package securitypolicy
import "github.com/Microsoft/hcsshim/pkg/securitypolicy"
Variables ¶
var (
	// ErrInvalidAllowAllPolicy reports a policy that sets allow_all to true
	// while also listing containers; the two settings are mutually exclusive,
	// and the error text states that configuration rule.
	ErrInvalidAllowAllPolicy = errors.New("allow_all cannot be set to 'true' when Containers are non-empty")
)
Functions ¶
func NewSecurityPolicyDigest ¶
NewSecurityPolicyDigest decodes the base64-encoded policy string and computes and returns its SHA-256 digest.
Types ¶
type AuthConfig ¶
// AuthConfig contains toml or JSON config for registry authentication.
//
// Username and Password are serialized in clear text under the "username"
// and "password" keys, so a policy config file that carries an AuthConfig
// holds the registry credential verbatim and should be handled as a secret.
type AuthConfig struct {
	Username string `json:"username" toml:"username"`
	Password string `json:"password" toml:"password"`
}
type CommandArgs ¶
// CommandArgs is the StringArrayMap form of a container's command line
// (Container.Command); it carries its own MarshalJSON. How the Elements
// keys are derived from the argument list is not visible on this page —
// presumably the argument position; confirm against StringArrayMap.
type CommandArgs StringArrayMap
func (CommandArgs) MarshalJSON ¶
func (c CommandArgs) MarshalJSON() ([]byte, error)
type Container ¶
// Container is the per-container section of a SecurityPolicy: the set of
// constraints a container must satisfy to be allowed to run. Instances are
// built by CreateContainerPolicy from the validated configuration values
// (compare ContainerConfig, which is the user-facing input form).
type Container struct {
	// Command is the allowed command line, in StringArrayMap form.
	Command CommandArgs `json:"command"`

	// EnvRules are the environment variable rules (see EnvRuleConfig).
	EnvRules EnvRules `json:"env_rules"`

	// Layers lists the container's layers in StringArrayMap form; what each
	// element identifies is not shown on this page — confirm in the source.
	Layers Layers `json:"layers"`

	// WorkingDir is the container's working directory.
	WorkingDir string `json:"working_dir"`

	// WaitMountPoints lists the mounts expected to be present
	// (see WithWaitMountPoints).
	WaitMountPoints WaitMountPoints `json:"wait_mount_points"`

	// Mounts are the mount constraints (see MountConfig and Mount).
	Mounts Mounts `json:"mounts"`

	// AllowElevated permits the container to run in elevated/privileged mode.
	AllowElevated bool `json:"allow_elevated"`
}
func CreateContainerPolicy ¶
func CreateContainerPolicy( command, layers []string, envRules []EnvRuleConfig, workingDir string, eMounts []string, mounts []MountConfig, allowElevated bool, ) (*Container, error)
CreateContainerPolicy creates a new Container policy instance from the provided constraints, or returns an error if parameter validation fails.
type ContainerConfig ¶
// ContainerConfig contains toml or JSON config for a container described in
// a security policy. It is the user-facing counterpart of Container:
// CreateContainerPolicy takes these values, validates them and produces the
// Container that ends up in the policy. Note that the TOML keys for EnvRules
// and Mounts are the singular "env_rule" and "mount", unlike the JSON keys.
type ContainerConfig struct {
	// ImageName is the image the container is created from.
	ImageName string `json:"image_name" toml:"image_name"`

	// Command is the command line, one argument per element.
	Command []string `json:"command" toml:"command"`

	// Auth holds the registry credential; see AuthConfig for the clear-text
	// serialization caveat.
	Auth AuthConfig `json:"auth" toml:"auth"`

	// EnvRules are the environment variable constraints (see WithEnvVarRules).
	EnvRules []EnvRuleConfig `json:"env_rules" toml:"env_rule"`

	// WorkingDir is the container's working directory.
	WorkingDir string `json:"working_dir" toml:"working_dir"`

	// WaitMountPoints lists the mounts expected to be present.
	WaitMountPoints []string `json:"wait_mount_points" toml:"wait_mount_points"`

	// Mounts are the mount constraints (see MountConfig).
	Mounts []MountConfig `json:"mounts" toml:"mount"`

