package securitypolicy

import "github.com/Microsoft/hcsshim/pkg/securitypolicy"

Index

Variables

// ErrInvalidOpenDoorPolicy is reported when allow_all is true while the
// Containers list is non-empty. An open-door policy passes every check, so
// any container constraints listed next to it would silently be meaningless;
// the combination is rejected rather than accepted with a false sense of
// enforcement.
var ErrInvalidOpenDoorPolicy = errors.New("allow_all cannot be set to 'true' when Containers are non-empty")

Functions

func MarshalFragment

func MarshalFragment(
	namespace string,
	svn string,
	containers []*Container,
	externalProcesses []ExternalProcessConfig,
	fragments []FragmentConfig) (string, error)

func MarshalPolicy

func MarshalPolicy(
	marshaller string,
	allowAll bool,
	containers []*Container,
	externalProcesses []ExternalProcessConfig,
	fragments []FragmentConfig,
	allowPropertiesAccess bool,
	allowDumpStacks bool,
	allowRuntimeLogging bool,
	allowEnvironmentVariableDropping bool,
	allowUnencryptedScratch bool,
) (string, error)

func NewSecurityPolicyDigest

func NewSecurityPolicyDigest(base64policy string) ([]byte, error)

NewSecurityPolicyDigest decodes the base64-encoded policy string and returns the SHA-256 digest of the decoded policy bytes. Because the hash is taken after decoding, callers that compare this digest against an expected value must hash the same decoded form rather than the base64 text.

Types

type AuthConfig

// AuthConfig holds registry credentials supplied in the policy config file.
// Both values are stored in the clear in that toml/JSON file, so the file
// itself must be handled as a secret (keep it out of version control and
// logs). The Container policy type carries no auth fields, so these
// credentials are presumably consumed only while generating the policy
// (e.g. to fetch the image) and are not expected to appear in the
// marshalled output — confirm against securitypolicy_marshal.go.
type AuthConfig struct {
	// Username for the container registry.
	Username string `json:"username" toml:"username"`
	// Password for the container registry, in plaintext.
	Password string `json:"password" toml:"password"`
}

AuthConfig contains the toml or JSON config for registry authentication. The credentials are stored in plaintext in the config file, so that file must be protected as a secret.

type CommandArgs

// CommandArgs is the policy representation of a container command line: an
// argument array wrapped as a StringArrayMap (length plus indexed elements).
type CommandArgs StringArrayMap

func (CommandArgs) MarshalJSON

func (c CommandArgs) MarshalJSON() ([]byte, error)

type Container

// Container is one entry of a SecurityPolicy: the set of constraints a
// container must satisfy to be allowed to run. Fields tagged `json:"-"`
// (ExecProcesses, Signals) are kept on the in-memory value but are excluded
// from the JSON form of the policy.
type Container struct {
	// Command is the command line the container is permitted to start with.
	Command       CommandArgs         `json:"command"`
	// EnvRules constrain the environment variables passed to the container.
	EnvRules      EnvRules            `json:"env_rules"`
	// Layers identifies the image layers the container may be created from
	// (presumably layer digests; confirm in CreateContainerPolicy).
	Layers        Layers              `json:"layers"`
	// WorkingDir is the permitted working directory.
	WorkingDir    string              `json:"working_dir"`
	// Mounts constrain what may be mounted into the container.
	Mounts        Mounts              `json:"mounts"`
	// AllowElevated permits the container to run elevated/privileged.
	// This widens the policy; see WithAllowElevated.
	AllowElevated bool                `json:"allow_elevated"`
	// ExecProcesses lists the exec commands permitted in this container.
	// Not serialised to JSON (json:"-").
	ExecProcesses []ExecProcessConfig `json:"-"`
	// Signals lists the signals that may be sent to the container.
	// Not serialised to JSON (json:"-").
	Signals       []syscall.Signal    `json:"-"`
}

func CreateContainerPolicy

func CreateContainerPolicy(
	command, layers []string,
	envRules []EnvRuleConfig,
	workingDir string,
	mounts []MountConfig,
	allowElevated bool,
	execProcesses []ExecProcessConfig,
	signals []syscall.Signal,
) (*Container, error)

