Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Defense in Depth - SELinux #226

Closed
Tracked by #221
apyrgio opened this issue Oct 17, 2022 · 4 comments
Closed
Tracked by #221

Defense in Depth - SELinux #226

apyrgio opened this issue Oct 17, 2022 · 4 comments
Labels
security

Comments

@apyrgio
Copy link
Contributor

apyrgio commented Oct 17, 2022

Parent issue: #221

If an attacker manages to escape the container, we want to restrict them as much as possible. One way to do so is by using SELinux, which is also mentioned in the CIS Docker advisories (official link, mirror).

There are several issues that make the adoption of an SELinux policy by Dangerzone a bit difficult though:

  1. Generating an SELinux policy is notoriously difficult.
  2. Enforcing an SELinux policy typically requires using Fedora/CentOS hosts, which is not the case for Docker Desktop on Windows/MacOS, which uses Alpine Linux (see https://gitlab.alpinelinux.org/alpine/aports/-/issues/8606)

Once we circumvent these issues, we should check if Dangerzone can take advantage of enforcing SELinux on the host.
@apyrgio apyrgio mentioned this issue Oct 17, 2022
Open
8 tasks
@deeplow
Copy link
Contributor

deeplow commented Feb 6, 2023

A user reported here having issues running dangerzone on a SELinux-enabled system.

@apyrgio
Copy link
Contributor Author

apyrgio commented Aug 16, 2023
edited
Loading

This is an interesting project that we can have in mind for generating SELinux labels: https://github.com/containers/udica

@apyrgio
Copy link
Contributor Author

apyrgio commented Aug 8, 2024

As part of fixing #880, we apply the container_engine_t label to the outer container. This action is basically a no-op for most hosts, except those that use SELinux in enforcing mode.

Ultimately, if a Linux host does not use SELinux, there's no way for Dangerzone to "enable" it. This is an administrative action, and one that may break the workflow of lots of users. As for Windows and macOS, the same issue applies, plus the fact that we have even less control on the Linux VM.

Given that with gVisor, the inner container does not have the capability to open files (due to gVisor's strict seccomp filter), we believe that we have a similar protection as SELinux, in the rare case of container escapes. If we also consider that Dangerzone can utilize SELinux in enforcing mode, then we think it's safe to close this issue.

@apyrgio apyrgio closed this as completed Aug 8, 2024
@EtiennePerot
Copy link
Contributor

EtiennePerot commented Aug 10, 2024
edited
Loading

Given that with gVisor, the inner container does not have the capability to open files (due to gVisor's strict seccomp filter)

To be pedantic, this is actually not true in the configuration that Dangerzone uses, which uses DirectFS, which allows the openat(2) system call in the seccomp filters. However, these are restricted to a handful of file descriptors that correspond to explicit host mountpoints in the OCI config, of which the only one in the Dangerzone configuration is the container image rootfs. There are also other restrictions, such as requiring O_NOFOLLOW, forbidding directory FDs from being passed through in this manner, etc. More details in the DirectFS blog post. It's a tradeoff for (a lot more) I/O speed vs (a little less) security, and can be turned off with --directfs=false. Given that Dangerzone is not performance-sensitive, perhaps this is the right thing to do. Sent #898 to do just that.

EtiennePerot added a commit to EtiennePerot/dangerzone that referenced this issue Aug 10, 2024
@EtiennePerot
Disable gVisor's DirectFS feature.
72e1704 
DirectFS is enabled by default in gVisor to improve I/O performance,
but comes at the cost of enabling the `openat(2)` syscall (with severe
restrictions, but still). As Dangerzone is not performance-sensitive,
and that it is desirable to guarantee for the document conversion
process to not open any files (to mimic some of what SELinux provides),
might as well disable it by default.

See freedomofpress#226.
@EtiennePerot EtiennePerot mentioned this issue Aug 10, 2024
Merged
apyrgio pushed a commit to EtiennePerot/dangerzone that referenced this issue Sep 10, 2024
@EtiennePerot @apyrgio
Disable gVisor's DirectFS feature.
73b0f8b 
DirectFS is enabled by default in gVisor to improve I/O performance,
but comes at the cost of enabling the `openat(2)` syscall (with severe
restrictions, but still). As Dangerzone is not performance-sensitive,
and that it is desirable to guarantee for the document conversion
process to not open any files (to mimic some of what SELinux provides),
might as well disable it by default.

See freedomofpress#226.
apyrgio pushed a commit that referenced this issue Sep 11, 2024
@EtiennePerot @apyrgio
Disable gVisor's DirectFS feature.
29d5ea5 
DirectFS is enabled by default in gVisor to improve I/O performance,
but comes at the cost of enabling the `openat(2)` syscall (with severe
restrictions, but still). As Dangerzone is not performance-sensitive,
and that it is desirable to guarantee for the document conversion
process to not open any files (to mimic some of what SELinux provides),
might as well disable it by default.

See #226.
@apyrgio apyrgio mentioned this issue Oct 30, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@EtiennePerot @apyrgio @deeplow