security entitlement support

Signed-off-by: Kunal Kushwaha <[email protected]>
moby · Aug 27, 2018 · 19a2961 · 19a2961
1 parent 5ea2f71
commit 19a2961
Show file tree

Hide file tree

Showing 15 changed files with 84 additions and 14 deletions.
diff --git a/api/services/control/control.proto b/api/services/control/control.proto
@@ -62,11 +62,7 @@ message SolveRequest {
 	string Frontend = 6;
 	map<string, string> FrontendAttrs = 7;
 	CacheOptions Cache = 8 [(gogoproto.nullable) = false];
-<<<<<<< af46188e9b3e8c78cfee8a223919498680276122
 	repeated string Entitlements = 9 [(gogoproto.customtype) = "github.com/moby/buildkit/util/entitlements.Entitlement" ];
-=======
-	repeated string Entitlements = 9 [(gogoproto.customtype) = "github.com/moby/buildkit/util/entitlements.Entitlement"];
->>>>>>> proto defination
 }
 
 message CacheOptions {

diff --git a/client/llb/exec.go b/client/llb/exec.go
@@ -18,6 +18,7 @@ type Meta struct {
 	ProxyEnv   *ProxyEnv
 	ExtraHosts []HostIP
 	Network    pb.NetMode
+	Security   pb.SecMode
 }
 
 func NewExecOp(root Output, meta Meta, readOnly bool, c Constraints) *ExecOp {
@@ -526,3 +527,8 @@ const (
 	NetModeHost    = pb.NetMode_HOST
 	NetModeNone    = pb.NetMode_NONE
 )
+
+const (
+	SecurityModeUnconfined = pb.SecMode_UNCONFINED
+	SecurityModeConfined   = pb.SecMode_CONFINED
+)
diff --git a/client/llb/meta.go b/client/llb/meta.go
@@ -21,6 +21,7 @@ var (
 	keyExtraHost = contextKeyT("llb.exec.extrahost")
 	keyPlatform  = contextKeyT("llb.platform")
 	keyNetwork   = contextKeyT("llb.network")
+	keySecurity  = contextKeyT("llb.security")
 )
 
 func addEnv(key, value string) StateOption {
@@ -152,7 +153,6 @@ func network(v pb.NetMode) StateOption {
 		return s.WithValue(keyNetwork, v)
 	}
 }
-
 func getNetwork(s State) pb.NetMode {
 	v := s.Value(keyNetwork)
 	if v != nil {
@@ -162,6 +162,20 @@ func getNetwork(s State) pb.NetMode {
 	return NetModeSandbox
 }
 
+func security(v pb.SecMode) StateOption {
+	return func(s State) State {
+		return s.WithValue(keySecurity, v)
+	}
+}
+func getSecurity(s State) pb.SecMode {
+	v := s.Value(keySecurity)
+	if v != nil {
+		n := v.(pb.SecMode)
+		return n
+	}
+	return SecurityModeConfined
+}
+
 type EnvList []KeyValue
 
 type KeyValue struct {

diff --git a/client/llb/state.go b/client/llb/state.go
@@ -189,6 +189,7 @@ func (s State) Run(ro ...RunOption) ExecState {
 		ProxyEnv:   ei.ProxyEnv,
 		ExtraHosts: getExtraHosts(ei.State),
 		Network:    getNetwork(ei.State),
+		Security:   getSecurity(ei.State),
 	}
 
 	exec := NewExecOp(s.Output(), meta, ei.ReadonlyRootFS, ei.Constraints)
@@ -257,6 +258,13 @@ func (s State) Network(n pb.NetMode) State {
 func (s State) GetNetwork() pb.NetMode {
 	return getNetwork(s)
 }
+func (s State) Security(n pb.SecMode) State {
+	return security(n)(s)
+}
+
+func (s State) GetSecurity() pb.SecMode {
+	return getSecurity(s)
+}
 
