SlideShare a Scribd company logo

Fosdem_Using_SELinux_with_container_runtimes.pdf

N
nicerussianpainter

SELinux provides mandatory access control to containers and isolates privileged containers to prevent container breakouts and attacks between containers. Udica is a tool that generates customized SELinux security profiles for containers to allow necessary access while still providing isolation between the container and host and between containers. It does this by combining rules from template policy blocks based on the container configuration to produce a new targeted policy type.

Technology
1 of 70
Download to read offline
Because privileged containers are scary Using SELinux with container runtimes Lukas Vrabec Senior Software Engineer Security Technologies 1
● Lukas Vrabec ● SELinux Evangelist ● Member of Security Technologies team at Red Hat ● RHEL & Fedora Contributor (selinux-policy, xguest, udica, netlabel_tools) ● lukas.selinux@redhat.com ● https://lukas-vrabec.com ● https://github.com/wrabcak ● https://twitter.com/mynamewrabcak Who am I ?
Why?
New cluster: ● SELinux enforcing by default
New cluster: ● SELinux enforcing by default ● 189 pods
New cluster: ● SELinux enforcing by default ● 189 pods ○ 618 containers
New cluster: ● SELinux enforcing by default ● 189 pods ○ 618 containers ■ 134 privileged containers
New cluster: ● SELinux enforcing by default ● 189 pods ○ 618 containers ■ 134 privileged containers
Privileged containers are scary
What are privileged containers anyway? Why is SELinux important at all?
Quick SELinux introduction
TECHNOLOGYFOR PROCESS ISOLATION TO MITIGATE ATTACKS VIA PRIVILEGE ESCALATION
CONTAINER_T CONTAINER_FILE_T ARE LABELS
ASSIGNED TO PROCESSES
ASSIGNED TO PROCESSES ASSIGNED TO SYSTEM RESOURCES
ASSIGNED TO PROCESSES ASSIGNED TO SYSTEM RESOURCES BY SELINUX SECURITY POLICY
LABELS IN REALITY
STORED IN EXTENDED ATTRIBUTES OF FILE SYSTEMS - EXT2,EXT3, EXT4 ...
# getfattr -n security.selinux /etc/passwd getfattr: Removing leading '/' from absolute path names file: etc/passwd security.selinux="system_u:object_r:passwd_file_t:s0" # ls -Z /etc/passwd system_u:object_r:passwd_file_t:s0 /etc/passwd
$ ps -eZ | grep container_t system_u:system_r:container_t:s0:c435,c872 17864 pts/0 00:00:00 bash system_u:system_r:container_t:s0:c236,c541 17865 pts/0 00:00:00 bash system_u:system_r:container_t:s0:c123,c456 17866 pts/0 00:00:00 bash
SELINUX POLICY DESCRIBES AN INTERACTION BETWEEN PROCESSES AND SYSTEM RESOURCES
allow container_t container_file_t:file {getattr open read};
BY DEFAULT EVERYTHING IS DENIED AND YOU DEFINE POLICY RULES TO ALLOW CERTAIN REQUESTS.
Generic container SELinux policy
Protects the host system from container processes
Protects the host system from container processes Container processes can only read/execute /usr files
Protects the host system from container processes Container processes can only read/execute /usr files Container processes only write to container files.
Protects the host system from container processes Container processes can only read/execute /usr files Container processes only write to container files. process type - container_t file type -container_file_t
Every Container Runtime CVE container breakout was a file system breakout. CVE-2019-5736 Execution of malicious containers allows for container escape and access to host filesystem SELinux Blocked CVE-2015-3627 Insecure opening of file-descriptor 1 leading to privilege escalation SELinux Blocked CVE-2015-3630 Read/write proc paths allow host modification & information disclosure SELinux Blocked CVE-2015-3631 Volume mounts allow LSM profile escalation SELinux Blocked CVE-2016-9962 RunC Exec Vulnerability SELinux Blocked
SELinux has contained them ALL.
What about containers attacking each other?
Multi Category Security Based on MLS (Multi Level Security)
container_t:s0:c1,c2 container_file_t:s0:c1,c2 container_t:s0:c2,c3 container_file_t:s0 container_file_t:s0:c2,c3
container_t:s0:c1,c2 container_file_t:s0:c1,c2 container_t:s0:c2,c3 container_file_t:s0 container_file_t:s0:c2,c3
● container_t:s0:c1,c2 ○ container_file_t:s0:c1,c2 ○ container_file_t:s0 ● container_t:s0:c2,c3 ○ container_file_t:s0:c2,c3 ○ container_file_t:s0
● container_t:s0:c1,c2 ○ container_file_t:s0:c1,c2 ○ container_file_t:s0 ● container_t:s0:c2,c3 ○ container_file_t:s0:c2,c3 ○ container_file_t:s0 Relabeling in container engines: # podman run -d -v /var/lib/mydb:/var/lib/mariadb:Z rhel7-mariadb
● container_t:s0:c1,c2 ○ container_file_t:s0:c1,c2 ○ container_file_t:s0 ● container_t:s0:c2,c3 ○ container_file_t:s0:c2,c3 ○ container_file_t:s0 Relabeling in container engines: # podman run -d -v /var/lib/mydb:/var/lib/mariadb:Z rhel7-mariadb # podman run -ti -v /home/lvrabec/shared:/home/lvrabec/shared:z fedora /bin/sh # podman run -ti -v /home/lvrabec/shared:/home/lvrabec/shared:z fedora /bin/sh
Problems with SELinux Container Confinement
Default Container Type (container_t) too strict for certain use cases, e.g:
