containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

New feature: Cross Container Communication #39

Closed wrabcak closed 5 years ago

wrabcak commented 5 years ago

This feature allows specifying container communication using stream sockets.

Communication is specified via the new parameter "--stream-connect". Feature example:

Create containerA:
# udica -j containerA.json containerA

Create containerB which could stream connect to containerA:
# udica -j containerB.json --stream-connect containerA containerB

Now containerB contains the following additional rules and can communicate with containerA via a stream socket:
allow containerB.process containerA.process:unix_stream_socket connectto;
allow containerB.process containerA.socket ( sock_file ( getattr write open append )))

This feature also adds a new object to the base container template for creating a socket file under every container namespace, e.g. my_container.socket, network_container.socket.
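The rules above are easier to reason about, and to verify, with a small script. The following is an added example, not udica's own generator or the PR's code: `stream_connect_rules` emits CIL modelled on the two rules quoted in the comment (the block layout and the helper names are assumptions), and `probe_unix_socket` is what you would run inside containerB to tell a policy denial (EACCES, visible as an AVC in the audit log) apart from a server that simply is not listening, which is the kind of server-client check needed to confirm all AVCs are covered.

```python
"""Added example: cross-container stream-socket rules and a client-side probe.

Not udica's own code. The CIL below is modelled on the two rules quoted in
the PR; the exact template wording udica uses is assumed, not copied.
"""
import os
import socket
import tempfile
import threading

# Permissions the PR lists for the server's socket file (server.socket).
SOCK_FILE_PERMS = ("getattr", "write", "open", "append")


def stream_connect_rules(client: str, server: str) -> str:
    """Return CIL allow rules letting `client` stream-connect to `server`.

    Rule 1: client.process may connectto server.process over a unix stream socket.
    Rule 2: client.process may getattr/write/open/append server.socket (the
            socket file the server creates).
    Both live in the client's block; block layout is an assumption.
    """
    perms = " ".join(SOCK_FILE_PERMS)
    return (
        f"(block {client}\n"
        f"    (allow process {server}.process ( unix_stream_socket ( connectto )))\n"
        f"    (allow process {server}.socket ( sock_file ( {perms} )))\n"
        ")\n"
    )


def probe_unix_socket(path: str, timeout: float = 1.0) -> str:
    """Connect to a unix stream socket and classify the outcome.

    "denied" means the kernel refused the connect (SELinux or DAC); pair it
    with `ausearch -m AVC` to see which of the two rules is missing.
    "unreachable" means no socket file or nobody listening, i.e. not a policy
    problem.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except PermissionError:
            return "denied"
        except (FileNotFoundError, ConnectionRefusedError):
            return "unreachable"
        s.sendall(b"ping")
        return "connected:" + s.recv(16).decode()


def run_demo_server(path: str) -> threading.Thread:
    """Constructed echo server standing in for the service in containerA."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(16))
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t


def demo() -> tuple:
    """Constructed run: probe a live server, then the same path once it is gone."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "containerA.sock")
    t = run_demo_server(path)
    live = probe_unix_socket(path)
    t.join(2)
    os.unlink(path)
    dead = probe_unix_socket(path)
    os.rmdir(d)
    return live, dead


if __name__ == "__main__":
    print(stream_connect_rules("containerB", "containerA"))
    print(demo())
```

Run outside any policy the probe only distinguishes "connected" from "unreachable"; the interesting case is running it inside containerB (started with `--security-opt label=type:containerB.process` after `semodule -i` of the udica-generated module) against a socket file that containerA created, where a missing connectto or sock_file permission surfaces as "denied".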

wrabcak commented 5 years ago

@rhatdan PTAL

rhatdan commented 5 years ago

I think you need to connect two domains together to see if you have covered all of the AVCs.

wrabcak commented 5 years ago

Tested with a simple server-client demo in two containers; the only issue is when the server creates the socket file on the system, but this should be handled by podman. The issue depends on https://github.com/opencontainers/selinux/pull/57 .

rhatdan commented 5 years ago

LGTM

wrabcak commented 5 years ago

Because opencontainers/selinux#57 was merged into master, merging this feature as well.