CreateContainerPolicy creates a new Container policy instance from the provided constraints, or returns an error if parameter validation fails. Note that execProcesses and signals are kept on the returned Container but are excluded from its JSON form (their fields are tagged `json:"-"`).

type ContainerConfig

// ContainerConfig is the toml/JSON description of one container from which
// a Container policy entry is generated. Unlike Container, it carries the
// image name and registry credentials needed at generation time.
type ContainerConfig struct {
	// ImageName is the image to generate the policy for.
	ImageName     string              `json:"image_name" toml:"image_name"`
	// Command is the command line the container may start with.
	Command       []string            `json:"command" toml:"command"`
	// Auth holds plaintext registry credentials; see AuthConfig.
	Auth          AuthConfig          `json:"auth" toml:"auth"`
	// EnvRules constrain the container's environment variables.
	EnvRules      []EnvRuleConfig     `json:"env_rules" toml:"env_rule"`
	// WorkingDir is the permitted working directory.
	WorkingDir    string              `json:"working_dir" toml:"working_dir"`
	// Mounts constrain what may be mounted into the container.
	Mounts        []MountConfig       `json:"mounts" toml:"mount"`
	// AllowElevated permits elevated/privileged execution; this widens the
	// policy and should be set only where genuinely required.
	AllowElevated bool                `json:"allow_elevated" toml:"allow_elevated"`
	// ExecProcesses lists the exec commands permitted in the container.
	ExecProcesses []ExecProcessConfig `json:"exec_processes" toml:"exec_process"`
	// Signals lists the signals that may be sent to the container.
	Signals       []syscall.Signal    `json:"signals" toml:"signals"`
}

ContainerConfig contains toml or JSON config for container described in security policy.

type ContainerConfigOpt

// ContainerConfigOpt is a functional option that mutates a ContainerConfig
// in place, returning an error if the option's input is invalid.
type ContainerConfigOpt func(*ContainerConfig) error

func WithAllowElevated

func WithAllowElevated(elevated bool) ContainerConfigOpt

WithAllowElevated sets ContainerConfig.AllowElevated, permitting the container to run in an elevated/privileged mode. This widens what the policy allows; enable it only for containers that genuinely need elevated privileges.

func WithCommand

func WithCommand(cmd []string) ContainerConfigOpt

WithCommand sets ContainerConfig.Command in container policy config.

func WithEnvVarRules

func WithEnvVarRules(envs []EnvRuleConfig) ContainerConfigOpt

WithEnvVarRules adds environment variable constraints to container policy config.

func WithMountConstraints

func WithMountConstraints(mc []MountConfig) ContainerConfigOpt

WithMountConstraints extends ContainerConfig.Mounts with provided mount constraints.

func WithWorkingDir

func WithWorkingDir(wd string) ContainerConfigOpt

WithWorkingDir sets working directory in container policy config.

type Containers

// Containers is the JSON-shaped collection of Container policy entries:
// an explicit Length plus an Elements map. The key scheme of Elements is not
// visible here (presumably the element index as a string, as for
// StringArrayMap) — confirm in securitypolicy_marshal.go.
type Containers struct {
	Length   int                  `json:"length"`
	Elements map[string]Container `json:"elements"`
}

func (Containers) MarshalJSON

func (c Containers) MarshalJSON() ([]byte, error)

type EncodedSecurityPolicy

// EncodedSecurityPolicy wraps a base64-encoded SecurityPolicy so it can be
// embedded as a string inside another JSON document (an annotation).
// Base64 is only an encoding: this wrapper neither encrypts nor signs the
// policy, so its integrity must be established elsewhere (for example via
// NewSecurityPolicyDigest).
type EncodedSecurityPolicy struct {
	SecurityPolicy string `json:"SecurityPolicy,omitempty"`
}

