Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM

From: MickaÃl SalaÃn
Date: Mon Aug 15 2016 - 07:06:52 EST

Next message: Morten Rasmussen: "Re: [CFP] Power Management and Energy Awareness microconference at LPC 2016"
Previous message: Kalle Valo: "Re: [PATCH v2] RANDOM: ATH9K RNG delivers zero bits of entropy"
In reply to: Sargun Dhillon: "Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM"
Next in thread: Sargun Dhillon: "Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 15/08/2016 05:09, Sargun Dhillon wrote:
> On Mon, Aug 15, 2016 at 12:57:44AM +0200, MickaÃl SalaÃn wrote:
>> Our approaches have some common points (i.e. use eBPF in an LSM, stacked
>> filters like seccomp) but I'm focused on a kind of unprivileged LSM (i.e. no
>> CAP_SYS_ADMIN), to make standalone sandboxes, which brings more constraints
>> (e.g. no use of unsafe functions like bpf_probe_read(), take care of privacy,
>> SUID exec, stable ABIâ). However, I don't want to handle resource limits,
>> which should be the job of cgroups.
>>
> Kind of. Sometimes describing these resource limits is difficult. For example, I
> have a customer who is trying to restrict containers from burning up all the
> ephemeral ports on the machine. In this, they have an incredibly elaborate chain
> of wiring to prevent a given container from connecting to the same (proto,
> destip, destport) more than 1000 times.
>
> I'm unsure of how you'd model that in a cgroup.

This looks like a Netfilter rule. Have you tried applying this limitation with the connlimit module?

>
>> For now, I'm focusing on file-system access control which is one of the more
>> complex system to properly filter. I also plan to support basic network access
>> control.
>>
>> What you are trying to accomplish seems more related to a Netfilter extension
>> (something like ipset but with eBPF maybe?).
>>
> I don't only want to do network access control, I also want to write to the
> value once it's copied into kernel space. There are lot of benefits of doing
> this at the syscall level, but the two primary ones are performance, and
> capability.
>
> One of the biggest complaints with our current approach to filtering & load
> balancing (iptables) is that it hides information. When people connect through
> the load balancer, they want to find out who they connected to, and without some
> high application-level mechanism, this isn't possible. On the other hand, if we
> just rewrite the destination address in the connect hook, we can pretty easily
> allow them to do getpeername.

What exactly is not doable with Netfilter (e.g. REDIRECT or TPROXY)?

>
> I'm curious about your filesystem access limiter. Do you have a way to make it so
> that a given container can only write, say, 100mb of data to disk?

It's a filesystem access control. It doesn't deal with quota and is not focused on container but process hierarchies (which is more generic).

What is not doable with a quota mount option? It may be more appropriate to enhance the VFS (or overlayfs) to apply this kind of limitation, if needed.

Attachment: signature.asc
Description: OpenPGP digital signature

Next message: Morten Rasmussen: "Re: [CFP] Power Management and Energy Awareness microconference at LPC 2016"
Previous message: Kalle Valo: "Re: [PATCH v2] RANDOM: ATH9K RNG delivers zero bits of entropy"
In reply to: Sargun Dhillon: "Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM"
Next in thread: Sargun Dhillon: "Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]