Add NoNewPrivileges setting for linux #290
Conversation
| RootfsPropagation string `json:"rootfsPropagation,omitempty"` | ||
| // disableNewPrivileges controls whether additional privileges could be gained by processes in the container. | ||
| DisableNewPrivileges `json:"disableNewPrivileges,omitempty"` |
There was a problem hiding this comment.
Missing *bool? At some point I think we should land general specs for the:
Null and missing entries are valid JSON and mean “don't touch this”.
semantics . If we're not comfortable landing that generally, I think this PR needs docs about what runtimes should do if DisableNewPrivileges is null or unset in the JSON.
There was a problem hiding this comment.
My suggested generic wording for null/missing is here.
|
+1 to including this in the runtime, because setting it in the
container process before invoking the user-configured code is both
easier and safer (for runtime callers) than expecting bundle authors
to handle this themselves.
|
|
Should this just be a default in a runtime? |
|
|
||
| Setting `disableNewPrivileges` to true prevents the processes in the container from gaining additional privileges. | ||
| [The kernel doc](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) has more information on how this is achieved using a prctl system call. | ||
|
|
There was a problem hiding this comment.
give the line item information on it here (that it's a bool and whether required)
|
almost seems like it could be a default, but still likely that folks would want to opt-in to |
|
@crosbymichael @vbatts This tightens up the security but has some downsides if enabled by default. For e.g. ping won't work if your container doesn't already have the net_raw cap. So, I think opt-in might be better for this feature. |
|
Somewhat equivalent to docker run --cap-drop=all -u UID -g GID. I am trying to find if there is any other differences. So as @mrunalp says if you just ran Then tools like ping, chsh, traceroute etc could theoretically work. |
|
@rhatdan It does have an affect on how layered Seccomp filters are treated, so that would be one thing that your example doesn't cover. It would be nice to set this to be enabled by default, or at least note that passing a Seccomp configuration implies that it is enabled, given that it has a beneficial relationship with applications in a container that also use Seccomp. |
|
On Tue, Jan 05, 2016 at 11:12:38AM -0800, Daniel J Walsh wrote:
I don't think it's equivalent. The point of no_new_privs (as outlined Re, opt-in or opt-out, I think “least surprise” points to opt-in. |
|
|
||
| ## Disable new privileges | ||
|
|
||
| Setting `disableNewPrivileges` to true prevents the processes in the container from gaining additional privileges. |
There was a problem hiding this comment.
is there a reason to not call it noNewPrivileges so it matches the kernel version?
|
Why not have a generic prctl field? |
|
Any way we can get it in, I am all for. I am torn on the OptIn versus OptOut, OptIn will probably be required. The problem with OptIn, is as I have often said, almost no one ever increases the security. Most executers of containers using -u UID probably expect that the process inside of the container can not become a different UID or get any privileges. But they would need to understand, to get their expected behaviour they would need to do docker run --nonewpriv --cap-drop=all -u UID ... Note: --cap-=drop=all might not be needed above. Have --prctl=NO_NEW_PRIVS=1 might allow us to easily add additional prctl in the furture. |
|
On Wed, Jan 6, 2016 at 7:37 PM Daniel J Walsh notifications@github.com
|
|
Downside of using prctl is that not all prctl options make sense for run times. For e.g. There is one for making the parent a reaper but it doesn't make sense for all runtime to support that. Sent from my iPhone
|
|
We could however start with a whitelist of what options are supported. Sent from my iPhone
|
|
We have the same problem with --sysctl in that some sysctls are namespaced and some are not. Our pull requests are blocked because a user could shoot himself in the head. We have recently proposed a whitelist approach for runc to allow us to get --sysctl in. But bottom line, is I believe we need sysctl in and I believe we need NO_NEW_PRIV support, however we can get it in. One potential option from a docker point of view would be docker run --security-opt privs:NO_NEW_PRIV:1 Which would allow us to add a new security feature without messy-ing up the CLI, too much. |
|
Any other comments on this? prctl probably makes sense for runc, then we can argue about docker CLI. |
|
On Wed, Jan 13, 2016 at 06:55:15AM -0800, Daniel J Walsh wrote:
Yeah, I'm fine with a generic prctl setting. |
|
Negative on the generic prctl setting. That is super horrible api and is the first step going down a dark path of "syscall": [
[0,2,3,4,1,0]
] |
|
On Wed, Jan 13, 2016 at 10:22:10AM -0800, Michael Crosby wrote:
The problem with adding prctl wrappers (like disableNewPrivileges) one And yeah, you could do all of that with a generic syscall wrapper, |
|
I agree with @crosbymichael on this. NO_NEW_PRIVS is specific and closes a lot of holes around priviliege escalation and I think it makes sense to have switch for it. Do we have an example for any other prctl settings that make sense to be exposed as a counter argument? |
|
Some of the other prctl are interesting but they seem to be handled via capability handling and seccomp. I still think we could handle NO_NEW_PRIVS via SecurityOptions. |
|
On Wed, Jan 13, 2016 at 11:35:54AM -0800, Mrunal Patel wrote:
I'm currently hard-coding PR_SET_PDEATHSIG to SIGKILL in ccon, but |
| RootfsPropagation string `json:"rootfsPropagation,omitempty"` | ||
| // disableNewPrivileges controls whether additional privileges could be gained by processes in the container. |
There was a problem hiding this comment.