EncodedSecurityPolicy is a JSON representation of SecurityPolicy that has been base64 encoded for storage in an annotation embedded within another JSON configuration. Base64 is an encoding, not a protection: the wrapper neither encrypts nor signs the policy.

type EnvRuleConfig

// EnvRuleConfig is a single environment-variable constraint.
type EnvRuleConfig struct {
	// Strategy selects how Rule is matched: EnvVarRuleString (exact string)
	// or EnvVarRuleRegex ("re2" regular expression).
	Strategy EnvVarRule `json:"strategy" toml:"strategy"`
	// Rule is the literal string (presumably "NAME=value") or the regular
	// expression to match against.
	// NOTE(review): whether regex rules are anchored is not visible here;
	// an unanchored pattern can admit more values than intended, so anchor
	// patterns explicitly (^...$) unless the matcher is confirmed to do so.
	Rule     string     `json:"rule" toml:"rule"`
	// Required, when true, presumably makes a matching variable mandatory
	// rather than merely permitted — confirm against the enforcer.
	Required bool       `json:"required" toml:"required"`
}

EnvRuleConfig contains the toml or JSON config for one environment variable constraint: the matching strategy (exact string or "re2" regular expression), the rule itself, and whether the variable is required.

func NewEnvVarRules

func NewEnvVarRules(envVars []string, required bool) []EnvRuleConfig

NewEnvVarRules creates a slice of EnvRuleConfig values from a slice of environment variable strings, applying the same required flag to each.

type EnvRules

// EnvRules is the JSON-shaped collection of environment variable rules for
// a Container: an explicit Length plus an Elements map.
type EnvRules struct {
	Length   int                      `json:"length"`
	Elements map[string]EnvRuleConfig `json:"elements"`
}

func (EnvRules) MarshalJSON

func (e EnvRules) MarshalJSON() ([]byte, error)

type EnvVarRule

// EnvVarRule names the matching strategy for an EnvRuleConfig.
type EnvVarRule string
const (
	// EnvVarRuleString matches the rule as an exact string.
	EnvVarRuleString EnvVarRule = "string"
	// EnvVarRuleRegex matches the rule as a regular expression; the value
	// "re2" indicates RE2 syntax (Go's regexp syntax). Whether the match is
	// anchored is not shown here — anchor patterns explicitly to be safe.
	EnvVarRuleRegex  EnvVarRule = "re2"
)

type ExecProcessConfig

// ExecProcessConfig describes one exec command permitted inside a
// container, along with the signals that may be sent to it.
type ExecProcessConfig struct {
	// Command is the permitted exec command line.
	Command []string         `json:"command" toml:"command"`
	// Signals lists the signals that may be delivered to the process.
	Signals []syscall.Signal `json:"signals" toml:"signals"`
}

ExecProcessConfig contains toml or JSON config for exec process security policy constraint description

type ExternalProcessConfig

// ExternalProcessConfig describes a process permitted to run directly in
// the UVM, outside any container. Because such a process runs in the guest
// itself rather than in a container, each entry should be reviewed as
// carefully as an elevated container.
type ExternalProcessConfig struct {
	// Command is the permitted command line.
	Command    []string `json:"command" toml:"command"`
	// WorkingDir is the permitted working directory.
	WorkingDir string   `json:"working_dir" toml:"working_dir"`
}

ExternalProcessConfig contains the toml or JSON config for a process that may run directly in the UVM, outside any container. Each entry should be reviewed as carefully as an elevated container, since it executes in the guest itself.

