Seccomp in Kubernetes: 7 things you should know from the start

Translator's note: we bring you a translation of an article written by a principal security engineer at the British company ASOS.com. With it he opens a series of publications devoted to hardening Kubernetes with seccomp. If readers like the introduction, we will follow the author and continue with his future material on this topic.


This article is the first in a series on how to create seccomp profiles in the spirit of SecDevOps, without resorting to magic and sorcery. In Part 1, I cover the basics and the internals of using seccomp in Kubernetes.

The Kubernetes ecosystem offers several ways to secure and isolate containers. This article is about Secure Computing Mode, better known as seccomp. Its purpose is to filter the system calls that containers are allowed to execute.

Why does this matter? A container is a process running on a particular machine, and it uses the kernel just like any other application. If containers could make any system call, malicious software would soon take advantage of that to escape container isolation and affect other applications: steal data, change system settings, and so on.

A seccomp profile defines which system calls are allowed and which are blocked. The container runtime activates it at startup so that the kernel monitors their execution. Using such profiles lets you narrow the attack surface and limit the damage if any program inside the container (that is, your dependencies, or your dependencies' dependencies) starts doing something it is not supposed to do.

Understanding the basics

A basic seccomp profile has three elements: defaultAction, architectures (or archMap) and syscalls:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "sched_yield",
                "futex",
                "write",
                "mmap",
                "exit_group",
                "madvise",
                "rt_sigprocmask",
                "getpid",
                "gettid",
                "tgkill",
                "rt_sigaction",
                "read",
                "getpgrp"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(medium-basic-seccomp.json)

defaultAction determines the default fate of any system call not listed in the syscalls section. For simplicity, let's focus on the two main values that will be used:

  • SCMP_ACT_ERRNO - blocks the system call,
  • SCMP_ACT_ALLOW - allows it.

The architectures section lists the target architectures. This is important because the filter itself, applied at the kernel level, works on system call identifiers, not on the names listed in the profile. The container runtime maps the names to identifiers before applying the filter. The point is that system calls can have different IDs depending on the architecture. For example, the recvfrom call (used to receive data from a socket) has ID = 64 on x64 systems and ID = 517 on x86. A list of all system calls for x86-x64 is available.

The syscalls section lists system calls and specifies what to do with them. For example, you can create a whitelist by setting defaultAction to SCMP_ACT_ERRNO and giving the calls in the syscalls section the action SCMP_ACT_ALLOW. That way only the calls listed in syscalls are allowed and everything else is blocked. For a blacklist, swap the values of defaultAction and the action accordingly.

Now a few words about nuances that are not obvious. Please note that the recommendations below assume that you are deploying line-of-business applications to Kubernetes and want them to run with the least possible privileges.

1. AllowPrivilegeEscalation=false

The container's securityContext has a parameter AllowPrivilegeEscalation. If it is set to false, the container starts with the no_new_priv bit set (on). The meaning of this parameter follows from its name: it prevents the container from spawning new processes with more privileges than it already has.

A side effect of this option being set to true (the default) is that the container runtime applies the seccomp profile at the very start of container startup. Therefore, all system calls that the runtime needs for its own internal work (such as setting user/group IDs or dropping certain capabilities) must be enabled in the profile.

For a container that does a trivial echo hi, the following permissions will be required:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "brk",
                "capget",
                "capset",
                "chdir",
                "close",
                "execve",
                "exit_group",
                "fstat",
                "fstatfs",
                "futex",
                "getdents64",
                "getppid",
                "lstat",
                "mprotect",
                "nanosleep",
                "newfstatat",
                "openat",
                "prctl",
                "read",
                "rt_sigaction",
                "statfs",
                "setgid",
                "setgroups",
                "setuid",
                "stat",
                "uname",
                "write"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(hi-pod-seccomp.json)

...instead of these:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "brk",
                "close",
                "execve",
                "exit_group",
                "futex",
                "mprotect",
                "nanosleep",
                "stat",
                "write"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(hi-container-seccomp.json)

But again, why is this a problem? Personally, I would avoid allowing the following system calls (unless there is a real need): capset, set_tid_address, setgid, setgroups and setuid. However, the real problem is that by allowing processes that you do not control, you tie the profile to the container runtime implementation. In other words, one day you may find that after an update of the container runtime (by you or, more likely, by the cloud provider) the containers suddenly stop working.

Tip #1: Run containers with AllowPrivilegeEscalation=false. This reduces the size of seccomp profiles and makes them less sensitive to changes in the container runtime.
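To make the whitelist/blacklist reading of defaultAction and the runtime dependency behind tip #1 concrete, here is an added Python example (not the article's code, not part of any project mentioned on this page). It embeds the two profiles above, resolves which action a given syscall gets, and diffs the pod-level profile against the container-level one to list exactly the calls the runtime's own setup consumed. Duplicate syscall names across several syscalls entries are not modelled; that is an assumption of this example.

```python
"""Inspect the profiles from point 1 and the basics section (added example,
not the article's own code). HI_POD and HI_CONTAINER are copies of
hi-pod-seccomp.json and hi-container-seccomp.json from the text."""
import json

ARCHES = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]

# hi-pod-seccomp.json: what is needed when the runtime applies the profile
# before its own setup work (AllowPrivilegeEscalation=true).
HI_POD = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ARCHES,
    "syscalls": [{"names": [
        "arch_prctl", "brk", "capget", "capset", "chdir", "close", "execve",
        "exit_group", "fstat", "fstatfs", "futex", "getdents64", "getppid",
        "lstat", "mprotect", "nanosleep", "newfstatat", "openat", "prctl",
        "read", "rt_sigaction", "statfs", "setgid", "setgroups", "setuid",
        "stat", "uname", "write"], "action": "SCMP_ACT_ALLOW"}],
}

# hi-container-seccomp.json: what `echo hi` itself needs.
HI_CONTAINER = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ARCHES,
    "syscalls": [{"names": [
        "arch_prctl", "brk", "close", "execve", "exit_group", "futex",
        "mprotect", "nanosleep", "stat", "write"], "action": "SCMP_ACT_ALLOW"}],
}


def effective_action(profile, syscall):
    """Action applied to `syscall`: the first syscalls entry naming it wins,
    anything unlisted falls through to defaultAction.
    (Assumption: a name listed in several entries is not modelled here.)"""
    for rule in profile.get("syscalls", []):
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def profile_mode(profile):
    """Whitelist (deny by default), blacklist (allow by default) or audit."""
    return {
        "SCMP_ACT_ERRNO": "whitelist",
        "SCMP_ACT_ALLOW": "blacklist",
        "SCMP_ACT_LOG": "audit",
    }.get(profile["defaultAction"], "other")


def allowed_syscalls(profile):
    """Set of syscall names the profile explicitly allows."""
    return {n for r in profile.get("syscalls", [])
            if r["action"] == "SCMP_ACT_ALLOW" for n in r["names"]}


def runtime_only_syscalls(pod_profile, container_profile):
    """Syscalls allowed for the pod but not needed by the container: the
    runtime's own setup (uid/gid switch, capability drop, ...). This is the
    part of the profile that is tied to the runtime version."""
    return sorted(allowed_syscalls(pod_profile) - allowed_syscalls(container_profile))


if __name__ == "__main__":
    print(profile_mode(HI_POD), effective_action(HI_CONTAINER, "ptrace"))
    print(json.dumps(runtime_only_syscalls(HI_POD, HI_CONTAINER), indent=2))
```

Running it lists the 18 calls (capget, capset, setgid, setgroups, setuid and the rest) that exist only because the profile was applied before the runtime finished its own setup; with AllowPrivilegeEscalation=false none of them have to be in the application's profile.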

2. Set seccomp profiles at the container level

A seccomp profile can be set at the pod level:

annotations:
  seccomp.security.alpha.kubernetes.io/pod: "localhost/profile.json"

...or at the container level:

annotations:
  container.security.alpha.kubernetes.io/<container-name>: "localhost/profile.json"

Please note that the syntax above will change once seccomp in Kubernetes becomes GA (this is expected in the next Kubernetes release, 1.18; translator's note).

Few people know that Kubernetes has had a bug that caused the seccomp profile to be applied to the pause container. Runtimes partially compensate for this shortcoming, but the container itself does not go away from pods, because it is used to set up their infrastructure.

The problem is that this container always starts with AllowPrivilegeEscalation=true, which leads to the problems described in point 1, and this cannot be changed.

By applying seccomp profiles at the container level you avoid this trap and can build a profile tailored to a specific container. This has to be done until the developers fix the bug and a new version (1.18, perhaps?) becomes generally available.

Tip #2: Set seccomp profiles at the container level.

In practice this rule usually serves as the universal answer to the question: "Why does my seccomp profile work with docker run but not after deploying to the Kubernetes cluster?"

3. Use runtime/default as a last resort

Kubernetes has two options for built-in profiles: runtime/default and docker/default. Both are implemented by the container runtime, not by Kubernetes. Therefore they can differ depending on the runtime in use and its version.

In other words, after a runtime change a container may gain access to a different set of system calls, which it may or may not use. Most runtimes use the Docker implementation. If you want to use this profile, please make sure it actually suits you.

The docker/default profile has been deprecated since Kubernetes 1.11, so avoid using it.

In my opinion, the runtime/default profile is well suited for the purpose it was created for: protecting users from the risks of running docker run on their own machines. However, when it comes to business applications running in Kubernetes clusters, I would venture to say that such a profile is too open, and developers should focus on creating profiles for their applications (or types of applications).

Tip #3: Create seccomp profiles for specific applications. If that is not possible, create profiles for types of applications, for example a broader profile that covers all web APIs of Golang applications. Use runtime/default only as a last resort.

In future publications I will describe how to create SecDevOps-inspired seccomp profiles, automate them, and test them in pipelines. In other words, you will have no excuse not to move to application-specific profiles.

4. Unconfined is NOT an option

The first Kubernetes security audit found that seccomp is disabled by default. This means that if you do not set a PodSecurityPolicy that enables it in the cluster, all pods without a seccomp profile defined will run with seccomp=unconfined.

Running in this mode means that a whole layer of isolation protecting the cluster is lost. Security experts do not recommend this approach.

Tip #4: No container in the cluster should run with seccomp=unconfined, especially in production environments.

5. "Audit mode"

This point is not specific to Kubernetes, but it still belongs to the category of "things you should know before you start".

Historically, creating seccomp profiles has always been difficult and relied heavily on trial and error. The fact is that users simply have no way to test them in production environments without risking "breaking" the application.

Since Linux kernel 4.14 it has been possible to run parts of a profile in audit mode, logging information about all matching system calls to syslog without blocking them. You can activate this mode with the SCMP_ACT_LOG action:

SCMP_ACT_LOG: seccomp will not affect the thread making the system call if it does not match any rule in the filter, but information about the system call will be logged.

Here is a typical way of using this feature:

  1. Allow the system calls that are needed.
  2. Block the system calls that you know will never be needed.
  3. Log information about all other system calls.

A simple example looks like this:

{
    "defaultAction": "SCMP_ACT_LOG",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "sched_yield",
                "futex",
                "write",
                "mmap",
                "exit_group",
                "madvise",
                "rt_sigprocmask",
                "getpid",
                "gettid",
                "tgkill",
                "rt_sigaction",
                "read",
                "getpgrp"
            ],
            "action": "SCMP_ACT_ALLOW"
        },
        {
            "names": [
                "add_key",
                "keyctl",
                "ptrace"
            ],
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}

(medium-mixed-seccomp.json)

But remember that you should block all calls that you know will not be used and that could harm the cluster. A good basis for compiling that list is the official Docker documentation. It explains in detail which system calls are blocked in the default profile and why.

There is one catch, however. Although SCMP_ACT_LOG has been supported by the Linux kernel since the end of 2017, it entered the Kubernetes ecosystem only recently. Therefore, to use this approach you will need Linux kernel 4.14 and a runC version of at least v1.0.0-rc9.
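As an added example (not the article's code), the audit-mode loop in Python: build the mixed profile from an allow list and a deny list, parse the AUDIT_SECCOMP (type=1326) records the kernel writes for calls that hit SCMP_ACT_LOG, and fold the observed calls into an enforcing whitelist. The audit lines, the process name hi and the partial x86_64 syscall number table are constructed for this example; the code field decoding uses the kernel's SECCOMP_RET_LOG and SECCOMP_RET_ERRNO values.

```python
"""Audit-mode workflow for point 5 (added example, not the article's code):
build a mixed profile with SCMP_ACT_LOG as the default, parse the audit
records the kernel emits for logged calls, then promote the observed calls
into a whitelist. The log lines below are constructed, not captured."""
import re

# Partial x86_64 syscall table: only the numbers used in SAMPLE_AUDIT (assumption).
X86_64_SYSCALLS = {0: "read", 1: "write", 41: "socket", 42: "connect",
                   101: "ptrace", 231: "exit_group"}
AUDIT_ARCH_X86_64 = "c000003e"

# Seccomp return values as they appear in the audit `code=` field (upper 16 bits).
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_RET_LOG = 0x7FFC0000
SECCOMP_RET_ERRNO = 0x00050000

# Constructed audit records (type=1326 is AUDIT_SECCOMP); one unrelated
# record is included to show that it is ignored.
SAMPLE_AUDIT = """\
type=1300 audit(1586000000.100:200): arch=c000003e syscall=59 success=yes exit=0
type=1326 audit(1586000000.101:201): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4242 comm="hi" exe="/usr/bin/hi" sig=0 arch=c000003e syscall=41 compat=0 ip=0x4a1b2c code=0x7ffc0000
type=1326 audit(1586000000.102:202): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4242 comm="hi" exe="/usr/bin/hi" sig=0 arch=c000003e syscall=42 compat=0 ip=0x4a1b40 code=0x7ffc0000
type=1326 audit(1586000000.103:203): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4242 comm="hi" exe="/usr/bin/hi" sig=0 arch=c000003e syscall=101 compat=0 ip=0x4a1b60 code=0x50001
type=1326 audit(1586000000.104:204): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4242 comm="hi" exe="/usr/bin/hi" sig=0 arch=c000003e syscall=41 compat=0 ip=0x4a1b2c code=0x7ffc0000
"""

SECCOMP_RE = re.compile(
    r'type=1326 .*?pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+).*?code=0x(?P<code>[0-9a-f]+)')


def audit_profile(allow, deny, arches=("SCMP_ARCH_X86_64",)):
    """Steps 1-3 from the text: allow known-needed calls, deny known-dangerous
    ones, and log everything else instead of blocking it."""
    return {
        "defaultAction": "SCMP_ACT_LOG",
        "architectures": list(arches),
        "syscalls": [
            {"names": sorted(allow), "action": "SCMP_ACT_ALLOW"},
            {"names": sorted(deny), "action": "SCMP_ACT_ERRNO"},
        ],
    }


def parse_seccomp_records(text):
    """Yield (comm, syscall name, action) for every AUDIT_SECCOMP record."""
    for line in text.splitlines():
        m = SECCOMP_RE.search(line)
        if not m:
            continue
        nr = int(m.group("nr"))
        if m.group("arch") == AUDIT_ARCH_X86_64:
            name = X86_64_SYSCALLS.get(nr, f"nr{nr}")
        else:
            name = f"nr{nr}"  # other architectures are not mapped here
        action = int(m.group("code"), 16) & SECCOMP_RET_ACTION_FULL
        yield m.group("comm"), name, action


def logged_syscalls(text):
    """Calls that hit the SCMP_ACT_LOG default: candidates for the whitelist."""
    return {n for _, n, a in parse_seccomp_records(text) if a == SECCOMP_RET_LOG}


def blocked_syscalls(text):
    """Calls that hit an SCMP_ACT_ERRNO rule: the blacklist did its job."""
    return {n for _, n, a in parse_seccomp_records(text) if a == SECCOMP_RET_ERRNO}


def promote_to_whitelist(profile, observed):
    """After the audit run, fold the observed calls into the allow entry and
    switch the default to ERRNO: from audit mode to an enforcing whitelist."""
    allow = next(r for r in profile["syscalls"] if r["action"] == "SCMP_ACT_ALLOW")
    merged = dict(profile)
    merged["defaultAction"] = "SCMP_ACT_ERRNO"
    merged["syscalls"] = [
        {"names": sorted(set(allow["names"]) | set(observed)), "action": "SCMP_ACT_ALLOW"}
    ] + [r for r in profile["syscalls"] if r["action"] != "SCMP_ACT_ALLOW"]
    return merged


if __name__ == "__main__":
    prof = audit_profile({"read", "write", "exit_group"}, {"add_key", "keyctl", "ptrace"})
    seen = logged_syscalls(SAMPLE_AUDIT)
    print("logged:", sorted(seen), "blocked:", sorted(blocked_syscalls(SAMPLE_AUDIT)))
    print(promote_to_whitelist(prof, seen)["syscalls"][0]["names"])
```

The promoted profile keeps the ERRNO entry in place, so a call that was deliberately blacklisted during the audit run (ptrace in the sample) stays blocked even if it appears in the logs; only calls that hit the LOG default are promoted, and each of them should still be reviewed before the profile goes back to production.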

Tip #5: An audit profile for testing in production can be built by combining blacklists and whitelists, with every exception being logged.

6. Use whitelists

Whitelisting requires extra effort, because you have to identify every call the application may need, but this approach greatly improves security:

It is strongly recommended to use a whitelist approach, since it is simpler and more robust. A blacklist has to be updated every time a potentially dangerous call (or a dangerous flag/option, if that is what is blacklisted) is added. In addition, it is often possible to change the representation of a parameter without changing its meaning and thereby bypass the restrictions of a blacklist.

For Go applications, I created a dedicated tool that inspects the application and collects all the system calls it makes. For example, for the following application:

package main

import "fmt"

func main() {
	fmt.Println("test")
}

...let's run gosystract like this:

go get github.com/pjbgf/gosystract
gosystract --template='{{- range . }}{{printf "\"%s\",\n" .Name}}{{- end}}' application-path

...and we get the following result:

"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp",
"arch_prctl",

For now this is just an example; more details about the tool will follow.

Tip #6: Allow only the calls you need and block all the others.

7. Lay the right foundation (or prepare for unexpected behaviour)

The kernel will enforce the profile no matter what you write in it. Even if that is not what you intended. For example, if you block calls such as exit or exit_group, the container will not be able to terminate properly, and even a simple command like echo hi will hang indefinitely. As a result, you will see high CPU usage in the cluster.

In such cases strace can help; it will show where the problem may be:
sudo strace -c -p 9331

Make sure the profile contains all the system calls the application needs at runtime.
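Tying tips #6 and #7 together, an added Python example (not the article's code and not part of gosystract): it turns the gosystract output above into a whitelist profile and lints it for the exit calls whose absence makes echo hi hang. The lint rules and the drop_syscall helper used to reproduce the failure are assumptions made for this example.

```python
"""Whitelist from gosystract output plus the point-7 sanity check (added
example, not the article's or gosystract's code). GOSYSTRACT_OUTPUT is a
copy of the list printed in the text; the lint rules are assumptions about
what a profile must contain for the process to be able to exit."""
import json

ARCHES = ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"]

# Lines exactly as the --template in the text prints them (copied from the article).
GOSYSTRACT_OUTPUT = """\
"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp",
"arch_prctl",
"""

# Without one of these the process cannot terminate and `echo hi` hangs (point 7).
EXIT_CALLS = ("exit_group", "exit")


def parse_gosystract(text):
    """Strip the quotes and commas the template emitted; keep order, drop repeats."""
    names = []
    for line in text.splitlines():
        name = line.strip().strip(",").strip('"')
        if name and name not in names:
            names.append(name)
    return names


def build_whitelist_profile(names, architectures=ARCHES):
    """Deny-by-default profile allowing exactly `names` (sorted for stable diffs)."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(architectures),
        "syscalls": [{"names": sorted(set(names)), "action": "SCMP_ACT_ALLOW"}],
    }


def allowed_syscalls(profile):
    """Set of syscall names the profile explicitly allows."""
    return {n for r in profile["syscalls"]
            if r["action"] == "SCMP_ACT_ALLOW" for n in r["names"]}


def can_exit(profile):
    """True if the profile lets the process terminate at all."""
    return any(c in allowed_syscalls(profile) for c in EXIT_CALLS)


def lint(profile):
    """Human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    if profile.get("defaultAction") != "SCMP_ACT_ERRNO":
        findings.append("defaultAction is not SCMP_ACT_ERRNO: this is not a whitelist")
    if not profile.get("architectures"):
        findings.append("no architectures listed: names cannot be mapped to syscall numbers")
    if not can_exit(profile):
        findings.append("neither exit_group nor exit is allowed: the container will hang on exit")
    return findings


def drop_syscall(profile, name):
    """Deep copy of `profile` with `name` removed from every allow entry
    (used here only to reproduce the hang described in point 7)."""
    out = json.loads(json.dumps(profile))
    for rule in out["syscalls"]:
        rule["names"] = [n for n in rule["names"] if n != name]
    return out


if __name__ == "__main__":
    prof = build_whitelist_profile(parse_gosystract(GOSYSTRACT_OUTPUT))
    print(json.dumps(prof, indent=4))
    print(lint(prof))
    print(lint(drop_syscall(prof, "exit_group")))
```

The generated profile is the medium-basic-seccomp.json shown in the basics section with the names sorted; the second lint call shows the single finding you get once exit_group is dropped, which is the situation strace -c exposes as a process spinning instead of exiting.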

Tip #7: Pay close attention to detail and make sure every required system call is listed.

This concludes the first part of the notes on using seccomp in Kubernetes in the spirit of SecDevOps. In the following parts we will discuss why this matters and how to automate the process.


Source: www.habr.com