	// AllowElevated permits the container to run in elevated/privileged mode.
	AllowElevated bool `json:"allow_elevated" toml:"allow_elevated"`
}
type ContainerConfigOpt ¶
// ContainerConfigOpt is a functional option that adjusts a ContainerConfig in
// place. An option returns an error so that invalid values can be rejected at
// the point the option is applied; the With* functions below construct the
// options this package provides.
type ContainerConfigOpt func(*ContainerConfig) error
func WithAllowElevated ¶
func WithAllowElevated(elevated bool) ContainerConfigOpt
WithAllowElevated allows the container to run in elevated/privileged mode.
func WithCommand ¶
func WithCommand(cmd []string) ContainerConfigOpt
WithCommand sets ContainerConfig.Command in container policy config.
func WithEnvVarRules ¶
func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt
WithEnvVarRules adds environment variable constraints to container policy config.
func WithMountConstraints ¶
func WithMountConstraints(mc []MountConfig) ContainerConfigOpt
WithMountConstraints extends ContainerConfig.Mounts with provided mount constraints.
func WithWaitMountPoints ¶
func WithWaitMountPoints(em []string) ContainerConfigOpt
WithWaitMountPoints adds expected mounts to container policy config.
func WithWorkingDir ¶
func WithWorkingDir(wd string) ContainerConfigOpt
WithWorkingDir sets working directory in container policy config.
type Containers ¶
// Containers is the JSON shape of a SecurityPolicy's container list: a map of
// Container entries plus their count. It has a custom MarshalJSON (below).
// The meaning of the Elements keys is not shown on this page — presumably the
// container's position, mirroring StringArrayMap; confirm in the source.
type Containers struct {
	Length   int                  `json:"length"`
	Elements map[string]Container `json:"elements"`
}
func (Containers) MarshalJSON ¶
func (c Containers) MarshalJSON() ([]byte, error)
type EncodedSecurityPolicy ¶
// EncodedSecurityPolicy is a JSON representation of SecurityPolicy that has
// been base64 encoded for storage in an annotation embedded within another
// JSON configuration. The field is omitted from the JSON output when empty.
type EncodedSecurityPolicy struct {
	SecurityPolicy string `json:"SecurityPolicy,omitempty"`
}
type EnvRuleConfig ¶
// EnvRuleConfig contains toml or JSON config for environment variable
// security policy enforcement: Rule is the pattern and Strategy says how it
// is matched (see the EnvVarRule constants).
type EnvRuleConfig struct {
	Strategy EnvVarRule `json:"strategy" toml:"strategy"`
	Rule     string     `json:"rule" toml:"rule"`
}
func NewEnvVarRules ¶
func NewEnvVarRules(envVars []string) []EnvRuleConfig
NewEnvVarRules creates a slice of EnvRuleConfig values from a slice of environment variable strings.
type EnvRules ¶
// EnvRules is the JSON shape of a Container's environment variable rules: a
// map of EnvRuleConfig entries plus their count. It has a custom MarshalJSON.
// The meaning of the Elements keys is not shown on this page — presumably the
// rule's position, mirroring StringArrayMap; confirm in the source.
type EnvRules struct {
	Length   int                      `json:"length"`
	Elements map[string]EnvRuleConfig `json:"elements"`
}
func (EnvRules) MarshalJSON ¶
type EnvVarRule ¶
// EnvVarRule names the strategy used to match an environment variable
// against an EnvRuleConfig.Rule; the constants below are the known values.
type EnvVarRule string
const (
	// EnvVarRuleString selects the "string" strategy — presumably an exact
	// match of the rule text; the matcher itself is not on this page.
	EnvVarRuleString EnvVarRule = "string"
	// EnvVarRuleRegex selects the "re2" strategy, i.e. the rule is an RE2
	// regular expression as the value name indicates.
	EnvVarRuleRegex EnvVarRule = "re2"
)
type Layers ¶
// Layers is the StringArrayMap form of a container's layer list
// (Container.Layers); it carries its own MarshalJSON. The page does not show
// what each element identifies — confirm in the source before relying on it.
type Layers StringArrayMap
func (Layers) MarshalJSON ¶
type Mount ¶
// Mount is the policy-side description of a single mount. Unlike MountConfig
// it is JSON-only and carries a Type and an Options list; how a MountConfig
// (host path, container path, readonly) is translated into a Mount is not
// shown on this page.
type Mount struct {
	Source      string  `json:"source"`
	Destination string  `json:"destination"`
	Type        string  `json:"type"`
	Options     Options `json:"options"`
}
type MountConfig ¶
// MountConfig contains toml or JSON config for a mount security policy
// constraint description: the host path that may be mounted, the path it
// appears at inside the container, and whether the mount is read-only.
type MountConfig struct {
	HostPath      string `json:"host_path" toml:"host_path"`
	ContainerPath string `json:"container_path" toml:"container_path"`
	Readonly      bool   `json:"readonly" toml:"readonly"`
}
type Mounts ¶
func (Mounts) MarshalJSON ¶
type Options ¶
// Options is the StringArrayMap form of a Mount's option list
// (Mount.Options); it carries its own MarshalJSON.
type Options StringArrayMap
func (Options) MarshalJSON ¶
type PolicyConfig ¶
// PolicyConfig contains toml or JSON config for a security policy. AllowAll
// and a non-empty Containers list are mutually exclusive (see
// ErrInvalidAllowAllPolicy). Note that the TOML key for the container list is
// the singular "container", unlike the JSON key.
type PolicyConfig struct {
	AllowAll   bool              `json:"allow_all" toml:"allow_all"`
	Containers []ContainerConfig `json:"containers" toml:"container"`
}
type SecurityPolicy ¶
// SecurityPolicy is the decoded, enforceable policy: a global allow-all
// switch plus the set of containers that are permitted to run. Build one with
// NewSecurityPolicy or NewOpenDoorPolicy; EncodeToString produces the base64
// form carried by EncodedSecurityPolicy.
type SecurityPolicy struct {
	// Flag that when set to true allows for all checks to pass. Currently,
	// used to run with security policy enforcement "running dark"; checks can
	// be in place but the default policy that is created on startup has
	// AllowAll set to true, thus making policy enforcement effectively "off"
	// from a logical standpoint. Policy enforcement isn't actually off as the
	// policy is "allow everything". See NewOpenDoorPolicy.
	AllowAll bool `json:"allow_all"`

