containers / qm

QM is a containerized environment for running Functional Safety qm (Quality Management) software
https://github.com/containers/qm
GNU General Public License v2.0

seccomp: use SYSCALLS_TO_DENY array #419

Closed dougsland closed 4 months ago

dougsland commented 4 months ago

This global array can be loaded externally into tools to check whether programs that are not allowed, or that won't work in the QM partition, are being added into the QM image/yaml.

In this case: "sched_setscheduler" and "sched_setattr", for which QM engineers are following the Risk Assessment rules.

Projects like CentOS Automotive Stream Distribution could take advantage of this in the CI/CD pipeline.

Finally, added an example in the tool of how such an integration could be used in a CI/CD scenario.

dougsland commented 4 months ago

cc @alexlarsson @Yarboa

FYI, agent-flood CI/CD is broken as expected due to the Network=private change. We will address this soon. Related issue (agent-flood): #416

dougsland commented 4 months ago

CI/CD will fail due to: https://github.com/containers/qm/issues/416

dougsland commented 4 months ago

Rebuilt CentOS Automotive with this patch added in the QM repo, and here is the test documented:

The code is included in create-seccomp-rules; let's see the last lines added:

[root@localhost ~]# tail -n 30 /usr/share/qm/create-seccomp-rules

...
<SNIP>
for syscall in "${SYSCALLS_TO_DENY[@]}"; do
    # Remove syscall entry from the allow list
    remove_seccomp_entry_from_allow "${syscall}" "${QM_PATH_SECCOMP}"

    # Add syscall to the deny list
    add_syscall_deny_list "${syscall}" "${QM_PATH_SECCOMP}"
done

Now let's prove the new version is still working:

[root@localhost ~]# rm -f /usr/share/qm/seccomp.json # remove the seccomp.json from the installation
[root@localhost ~]# /usr/share/qm/create-seccomp-rules # generate a new one
[root@localhost ~]# tail -n 30 /usr/share/qm/seccomp.json # check the last lines for the deny entries (they are there)
<SNIP>
        {
            "names": [
                "sched_setscheduler"
            ],
            "action": "SCMP_ACT_ERRNO",
            "args": [],
            "errnoRet": 1,
            "errno": "EPERM"
        },
        {
            "names": [
                "sched_setattr"
            ],
            "action": "SCMP_ACT_ERRNO",
            "args": [],
            "errnoRet": 1,
            "errno": "EPERM"
        }
    ]
}

Now copy the test file sched_setattr to the virtual machine and compile it with gcc -o test test.c. Then copy it to /usr/lib/qm/rootfs/root to use it inside the QM partition.

Now let's go inside the QM partition to test it:

podman exec -it qm bash
# cd /root
# ./test
bash-5.1# ./test
Current Scheduling Policy: SCHED_OTHER
Current Priority: 0
sched_setattr failed: Operation not permitted

Everything worked as expected.
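The CI/CD use described in the PR (loading SYSCALLS_TO_DENY externally to gate an image) as an added Python example; this is not the project's create-seccomp-rules script, and the profile layout is assumed to be the OCI seccomp JSON shown in the tail output above (a constructed sample profile stands in for /usr/share/qm/seccomp.json).

```python
"""Check that a QM-style seccomp profile really denies SYSCALLS_TO_DENY.
Added example (not containers/qm code); profile format assumed to be the
OCI seccomp JSON whose tail is shown in the PR."""
import json

# Mirrors the array this PR adds (the two syscalls it names).
SYSCALLS_TO_DENY = ["sched_setscheduler", "sched_setattr"]


def deny_syscalls(profile: dict, to_deny=SYSCALLS_TO_DENY) -> dict:
    """Return a copy of the profile with each syscall removed from every
    SCMP_ACT_ALLOW rule and appended as an SCMP_ACT_ERRNO/EPERM rule, the
    same two steps the script's loop performs for each array entry."""
    out = json.loads(json.dumps(profile))  # deep copy, JSON-only data
    rules = out.setdefault("syscalls", [])
    for rule in rules:
        if rule.get("action") == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule.get("names", []) if n not in to_deny]
    out["syscalls"] = [r for r in rules if r.get("names")]  # drop emptied rules
    for name in to_deny:
        out["syscalls"].append({"names": [name], "action": "SCMP_ACT_ERRNO",
                                "args": [], "errnoRet": 1, "errno": "EPERM"})
    return out


def check_denied(profile: dict, to_deny=SYSCALLS_TO_DENY) -> list:
    """CI gate: list the syscalls that are NOT effectively denied, i.e. still
    named in an allow rule, or neither denied by a rule nor by defaultAction."""
    allowed, denied = set(), set()
    for rule in profile.get("syscalls", []):
        names = set(rule.get("names", []))
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed |= names
        elif rule.get("action") in ("SCMP_ACT_ERRNO", "SCMP_ACT_KILL"):
            denied |= names
    default_denies = profile.get("defaultAction") != "SCMP_ACT_ALLOW"
    return [s for s in to_deny
            if s in allowed or not (s in denied or default_denies)]


# Constructed sample profile: both syscalls still on the allow list.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "sched_setattr", "sched_setscheduler"],
         "action": "SCMP_ACT_ALLOW", "args": []},
    ],
}

if __name__ == "__main__":
    print("violations before:", check_denied(SAMPLE_PROFILE))
    print("violations after: ", check_denied(deny_syscalls(SAMPLE_PROFILE)))
```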