Support xattr translation #2735
Conversation
|
Hi @stefanberger. Thanks for your PR. I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
|
Is there a strong need to have this |
|
We're giving a bit of conflicting review here, this came from So...I think we're all agreed that we want a higher level IMA bit, but supporting this allows easily iterating on it outside of the core for now. |
rust/src/treefile.rs
Outdated
| @@ -1106,6 +1109,9 @@ pub(crate) struct TreeComposeConfig { | |||
| #[serde(skip_serializing_if = "Option::is_none")] | |||
| #[serde(rename = "add-commit-metadata")] | |||
| add_commit_metadata: Option<BTreeMap<String, serde_json::Value>>, | |||
| #[serde(skip_serializing_if = "Option::is_none")] | |||
| #[serde(rename = "xattr-translation")] | |||
| xattr_translation: Option<BTreeMap<String, serde_json::Value>>, | |||
There was a problem hiding this comment.
| xattr_translation: Option<BTreeMap<String, serde_json::Value>>, | |
| xattr_translation: Option<BTreeMap<String, String>>, |
Since what we're mapping here is xattr names it seems reasonable to constrain them both to UTF-8 strings. (ostree core supports both as bytestrings, but there's really no sane reason to use non-UTF8 xattr names IMO)
There was a problem hiding this comment.
Yeah, agreed. Unlike add_commit_metadata just above which has to use Value because it can be any type.
|
One sidechannel discussion we just had is whether since rofiles-fuse now supports directly setting xattrs, and we extend the allowlist to include the ima attribute, if any translation support is necessary. I think even though rpm-ostree composes run privileged today, it will generally be a problem for "cross builds" if we try to directly set the privileged attribute on the build host. For example, today it works to run rpm-ostree in unprivileged podman - there we still can't set true So I think this "map user. attribute" helps us avoid any dependencies on the host which is a good thing. |
|
So now that we have xattr support in rofiles-fuse (thanks for that!), I think nothing stops us from directly setting the privileged xattr, right? rpm-ostree composes today require privileged root anyway. So then, all we need to do for now to unblock experimenting is diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
index fd56993e..6c4fe4c0 100644
--- a/src/libpriv/rpmostree-postprocess.cxx
+++ b/src/libpriv/rpmostree-postprocess.cxx
@@ -1262,6 +1262,7 @@ filter_xattrs_impl (OstreeRepo *repo,
/* If you have a use case for something else, file an issue */
static const char *accepted_xattrs[] =
{ "security.capability", /* https://lwn.net/Articles/211883/ */
+ "security.ima",
"user.pax.flags" /* https://github.com/projectatomic/rpm-ostree/issues/412 */
};
g_autoptr(GVariant) existing_xattrs = NULL;That avoids having to cement this API in the treefile, which feels like we should discuss a bit more after fleshing out the client-side story (I'm not sure if for your use case or for IoT whether package layering is supported, but at the rpm-ostree level we should figure out how we want to support that in an IMA-enabled system, which likely will affect the server-side of this). |
|
By analogy today, the way rpm-ostree handles SELinux is that we synthesize the label when committing the objects, we don't actually try to set the physical xattr on the files. For |
rust/src/treefile.rs
Outdated
| @@ -1106,6 +1109,9 @@ pub(crate) struct TreeComposeConfig { | |||
| #[serde(skip_serializing_if = "Option::is_none")] | |||
| #[serde(rename = "add-commit-metadata")] | |||
| add_commit_metadata: Option<BTreeMap<String, serde_json::Value>>, | |||
| #[serde(skip_serializing_if = "Option::is_none")] | |||
| #[serde(rename = "xattr-translation")] | |||
| xattr_translation: Option<BTreeMap<String, serde_json::Value>>, | |||
There was a problem hiding this comment.
Yeah, agreed. Unlike add_commit_metadata just above which has to use Value because it can be any type.
| continue; | ||
| } | ||
| } | ||
| if (tdata->xattr_translate != NULL) |
There was a problem hiding this comment.