type FragmentConfig

// FragmentConfig names a policy fragment whose elements may be included
// into this policy. Issuer and Feed identify where an acceptable fragment
// comes from; MinimumSVN sets the lowest acceptable version, which acts as
// a rollback floor against older fragments. How Issuer is verified (e.g.
// against a signature on the fragment) is not visible here — confirm.
type FragmentConfig struct {
	// Issuer identifies the party the fragment must originate from.
	Issuer     string   `json:"issuer" toml:"issuer"`
	// Feed identifies the fragment feed within that issuer.
	Feed       string   `json:"feed" toml:"feed"`
	// MinimumSVN is the lowest security version number accepted; raise it
	// to exclude older fragments (compare the svn parameter of
	// MarshalFragment).
	MinimumSVN string   `json:"minimum_svn" toml:"minimum_svn"`
	// Includes lists which element kinds are taken from the fragment.
	Includes   []string `json:"includes" toml:"include"`
}

FragmentConfig contains the toml or JSON config for including elements from a policy fragment identified by issuer and feed, subject to a minimum security version number.

type Layers

// Layers is the policy representation of a container's image layers,
// wrapped as a StringArrayMap (length plus indexed elements).
type Layers StringArrayMap

func (Layers) MarshalJSON

func (l Layers) MarshalJSON() ([]byte, error)

type Mount

// Mount is the policy representation of one permitted mount.
type Mount struct {
	// Source is the permitted mount source.
	Source      string  `json:"source"`
	// Destination is the permitted mount target inside the container.
	Destination string  `json:"destination"`
	// Type is the permitted mount type.
	Type        string  `json:"type"`
	// Options are the permitted mount options, as a StringArrayMap.
	Options     Options `json:"options"`
}

type MountConfig

// MountConfig is the toml/JSON description of one permitted mount from
// which a Mount policy entry is generated.
type MountConfig struct {
	// HostPath is the permitted source path on the host side.
	HostPath      string `json:"host_path" toml:"host_path"`
	// ContainerPath is the permitted target path inside the container.
	ContainerPath string `json:"container_path" toml:"container_path"`
	// Readonly requests a read-only mount. Prefer true unless the workload
	// must write through the mount.
	Readonly      bool   `json:"readonly" toml:"readonly"`
}

MountConfig contains the toml or JSON config describing one mount constraint (host path, container path and whether it is read-only).

type Mounts

// Mounts is the JSON-shaped collection of permitted mounts for a
// Container: an explicit Length plus an Elements map.
type Mounts struct {
	Length   int              `json:"length"`
	Elements map[string]Mount `json:"elements"`
}

func (Mounts) MarshalJSON

func (m Mounts) MarshalJSON() ([]byte, error)

type Options

// Options is the policy representation of a mount's option list, wrapped
// as a StringArrayMap (length plus indexed elements).
type Options StringArrayMap

func (Options) MarshalJSON

func (o Options) MarshalJSON() ([]byte, error)

type PolicyConfig

// PolicyConfig is the toml/JSON input from which a policy is generated.
// Every Allow* flag is false by default (Go zero value), which is the safe
// direction; each one set to true widens what the enforced policy permits,
// so enable them deliberately rather than for convenience.
type PolicyConfig struct {
	// AllowAll makes every check pass (see SecurityPolicy.AllowAll). It
	// cannot be combined with a non-empty Containers list
	// (ErrInvalidOpenDoorPolicy).
	AllowAll                         bool                    `json:"allow_all" toml:"allow_all"`
	// Containers that are allowed to run.
	Containers                       []ContainerConfig       `json:"containers" toml:"container"`
	// ExternalProcesses that may run directly in the UVM.
	ExternalProcesses                []ExternalProcessConfig `json:"external_processes" toml:"external_process"`
	// Fragments whose elements may be included; see FragmentConfig.
	Fragments                        []FragmentConfig        `json:"fragments" toml:"fragment"`
	// AllowPropertiesAccess — exact scope not shown here; presumably
	// permits querying container/UVM properties. Confirm before enabling.
	AllowPropertiesAccess            bool                    `json:"allow_properties_access" toml:"allow_properties_access"`
	// AllowDumpStacks permits stack dumps, which presumably expose in-guest
	// state; keep false in production.
	AllowDumpStacks                  bool                    `json:"allow_dump_stacks" toml:"allow_dump_stacks"`
	// AllowRuntimeLogging permits runtime logging. Exact scope not shown
	// here; logs can carry guest data out of the guest, so confirm what is
	// logged before enabling.
	AllowRuntimeLogging              bool                    `json:"allow_runtime_logging" toml:"allow_runtime_logging"`
	// AllowEnvironmentVariableDropping — presumably lets variables that
	// fail the env rules be dropped rather than rejecting the request;
	// confirm against the enforcer before relying on it.
	AllowEnvironmentVariableDropping bool                    `json:"allow_environment_variable_dropping" toml:"allow_environment_variable_dropping"`
	// AllowUnencryptedScratch is a global policy configuration that allows
	// all containers within a pod to be run without scratch encryption.
	// In a confidential setting unencrypted scratch may be readable from
	// outside the guest, so keep this false unless the workload's scratch
	// data is genuinely non-sensitive.
	AllowUnencryptedScratch bool `json:"allow_unencrypted_scratch" toml:"allow_unencrypted_scratch"`
}

