security entitlement support

[kunalkushwaha]

This is just a rough draft for review of approach.
[edit] rebased with #560

What this PR includes:

• entitlement package based on libentitlement project.
• usage of entitlement package for setting security settings.
• rest of flow of passing information of entitlements based on PR solver: net host with basic entitlements support #560

[kunalkushwaha]

//cc @AkihiroSuda @tonistiigi

[tonistiigi]

I don't see a reason for copying code from libentitlement. It will be impossible to maintain it like this. It is unclear to me if there are any changes in that code. We should either use it directly(at least a fork if there are changes) or implement the unconfined mode manually without the help of these packages.

fyi @justincormack

[tonistiigi]

Add RunOption version as well.

[tonistiigi]

lets not add this yet. Can be a follow-up.

[tonistiigi]

Leave this to false or add the constructor initialization in this PR.

[tonistiigi]

Where is this validated? I think it is missing the condition in ValidateEntitlements()

[tonistiigi]

This seems to be always called (and why the double call) atm.

[kunalkushwaha]

other simple alternative could be, build unconfined secomp profile as on lines defaultProfile() defined in containerd and remove whole libentitlement code.

But at some point if more entitlements are required a sub library to define all entitlements will be easy to manage.

[kunalkushwaha]

The entitlements package from libentitlement is removed and replaced by a simple function based on defaultSecompProfile of containerd.
fb002f5#diff-20b4a13522a5dac1bba70cce7b8e4e44R14

This function is required to reviewed, if its fit for security.unconfined profile.

[tonistiigi]

This should add all caps, disable seccomp/apparmor completely (no seccompsupported check), remove maskpaths and readonly overrides and change sys mounts to rw.

[tonistiigi]

For the unconfied, we can just skip it and not set seccomp at all. For security.admin (future) we would use this profile.

[tonistiigi]

@kunalkushwaha Could you implement this as well so we can have an integration test or would you prefer that to be a follow-up? Something like buildkitd --allow-insecure-entitlement=foo.

[kunalkushwaha]

I am working on this, shall update the PR on Monday.

Facing issue while buildctl build --allow=security.unconfined is passed and security.confined is also set by default.

[kunalkushwaha]

Have updated the code with test case and buildkitd flags to enable unsecured entitlements like network.host and security.unconfined.

There is missing something for both network.host & security.unconfined, even from client or from code llb.Security(llb.Security(llb.SecurityModeUnconfined)) is enabled, the Executor always receive default values i.e. security.confined & network.host.

Also, why dispatchRun() is never invoked.
Please help on this.

[tonistiigi]

@kunalkushwaha The issue seems to be that you are not calling WithDefaultAdminProfile anywhere (should be WithUnconfinedSecurityProfile)

[tonistiigi]

Don't use these variables anymore. Instead, add them to a config array and pass to the solver constructor.

[tonistiigi]

@kunalkushwaha

[tonistiigi]

Add this to config and override with the flag.

[tonistiigi]

@kunalkushwaha

[tonistiigi]

SecurityMode

[tonistiigi]

This is still a limited list. For unconfined use all caps(different from security.admin).

[tonistiigi]

ping @kunalkushwaha

And no seccomp for unconfined.

[tonistiigi]

@kunalkushwaha Ping. Did my answer clear things up or did I miss anything?

[kunalkushwaha]

@tonistiigi Sorry for delay.
Yes its clear, was working on some other stuff so just got delayed. Will update the PR soon.

PS: I will be on leave for 2 weeks from tomorrow.

[AkihiroSuda]

@kunalkushwaha What's current status?

[kunalkushwaha]

@AkihiroSuda Sorry have not been able to resume work on this.. Shall start from Monday.

[kunalkushwaha]

Hi,
Sorry for delay in resuming the work.

I need some help in understanding how the entitlements can passed from client (buildctl build) workers of buildkitd

Current approach in this PR.

1. The entitlement information in passed with --allow flag e.g buildctl build --allow security.unconfined
2. store entitlements information in SolveOpt
3. This is further passed ControleClient SoleveRequest in function client.solve()
4. similar to step 3, the entitlements is passed to solver with frontend.SolveRequest
5. Problem arises here, when llbbridge.Solve() passes only frontendOpt of SolveRequest

• When control comes to frontend/builder/build.Build() via GatewayForwarder.Solve the options passed from client can be retrieved through BuildOpts() i.e. Opts and LLBCaps and rest of information is lost.

so currently defaultSecurityMode have only default security.confined & network.none entitlements.

I want to use the LLBCaps as it will be defined for both network and security entitlements.

