Comments (3)
I agree this is a tough topic. Maybe we could start with documentation around that topic and explain to the user:
- Which syscalls are going to be expected by nearly every workload, because they're required by the OCI runtime (like runc)
- Which syscalls are additionally required, for example to run kubectl exec -it …
We could scope the documentation on an x86_64 environment and describe that this will differ on different architectures.
Adding the minimal example as well as an e2e test around it seems like a good idea, too. We can show to the user how to use that minimal profile as a starting base for profile development. And that brings me to the next question: Would it be possible to stack/combine two profiles now that we have a CRD? We could define a new field baseProfile for a CRD and afterwards just merge them together and write it on disk, right?
from security-profiles-operator.
Would it be possible to stack/combine two profiles now that we have a CRD? We could define a new field baseProfile for a CRD and afterwards just merge them together and write it on disk, right?
I think that could work...so it would look something like this:
---
kind: SeccompProfile
metadata:
  name: base
spec:
  defaultAction: SCMP_ACT_ERRNO
  syscalls:
  - action: SCMP_ACT_ALLOW
    names:
    - capget
    - ...
---
kind: SeccompProfile
metadata:
  name: hello-world
spec:
  baseProfile: base
  targetWorkload: hello
  syscalls:
  - action: SCMP_ACT_ALLOW
    names:
    - arch_prctl
    - ...
  - action: SCMP_ACT_LOG
    names:
    - pause
    - ...

/var/lib/kubelet/seccomp/operator/default/hello/hello-world.json:

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {
      "action": "SCMP_ACT_ALLOW",
      "names": ["capget", "arch_prctl", ...]
    },
    {
      "action": "SCMP_ACT_LOG",
      "names": ["pause", ...]
    }
  ]
}
Still, what should happen if there are syscalls with different actions in the base versus user-defined profile? e.g.
base:
  syscalls:
  - action: SCMP_ACT_ALLOW
    names:
    - capget
user-defined:
  syscalls:
  - action: SCMP_ACT_ERRNO
    names:
    - capget
merged:
...
"syscalls": [
  {
    "action": "SCMP_ACT_ALLOW",
    "names": ["capget",...]
  },
  {
    "action": "SCMP_ACT_ERRNO",
    "names": ["capget", ...]
  }
That would be an invalid profile, I think? But I guess no different than if the user had created just a single invalid profile...
from security-profiles-operator.
Would it be possible to stack/combine two profiles now that we have a CRD? We could define a new field baseProfile for a CRD and afterwards just merge them together and write it on disk, right?
I think that could work...so it would look something like this:
---
kind: SeccompProfile
metadata:
  name: base
spec:
  defaultAction: SCMP_ACT_ERRNO
  syscalls:
  - action: SCMP_ACT_ALLOW
    names:
    - capget
    - ...
---
kind: SeccompProfile
metadata:
  name: hello-world
spec:
  baseProfile: base
What about baseProfileName to have a more strict reference?
…
merged:
...
"syscalls": [
  {
    "action": "SCMP_ACT_ALLOW",
    "names": ["capget",...]
  },
  {
    "action": "SCMP_ACT_ERRNO",
    "names": ["capget", ...]
  }
That would be an invalid profile, I think? But I guess no different than if the user had created just a single invalid profile...
Yes, in the first iteration we could leave out those validation steps from my point of view. But it would be a good addition to check for syntactically, but logically wrong profiles later on. 👍
Thinking about some other pitfalls here but I do not see anything right now…
from security-profiles-operator.
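The merge proposed in the thread, with the conflicting-action case (capget under both SCMP_ACT_ALLOW and SCMP_ACT_ERRNO) rejected instead of written to disk, as an added example that is not part of the thread or of the operator's code. The Syscall and Profile types, the Merge function and the choice to inherit defaultAction from the base profile are assumptions made for illustration:

```go
package main

import "fmt"

// Hypothetical types carrying only the fields shown in the thread.
type Syscall struct {
	Action string
	Names  []string
}
type Profile struct {
	DefaultAction string
	Syscalls      []Syscall
}

// Merge stacks user on top of base. A syscall that ends up under two
// different actions (the capget case) is rejected, not emitted twice.
func Merge(base, user Profile) (Profile, error) {
	out := Profile{DefaultAction: base.DefaultAction} // assumption: inherited from base
	actionOf := map[string]string{}                   // syscall name -> action first seen
	idx := map[string]int{}                           // action -> position in out.Syscalls
	var clash []string
	for _, s := range append(append([]Syscall{}, base.Syscalls...), user.Syscalls...) {
		for _, n := range s.Names {
			if prev, seen := actionOf[n]; seen {
				if prev != s.Action {
					clash = append(clash, n+": "+prev+" vs "+s.Action)
				}
				continue // already recorded: never list a name twice
			}
			actionOf[n] = s.Action
			i, ok := idx[s.Action]
			if !ok {
				i, idx[s.Action] = len(out.Syscalls), len(out.Syscalls)
				out.Syscalls = append(out.Syscalls, Syscall{Action: s.Action})
			}
			out.Syscalls[i].Names = append(out.Syscalls[i].Names, n)
		}
	}
	if len(clash) > 0 {
		return Profile{}, fmt.Errorf("conflicting actions: %v", clash)
	}
	return out, nil
}

func main() {
	// Constructed input: the base and user-defined profiles from the thread.
	base := Profile{"SCMP_ACT_ERRNO", []Syscall{{"SCMP_ACT_ALLOW", []string{"capget"}}}}
	bad := Profile{Syscalls: []Syscall{{"SCMP_ACT_ERRNO", []string{"capget"}}}}
	fmt.Println(Merge(base, bad))
}
```

Grouping by action in first-seen order reproduces the hello-world.json layout from the thread when the two profiles do not clash.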