Closed dougsland closed 4 months ago
cc @alexlarsson @Yarboa
FYI, agent-flood CI/CD is broken as expected due to the Network=private change. We will address this soon. Related issue (agent-flood): #416
CI/CD will fail due to: https://github.com/containers/qm/issues/416
Rebuilt CentOS Automotive with this patch added in the QM repo, and here is the test as documented:
The code is included in `create-seccomp-rules`; let's see the last lines added:
```
[root@localhost ~]# tail -n 30 /usr/share/qm/create-seccomp-rules
...
<SNIP>
for syscall in "${SYSCALLS_TO_DENY[@]}"; do
    # Remove syscall entry from the allow list
    remove_seccomp_entry_from_allow "${syscall}" "${QM_PATH_SECCOMP}"
    # Add syscall to the deny list
    add_syscall_deny_list "${syscall}" "${QM_PATH_SECCOMP}"
done
```
Now let's prove the new version is still working:
```
[root@localhost ~]# rm -f /usr/share/qm/seccomp.json # remove the seccomp.json from the installation
[root@localhost ~]# /usr/share/qm/create-seccomp-rules # generate a new one
[root@localhost ~]# tail -n 30 /usr/share/qm/seccomp.json # check whether the last lines include the deny entries (they do)
<SNIP>
        {
            "names": [
                "sched_setscheduler"
            ],
            "action": "SCMP_ACT_ERRNO",
            "args": [],
            "errnoRet": 1,
            "errno": "EPERM"
        },
        {
            "names": [
                "sched_setattr"
            ],
            "action": "SCMP_ACT_ERRNO",
            "args": [],
            "errnoRet": 1,
            "errno": "EPERM"
        }
    ]
}
```
Now copy the test file sched_setattr to the virtual machine and compile it with `gcc -o test test.c`. Later copy it to `/usr/lib/qm/rootfs/root` to use it inside the QM partition.
Now let's go inside the QM partition to test it:
```
podman exec -it qm bash
# cd /root
# ./test
bash-5.1# ./test
Current Scheduling Policy: SCHED_OTHER
Current Priority: 0
sched_setattr failed: Operation not permitted
```
Everything worked as expected.
This global array can be loaded externally into tools to check whether programs being added to the QM image/yaml use syscalls that are not allowed or will not work inside the QM partition.
In this case: "sched_setscheduler" and "sched_setattr", for which QM engineers are following the Risk Assessment rules.
Projects like CentOS Automotive Stream Distribution could take advantage of this in the CI/CD pipeline.
Finally, I added an example in the tool of how such an integration could be used in a CI/CD scenario.
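The test.c the comment refers to is not reproduced on this page. What follows is an added example written for this rewrite, not the PR author's test file and not code from the containers/qm project. It probes both syscalls that the new deny list covers, sched_setscheduler(2) and sched_setattr(2), and prints the same "Current Scheduling Policy" / "Current Priority" lines before reporting each result. The requests it makes are ones any unprivileged process is allowed to make for itself (SCHED_OTHER at the nice value it already has), so an EPERM can only come from the SCMP_ACT_ERRNO rule in seccomp.json, not from a genuine privilege check; outside the QM partition both probes succeed. The struct name `qm_sched_attr`, the function names and the output wording are this example's own choices; the struct layout mirrors the kernel's sched_attr and the call goes through syscall(2) because glibc long lacked a sched_setattr wrapper.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Layout of the kernel's struct sched_attr (linux/sched/types.h), declared
 * locally under a name of our own so it cannot collide with a libc
 * definition; the probe calls the raw syscall. */
struct qm_sched_attr {
    uint32_t size;
    uint32_t sched_policy;
    uint64_t sched_flags;
    int32_t  sched_nice;
    uint32_t sched_priority;
    uint64_t sched_runtime;
    uint64_t sched_deadline;
    uint64_t sched_period;
};

/* Human-readable name of a scheduling policy number. */
const char *policy_name(int policy)
{
    switch (policy) {
    case SCHED_OTHER: return "SCHED_OTHER";
    case SCHED_FIFO:  return "SCHED_FIFO";
    case SCHED_RR:    return "SCHED_RR";
    default:          return "other";
    }
}

/* Nice value of the calling process. getpriority() may legitimately return
 * -1, so errno has to be cleared first and checked afterwards. */
static int current_nice(void)
{
    errno = 0;
    int n = getpriority(PRIO_PROCESS, 0);
    return (n == -1 && errno != 0) ? 0 : n;
}

/* Ask for SCHED_OTHER, priority 0, on ourselves. Any process may do this,
 * so a failure is not a real privilege check. Returns 0 when the call is
 * allowed, otherwise the errno it produced (EPERM under the deny rule). */
int probe_sched_setscheduler(void)
{
    struct sched_param sp = { .sched_priority = 0 };
    if (sched_setscheduler(0, SCHED_OTHER, &sp) == -1)
        return errno;
    return 0;
}

/* Same idea for sched_setattr(2): SCHED_OTHER at our current nice value, so
 * the kernel has no reason to refuse it on its own. */
int probe_sched_setattr(void)
{
    struct qm_sched_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.size = sizeof attr;
    attr.sched_policy = SCHED_OTHER;
    attr.sched_nice = current_nice();
    if (syscall(SYS_sched_setattr, 0, &attr, 0) == -1)
        return errno;
    return 0;
}

/* Only EPERM counts as "denied by the profile"; any other errno means the
 * probe itself went wrong and a CI check should flag it as an error. */
int blocked_by_profile(int err) { return err == EPERM; }

int main(void)
{
    struct sched_param sp;
    if (sched_getparam(0, &sp) == -1)
        sp.sched_priority = -1;
    printf("Current Scheduling Policy: %s\n", policy_name(sched_getscheduler(0)));
    printf("Current Priority: %d\n", sp.sched_priority);

    const char *names[] = { "sched_setscheduler", "sched_setattr" };
    int results[] = { probe_sched_setscheduler(), probe_sched_setattr() };
    for (size_t i = 0; i < 2; i++) {
        if (results[i] == 0)
            printf("%s: allowed\n", names[i]);
        else
            printf("%s failed: %s%s\n", names[i], strerror(results[i]),
                   blocked_by_profile(results[i]) ? " (seccomp deny)" : "");
    }
    return 0;
}
```

Run it on the host first to confirm both probes report "allowed", then copy the binary into /usr/lib/qm/rootfs/root and run it under `podman exec -it qm bash` as in the transcript above; there both lines should end in "Operation not permitted (seccomp deny)". Because the filter returns the same EPERM a real permission failure would, choosing requests that never need privilege is what makes the result attributable to the profile.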