Should this come before handling of accepted_xattrs? That way, you can translate towards something in the hardcoded list.
|
Thanks for getting back to me so quickly. So here are a couple of things :
|
I run makesudoinstall from rpm-ostree git into a toolbox container in which I also did the same from coreos-assembler git. But you can also use coreos-assembler as a toolbox/dev container. Basically, set things up so the same container has access to both rpm-ostree git and the config git/cosa builddir. A bit more here https://coreos.github.io/coreos-assembler/devel/ |
Mmmm....I don't have a really strong opinion on this. A compromise position might be automatically translating That said also, an entirely separate path is to support this outside of generating a commit; something like a high level tool That would maximize flexibility. And a further benefit is it would help for the CI versus delivery problem (CI won't have a key, or at least not the production key) etc. |
It depends on what is writing the extended attributes. evmctl can either write security.ima or user.ima.
I am not sure what it would take to build What should be the difference between the production build server and a CI server in terms of the config? Would they both use identical config files (tree file etc.) but only the key on the system would be different? Is there an existing example of how this has been done in the past? Can environment variables (containing base64 encoded key for example) be passed to the cosa build container and from there into a postprocess script? That could be a possibility to pass in a key with the same mechanism but the key could be different on CI and production build servers. |
|
OK, this is analogous in need to how we handle GPG signing of the commit object today. See this bit in the FCOS pipeline: That GPG signature in this case is just an additional Now, IMA is much more complex because we're signing lots of files. (There's also a further complication you touched on that in some cases we may want to reuse already extant signatures inside an RPM we downloaded (that will need work to do). But we can't rely solely on RPM signatures because not all of our content comes from RPM, and further at some point I'd like to support locally-generated signatures too. But we can ignore that for now) I guess the tradeoff here is: If we do signatures as a secondary step, it's much cleaner because we don't need to hack in our signing script and key into It's more efficient hence to generate the signatures as part of the single build process, but that requires having the key be present on the same container doing the build. I suspect the need for "signing services" are going to drive the architecture here towards us providing a distinct tool - or at least a clearly distinct phase. |
|
(for the gpg implementation specific to Fedora/FCOS, see https://github.com/coreos/coreos-assembler/blob/master/src/cmd-sign ) |
|
I think my short term proposal is: let's just hardcode translating Now, using the ostree API it's completely possible to walk an ostree commit and generate a new one derived from it in a completely unprivileged fashion even (the same way one can generate gpg signatures as non-root). I can try to carve off a bit of time later today to demo code to do that and inject an arbitrary xattr on arbitrary files, then we can look at plugging it into |
|
@stefanberger: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I can look into this but it will take a while even though it will only be a few lines. Most of the existing code will go.. |
stefanberger
force-pushed
the
stefanberger/xattr_translate_work
branch
from
e897ffa to
c586c61
Compare
Signed-off-by: Stefan Berger <[email protected]>
stefanberger
force-pushed
the
stefanberger/xattr_translate_work
branch
from
c586c61 to
7a4858e
Compare
|
Hardcoded translation now... |
|
@cgwalters Patrick also has this patch here for ostree level xattr translation: puiterwijk/ostree@f89bbaf . I don't think he has sent a PR for it. Is it needed? |
|
OK #2747 is some stub code that demonstrates rewriting an input ostree commit, injecting an arbitrary new xattr. We can now extend it to actually fork off |
|
@stefanberger I believe that commit is no longer necessary. |
Ok. Unfortunately I am not much of a Rust expert. The Rust code will need to calculate the sha256 hash over each file. It should probably then be calling this function here, if we ever wanted to pass passwords for keys: https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/src/libimaevm.c#l973 The function we have to end up in is this one. It will parse the key every time, though. (https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/src/libimaevm.c#l886) There are some funny things going on with a global variable |
This adds support for a treefile "xattr-translation" dictionary, and
will then translate extended attributes when they are committed into the
ostree commit.
This can be used for example to translate "user.ima" (which is a common
attribute used by for example ima-evm-utils) to "security.ima", which
would require root permissions to write to during compose. Add the
following to a treefile to achieve this:
Signed-off-by: Patrick Uiterwijk [email protected]
Signed-off-by: Stefan Berger [email protected]