 func (s State) With(so ...StateOption) State {
 	for _, o := range so {

diff --git a/executor/containerdexecutor/executor.go b/executor/containerdexecutor/executor.go
@@ -105,9 +105,10 @@ func (w containerdExecutor) Exec(ctx context.Context, meta executor.Meta, root c
 	if meta.ReadonlyRootFS {
 		opts = append(opts, containerdoci.WithRootFSReadonly())
 	}
-	if system.SeccompSupported() {
+	if system.SeccompSupported() && meta.SecMode == pb.SecMode_UNCONFINED {
 		opts = append(opts, seccomp.WithDefaultProfile())
 	}
+
 	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, meta.NetMode == pb.NetMode_HOST, opts...)
 	if err != nil {
 		return err

diff --git a/executor/executor.go b/executor/executor.go
@@ -18,6 +18,7 @@ type Meta struct {
 	ReadonlyRootFS bool
 	ExtraHosts     []HostIP
 	NetMode        pb.NetMode
+	SecMode        pb.SecMode
 }
 
 type Mount struct {

diff --git a/executor/oci/spec_unix.go b/executor/oci/spec_unix.go
@@ -14,6 +14,7 @@ import (
 	"github.com/mitchellh/hashstructure"
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/util/entitlements"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 )
@@ -40,11 +41,13 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 	if err != nil {
 		return nil, nil, err
 	}
-	s.Process.Args = meta.Args
-	s.Process.Env = meta.Env
-	s.Process.Cwd = meta.Cwd
 
-	s.Mounts = GetMounts(ctx,
+	ociProfile := entitlements.NewOCIProfile(s, meta.SecMode.String())
+	ociProfile.OCI.Process.Args = meta.Args
+	ociProfile.OCI.Process.Env = meta.Env
+	ociProfile.OCI.Process.Cwd = meta.Cwd
+
+	ociProfile.OCI.Mounts = GetMounts(ctx,
 		withROBind(resolvConf, "/etc/resolv.conf"),
 		withROBind(hostsFile, "/etc/hosts"),
 	)
@@ -81,7 +84,7 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 				releaseAll()
 				return nil, nil, err
 			}
-			s.Mounts = append(s.Mounts, specs.Mount{
+			ociProfile.OCI.Mounts = append(ociProfile.OCI.Mounts, specs.Mount{
 				Destination: m.Dest,
 				Type:        mount.Type,
 				Source:      mount.Source,
@@ -90,7 +93,7 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 		}
 	}
 
-	return s, releaseAll, nil
+	return ociProfile.OCI, releaseAll, nil
 }
 
 type mountRef struct {

diff --git a/executor/runcexecutor/executor.go b/executor/runcexecutor/executor.go
@@ -129,6 +129,10 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.
 		}
 	}()
 
+	if meta.SecMode == pb.SecMode_UNCONFINED {
+		logrus.Info("enabling security.unconfined")
+	}
+
 	resolvConf, err := oci.GetResolvConf(ctx, w.root)
 	if err != nil {
 		return err

diff --git a/frontend/dockerfile/builder/build.go b/frontend/dockerfile/builder/build.go
@@ -266,6 +266,7 @@ func Build(ctx context.Context, c client.Client) (*client.Result, error) {
 					PrefixPlatform:   exportMap,
 					ExtraHosts:       extraHosts,
 					ForceNetMode:     defaultNetMode,
+					ForceSecMode:     defaultSecMode,
 				})
 
 				if err != nil {
@@ -471,3 +472,17 @@ func parseNetMode(v string) (pb.NetMode, error) {
 		return 0, errors.Errorf("invalid netmode %s", v)
 	}
 }
+
+func parseSecMode(v string) (pb.SecMode, error) {
+	if v == "" {
+		return llb.SecurityModeConfined, nil
+	}
+	switch v {
+	case "confined":
+		return llb.SecurityModeConfined, nil
+	case "unconfined":
+		return llb.SecurityModeUnconfined, nil
+	default:
+		return 0, errors.Errorf("invalid secmode %s", v)
+	}
+}
diff --git a/frontend/dockerfile/dockerfile2llb/convert.go b/frontend/dockerfile/dockerfile2llb/convert.go
@@ -55,6 +55,7 @@ type ConvertOpt struct {
 	PrefixPlatform   bool
 	ExtraHosts       []llb.HostIP
 	ForceNetMode     pb.NetMode
+	ForceSecMode     pb.SecMode
 }
 
