xds: ensure single L7 deny intention with default deny policy does no…

…t result in allow action (CVE-2021-36213)
hashicorp · Jul 15, 2021 · 06e36f2 · 06e36f2
1 parent 5880766
commit 06e36f2
Show file tree

Hide file tree

Showing 35 changed files with 1,493 additions and 4 deletions.
diff --git a/.changelog/10619.txt b/.changelog/10619.txt
@@ -0,0 +1,3 @@
+```release-note:security
+xds: ensure single L7 deny intention with default deny policy does not result in allow action [CVE-2021-36213](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36213)
+```
diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go
@@ -110,13 +110,34 @@ func removeIntentionPrecedence(rbacIxns []*rbacIntention, intentionDefaultAction
 	// between any two intentions.
 	rbacIxns = removeSourcePrecedence(rbacIxns, intentionDefaultAction)
 
+	numRetained := 0
 	for _, rbacIxn := range rbacIxns {
 		// Remove permission precedence. After this completes precedence
 		// doesn't matter between any two permissions on this intention.
 		rbacIxn.Permissions = removePermissionPrecedence(rbacIxn.Permissions, intentionDefaultAction)
+		if rbacIxn.Action == intentionActionLayer7 && len(rbacIxn.Permissions) == 0 {
+			// All of the permissions must have had the default action type and
+			// were removed. Mark this for removal below.
+			rbacIxn.Skip = true
+		} else {
+			numRetained++
+		}
 	}
 
-	return rbacIxns
+	if numRetained == len(rbacIxns) {
+		return rbacIxns
+	}
+
+	// We previously used the absence of permissions (above) as a signal to
+	// mark the entire intention for removal. Now do the deletions.
+	out := make([]*rbacIntention, 0, numRetained)
+	for _, rixn := range rbacIxns {
+		if !rixn.Skip {
+			out = append(out, rixn)
+		}
+	}
+
+	return out
 }
 
 func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction intentionAction) []*rbacPermission {
@@ -401,10 +422,14 @@ func makeRBACRules(intentions structs.Intentions, intentionDefaultAllow bool, is
 
 	var principalsL4 []*envoy_rbac_v3.Principal
 	for i, rbacIxn := range rbacIxns {
-		if len(rbacIxn.Permissions) > 0 {
+		if rbacIxn.Action == intentionActionLayer7 {
+			if len(rbacIxn.Permissions) == 0 {
+				panic("invalid state: L7 intention has no permissions")
+			}
 			if !isHTTP {
 				panic("invalid state: L7 permissions present for TCP service")
 			}
+
 			// For L7: we should generate one Policy per Principal and list all of the Permissions
 			policy := &envoy_rbac_v3.Policy{
 				Principals:  []*envoy_rbac_v3.Principal{rbacIxn.ComputedPrincipal},