with the kernel nfs daemon. Obsolete since Linux 3.1. | +| `open_by_handle_at` | Cause of an old container breakout. Also gated by `CAP_DAC_READ_SEARCH`. | +| `perf_event_open` | Tracing/profiling syscall, which could leak a lot of information on the host. | +| `personality` | Prevent container from enabling BSD emulation. Not inherently dangerous, but poorly tested, potential for a lot of kernel vulns. | +| `pivot_root` | Deny `pivot_root`, should be privileged operation. | +| `process_vm_readv` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | +| `process_vm_writev` | Restrict process inspection capabilities, already blocked by dropping `CAP_PTRACE`. | +| `ptrace` | Tracing/profiling syscall, which could leak a lot of information on the host. Already blocked by dropping `CAP_PTRACE`. | +| `query_module` | Deny manipulation and functions on kernel modules. Obsolete. | +| `quotactl` | Quota syscall which could let containers disable their own resource limits or process accounting. Also gated by `CAP_SYS_ADMIN`. | +| `reboot` | Don't let containers reboot the host. Also gated by `CAP_SYS_BOOT`. | +| `request_key` | Prevent containers from using the kernel keyring, which is not namespaced. | +| `set_mempolicy` | Syscall that modifies kernel memory and NUMA settings. Already gated by `CAP_SYS_NICE`. | +| `setns` | Deny associating a thread with a namespace. Also gated by `CAP_SYS_ADMIN`. | +| `settimeofday` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. +| `socket`, `socketcall` | Used to send or receive packets and for other socket operations. All `socket` and `socketcall` calls are blocked except communication domains `AF_UNIX`, `AF_INET`, `AF_INET6`, `AF_NETLINK`, and `AF_PACKET`. | +| `stime` | Time/date is not namespaced. Also gated by `CAP_SYS_TIME`. | +| `swapon` | Deny start/stop swapping to file/device. Also gated by `CAP_SYS_ADMIN`. | +| `swapoff` | Deny start/stop swapping to file/device. Also gated by `CAP_SYS_ADMIN`. | +| `sysfs` | Obsolete syscall. | +| `_sysctl` | Obsolete, replaced by /proc/sys. | +| `umount` | Should be a privileged operation. Also gated by `CAP_SYS_ADMIN`. | +| `umount2` | Should be a privileged operation. Also gated by `CAP_SYS_ADMIN`. | +| `unshare` | Deny cloning new namespaces for processes. Also gated by `CAP_SYS_ADMIN`, with the exception of `unshare --user`. | +| `uselib` | Older syscall related to shared libraries, unused for a long time. | +| `userfaultfd` | Userspace page fault handling, largely needed for process migration. | +| `ustat` | Obsolete syscall. | +| `vm86` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. | +| `vm86old` | In kernel x86 real mode virtual machine. Also gated by `CAP_SYS_ADMIN`. | + +#### Default Behavior + +For `privileged` containers, no default seccomp profile will be used unless +explicitly requested by the user via annotations. + +If `capAdd` is used on a Container, the default profile will be adjusted to +interact accordingly with the capability added. These are documented below in +a table by the cap being added: + +| Capability | Syscalls Allowed | +|----------------------|--------------------------------------------------------------| +| `CAP_CHOWN` | chown, chown32, fchown, fchown32, fchownat, lchown, lchown32 | +| `CAP_DAC_READ_SEARCH`| open_by_handle_at | +| `CAP_IPC_LOCK` | mlock, mlock2, mlockall | +| `CAP_SYS_ADMIN` | name_to_handle_at, bpf, clone, fanotify_init, lookup_dcookie, mount, perf_event_open, setdomainname, sethostname, setns, umount, umount2, unshare | +| `CAP_SYS_BOOT` | reboot | +| `CAP_SYS_CHROOT` | chroot | +| `CAP_SYS_MODULE` | delete_module, init_module, finit_module, query_module | +| `CAP_SYS_PACCT` | acct | +| `CAP_SYS_PTRACE` | kcmp, process_vm_readv, process_vm_writev, ptrace | +| `CAP_SYS_RAWIO` | iopl, ioperm | +| `CAP_SYS_TIME` | settimeofday, stime, adjtimex, clock_settime | +| `CAP_SYS_TTY_CONFIG` | vhangup | + + ## Examples ### Unconfined profile @@ -260,7 +480,3 @@ spec: - name: test-volume emptyDir: {} ``` - - -[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/design/seccomp.md?pixel)]() -