not sure if golint will ever be run, but I think it will want the comment to match the name (capital "D" for DisableNewPrivileges)
| RootfsPropagation string `json:"rootfsPropagation,omitempty"` | ||
| // disableNewPrivileges controls whether additional privileges could be gained by processes in the container. | ||
| DisableNewPrivileges *bool `json:"disableNewPrivileges,omitempty"` |
There was a problem hiding this comment.
If the system default false? If yes, then can we drop the * here?
There was a problem hiding this comment.
Yes. Removed the pointer.
mrunalp
changed the title
|
Renamed to NoNewPrivileges. PTAL. |
This is a security setting that could be used to prevent processes in the container from gaining additional privileges. Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
|
LGTM |
|
|
||
| ## No new privileges | ||
|
|
||
| Setting `noNewPrivileges` to true prevents the processes in the container from gaining additional privileges. |
There was a problem hiding this comment.
Should the default be true ?
There was a problem hiding this comment.
nope
On Wed, Jan 20, 2016 at 5:11 PM Vish Kannan notifications@github.com
wrote:
In runtime-config-linux.md
#290 (comment):@@ -503,3 +503,14 @@ Its value is either slave, private, or shared.
"rootfsPropagation": "slave",
+## No new privileges
+
+SettingnoNewPrivilegesto true prevents the processes in the container from gaining additional privileges.Should the default be true ?
—
Reply to this email directly or view it on GitHub
https://github.com/opencontainers/specs/pull/290/files#r50328023.
There was a problem hiding this comment.
Why not?
On Wed, Jan 20, 2016 at 2:14 PM, Vincent Batts notifications@github.com
wrote:
In runtime-config-linux.md
#290 (comment):@@ -503,3 +503,14 @@ Its value is either slave, private, or shared.
"rootfsPropagation": "slave",
+## No new privileges
+
+SettingnoNewPrivilegesto true prevents the processes in the container from gaining additional privileges.nope
… <#1443586824_>
On Wed, Jan 20, 2016 at 5:11 PM Vish Kannan notifications@github.com
wrote: In runtime-config-linux.md <#290 (comment)
https://github.com/opencontainers/specs/pull/290#discussion_r50328023>:@@ -503,3 +503,14 @@ Its value is either slave, private, or shared. >
json > "rootfsPropagation": "slave", >> + > +## No new privileges >
+Setting
noNewPrivilegesto true prevents the processes in the
container from gaining additional privileges. Should the default be true ?
— Reply to this email directly or view it on GitHub <
https://github.com/opencontainers/specs/pull/290/files#r50328023>.—
Reply to this email directly or view it on GitHub
https://github.com/opencontainers/specs/pull/290/files#r50328465.
There was a problem hiding this comment.
|
LGTM |
Add NoNewPrivileges setting for linux
|
Thank you, LGTM On Wed, Jan 20, 2016 at 11:30 AM Mrunal Patel notifications@github.com
|
Brought to my attention in [1]. [1]: opencontainers/runtime-spec#290
This is a security setting that could be used to prevent processes in the
container from gaining additional privileges.
Signed-off-by: Mrunal Patel mrunalp@gmail.com