PolicyConfig contains the toml or JSON config for a security policy. Every Allow* flag defaults to false (the Go zero value), and each one set to true widens what the resulting policy permits.

type SecurityPolicy

// SecurityPolicy is the in-memory policy: either an open door (AllowAll) or
// a list of containers that are allowed to run.
//
// NOTE(review): this type carries only AllowAll and Containers. The
// additional Allow* flags of PolicyConfig are passed to MarshalPolicy
// separately and are not represented here.
type SecurityPolicy struct {
	// Flag that when set to true allows for all checks to pass. Currently, used
	// to run with security policy enforcement "running dark"; checks can be in
	// place but the default policy that is created on startup has AllowAll set
	// to true, thus making policy enforcement effectively "off" from a logical
	// standpoint. Policy enforcement isn't actually off as the policy is "allow
	// everything".
	//
	// AllowAll therefore provides no protection. It cannot be combined with a
	// non-empty Containers list (ErrInvalidOpenDoorPolicy), because the
	// listed constraints would never be checked.
	AllowAll bool `json:"allow_all"`
	// One or more containers that are allowed to run
	Containers Containers `json:"containers"`
}

func NewOpenDoorPolicy

func NewOpenDoorPolicy() *SecurityPolicy

NewOpenDoorPolicy creates a new SecurityPolicy with AllowAll set to `true`. Such a policy passes every check and therefore provides no enforcement; use it only for testing or for "running dark". allow_all cannot be combined with a non-empty container list (see ErrInvalidOpenDoorPolicy).

func NewSecurityPolicy

func NewSecurityPolicy(allowAll bool, containers []*Container) *SecurityPolicy

NewSecurityPolicy creates a new SecurityPolicy from the provided allowAll flag and container list. Passing allowAll as `true` together with a non-empty container list produces the combination that ErrInvalidOpenDoorPolicy describes; whether this constructor itself rejects it is not shown here, so validate before marshalling.

func (*SecurityPolicy) EncodeToString

func (sp *SecurityPolicy) EncodeToString() (string, error)

EncodeToString returns the base64-encoded string representation of the SecurityPolicy, suitable for storing in EncodedSecurityPolicy. Encoding is not a protection: the result is neither encrypted nor signed.

type StringArrayMap

// StringArrayMap is the policy's representation of a string array: an
// explicit Length plus an Elements map keyed by a string (presumably the
// element index rendered as a string — confirm in the MarshalJSON
// implementation). CommandArgs, Layers and Options are all this shape.
type StringArrayMap struct {
	Length   int               `json:"length"`
	Elements map[string]string `json:"elements"`
}

StringArrayMap wraps an array of strings as a string map.

func (StringArrayMap) MarshalJSON

func (s StringArrayMap) MarshalJSON() ([]byte, error)

Source Files

opts.go securitypolicy.go securitypolicy_internal.go securitypolicy_marshal.go
