authorSmruti Soumitra Khuntia <sk698p@att.com>2018-10-10 19:03:35 +0530
committerSmruti Soumitra Khuntia <sk698p@att.com>2018-10-16 11:17:25 +0000
commit1e43bdcbc6a1d7828d445f7093c2df4b82d9d00c (patch)
treeb4e5ef91d3761d2ba8f411b6e6b602c60a26068d
parent1e14112a74981278989a7a35fc5d773cc3b661b2 (diff)
Delivery of default seccomp Profile on each Host on site deployment
- A new schema for a Deckhand document that contains a default seccomp profile. - A seccomp profile document that creates the default seccomp profile file under the defined seccomp profile root. - A bootaction that puts the default seccomp profile in place. - Modified Kubelet config to pass the seccomp profile root directory path. Similar changes in Airship-Treasuremap: https://review.openstack.org/#/c/602532/ Change-Id: Ia3a5f10abd88f7e20b3594ccde68d03535ef60cf
Notes
Notes (review): Code-Review+2: Bryan Strassner <bryan.strassner@gmail.com> Code-Review+2: Matt McEuen <matt.mceuen@att.com> Workflow+1: Matt McEuen <matt.mceuen@att.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 17 Oct 2018 18:24:12 +0000 Reviewed-on: https://review.openstack.org/609408 Project: openstack/airship-in-a-bottle Branch: refs/heads/master
-rw-r--r--deployment_files/global/v1.0demo/baremetal/bootactions/seccomp-profiles.yaml31
-rw-r--r--deployment_files/global/v1.0demo/profiles/security/seccomp_default.yaml787
-rw-r--r--deployment_files/global/v1.0demo/schemas/pegleg/SeccompProfile/v1.yaml19
-rw-r--r--deployment_files/global/v1.0demo/software/config/Kubelet.yaml8
4 files changed, 845 insertions, 0 deletions
diff --git a/deployment_files/global/v1.0demo/baremetal/bootactions/seccomp-profiles.yaml b/deployment_files/global/v1.0demo/baremetal/bootactions/seccomp-profiles.yaml
new file mode 100644
index 0000000..70bd781
--- /dev/null
+++ b/deployment_files/global/v1.0demo/baremetal/bootactions/seccomp-profiles.yaml
@@ -0,0 +1,31 @@
1---
2schema: 'drydock/BootAction/v1'
3metadata:
4 schema: 'metadata/Document/v1'
5 name: seccomp-profiles
6 storagePolicy: 'cleartext'
7 layeringDefinition:
8 abstract: false
9 layer: global
10 substitutions:
11 - src:
12 schema: pegleg/SeccompProfile/v1
13 name: seccomp-default
14 path: .savePath
15 dest:
16 path: .assets[0].path
17 - src:
18 schema: pegleg/SeccompProfile/v1
19 name: seccomp-default
20 path: .content
21 dest:
22 path: .assets[0].data
23
24data:
25 signaling: false
26 assets:
27 - type: file
28 permissions: '600'
29 data_pipeline:
30 - utf8_decode
31...
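Review bot: The single asset at the end of the `data:` stanza declares only `type`, `permissions` and `data_pipeline`; its `path` and `data` keys exist solely because the two substitutions above inject them (`.assets[0].path` from `.savePath`, `.assets[0].data` from `.content`), so a reader of the asset sees neither a destination nor anything to write. Make that dependency explicit with a comment above the asset entry, e.g. `# path and data are filled by the substitutions from pegleg/SeccompProfile/v1 (savePath, content)`. Whether drydock creates the parent directory named by `seccompDirPath` before writing the file is not visible here; if it does not, the profile would be missing when kubelet starts with that directory as its profile root, which is worth confirming. The quoted `'600'` mode is correct as written (an unquoted value would be read as an integer), and root-only read access is adequate since kubelet is the only consumer.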
diff --git a/deployment_files/global/v1.0demo/profiles/security/seccomp_default.yaml b/deployment_files/global/v1.0demo/profiles/security/seccomp_default.yaml
new file mode 100644
index 0000000..2ff6a7f
--- /dev/null
+++ b/deployment_files/global/v1.0demo/profiles/security/seccomp_default.yaml
@@ -0,0 +1,787 @@
1---
2# The data content of this file is referred from the Moby project as
3# mentioned in the link below:
4# https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
5schema: 'pegleg/SeccompProfile/v1'
6metadata:
7 schema: 'metadata/Document/v1'
8 name: seccomp-default
9 storagePolicy: 'cleartext'
10 layeringDefinition:
11 abstract: false
12 layer: global
13data:
14 # Path for seccomp profile root directory.
15 seccompDirPath: /var/lib/kubelet/seccomp
16 # Path to save seccomp profile as file.
17 # This should be same as seccompDirPath with file name.
18 savePath: /var/lib/kubelet/seccomp/seccomp_default
19 # Content of default seccomp profile file.
20 content: |
21 {
22 "defaultAction": "SCMP_ACT_ERRNO",
23 "archMap": [
24 {
25 "architecture": "SCMP_ARCH_X86_64",
26 "subArchitectures": [
27 "SCMP_ARCH_X86",
28 "SCMP_ARCH_X32"
29 ]
30 },
31 {
32 "architecture": "SCMP_ARCH_AARCH64",
33 "subArchitectures": [
34 "SCMP_ARCH_ARM"
35 ]
36 },
37 {
38 "architecture": "SCMP_ARCH_MIPS64",
39 "subArchitectures": [
40 "SCMP_ARCH_MIPS",
41 "SCMP_ARCH_MIPS64N32"
42 ]
43 },
44 {
45 "architecture": "SCMP_ARCH_MIPS64N32",
46 "subArchitectures": [
47 "SCMP_ARCH_MIPS",
48 "SCMP_ARCH_MIPS64"
49 ]
50 },
51 {
52 "architecture": "SCMP_ARCH_MIPSEL64",
53 "subArchitectures": [
54 "SCMP_ARCH_MIPSEL",
55 "SCMP_ARCH_MIPSEL64N32"
56 ]
57 },
58 {
59 "architecture": "SCMP_ARCH_MIPSEL64N32",
60 "subArchitectures": [
61 "SCMP_ARCH_MIPSEL",
62 "SCMP_ARCH_MIPSEL64"
63 ]
64 },
65 {
66 "architecture": "SCMP_ARCH_S390X",
67 "subArchitectures": [
68 "SCMP_ARCH_S390"
69 ]
70 }
71 ],
72 "syscalls": [
73 {
74 "names": [
75 "accept",
76 "accept4",
77 "access",
78 "adjtimex",
79 "alarm",
80 "bind",
81 "brk",
82 "capget",
83 "capset",
84 "chdir",
85 "chmod",
86 "chown",
87 "chown32",
88 "clock_getres",
89 "clock_gettime",
90 "clock_nanosleep",
91 "close",
92 "connect",
93 "copy_file_range",
94 "creat",
95 "dup",
96 "dup2",
97 "dup3",
98 "epoll_create",
99 "epoll_create1",
100 "epoll_ctl",
101 "epoll_ctl_old",
102 "epoll_pwait",
103 "epoll_wait",
104 "epoll_wait_old",
105 "eventfd",
106 "eventfd2",
107 "execve",
108 "execveat",
109 "exit",
110 "exit_group",
111 "faccessat",
112 "fadvise64",
113 "fadvise64_64",
114 "fallocate",
115 "fanotify_mark",
116 "fchdir",
117 "fchmod",
118 "fchmodat",
119 "fchown",
120 "fchown32",
121 "fchownat",
122 "fcntl",
123 "fcntl64",
124 "fdatasync",
125 "fgetxattr",
126 "flistxattr",
127 "flock",
128 "fork",
129 "fremovexattr",
130 "fsetxattr",
131 "fstat",
132 "fstat64",
133 "fstatat64",
134 "fstatfs",
135 "fstatfs64",
136 "fsync",
137 "ftruncate",
138 "ftruncate64",
139 "futex",
140 "futimesat",
141 "getcpu",
142 "getcwd",
143 "getdents",
144 "getdents64",
145 "getegid",
146 "getegid32",
147 "geteuid",
148 "geteuid32",
149 "getgid",
150 "getgid32",
151 "getgroups",
152 "getgroups32",
153 "getitimer",
154 "getpeername",
155 "getpgid",
156 "getpgrp",
157 "getpid",
158 "getppid",
159 "getpriority",
160 "getrandom",
161 "getresgid",
162 "getresgid32",
163 "getresuid",
164 "getresuid32",
165 "getrlimit",
166 "get_robust_list",
167 "getrusage",
168 "getsid",
169 "getsockname",
170 "getsockopt",
171 "get_thread_area",
172 "gettid",
173 "gettimeofday",
174 "getuid",
175 "getuid32",
176 "getxattr",
177 "inotify_add_watch",
178 "inotify_init",
179 "inotify_init1",
180 "inotify_rm_watch",
181 "io_cancel",
182 "ioctl",
183 "io_destroy",
184 "io_getevents",
185 "ioprio_get",
186 "ioprio_set",
187 "io_setup",
188 "io_submit",
189 "ipc",
190 "kill",
191 "lchown",
192 "lchown32",
193 "lgetxattr",
194 "link",
195 "linkat",
196 "listen",
197 "listxattr",
198 "llistxattr",
199 "_llseek",
200 "lremovexattr",
201 "lseek",
202 "lsetxattr",
203 "lstat",
204 "lstat64",
205 "madvise",
206 "memfd_create",
207 "mincore",
208 "mkdir",
209 "mkdirat",
210 "mknod",
211 "mknodat",
212 "mlock",
213 "mlock2",
214 "mlockall",
215 "mmap",
216 "mmap2",
217 "mprotect",
218 "mq_getsetattr",
219 "mq_notify",
220 "mq_open",
221 "mq_timedreceive",
222 "mq_timedsend",
223 "mq_unlink",
224 "mremap",
225 "msgctl",
226 "msgget",
227 "msgrcv",
228 "msgsnd",
229 "msync",
230 "munlock",
231 "munlockall",
232 "munmap",
233 "nanosleep",
234 "newfstatat",
235 "_newselect",
236 "open",
237 "openat",
238 "pause",
239 "pipe",
240 "pipe2",
241 "poll",
242 "ppoll",
243 "prctl",
244 "pread64",
245 "preadv",
246 "preadv2",
247 "prlimit64",
248 "pselect6",
249 "pwrite64",
250 "pwritev",
251 "pwritev2",
252 "read",
253 "readahead",
254 "readlink",
255 "readlinkat",
256 "readv",
257 "recv",
258 "recvfrom",
259 "recvmmsg",
260 "recvmsg",
261 "remap_file_pages",
262 "removexattr",
263 "rename",
264 "renameat",
265 "renameat2",
266 "restart_syscall",
267 "rmdir",
268 "rt_sigaction",
269 "rt_sigpending",
270 "rt_sigprocmask",
271 "rt_sigqueueinfo",
272 "rt_sigreturn",
273 "rt_sigsuspend",
274 "rt_sigtimedwait",
275 "rt_tgsigqueueinfo",
276 "sched_getaffinity",
277 "sched_getattr",
278 "sched_getparam",
279 "sched_get_priority_max",
280 "sched_get_priority_min",
281 "sched_getscheduler",
282 "sched_rr_get_interval",
283 "sched_setaffinity",
284 "sched_setattr",
285 "sched_setparam",
286 "sched_setscheduler",
287 "sched_yield",
288 "seccomp",
289 "select",
290 "semctl",
291 "semget",
292 "semop",
293 "semtimedop",
294 "send",
295 "sendfile",
296 "sendfile64",
297 "sendmmsg",
298 "sendmsg",
299 "sendto",
300 "setfsgid",
301 "setfsgid32",
302 "setfsuid",
303 "setfsuid32",
304 "setgid",
305 "setgid32",
306 "setgroups",
307 "setgroups32",
308 "setitimer",
309 "setpgid",
310 "setpriority",
311 "setregid",
312 "setregid32",
313 "setresgid",
314 "setresgid32",
315 "setresuid",
316 "setresuid32",
317 "setreuid",
318 "setreuid32",
319 "setrlimit",
320 "set_robust_list",
321 "setsid",
322 "setsockopt",
323 "set_thread_area",
324 "set_tid_address",
325 "setuid",
326 "setuid32",
327 "setxattr",
328 "shmat",
329 "shmctl",
330 "shmdt",
331 "shmget",
332 "shutdown",
333 "sigaltstack",
334 "signalfd",
335 "signalfd4",
336 "sigreturn",
337 "socket",
338 "socketcall",
339 "socketpair",
340 "splice",
341 "stat",
342 "stat64",
343 "statfs",
344 "statfs64",
345 "statx",
346 "symlink",
347 "symlinkat",
348 "sync",
349 "sync_file_range",
350 "syncfs",
351 "sysinfo",
352 "syslog",
353 "tee",
354 "tgkill",
355 "time",
356 "timer_create",
357 "timer_delete",
358 "timerfd_create",
359 "timerfd_gettime",
360 "timerfd_settime",
361 "timer_getoverrun",
362 "timer_gettime",
363 "timer_settime",
364 "times",
365 "tkill",
366 "truncate",
367 "truncate64",
368 "ugetrlimit",
369 "umask",
370 "uname",
371 "unlink",
372 "unlinkat",
373 "utime",
374 "utimensat",
375 "utimes",
376 "vfork",
377 "vmsplice",
378 "wait4",
379 "waitid",
380 "waitpid",
381 "write",
382 "writev"
383 ],
384 "action": "SCMP_ACT_ALLOW",
385 "args": [],
386 "comment": "",
387 "includes": {},
388 "excludes": {}
389 },
390 {
391 "names": [
392 "personality"
393 ],
394 "action": "SCMP_ACT_ALLOW",
395 "args": [
396 {
397 "index": 0,
398 "value": 0,
399 "valueTwo": 0,
400 "op": "SCMP_CMP_EQ"
401 }
402 ],
403 "comment": "",
404 "includes": {},
405 "excludes": {}
406 },
407 {
408 "names": [
409 "personality"
410 ],
411 "action": "SCMP_ACT_ALLOW",
412 "args": [
413 {
414 "index": 0,
415 "value": 8,
416 "valueTwo": 0,
417 "op": "SCMP_CMP_EQ"
418 }
419 ],
420 "comment": "",
421 "includes": {},
422 "excludes": {}
423 },
424 {
425 "names": [
426 "personality"
427 ],
428 "action": "SCMP_ACT_ALLOW",
429 "args": [
430 {
431 "index": 0,
432 "value": 131072,
433 "valueTwo": 0,
434 "op": "SCMP_CMP_EQ"
435 }
436 ],
437 "comment": "",
438 "includes": {},
439 "excludes": {}
440 },
441 {
442 "names": [
443 "personality"
444 ],
445 "action": "SCMP_ACT_ALLOW",
446 "args": [
447 {
448 "index": 0,
449 "value": 131080,
450 "valueTwo": 0,
451 "op": "SCMP_CMP_EQ"
452 }
453 ],
454 "comment": "",
455 "includes": {},
456 "excludes": {}
457 },
458 {
459 "names": [
460 "personality"
461 ],
462 "action": "SCMP_ACT_ALLOW",
463 "args": [
464 {
465 "index": 0,
466 "value": 4294967295,
467 "valueTwo": 0,
468 "op": "SCMP_CMP_EQ"
469 }
470 ],
471 "comment": "",
472 "includes": {},
473 "excludes": {}
474 },
475 {
476 "names": [
477 "sync_file_range2"
478 ],
479 "action": "SCMP_ACT_ALLOW",
480 "args": [],
481 "comment": "",
482 "includes": {
483 "arches": [
484 "ppc64le"
485 ]
486 },
487 "excludes": {}
488 },
489 {
490 "names": [
491 "arm_fadvise64_64",
492 "arm_sync_file_range",
493 "sync_file_range2",
494 "breakpoint",
495 "cacheflush",
496 "set_tls"
497 ],
498 "action": "SCMP_ACT_ALLOW",
499 "args": [],
500 "comment": "",
501 "includes": {
502 "arches": [
503 "arm",
504 "arm64"
505 ]
506 },
507 "excludes": {}
508 },
509 {
510 "names": [
511 "arch_prctl"
512 ],
513 "action": "SCMP_ACT_ALLOW",
514 "args": [],
515 "comment": "",
516 "includes": {
517 "arches": [
518 "amd64",
519 "x32"
520 ]
521 },
522 "excludes": {}
523 },
524 {
525 "names": [
526 "modify_ldt"
527 ],
528 "action": "SCMP_ACT_ALLOW",
529 "args": [],
530 "comment": "",
531 "includes": {
532 "arches": [
533 "amd64",
534 "x32",
535 "x86"
536 ]
537 },
538 "excludes": {}
539 },
540 {
541 "names": [
542 "s390_pci_mmio_read",
543 "s390_pci_mmio_write",
544 "s390_runtime_instr"
545 ],
546 "action": "SCMP_ACT_ALLOW",
547 "args": [],
548 "comment": "",
549 "includes": {
550 "arches": [
551 "s390",
552 "s390x"
553 ]
554 },
555 "excludes": {}
556 },
557 {
558 "names": [
559 "open_by_handle_at"
560 ],
561 "action": "SCMP_ACT_ALLOW",
562 "args": [],
563 "comment": "",
564 "includes": {
565 "caps": [
566 "CAP_DAC_READ_SEARCH"
567 ]
568 },
569 "excludes": {}
570 },
571 {
572 "names": [
573 "bpf",
574 "clone",
575 "fanotify_init",
576 "lookup_dcookie",
577 "mount",
578 "name_to_handle_at",
579 "perf_event_open",
580 "quotactl",
581 "setdomainname",
582 "sethostname",
583 "setns",
584 "umount",
585 "umount2",
586 "unshare"
587 ],
588 "action": "SCMP_ACT_ALLOW",
589 "args": [],
590 "comment": "",
591 "includes": {
592 "caps": [
593 "CAP_SYS_ADMIN"
594 ]
595 },
596 "excludes": {}
597 },
598 {
599 "names": [
600 "clone"
601 ],
602 "action": "SCMP_ACT_ALLOW",
603 "args": [
604 {
605 "index": 0,
606 "value": 2080505856,
607 "valueTwo": 0,
608 "op": "SCMP_CMP_MASKED_EQ"
609 }
610 ],
611 "comment": "",
612 "includes": {},
613 "excludes": {
614 "caps": [
615 "CAP_SYS_ADMIN"
616 ],
617 "arches": [
618 "s390",
619 "s390x"
620 ]
621 }
622 },
623 {
624 "names": [
625 "clone"
626 ],
627 "action": "SCMP_ACT_ALLOW",
628 "args": [
629 {
630 "index": 1,
631 "value": 2080505856,
632 "valueTwo": 0,
633 "op": "SCMP_CMP_MASKED_EQ"
634 }
635 ],
636 "comment": "s390 parameter ordering for clone is different",
637 "includes": {
638 "arches": [
639 "s390",
640 "s390x"
641 ]
642 },
643 "excludes": {
644 "caps": [
645 "CAP_SYS_ADMIN"
646 ]
647 }
648 },
649 {
650 "names": [
651 "reboot"
652 ],
653 "action": "SCMP_ACT_ALLOW",
654 "args": [],
655 "comment": "",
656 "includes": {
657 "caps": [
658 "CAP_SYS_BOOT"
659 ]
660 },
661 "excludes": {}
662 },
663 {
664 "names": [
665 "chroot"
666 ],
667 "action": "SCMP_ACT_ALLOW",
668 "args": [],
669 "comment": "",
670 "includes": {
671 "caps": [
672 "CAP_SYS_CHROOT"
673 ]
674 },
675 "excludes": {}
676 },
677 {
678 "names": [
679 "delete_module",
680 "init_module",
681 "finit_module",
682 "query_module"
683 ],
684 "action": "SCMP_ACT_ALLOW",
685 "args": [],
686 "comment": "",
687 "includes": {
688 "caps": [
689 "CAP_SYS_MODULE"
690 ]
691 },
692 "excludes": {}
693 },
694 {
695 "names": [
696 "acct"
697 ],
698 "action": "SCMP_ACT_ALLOW",
699 "args": [],
700 "comment": "",
701 "includes": {
702 "caps": [
703 "CAP_SYS_PACCT"
704 ]
705 },
706 "excludes": {}
707 },
708 {
709 "names": [
710 "kcmp",
711 "process_vm_readv",
712 "process_vm_writev",
713 "ptrace"
714 ],
715 "action": "SCMP_ACT_ALLOW",
716 "args": [],
717 "comment": "",
718 "includes": {
719 "caps": [
720 "CAP_SYS_PTRACE"
721 ]
722 },
723 "excludes": {}
724 },
725 {
726 "names": [
727 "iopl",
728 "ioperm"
729 ],
730 "action": "SCMP_ACT_ALLOW",
731 "args": [],
732 "comment": "",
733 "includes": {
734 "caps": [
735 "CAP_SYS_RAWIO"
736 ]
737 },
738 "excludes": {}
739 },
740 {
741 "names": [
742 "settimeofday",
743 "stime",
744 "clock_settime"
745 ],
746 "action": "SCMP_ACT_ALLOW",
747 "args": [],
748 "comment": "",
749 "includes": {
750 "caps": [
751 "CAP_SYS_TIME"
752 ]
753 },
754 "excludes": {}
755 },
756 {
757 "names": [
758 "vhangup"
759 ],
760 "action": "SCMP_ACT_ALLOW",
761 "args": [],
762 "comment": "",
763 "includes": {
764 "caps": [
765 "CAP_SYS_TTY_CONFIG"
766 ]
767 },
768 "excludes": {}
769 },
770 {
771 "names": [
772 "get_mempolicy",
773 "mbind",
774 "set_mempolicy"
775 ],
776 "action": "SCMP_ACT_ALLOW",
777 "args": [],
778 "comment": "",
779 "includes": {
780 "caps": [
781 "CAP_SYS_NICE"
782 ]
783 },
784 "excludes": {}
785 }
786 ]
787 } \ No newline at end of file
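Review bot: The provenance comment at the top of the document points at `master` of moby's `default.json`, so nobody can later tell which upstream revision this ~700-line syscall allowlist was copied from, or diff it against upstream when syscalls are added or removed there. Pin the reference, e.g. `# Copied from https://github.com/moby/moby/blob/<moby-commit>/profiles/seccomp/default.json`, with the revision actually used in place of the placeholder. The `savePath` comment says it "should be" `seccompDirPath` plus a file name, but nothing in this document or in the schema enforces that; if the two drift, kubelet would look under the root directory for a profile that was written somewhere else, so stating next to `savePath` how workloads are expected to reference it (presumably `localhost/seccomp_default`) would help operators. The file also lacks a trailing newline; the `content: |` block scalar is unaffected, but every future diff of this file will carry the marker.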
diff --git a/deployment_files/global/v1.0demo/schemas/pegleg/SeccompProfile/v1.yaml b/deployment_files/global/v1.0demo/schemas/pegleg/SeccompProfile/v1.yaml
new file mode 100644
index 0000000..a2bd8c9
--- /dev/null
+++ b/deployment_files/global/v1.0demo/schemas/pegleg/SeccompProfile/v1.yaml
@@ -0,0 +1,19 @@
1---
2schema: 'deckhand/DataSchema/v1'
3metadata:
4 schema: metadata/Control/v1
5 name: pegleg/SeccompProfile/v1
6 labels:
7 application: pegleg
8data:
9 $schema: 'http://json-schema.org/schema#'
10 type: 'object'
11 additionalProperties: false
12 properties:
13 seccompDirPath:
14 type: 'string'
15 savePath:
16 type: 'string'
17 content:
18 type: 'string'
19 required: ['seccompDirPath', 'savePath', 'content']
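Review bot: The three properties are constrained only to `type: 'string'`, so an empty `savePath` or `content`, or a relative path, passes Deckhand validation and only fails later on the host, where the bootaction would write an empty or misplaced profile. Tighten the schema with `minLength: 1` on all three and an absolute-path `pattern` on the two path fields; `content` cannot be checked as JSON by JSON Schema, so a comment should state that it is only validated when kubelet loads the profile.
```yaml
  properties:
    seccompDirPath:
      type: 'string'
      minLength: 1
      pattern: '^/'
    savePath:
      type: 'string'
      minLength: 1
      pattern: '^/'
    # Raw profile JSON; not validated as JSON here, only when kubelet loads it.
    content:
      type: 'string'
      minLength: 1
  required: ['seccompDirPath', 'savePath', 'content']
```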
diff --git a/deployment_files/global/v1.0demo/software/config/Kubelet.yaml b/deployment_files/global/v1.0demo/software/config/Kubelet.yaml
index 89aac09..67612eb 100644
--- a/deployment_files/global/v1.0demo/software/config/Kubelet.yaml
+++ b/deployment_files/global/v1.0demo/software/config/Kubelet.yaml
@@ -14,6 +14,13 @@ metadata:
14 path: .images.kubernetes.pause 14 path: .images.kubernetes.pause
15 dest: 15 dest:
16 path: .images.pause 16 path: .images.pause
17 - src:
18 schema: pegleg/SeccompProfile/v1
19 name: seccomp-default
20 path: .seccompDirPath
21 dest:
22 path: .arguments[7]
23 pattern: SECCOMP_PROFILE_ROOT
17data: 24data:
18 arguments: 25 arguments:
19 - --cni-bin-dir=/opt/cni/bin 26 - --cni-bin-dir=/opt/cni/bin
@@ -23,3 +30,4 @@ data:
23 - --node-status-update-frequency=5s 30 - --node-status-update-frequency=5s
24 - --serialize-image-pulls=false 31 - --serialize-image-pulls=false
25 - --v=5 32 - --v=5
33 - --seccomp-profile-root=SECCOMP_PROFILE_ROOT
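Review bot: The new substitution targets `.arguments[7]` by position, while the value it must patch is the `--seccomp-profile-root=SECCOMP_PROFILE_ROOT` entry appended at the end of the list in the second hunk; any argument inserted above it shifts the index, and the `SECCOMP_PROFILE_ROOT` pattern would then be applied to a different flag (what Deckhand does when the pattern is absent from the target is not visible here). Add a comment on the substitution, `# index must track the position of --seccomp-profile-root in data.arguments`, or document that the seccomp argument must stay last. It is also worth noting in the document that `--seccomp-profile-root` only tells kubelet where `localhost/<name>` profiles live; nothing in this change makes pods use the profile, so a PodSecurityPolicy default or pod annotation referencing it is still needed for the profile to take effect. The `substitutions` list this entry belongs to starts outside the hunk.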