Make SCC with less capabilities more restrictive. #14825
Conversation
|
Would appreciate comments about the logic change (namely the * 10000 change) before looking at test updates. |
|
Cc @simo5 @openshift/security |
pkg/security/scc/byrestrictions.go
Outdated
| return false | ||
| } | ||
|
|
||
| // capabilitiesPointValue returns a score based on the capabilities allowed, |
There was a problem hiding this comment.
Could you add more comments about why we need this and what was the logic behind the statements?
pkg/security/scc/byrestrictions.go
Outdated
| // capabilitiesPointValue returns a score based on the capabilities allowed, | ||
| // added, or removed by the SCC. | ||
| func capabilitiesPointValue(scc *kapi.SecurityContextConstraints) int { | ||
| points := 500 |
There was a problem hiding this comment.
Why we're using 500 as initial value and not 0?
There was a problem hiding this comment.
To be able to substract and not get below zero easily.
pkg/security/scc/byrestrictions.go
Outdated
| func capabilitiesPointValue(scc *kapi.SecurityContextConstraints) int { | ||
| points := 500 | ||
| points += 30 * len(scc.DefaultAddCapabilities) | ||
| if hasCap(kapi.CapabilityAll, scc.AllowedCapabilities) { |
There was a problem hiding this comment.
Add also checking for all (ALL).
pkg/security/scc/byrestrictions.go
Outdated
| } | ||
| points -= 50 * len(scc.RequiredDropCapabilities) | ||
| if (points > 1000) { | ||
| return 1000 |
There was a problem hiding this comment.
Why we're reducing value to 1000?
There was a problem hiding this comment.
The goal was not to interfere with the other logic ... but that caps us at 10000, not 1000, will fix.
pkg/security/scc/byrestrictions.go
Outdated
| return 1000 | ||
| } else if (points < 0) { | ||
| return 0 | ||
| } else { |
There was a problem hiding this comment.
Neat: we don't need last else block.
pkg/security/scc/byrestrictions.go
Outdated
| } else { | ||
| points += 10 * len(scc.AllowedCapabilities) | ||
| } | ||
| points -= 50 * len(scc.RequiredDropCapabilities) |
There was a problem hiding this comment.
Should we add a check for all/ALL value here?
|
Fixed the volumes logic, added tests, rebased on master -> aa30746. |
|
Addressed comments by @php-coder -> 03b8ccf. |
|
@liggitt fyi |
|
please hold for #14701 |
| scc := newSCC(false, kapi.SELinuxStrategyMustRunAs, kapi.RunAsUserStrategyMustRunAs) | ||
| scc.Volumes = []kapi.FSType{kapi.FSTypeHostPath} | ||
| actualPoints := pointValue(scc) | ||
| if actualPoints != 12 { //1 (SELinux) + 1 (User) + 10 (host path volume) | ||
| t.Errorf("volume score was not added to the scc point value correctly!") | ||
| if actualPoints != 125000 { //10000 (SELinux) + 10000 (User) + 100000 (host path volume) + 5000 capabilities |
There was a problem hiding this comment.
Having these magic numbers and comments with explanation what they means, make me thinking about extracting the constants. Maybe it's too much here. WDYT?
There was a problem hiding this comment.
I don't consider myself expert on Golang/OpenShift best practices to do that refactoring. If you do that for the original pkg/security/scc/byrestrictions.go, I'd certainly make my patch align with that approach.
There was a problem hiding this comment.
Ok, I've submitted #15116
|
Fixed the |
|
I'll turn it back over to @php-coder . Thanks for waiting on the structural change. |
|
I do not know enough about the SCC stuff to really comment here. All the magic numbers are really concerning :/ @pweil- @php-coder I will have to defer to your expertise. |
|
@php-coder, could we continue / finish the review? |
adelton
changed the title
openshift-merge-robot
removed
the
needs-rebase
|
Brought up-to-date with the |
|
/lgtm |
|
/assign @smarterclayton |
|
@pweil- could you please review and potentially approve instead of @smarterclayton? |
|
@eparis, could you please review and potentially approve instead of @smarterclayton? |
| capsPoints += capAddOnePoints * points(len(scc.DefaultAddCapabilities)) | ||
| if hasCap(string(securityapi.AllowAllCapabilities), scc.AllowedCapabilities) { | ||
| capsPoints += capAllowAllPoints | ||
| } else if hasCap("ALL", scc.AllowedCapabilities) { |
There was a problem hiding this comment.
is there going to be a sorting issue if all is used since we don't normalize to a case?
There was a problem hiding this comment.
We do normalize, hasCap calls ToUpper.
There was a problem hiding this comment.
ah, we do it in the search there but not the validation. Ok, disregard. Thanks
Should that test go to |
|
I'm fine with it in the |
They should be in |
My point is that we're testing not how |
|
Please see #15923 for the current order test. |
Awesome, thanks. Let's get that one merged then we can merge this one since we've proven it works as expected |
Automatic merge from submit-queue (batch tested with PRs 15923, 16172) Check the order of bootstrapped SCCs. Related to #14530 and #14825. Cc @simo5 @openshift/sig-security
|
Now, when #15923 was merged we can merge this one. @smarterclayton PTAL |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adelton, enj, php-coder The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
openshift-merge-robot
added
the
approved
|
I believe this has been discussed to death on IRC and BJ already. @php-coder @adelton I will let you guys handle the test updates. |
|
Automatic merge from submit-queue (batch tested with PRs 14825, 15756, 16178, 16188, 16189) |
Fixes #14530