Re: [RFC 0/4] RFC: Add Checmate, BPF-driven minor LSM

["Mickaël Salaün" <mic@digikod.net>]

[-- Attachment #1.1: Type: text/plain, Size: 2667 bytes --]


On 15/08/2016 05:09, Sargun Dhillon wrote:
> On Mon, Aug 15, 2016 at 12:57:44AM +0200, Mickaël Salaün wrote:
>> Our approaches have some common points (i.e. use eBPF in an LSM, stacked 
>> filters like seccomp) but I'm focused on a kind of unprivileged LSM (i.e. no 
>> CAP_SYS_ADMIN), to make standalone sandboxes, which brings more constraints 
>> (e.g. no use of unsafe functions like bpf_probe_read(), take care of privacy, 
>> SUID exec, stable ABI…). However, I don't want to handle resource limits, 
>> which should be the job of cgroups.
>>
> Kind of. Sometimes describing these resource limits is difficult. For example, I 
> have a customer who is trying to restrict containers from burning up all the 
> ephemeral ports on the machine. In this, they have an incredibly elaborate chain 
> of wiring to prevent a given container from connecting to the same (proto, 
> destip, destport) more than 1000 times.
> 
> I'm unsure of how you'd model that in a cgroup. 

This looks like a Netfilter rule. Have you tried applying this limitation with the connlimit module?


> 
>> For now, I'm focusing on file-system access control which is one of the more 
>> complex system to properly filter. I also plan to support basic network access 
>> control.
>>
>> What you are trying to accomplish seems more related to a Netfilter extension 
>> (something like ipset but with eBPF maybe?).
>>
> I don't only want to do network access control, I also want to write to the 
> value once it's copied into kernel space. There are lot of benefits of doing 
> this at the syscall level, but the two primary ones are performance, and 
> capability. 
> 
> One of the biggest complaints with our current approach to filtering & load 
> balancing (iptables) is that it hides information. When people connect through 
> the load balancer, they want to find out who they connected to, and without some 
> high application-level mechanism, this isn't possible. On the other hand, if we 
> just rewrite the destination address in the connect hook, we can pretty easily
> allow them to do getpeername.

What exactly is not doable with Netfilter (e.g. REDIRECT or TPROXY)?


> 
> I'm curious about your filesystem access limiter. Do you have a way to make it so
> that a given container can only write, say, 100mb of data to disk? 

It's a filesystem access control. It doesn't deal with quota and is not focused on container but process hierarchies (which is more generic).

What is not doable with a quota mount option? It may be more appropriate to enhance the VFS (or overlayfs) to apply this kind of limitation, if needed.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]