Default Container Type (container_t) too strict for certain use cases, e.g: ● Fedora SilverBlue project needs containers to read/write home directory
Default Container Type (container_t) too strict for certain use cases, e.g: ● Fedora SilverBlue project needs containers to read/write home directory ● Fluentd project needs containers to be able to read logs in /var/log directory
Default Container Type (container_t) too loose for certain use cases, e.g:
Default Container Type (container_t) too loose for certain use cases, e.g: ● No SELinux Network Controls ○ All container processes can bind to any network port
Default Container Type (container_t) too loose for certain use cases, e.g: ● No SELinux Network Controls ○ All container processes can bind to any network port ● No SELinux control on Linux Capabilities ○ All container processes can use all linux capabilities
Current Situation
# podman run -d -v /var/log:/var/log:Z fluentd ● BAD: Tells podman to set labels on /var/log directory to be container specific. ● Other confined tools will no longer be able to write their logs
# podman run -d -v /var/log:/var/log:Z fluentd ● BAD: Tells podman to set labels on /var/log directory to be container specific. ● Other confined tools will no longer be able to write their logs # podman run -ti -v /home:/home --security-opt label:disabled fedora sh ● Turn off SELinux container separation for these use cases
● Solutions ○ Write completely new SELinux policy for custom container ■ Best solution ■ Too difficult for system administrators ● SELinux expertise required
● Solutions ○ Write completely new SELinux policy for custom container ■ Best solution ■ Too difficult for system administrators ● SELinux expertise required ○ Add additional rules for container_t type ■ Not ideal still difficult for system administrators ■ Rules apply to all containers, not just specific container.
Solution: Udica Project
Udica ~ Fishing rod
Udica is a tool for generating SELinux security profiles for containers.
● Example container ○ Mounting /home as read/write ○ Mounting /var/spool as read only ○ Exposing port tcp/21
● Example container ○ Mounting /home as read/write ○ Mounting /var/spool as read only ○ Exposing port tcp/21 ● Generic SELinux domain for container ○ Cannot read/write /home ○ Cannot read /var/spool ○ Exposes all ports
Let’s generate SELinux policy for example container! Live Demo! https://github.com/containers/Demos/tree/master/security/SELinuxUdica
Using udica to solve these issues # podman run -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash # podman inspect -l | udica my_container # semodule -i my_container.cil /usr/share/udica/templates/{base_container.cil,net_container.cil,home_contain er.cil} # podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash
Using udica to solve these issues # ps -efZ | grep my_container.process unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 root 8837 5865 0 14:29 pts/0 00:00:00 podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash system_u:system_r:my_container.process:s0:c116,c171 root 8920 8909 0 14:29 pts/0 00:00:00 bash
Udica under the hood
● Concept based on "block inheritance" SELinux CIL language
● Concept based on "block inheritance" SELinux CIL language ● Udica creates policy combining rules from specified CIL blocks(templates) ○ Inspecting container JSON file ■ Mounts ■ Ports ■ Capabilities
● Concept based on "block inheritance" SELinux CIL language ● Udica creates policy combining rules from specified CIL blocks(templates) ○ Inspecting container JSON file ■ Mounts ■ Ports ■ Capabilities ○ Combines with default container template file ■ /usr/share/udica/templates/base_container.cil
base home net Allows read/exec /usr & read /etc Allows network access Allows access homedirs Required for every container + Allowing bind on ftp_port_t (21) + Add only read/write perms
base home net my_container
my_container ● No block for /var/spool ● Udica will detect all labels what could be inside /var/spool and create allow rules in my_container policy. spool my_container
Using the new type with container runtimes
# podman run --security-opt label=type:my_container.process -v /home:/home:rw -v /var/spool:/var/spool:ro -p 21:21 -it fedora bash # docker run --security-opt label=type:my_container.process -v /home:/home:rw -v /var/spool:/var/spool:ro -p 21:21 -it fedora bash # buildah bud --security-opt label=type:my_container.process -f Dockerfile .
apiVersion: v1 kind: Pod metadata: name: udica-demo spec: containers: - name: udica image: gcr.io/google-samples/node-hello:1.0 securityContext: seLinuxOptions: type: "my_container.process"
QUESTIONS? Demo https://github.com/demos/SELinuxEscape Udica https://github.com/containers/udica Podman https://podman.io Generic SELinux policy https://github.com/containers/container-selinux Udica PoC https://github.com/fedora-selinux/container-selinux-customizatio n
linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. Thank you 70

