patch alt cgroups regex #1522
patch alt cgroups regex #1522
Conversation
vbotez
requested review from
amartinezfayo,
APTy,
azdagron,
evan2645 and
marcosy
as code owners
vbotez
force-pushed
the
issue-1518-patch-alt-cgroups-for-docker-agent-plugin
branch
2 times, most recently
from
703e462 to
7a31f3b
Compare
There was a problem hiding this comment.
Thank you for this @vbotez!
I think that it would be good to update dockerfinder_test.go to capture this case.
It should be easy to add a matcher for this and an expected match in the test cases.
| @@ -101,7 +108,7 @@ func (f *containerIDFinder) FindContainerID(cgroup string) (string, bool) { | |||
| if len(matches) == 0 { | |||
| return "", false | |||
| } | |||
| return matches[submatchIndex], true | |||
| return string(matches[submatchIndex]), true | |||
There was a problem hiding this comment.
I don't think that converting to string is needed.
There was a problem hiding this comment.
Indeed the conversion is not needed. I was working on code from 0.9.0 tag that has this conversion. I just noticed that this was removed in master branch (I guess also removed from 0.10.0 release). I will fix this - maybe a rebase on master branch should do the trick
pkg/agent/plugin/workloadattestor/docker/cgroup/dockerfinder.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
This solution is very specifically allowing an exception to the matcher pattern rules to allow a pattern specific for FHEL. When the matcher functionality was introduced, we wanted to be strict about what patterns we allowed to make this simple for the operator. However, perhaps it is time to make the pattern slightly more flexible.
For id matching we could allow an optional prefix or suffix to the <id> token. The code could search for <id> in the segment, and if found, replace it with regexp.QuoteMeta(prefix) + regexpContainerId + regexp.QuoteMeta(suffix). There are some corner cases, like when more than one <id> token is found in a segment (or across multiple segments), but assuming we handle those, i think this becomes slightly more flexible than the current pattern syntax but enough to cover RHEL and maybe others.
We could keep the whole segment match for * as is.
Thoughts?
|
Hi @vbotez! Just following up to see if you had time/interest in making the suggested changes or if we should pick up the work and get this over the finish line? Either way is fine, of course! |
|
Hello @azdagron! I do intend to make the suggested changes and pass this PR. It’s just that I’m a bit caught up in some other topics as well now and that’s why you did not see to much activity on this. |
|
Thanks @vbotez! I was going over my proposed solution again in my head and realized that it would complicate the "ambiguous pattern" configuration validation step we do. I haven't thought through all of the implications yet. I'm curious what others think about simplifying our approach to a heuristics based one that just looks for cgroups with "docker" in the name and have a single 64-hex character ID (docker container IDs are 256-bit). The pro is that we can get rid of this fragile pattern approach and immediately accommodate differing cgroup name variants without requiring operator intervention. The downside is the risk that we identify something as a container ID that isn't one. I'm not sure what an attack vector would look like for that though since it would imply injecting the malicious container ID into the cgroups of the valid container. We could also fail the heuristic if we obtain more than one unique ID across the set of cgroup names. So the algorithm I'm suggesting is:
Thoughts anybody? |
|
I’m just wondering if there is so much cgroup naming diversity out there to account for this. |
I like this 👍 |
I think that should work well to solve this. I've been unable to come up with a realistic attack injecting a malicious container ID into the cgroups of the valid container. |
|
Marknig this PR as 'draft' for now until I test the necessary changes proposed by @azdagron |
|
I pushed a commit to vbotez:issue-1518-patch-alt-cgroups-for-docker-agent-plugin but it isn't showing up on this PR for some reason... |
|
Tried toggling "draft" status to see if that would help but it didn't. |
Signed-off-by: Vlad <vlad.botez@orange.com>
Co-Authored-By: Agustín Martínez Fayó <amartinezfayo@users.noreply.github.com>
- Uses a simple regex to extract the container ID - Replaces the default finder with the above regex - Still supports the legacy and pattern-based finders Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
azdagron
force-pushed
the
issue-1518-patch-alt-cgroups-for-docker-agent-plugin
branch
from
91d9bae to
71eb755
Compare
Pull Request check list
Affected functionality
spire-agent worload attestor docker plugin does not match id from cgroups matching pattern
docker-<id>.scopeDescription of change
added two new constants:
altContainerIDTokenandregexpAltContainerIDplus a new case statement:This will work on matching patterns of type
/system.slice/docker-<id>.scope.As sugested in the issue comment - it will need the following configuration in spire-agent:
Which issue this PR fixes
Issue #1518
Tested on RHEL 7.7