 func Dockerfile2LLB(ctx context.Context, dt []byte, opt ConvertOpt) (*llb.State, *Image, error) {

diff --git a/solver/llbsolver/bridge.go b/solver/llbsolver/bridge.go
@@ -79,7 +79,6 @@ func (b *llbBridge) Solve(ctx context.Context, req frontend.SolveRequest) (res *
 		if err != nil {
 			return nil, err
 		}
-
 		edge, err := Load(req.Definition, ValidateEntitlements(ent), WithCacheSources(cms), RuntimePlatforms(b.platforms), WithValidateCaps())
 		if err != nil {
 			return nil, err

diff --git a/solver/llbsolver/ops/exec.go b/solver/llbsolver/ops/exec.go
@@ -528,6 +528,7 @@ func (e *execOp) Exec(ctx context.Context, inputs []solver.Result) ([]solver.Res
 		ReadonlyRootFS: readonlyRootFS,
 		ExtraHosts:     extraHosts,
 		NetMode:        e.op.Network,
+		SecMode:        e.op.Security,
 	}
 
 	if e.op.Meta.ProxyEnv != nil {

diff --git a/solver/llbsolver/solver.go b/solver/llbsolver/solver.go
@@ -269,13 +269,17 @@ func notifyCompleted(ctx context.Context, v *client.Vertex, err error, cached bo
 	pw.Write(v.Digest.String(), *v)
 }
 
-var AllowNetworkHostUnstable = false // TODO: enable in constructor
+var AllowNetworkHostUnstable = false        // TODO: enable in constructor
+var AllowSecurityUnconfinedUnstable = false // TODO: enable in constructor
 
 func supportedEntitlements() []entitlements.Entitlement {
 	out := []entitlements.Entitlement{} // nil means no filter
 	if AllowNetworkHostUnstable {
 		out = append(out, entitlements.EntitlementNetworkHost)
 	}
+	if AllowSecurityUnconfinedUnstable {
+		out = append(out, entitlements.EntitlementSecurityUnconfined)
+	}
 	return out
 }
 

diff --git a/solver/llbsolver/vertex.go b/solver/llbsolver/vertex.go
@@ -114,6 +114,16 @@ func ValidateEntitlements(ent entitlements.Set) LoadOpt {
 					return errors.Errorf("%s is not allowed", entitlements.EntitlementNetworkNone)
 				}
 			}
+			if op.Exec.Security == pb.SecMode_CONFINED {
+				if !ent.Allowed(entitlements.EntitlementSecurityConfined) {
+					return errors.Errorf("%s is not allowed", entitlements.EntitlementSecurityConfined)
+				}
+			}
+			if op.Exec.Security == pb.SecMode_UNCONFINED {
+				if !ent.Allowed(entitlements.EntitlementSecurityUnconfined) {
+					return errors.Errorf("%s is not allowed", entitlements.EntitlementSecurityUnconfined)
+				}
+			}
 		}
 		return nil
 	}

diff --git a/solver/pb/caps.go b/solver/pb/caps.go
@@ -33,6 +33,7 @@ const (
 	CapExecMetaBase          apicaps.CapID = "exec.meta.base"
 	CapExecMetaProxy         apicaps.CapID = "exec.meta.proxyenv"
 	CapExecMetaNetwork       apicaps.CapID = "exec.meta.network"
+	CapExecMetaSecurity      apicaps.CapID = "exec.meta.security"
 	CapExecMountBind         apicaps.CapID = "exec.mount.bind"
 	CapExecMountCache        apicaps.CapID = "exec.mount.cache"
 	CapExecMountCacheSharing apicaps.CapID = "exec.mount.cache.sharing"
@@ -169,6 +170,12 @@ func init() {
 		Status:  apicaps.CapStatusExperimental,
 	})
 
+	Caps.Init(apicaps.Cap{
+		ID:      CapExecMetaSecurity,
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
 	Caps.Init(apicaps.Cap{
 		ID:      CapExecMountBind,
 		Enabled: true,