Recommended

Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
IngridRivera36
 
0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri
Adana Klima Servisi Bakım Montaj Taşıma Temizlik Tamir Arıza Teknik Servisleri
 
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a game
jackpot201
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
bmbouter
 
We shall play a game....
We shall play a game....We shall play a game....
We shall play a game....
Sadia Textile
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
Ching-Hsuan Yen
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift Origin
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
 

Recommended

Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
IngridRivera36
 
0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri
Adana Klima Servisi Bakım Montaj Taşıma Temizlik Tamir Arıza Teknik Servisleri
 
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a game
jackpot201
 
Understanding SELinux For the Win
Understanding SELinux For the WinUnderstanding SELinux For the Win
Understanding SELinux For the Win
bmbouter
 
We shall play a game....
We shall play a game....We shall play a game....
We shall play a game....
Sadia Textile
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
Ching-Hsuan Yen
 
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdanOpenShift & SELinux with Dan Walsh @rhatdan
OpenShift & SELinux with Dan Walsh @rhatdan
OpenShift Origin
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
Dobrica Pavlinušić
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
All Things Open
 
Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!
All Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
Akihiro Suda
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
Michael Man
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist
LibbySchulze
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
Bob Killen
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetes
William Stewart
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
dotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Docker, Inc.
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux
James Morris
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Docker orchestration voxxed days berlin 2016
Docker orchestration voxxed days berlin 2016Docker orchestration voxxed days berlin 2016
Docker orchestration voxxed days berlin 2016
Grzegorz Duda
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
Security Session
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
RightScale
 
LinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challengesLinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challenges
Xavier Vello
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 

More Related Content

Similar to Fosdem_Using_SELinux_with_container_runtimes.pdf

Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
Dobrica Pavlinušić
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
All Things Open
 
Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!
All Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
Akihiro Suda
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
Michael Man
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist
LibbySchulze
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
Bob Killen
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetes
William Stewart
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
dotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Docker, Inc.
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux
James Morris
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Docker orchestration voxxed days berlin 2016
Docker orchestration voxxed days berlin 2016Docker orchestration voxxed days berlin 2016
Docker orchestration voxxed days berlin 2016
Grzegorz Duda
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
Security Session
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
RightScale
 
LinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challengesLinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challenges
Xavier Vello
 

Similar to Fosdem_Using_SELinux_with_container_runtimes.pdf (20)

Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
 
Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!Intro to Kernel Debugging - Just make the crashing stop!
Intro to Kernel Debugging - Just make the crashing stop!
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Rootless Containers & Unresolved issues
Rootless Containers & Unresolved issuesRootless Containers & Unresolved issues
Rootless Containers & Unresolved issues
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
The Container Security Checklist
The Container Security Checklist The Container Security Checklist
The Container Security Checklist
 
Pluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and DockerPluggable Infrastructure with CI/CD and Docker
Pluggable Infrastructure with CI/CD and Docker
 
Kubernetes laravel and kubernetes
Kubernetes laravel and kubernetesKubernetes laravel and kubernetes
Kubernetes laravel and kubernetes
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinux
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Docker orchestration voxxed days berlin 2016
Docker orchestration voxxed days berlin 2016Docker orchestration voxxed days berlin 2016
Docker orchestration voxxed days berlin 2016
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
LinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challengesLinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challenges
 

Recently uploaded

Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 

Recently uploaded (20)

Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 

Fosdem_Using_SELinux_with_container_runtimes.pdf

  • 1. Because privileged containers are scary Using SELinux with container runtimes Lukas Vrabec Senior Software Engineer Security Technologies 1
  • 2. ● Lukas Vrabec ● SELinux Evangelist ● Member of Security Technologies team at Red Hat ● RHEL & Fedora Contributor (selinux-policy, xguest, udica, netlabel_tools) ● lukas.selinux@redhat.com ● https://lukas-vrabec.com ● https://github.com/wrabcak ● https://twitter.com/mynamewrabcak Who am I ?
  • 4. New cluster: ● SELinux enforcing by default
  • 5. New cluster: ● SELinux enforcing by default ● 189 pods
  • 6. New cluster: ● SELinux enforcing by default ● 189 pods ○ 618 containers
  • 7. New cluster: ● SELinux enforcing by default ● 189 pods ○ 618 containers ■ 134 privileged containers
  • 8. New cluster: ● SELinux enforcing by default ● 189 pods ○ 618 containers ■ 134 privileged containers
  • 10. What are privileged containers anyway? Why is SELinux important at all?
  • 12. TECHNOLOGYFOR PROCESS ISOLATION TO MITIGATE ATTACKS VIA PRIVILEGE ESCALATION
  • 15. ASSIGNED TO PROCESSES ASSIGNED TO SYSTEM RESOURCES
  • 16. ASSIGNED TO PROCESSES ASSIGNED TO SYSTEM RESOURCES BY SELINUX SECURITY POLICY
  • 18. STORED IN EXTENDED ATTRIBUTES OF FILE SYSTEMS - EXT2,EXT3, EXT4 ...
  • 19. # getfattr -n security.selinux /etc/passwd getfattr: Removing leading '/' from absolute path names file: etc/passwd security.selinux="system_u:object_r:passwd_file_t:s0" # ls -Z /etc/passwd system_u:object_r:passwd_file_t:s0 /etc/passwd
  • 20. $ ps -eZ | grep container_t system_u:system_r:container_t:s0:c435,c872 17864 pts/0 00:00:00 bash system_u:system_r:container_t:s0:c236,c541 17865 pts/0 00:00:00 bash system_u:system_r:container_t:s0:c123,c456 17866 pts/0 00:00:00 bash
  • 21. SELINUX POLICY DESCRIBES AN INTERACTION BETWEEN PROCESSES AND SYSTEM RESOURCES
  • 23. BY DEFAULT EVERYTHING IS DENIED AND YOU DEFINE POLICY RULES TO ALLOW CERTAIN REQUESTS.
  • 25. Protects the host system from container processes
  • 26. Protects the host system from container processes Container processes can only read/execute /usr files
  • 27. Protects the host system from container processes Container processes can only read/execute /usr files Container processes only write to container files.
  • 28. Protects the host system from container processes Container processes can only read/execute /usr files Container processes only write to container files. process type - container_t file type -container_file_t
  • 29. Every Container Runtime CVE container breakout was a file system breakout. CVE-2019-5736 Execution of malicious containers allows for container escape and access to host filesystem SELinux Blocked CVE-2015-3627 Insecure opening of file-descriptor 1 leading to privilege escalation SELinux Blocked CVE-2015-3630 Read/write proc paths allow host modification & information disclosure SELinux Blocked CVE-2015-3631 Volume mounts allow LSM profile escalation SELinux Blocked CVE-2016-9962 RunC Exec Vulnerability SELinux Blocked
  • 31. What about containers attacking each other?
  • 32. Multi Category Security Based on MLS (Multi Level Security)
  • 35. ● container_t:s0:c1,c2 ○ container_file_t:s0:c1,c2 ○ container_file_t:s0 ● container_t:s0:c2,c3 ○ container_file_t:s0:c2,c3 ○ container_file_t:s0
  • 36. ● container_t:s0:c1,c2 ○ container_file_t:s0:c1,c2 ○ container_file_t:s0 ● container_t:s0:c2,c3 ○ container_file_t:s0:c2,c3 ○ container_file_t:s0 Relabeling in container engines: # podman run -d -v /var/lib/mydb:/var/lib/mariadb:Z rhel7-mariadb
  • 37. ● container_t:s0:c1,c2 ○ container_file_t:s0:c1,c2 ○ container_file_t:s0 ● container_t:s0:c2,c3 ○ container_file_t:s0:c2,c3 ○ container_file_t:s0 Relabeling in container engines: # podman run -d -v /var/lib/mydb:/var/lib/mariadb:Z rhel7-mariadb # podman run -ti -v /home/lvrabec/shared:/home/lvrabec/shared:z fedora /bin/sh # podman run -ti -v /home/lvrabec/shared:/home/lvrabec/shared:z fedora /bin/sh
  • 38. Problems with SELinux Container Confinement
  • 39. Default Container Type (container_t) too strict for certain use cases, e.g:
  • 40. Default Container Type (container_t) too strict for certain use cases, e.g: ● Fedora SilverBlue project needs containers to read/write home directory
  • 41. Default Container Type (container_t) too strict for certain use cases, e.g: ● Fedora SilverBlue project needs containers to read/write home directory ● Fluentd project needs containers to be able to read logs in /var/log directory
  • 42. Default Container Type (container_t) too loose for certain use cases, e.g:
