Seccomp in Kubernetes: 7 things you should know from the start

Translator's note: we bring to your attention a translation of an article by a senior application security engineer at the British company ASOS.com. It opens a series of publications devoted to improving security in Kubernetes with seccomp. If readers like the introduction, we will follow the author and continue with his future publications on this topic.


This article is the first in a series of posts about how to build seccomp profiles in the spirit of SecDevOps, without resorting to magic and sorcery. In this first part, I will cover the basics and the internal details of using seccomp in Kubernetes.

The Kubernetes ecosystem offers many different ways to secure and isolate containers. This article is about Secure Computing Mode, also known as seccomp. Its essence is to filter the system calls that containers are allowed to use.

Why is this important? A container is just a process running on a particular machine, and it uses the kernel just like any other application. If containers could make any system call, malware would soon exploit this to bypass container isolation and affect other applications: intercept information, change system settings, and so on.

seccomp profiles define which system calls should be allowed or blocked. The container runtime activates them at startup so that the kernel can control their execution. Using such profiles lets you limit the attack surface and reduce the damage if any program inside the container (that is, your dependencies, or their dependencies) starts doing something it is not supposed to do.

Getting down to basics

A basic seccomp profile consists of three elements: defaultAction, architectures (or archMap) and syscalls:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "sched_yield",
                "futex",
                "write",
                "mmap",
                "exit_group",
                "madvise",
                "rt_sigprocmask",
                "getpid",
                "gettid",
                "tgkill",
                "rt_sigaction",
                "read",
                "getpgrp"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(medium-basic-seccomp.json)

defaultAction determines the default fate of any system call not listed in the syscalls section. To keep things simple, let's focus on the two main values that will be used:

  • SCMP_ACT_ERRNO - blocks execution of the system call,
  • SCMP_ACT_ALLOW - allows it.

The architectures section lists the target architectures. This matters because the filter itself, applied at the kernel level, works on system call identifiers, not on the names given in the profile. The container runtime maps the names to identifiers before applying the filter. The point is that system calls can have completely different IDs depending on the system architecture. For example, the recvfrom system call (used to receive data from a socket) has ID = 64 on x64 systems and ID = 517 on x86. A list of all system calls for the x86-x64 architectures can be found here.

The syscalls section lists the system calls and specifies what to do with them. For example, you can create a whitelist by setting defaultAction to SCMP_ACT_ERRNO and assigning SCMP_ACT_ALLOW to the calls in the syscalls section. That way you allow only the calls listed in the syscalls section and deny all others. For a blacklist, swap the values of defaultAction and the actions.

Now a few words about the less obvious nuances. Please note that the recommendations below assume that you are running a line of business applications in Kubernetes and want them to work with the fewest privileges possible.

1. AllowPrivilegeEscalation=false

The securityContext of a container has a parameter AllowPrivilegeEscalation. When it is set to false, containers start with the no_new_priv bit set (on). The meaning of this parameter is evident from its name: it prevents the container from launching new processes with more privileges than it has itself.

A side effect of this option being set to true (the default) is that the container runtime applies the seccomp profile at the very beginning of the start-up sequence. Therefore, all system calls needed to carry out the runtime's own procedures (e.g. setting user/group IDs, dropping certain capabilities) must be enabled in the profile.

For a container that does the trivial echo hi, the following permissions would be required:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "brk",
                "capget",
                "capset",
                "chdir",
                "close",
                "execve",
                "exit_group",
                "fstat",
                "fstatfs",
                "futex",
                "getdents64",
                "getppid",
                "lstat",
                "mprotect",
                "nanosleep",
                "newfstatat",
                "openat",
                "prctl",
                "read",
                "rt_sigaction",
                "statfs",
                "setgid",
                "setgroups",
                "setuid",
                "stat",
                "uname",
                "write"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(hi-pod-seccomp.json)

...instead of these:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "brk",
                "close",
                "execve",
                "exit_group",
                "futex",
                "mprotect",
                "nanosleep",
                "stat",
                "write"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(hi-container-seccomp.json)

But again, why is this a problem? Personally, I would avoid authorising the following system calls (unless there is a real need for them): capset, set_tid_address, setgid, setgroups and setuid. However, the real challenge is that by allowing processes over which you have no control at all, you tie the profiles to the implementation of the container runtime. In other words, one day you may find that after an update of the runtime environment (either by you or, more likely, by your cloud provider), containers suddenly stop working.

Tip #1: Run containers with AllowPrivilegeEscalation=false. This reduces the size of seccomp profiles and makes them less sensitive to changes in the container runtime environment.
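To make the difference between the two profiles above concrete, here is an added example (not code from the article or its author) that embeds both hi-pod-seccomp.json and hi-container-seccomp.json as Python dicts, computes which syscalls exist only because the runtime's own set-up runs under the profile, and reports which of the calls the author would rather not authorise are still present. The profiles are copied from the text; the list of privilege-setup calls is the one the author names.

```python
# Profiles from the text (hi-pod-seccomp.json and hi-container-seccomp.json), embedded
# so that the example runs offline.
HI_POD_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [{"names": [
        "arch_prctl", "brk", "capget", "capset", "chdir", "close", "execve",
        "exit_group", "fstat", "fstatfs", "futex", "getdents64", "getppid",
        "lstat", "mprotect", "nanosleep", "newfstatat", "openat", "prctl",
        "read", "rt_sigaction", "statfs", "setgid", "setgroups", "setuid",
        "stat", "uname", "write"], "action": "SCMP_ACT_ALLOW"}],
}

HI_CONTAINER_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [{"names": [
        "arch_prctl", "brk", "close", "execve", "exit_group", "futex",
        "mprotect", "nanosleep", "stat", "write"], "action": "SCMP_ACT_ALLOW"}],
}

# Calls the author says he would not authorise without a real need.
PRIVILEGE_SETUP_CALLS = {"capset", "set_tid_address", "setgid", "setgroups", "setuid"}


def allowed_syscalls(profile):
    """Set of syscall names a profile explicitly allows (SCMP_ACT_ALLOW rules only)."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return names


def runtime_only_syscalls(pod_profile, container_profile):
    """Calls the pod-level profile needs solely because the runtime's set-up runs under it."""
    return sorted(allowed_syscalls(pod_profile) - allowed_syscalls(container_profile))


def privilege_setup_calls(profile):
    """Which of the privilege-setup calls the profile still authorises."""
    return sorted(allowed_syscalls(profile) & PRIVILEGE_SETUP_CALLS)


if __name__ == "__main__":
    print("runtime-only:", runtime_only_syscalls(HI_POD_PROFILE, HI_CONTAINER_PROFILE))
    print("privilege-setup calls still allowed:", privilege_setup_calls(HI_POD_PROFILE))
```

With AllowPrivilegeEscalation=false the container-level profile is the one that has to be maintained; everything reported as runtime-only is coupling to the runtime implementation that the tip above tells you to avoid.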

2. Setting seccomp profiles at the container level

A seccomp profile can be set at the pod level:

annotations:
  seccomp.security.alpha.kubernetes.io/pod: "localhost/profile.json"

...or at the container level:

annotations:
  container.security.alpha.kubernetes.io/<container-name>: "localhost/profile.json"

Note that the syntax above will change once seccomp in Kubernetes goes GA (this is expected in the next Kubernetes release, 1.18 - translator's note).

Few people know that Kubernetes has always had a bug that causes seccomp profiles to be applied to the pause container. The runtime environment partly compensates for this shortcoming, but this container does not disappear from pods, since it is used to set up their infrastructure.

The problem is that this container always starts with AllowPrivilegeEscalation=true, which leads to the problems described in section 1, and this cannot be changed.

By using seccomp profiles at the container level, you avoid this pitfall and can create a profile tailored to a specific container. This will have to be done until the developers fix the bug and a new version (perhaps 1.18?) becomes available to everyone.

Tip #2: Set seccomp profiles at the container level.

In practical terms, this rule usually serves as the universal answer to the question: "Why does my seccomp profile work with docker run but not after deploying to a Kubernetes cluster?"
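The following added example (mine, not the author's) shows the mechanical part of Tip #2 for the alpha annotation syntax given above: it takes a pod manifest as a dict (what a YAML loader would produce), removes the pod-level seccomp.security.alpha.kubernetes.io/pod annotation and emits one container.security.alpha.kubernetes.io/<container-name> annotation per container, so that the pause container is no longer covered. The pod and its image names are constructed placeholders.

```python
import copy

POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_KEY_PREFIX = "container.security.alpha.kubernetes.io/"

# Constructed pod manifest, as a Python dict (what a YAML loader would hand you).
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "hi", "annotations": {POD_KEY: "localhost/profile.json"}},
    "spec": {"containers": [
        {"name": "app", "image": "example.invalid/app:1.0"},          # placeholder images
        {"name": "sidecar", "image": "example.invalid/sidecar:1.0"},
    ]},
}


def to_container_level(pod):
    """Copy of the pod in which the pod-level seccomp annotation is replaced by one
    container-level annotation per container, leaving the pause container alone."""
    pod = copy.deepcopy(pod)
    annotations = pod.setdefault("metadata", {}).setdefault("annotations", {})
    profile = annotations.pop(POD_KEY, None)
    if profile is None:
        return pod                                    # nothing to convert
    for container in pod.get("spec", {}).get("containers", []):
        # An existing per-container annotation is more specific; keep it as it is.
        annotations.setdefault(CONTAINER_KEY_PREFIX + container["name"], profile)
    return pod


def seccomp_annotations(pod):
    """Only the seccomp-related annotations, for review or assertions."""
    annotations = pod.get("metadata", {}).get("annotations", {})
    return {k: v for k, v in annotations.items()
            if k == POD_KEY or k.startswith(CONTAINER_KEY_PREFIX)}


if __name__ == "__main__":
    import json
    print(json.dumps(seccomp_annotations(to_container_level(SAMPLE_POD)), indent=2))
```

Because every container is named explicitly, each one can later be pointed at its own tailored profile instead of sharing a single pod-wide one.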

3. Use runtime/default only as a last resort

Kubernetes has two options for built-in profiles: runtime/default and docker/default. Both are implemented by the container runtime, not by Kubernetes. Therefore, they can differ depending on the runtime used and its version.

In other words, as a result of a runtime change, a container may gain access to a different set of system calls, which it may or may not use. Most runtimes use the Docker implementation. If you want to use this profile, make sure it suits you.

The docker/default profile has been deprecated since Kubernetes 1.11, so avoid using it.

In my opinion, the runtime/default profile perfectly serves the purpose it was created for: protecting users from the risks of running docker run on their machines. However, when it comes to enterprise applications running in Kubernetes clusters, I would venture to argue that such a profile is too open and that developers should focus on creating profiles for their applications (or types of applications).

Tip #3: Create seccomp profiles for specific applications. If this is not possible, create profiles for application types, for example, an advanced profile that covers all Golang web API applications. Use runtime/default only as a last resort.

In upcoming posts I will show how to build seccomp profiles inspired by SecDevOps, automate them, and test them in pipelines. In other words, you will have no excuse not to move to application-specific profiles.

4. Unconfined is NOT an option.

The first Kubernetes security audit revealed that seccomp is disabled by default. This means that if you do not set a PodSecurityPolicy that enables it cluster-wide, all pods for which no seccomp profile is defined will run with seccomp=unconfined.

Running in this mode means losing an entire layer of isolation that protects the cluster. Security experts do not recommend this approach.

Tip #4: No container in the cluster should run with seccomp=unconfined, especially in production environments.

5. "Audit mode"

This point is not specific to Kubernetes, but it still falls into the category of "things you need to know before you start".

As it happens, creating seccomp profiles has always been a challenge and has relied heavily on trial and error. The fact is that users simply have no way to test them in production environments without risking "bringing down" the application.

Since Linux kernel 4.14, it has been possible to run parts of a profile in audit mode, recording information about all system calls in syslog without blocking them. You enable this mode with the SCMP_ACT_LOG action:

SCMP_ACT_LOG: seccomp will not affect the thread making the system call if it does not match any rule in the filter, but information about the system call will be logged.

Here is a typical strategy for using this feature:

  1. Allow the system calls that are required.
  2. Block the calls that you know the application will not need.
  3. Log information about all other calls.

A simplified example looks like this:

{
    "defaultAction": "SCMP_ACT_LOG",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "sched_yield",
                "futex",
                "write",
                "mmap",
                "exit_group",
                "madvise",
                "rt_sigprocmask",
                "getpid",
                "gettid",
                "tgkill",
                "rt_sigaction",
                "read",
                "getpgrp"
            ],
            "action": "SCMP_ACT_ALLOW"
        },
        {
            "names": [
                "add_key",
                "keyctl",
                "ptrace"
            ],
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}

(medium-mixed-seccomp.json)

But remember that you need to block all the calls that you know will not be used and that could harm the cluster. A good basis for compiling that list is the official Docker documentation, which describes in detail which system calls are blocked in the default profile and why.

However, there is a catch. Although SCMP_ACT_LOG has been supported by the Linux kernel since the end of 2017, it entered the Kubernetes ecosystem only recently. Therefore, to use this approach you will need Linux kernel 4.14 and a runC version no lower than v1.0.0-rc9.

Tip #5: An audit-mode profile for testing in production can be created by combining a blacklist and a whitelist, with everything else being logged.
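As an added example (not from the article or its author), here is the audit-mode workflow end to end: build the mixed profile from an allow list and a deny list exactly as in medium-mixed-seccomp.json above, then parse the lines the kernel writes for seccomp events (audit record type 1326) and turn the calls that SCMP_ACT_LOG let through into names for the allow list. The log lines are constructed for this example in the shape the kernel uses (arch=, syscall=, code= fields); pids, timestamps and addresses are made up. The syscall-number table is a deliberately partial x86_64 table covering only the numbers in the sample; on a real host the authoritative source is the kernel's unistd_64.h. The code= values are the kernel's SECCOMP_RET_LOG (0x7ffc0000) and SECCOMP_RET_ERRNO (0x00050000, low bits carrying the errno).

```python
import copy
import re

# Partial x86_64 syscall table, only for the numbers that appear in the constructed log.
X86_64_SYSCALLS = {41: "socket", 42: "connect", 101: "ptrace", 248: "add_key",
                   250: "keyctl", 257: "openat"}
AUDIT_ARCH_X86_64 = "c000003e"      # value the kernel logs in the arch= field
SECCOMP_RET_LOG = 0x7ffc0000        # code= value for a call that SCMP_ACT_LOG let through

ALLOW = ["arch_prctl", "sched_yield", "futex", "write", "mmap", "exit_group", "madvise",
         "rt_sigprocmask", "getpid", "gettid", "tgkill", "rt_sigaction", "read", "getpgrp"]
DENY = ["add_key", "keyctl", "ptrace"]


def build_audit_profile(allow, deny,
                        archs=("SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32")):
    """Mixed profile: allow what is known-needed, deny what is known-dangerous, log the rest."""
    return {
        "defaultAction": "SCMP_ACT_LOG",
        "architectures": list(archs),
        "syscalls": [
            {"names": sorted(set(allow)), "action": "SCMP_ACT_ALLOW"},
            {"names": sorted(set(deny)), "action": "SCMP_ACT_ERRNO"},
        ],
    }


# Constructed audit lines (type=1326 is the seccomp record type). The first four are
# calls that were logged and allowed through; the last is a call denied with errno 1.
SAMPLE_LOG = """
audit: type=1326 audit(1580000000.100:201): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4120 comm="app" exe="/app" sig=0 arch=c000003e syscall=41 compat=0 ip=0x4a1b2c code=0x7ffc0000
audit: type=1326 audit(1580000000.101:202): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4120 comm="app" exe="/app" sig=0 arch=c000003e syscall=42 compat=0 ip=0x4a1b40 code=0x7ffc0000
audit: type=1326 audit(1580000000.102:203): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4120 comm="app" exe="/app" sig=0 arch=c000003e syscall=257 compat=0 ip=0x4a1b55 code=0x7ffc0000
audit: type=1326 audit(1580000000.103:204): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4120 comm="app" exe="/app" sig=0 arch=c000003e syscall=41 compat=0 ip=0x4a1b2c code=0x7ffc0000
audit: type=1326 audit(1580000000.200:205): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4120 comm="app" exe="/app" sig=0 arch=c000003e syscall=101 compat=0 ip=0x4a1c00 code=0x50001
"""

LINE_RE = re.compile(r'type=1326 .*?comm="(?P<comm>[^"]*)".*? arch=(?P<arch>[0-9a-f]+)'
                     r' syscall=(?P<nr>\d+) .*?code=0x(?P<code>[0-9a-f]+)')


def logged_syscalls(log_text, table=X86_64_SYSCALLS):
    """Syscall names that SCMP_ACT_LOG let through, grouped by process name (comm)."""
    seen = {}
    for m in LINE_RE.finditer(log_text):
        if m.group("arch") != AUDIT_ARCH_X86_64:
            continue                                   # only an x86_64 table is embedded
        if int(m.group("code"), 16) != SECCOMP_RET_LOG:
            continue                                   # denied/killed calls are not candidates
        nr = int(m.group("nr"))
        seen.setdefault(m.group("comm"), set()).add(table.get(nr, f"syscall_{nr}"))
    return {comm: sorted(names) for comm, names in seen.items()}


def extend_allow_list(profile, new_names):
    """Copy of the profile whose SCMP_ACT_ALLOW rule also covers new_names."""
    updated = copy.deepcopy(profile)
    for rule in updated["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW":
            rule["names"] = sorted(set(rule["names"]) | set(new_names))
            return updated
    updated["syscalls"].insert(0, {"names": sorted(set(new_names)), "action": "SCMP_ACT_ALLOW"})
    return updated


if __name__ == "__main__":
    import json
    profile = build_audit_profile(ALLOW, DENY)
    discovered = logged_syscalls(SAMPLE_LOG)
    print("seen in audit mode:", discovered)
    print(json.dumps(extend_allow_list(profile, discovered.get("app", [])), indent=2))
```

Anything reported by logged_syscalls is a candidate, not an automatic approval: review each call against the application before moving it from "logged" to "allowed", and once the list is stable switch defaultAction back to SCMP_ACT_ERRNO.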

6. Use whitelists

Whitelisting takes extra effort because you have to identify every call the application might need, but this approach greatly improves security:

A whitelisting approach is strongly recommended as it is simpler and more reliable. A blacklist has to be updated whenever a potentially dangerous system call (or a dangerous flag/option, if that is what is blacklisted) is added. Moreover, it is often possible to change the representation of a parameter without changing its meaning and thereby bypass the restrictions of a blacklist.

For Go applications, I have developed a dedicated tool that walks through the application and collects all the calls it makes during execution. For example, for the following application:

package main

import "fmt"

func main() {
	fmt.Println("test")
}

... let's run gosystract like this:

go install github.com/pjbgf/gosystract@latest
gosystract --template='{{- range . }}{{printf "\"%s\",\n" .Name}}{{- end}}' application-path

... and we get the following result:

"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp",
"arch_prctl",

For now, this is just an example; more details about the tooling will follow.

Tip #6: Allow only the calls you really need and block all the others.

7. Set the right foundations (or be prepared for unexpected behaviour)

The kernel will enforce the profile regardless of what you write in it, even if it is not what you intended. For example, if you block calls such as exit or exit_group, the container will not be able to terminate properly, and even a simple command like echo hi will hang indefinitely. As a result, you will see high CPU usage in the cluster:


In such situations the strace utility can help; it shows what the problem might be:

sudo strace -c -p 9331

Make sure the profiles contain every system call the application needs at runtime.

Tip #7: Pay attention to the details and make sure that all the required system calls are authorised.
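A cheap way to catch the mistake described above before a profile reaches a cluster is a static check of the profile file. The following added example (mine, not the author's) embeds medium-basic-seccomp.json from the page and lints it: it validates the action names against the OCI runtime-spec seccomp actions, requires an architectures (or archMap) section so names can be resolved to numbers, reports as an error any profile under which exit_group does not execute (the hang from Tip #7), warns when exit is blocked, and, tying in section 4, flags a profile that blocks nothing at all. The without_syscall helper is there to simulate the mistake on the page's own profile.

```python
import copy

# Actions from the OCI runtime-spec seccomp schema (the page uses the first three).
KNOWN_ACTIONS = {
    "SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_LOG", "SCMP_ACT_KILL",
    "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP", "SCMP_ACT_TRACE",
}
PERMISSIVE = {"SCMP_ACT_ALLOW", "SCMP_ACT_LOG"}   # under these the call still executes

# medium-basic-seccomp.json from the page, embedded so the example runs offline.
MEDIUM_BASIC = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [{"names": [
        "arch_prctl", "sched_yield", "futex", "write", "mmap", "exit_group", "madvise",
        "rt_sigprocmask", "getpid", "gettid", "tgkill", "rt_sigaction", "read", "getpgrp"],
        "action": "SCMP_ACT_ALLOW"}],
}


def effective_action(profile, name):
    """Action applied to a syscall: the first rule that names it, else the default."""
    for rule in profile.get("syscalls", []):
        if name in rule.get("names", []):
            return rule.get("action")
    return profile.get("defaultAction")


def lint_profile(profile):
    """Return (level, message) findings; an 'error' means the profile will misbehave."""
    findings = []
    default = profile.get("defaultAction")
    if default not in KNOWN_ACTIONS:
        findings.append(("error", f"defaultAction {default!r} is not a known seccomp action"))
    if not profile.get("architectures") and not profile.get("archMap"):
        findings.append(("error", "no architectures/archMap: names cannot be mapped to syscall numbers"))
    for i, rule in enumerate(profile.get("syscalls", [])):
        if rule.get("action") not in KNOWN_ACTIONS:
            findings.append(("error", f"rule {i}: unknown action {rule.get('action')!r}"))
        if not rule.get("names"):
            findings.append(("warning", f"rule {i}: empty names list has no effect"))
    # Process teardown: if exit_group cannot run, nothing terminates cleanly (the hang above).
    if effective_action(profile, "exit_group") not in PERMISSIVE:
        findings.append(("error", "exit_group is blocked: processes cannot terminate, expect hangs and CPU spin"))
    if effective_action(profile, "exit") not in PERMISSIVE:
        findings.append(("warning", "exit is blocked: individual threads cannot terminate"))
    # A profile that blocks nothing gives no isolation (cf. unconfined in section 4).
    any_deny = any(r.get("action") not in PERMISSIVE for r in profile.get("syscalls", []))
    if default in PERMISSIVE and not any_deny:
        findings.append(("error", "profile blocks nothing: isolation-wise the same as running unconfined"))
    return findings


def without_syscall(profile, name):
    """Copy of the profile with one name removed from every rule (to simulate a mistake)."""
    updated = copy.deepcopy(profile)
    for rule in updated.get("syscalls", []):
        rule["names"] = [n for n in rule.get("names", []) if n != name]
    return updated


def errors(findings):
    return [msg for level, msg in findings if level == "error"]


if __name__ == "__main__":
    for level, msg in lint_profile(without_syscall(MEDIUM_BASIC, "exit_group")):
        print(f"{level}: {msg}")
```

Run this in the pipeline step that packages profiles, next to a real execution test of the container: the lint catches structural mistakes, while strace -c on the running process (as shown above) remains the way to find calls the application needs that the profile simply does not mention.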

This concludes the first part of the series on using seccomp in Kubernetes in the spirit of SecDevOps. In the following parts we will talk about why this matters and how to automate the process.


Source: www.habr.com