The point where I am stuck is , where to set these LLBCaps, i.e. CapExecMetaSecurity, So this can be access in builder/build.Buid() function?

@tonistiigi @AkihiroSuda

[tonistiigi]

@kunalkushwaha Why do you need to pass them with frontend.Solve() at all. They are only validated on vertex load and the bridge that is doing the loading already has all of this information initialized to the job in

buildkit/solver/llbsolver/solver.go

Line 103 in 5b7f759

j.SetValue(keyEntitlements, set)

[kunalkushwaha]

@tonistiigi I want to retrieve the value of entitlements in executor.Exec() functions. I am not getting what should be ideal way of retrieving.

If possible, please give me a overview of control flow how it goes once control comes to buildkitd for any build command.

[tonistiigi]

The value you need in exec is not entitlements that is passed with the build and enabled from daemon. What you need there is only the SecMode that is defined in the Meta and available to you. The validation that this secmode value is allowed to be used with current entitlement settings has already happened before that.

There are 2 sets of values here. One is entitlements that define the allowed actions a current build can perform. The other is the actual action that will be done for specific vertexes. The entitlements only affects the validation of the actual actions. Eg. if you just pass entitlements but don't change your vertexes, nothing would change in your build.

[tonistiigi]

@kunalkushwaha Haven't reviewed yet but the CI seems to be failing on vendor check.

[tonistiigi]

We should check that caps are properly restricted in securityConfined mode.

[kunalkushwaha]

Updated the testcase for SecurityConfined check and fixed CI issue.

[kunalkushwaha]

@tonistiigi PTAL. Have fixed the testcase with check for Confined & Unconfined both. Also CI issue is resolved.

[AkihiroSuda]

remove seccomp profile as well?

[kunalkushwaha]

yes, it was discussed here #570 (comment).
I am updating function comments too.

[AkihiroSuda]

sorry needs rebase

[kunalkushwaha]

Its rebased and CI error gone.

[tiborvass]

@justincormack Would you be okay calling unconfined insecure instead? I know all security profiles call it unconfined, but the user intent feels clearer with insecure.

[justincormack]

Yes I think that makes sense, although confined vs insecure is kind of weird, and I don't think we should call it secure vs insecure...

[tiborvass]

@justincormack sandbox/sandboxed ? I'm not too bothered by having both confined and insecure, because those who will see confined will probably have read about its technical meaning, whereas insecure should mean something strong to those who won't read much about it.

[tiborvass]

@justincormack told me offline he prefers confined and insecure.

@kunalkushwaha would you mind updating UNCONFINED to INSECURE everywhere in this PR? We can keep the word CONFINED.

[tonistiigi]

btw, I like sandbox/insecure pairing

[justincormack]

ok with sandbox/insecure too.

[kunalkushwaha]

@tiborvass ^^

[tiborvass]

Perfect let’s roll with sandbox/insecure then. Do you mind updating @kunalkushwaha

[kunalkushwaha]

I will update with sandbox/insecure.

[tonistiigi]

Looks good. Small comments

[tonistiigi]

Please add a case where you don't pass the entitlement and get an error on securityUnconfined mode and where you try to pass entitlement on securityConfined and get an error as well.

[tonistiigi]

like network.host & security.unconfined -> (eg. network.host, security.unconfined)

[tonistiigi]

This is being reset by the oci.GetMounts call. Probably move it to that function instead for a fix.

[tonistiigi]

Now that I think of it, I think it was a mistake to add "default entitlements"

buildkit/util/entitlements/entitlements.go

Line 21 in 2453e6f

var defaults = map[Entitlement]struct{}{

. I think you should just remove EntitlementSecurityConfined cause defining that doesn't make sense in any case. You still need Security(SecurityModeConfined) though, just allowing the entitlement is pointless because it is allowed always anyway. All the functionality remains, just remove the constant. Same goes for network-none but if you want I can clean that up myself after this PR is merged.

edit: I guess I took it from https://github.com/moby/libentitlement but doesn't really fit the design. These should more be like the configuration templates for the executor, not capabilities user needs to give access to.

[kunalkushwaha]

Updated the PR with changes including.

• Confined/Unconfined changed to Sandbox/Insecure security entitlement support #570 (comment)
• removed constants for SecurityConfined & NetworkNone and there is no default entitlement now. security entitlement support #570 (comment)
• testcase added for error checks for entitlements as suggested in security entitlement support #570 (comment)
• moved logic for sysfs mount in r/w mode in GenerateSpec() security entitlement support #570 (comment)

[tonistiigi]

Thanks @kunalkushwaha , LGTM

PTAL @AkihiroSuda