	// One or more containers that are allowed to run.
	Containers Containers `json:"containers"`
}
func NewOpenDoorPolicy ¶
func NewOpenDoorPolicy() *SecurityPolicy
NewOpenDoorPolicy creates a new SecurityPolicy with AllowAll set to `true`.
func NewSecurityPolicy ¶
func NewSecurityPolicy(allowAll bool, containers []*Container) *SecurityPolicy
NewSecurityPolicy creates a new SecurityPolicy from the provided values.
func (*SecurityPolicy) EncodeToString ¶
func (sp *SecurityPolicy) EncodeToString() (string, error)
EncodeToString returns base64 encoded string representation of SecurityPolicy.
type SecurityPolicyState ¶
// SecurityPolicyState holds the user-supplied policy to enforce. It keeps
// both the encoded representation and the unmarshalled representation,
// because different components need access to one or the other.
// SecurityPolicy is embedded, so its fields (AllowAll, Containers) are
// promoted onto the state; build instances with NewSecurityPolicyState.
type SecurityPolicyState struct {
	EncodedSecurityPolicy EncodedSecurityPolicy `json:"EncodedSecurityPolicy,omitempty"`
	SecurityPolicy                              `json:"SecurityPolicy,omitempty"`
}
func NewSecurityPolicyState ¶
func NewSecurityPolicyState(base64Policy string) (*SecurityPolicyState, error)
NewSecurityPolicyState constructs a SecurityPolicyState from the base64Policy string. It first decodes the base64 policy and returns both the security policy struct and the encoded security policy for the given policy. The security policy is transmitted as JSON in an annotation, so the base64 encoding that allows the JSON-based policy to be passed as a string is removed first; the JSON is then decoded into the security policy struct.
type StringArrayMap ¶
// StringArrayMap wraps an array of strings as a string map: Elements holds
// the strings and Length their count. It has a custom MarshalJSON. The map
// keys are not specified on this page — presumably the element's index;
// confirm in the MarshalJSON source.
type StringArrayMap struct {
	Length   int               `json:"length"`
	Elements map[string]string `json:"elements"`
}
func (StringArrayMap) MarshalJSON ¶
func (s StringArrayMap) MarshalJSON() ([]byte, error)
type WaitMountPoints ¶
// WaitMountPoints is the StringArrayMap form of a container's expected mount
// points (Container.WaitMountPoints); it carries its own MarshalJSON.
type WaitMountPoints StringArrayMap
func (WaitMountPoints) MarshalJSON ¶
func (wm WaitMountPoints) MarshalJSON() ([]byte, error)