  • 43. Default Container Type (container_t) too loose for certain use cases, e.g: ● No SELinux Network Controls ○ All container processes can bind to any network port
  • 44. Default Container Type (container_t) too loose for certain use cases, e.g: ● No SELinux Network Controls ○ All container processes can bind to any network port ● No SELinux control on Linux Capabilities ○ All container processes can use all linux capabilities
  • 46. # podman run -d -v /var/log:/var/log:Z fluentd ● BAD: Tells podman to set labels on /var/log directory to be container specific. ● Other confined tools will no longer be able to write their logs
  • 47. # podman run -d -v /var/log:/var/log:Z fluentd ● BAD: Tells podman to set labels on /var/log directory to be container specific. ● Other confined tools will no longer be able to write their logs # podman run -ti -v /home:/home --security-opt label:disabled fedora sh ● Turn off SELinux container separation for these use cases
  • 48.
  • 49. ● Solutions ○ Write completely new SELinux policy for custom container ■ Best solution ■ Too difficult for system administrators ● SELinux expertise required
  • 50. ● Solutions ○ Write completely new SELinux policy for custom container ■ Best solution ■ Too difficult for system administrators ● SELinux expertise required ○ Add additional rules for container_t type ■ Not ideal still difficult for system administrators ■ Rules apply to all containers, not just specific container.
  • 53. Udica is a tool for generating SELinux security profiles for containers.
  • 54. ● Example container ○ Mounting /home as read/write ○ Mounting /var/spool as read only ○ Exposing port tcp/21
  • 55. ● Example container ○ Mounting /home as read/write ○ Mounting /var/spool as read only ○ Exposing port tcp/21 ● Generic SELinux domain for container ○ Cannot read/write /home ○ Cannot read /var/spool ○ Exposes all ports
  • 56. Let’s generate SELinux policy for example container! Live Demo! https://github.com/containers/Demos/tree/master/security/SELinuxUdica
  • 57. Using udica to solve these issues # podman run -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash # podman inspect -l | udica my_container # semodule -i my_container.cil /usr/share/udica/templates/{base_container.cil,net_container.cil,home_contain er.cil} # podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash
  • 58. Using udica to solve these issues # ps -efZ | grep my_container.process unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 root 8837 5865 0 14:29 pts/0 00:00:00 podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash system_u:system_r:my_container.process:s0:c116,c171 root 8920 8909 0 14:29 pts/0 00:00:00 bash
  • 60. ● Concept based on "block inheritance" SELinux CIL language
  • 61. ● Concept based on "block inheritance" SELinux CIL language ● Udica creates policy combining rules from specified CIL blocks(templates) ○ Inspecting container JSON file ■ Mounts ■ Ports ■ Capabilities
  • 62. ● Concept based on "block inheritance" SELinux CIL language ● Udica creates policy combining rules from specified CIL blocks(templates) ○ Inspecting container JSON file ■ Mounts ■ Ports ■ Capabilities ○ Combines with default container template file ■ /usr/share/udica/templates/base_container.cil
  • 63. base home net Allows read/exec /usr & read /etc Allows network access Allows access homedirs Required for every container + Allowing bind on ftp_port_t (21) + Add only read/write perms
  • 65. my_container ● No block for /var/spool ● Udica will detect all labels what could be inside /var/spool and create allow rules in my_container policy. spool my_container
  • 66. Using the new type with container runtimes
  • 67. # podman run --security-opt label=type:my_container.process -v /home:/home:rw -v /var/spool:/var/spool:ro -p 21:21 -it fedora bash # docker run --security-opt label=type:my_container.process -v /home:/home:rw -v /var/spool:/var/spool:ro -p 21:21 -it fedora bash # buildah bud --security-opt label=type:my_container.process -f Dockerfile .
  • 68. apiVersion: v1 kind: Pod metadata: name: udica-demo spec: containers: - name: udica image: gcr.io/google-samples/node-hello:1.0 securityContext: seLinuxOptions: type: "my_container.process"
  • 69. QUESTIONS? Demo https://github.com/demos/SELinuxEscape Udica https://github.com/containers/udica Podman https://podman.io Generic SELinux policy https://github.com/containers/container-selinux Udica PoC https://github.com/fedora-selinux/container-selinux-customizatio n
  • 70. linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. Thank you 70