update docs
Signed-off-by: Manjusaka <[email protected]>
Zheaoli committed Feb 27, 2024
1 parent c94edbc commit 56a5a1d
Showing 2 changed files with 93 additions and 3 deletions.
48 changes: 46 additions & 2 deletions config.md
Expand Up @@ -349,12 +349,38 @@ For Linux-based systems, the `process` object supports the following process-spe
The `ruleset` currently contains the following types:
* **`handledAccessFS`** (array of strings, OPTIONAL) is an array of FS typed actions that are handled by a ruleset.
If no rule explicitly allow them, they should then be forbidden.
* **`handledAssessNetwork`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are handled by a ruleset. (The NETWORK typed actions are avaliable when the ABI version >= 4. the behavior of the NETWORK typed actions is not used when the ABI version is less than 4 will depend on the **`disableBestEffort`**)
* **`rules`** (object, OPTIONAL) the `rules` field specifies the security policies (i.e., actions allowed on objects) to be added to an existing ruleset.
The `rules` currently contains the following types:
* **`pathBeneath`** (array of objects, OPTIONAL) is an array of the file-hierarchy typed rules.
Entries in the array contain the following properties:
* **`allowedAccess`** (array of strings, OPTIONAL) is an array of FS typed actions that are allowed by a rule.
* **`allowedAccess`** (array of strings, OPTIONAL) is an array of FS typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description:
1. ABI version >= 1:
1. exectute
2. write_file
3. read_file
4. read_dir
5. remove_dir
6. remove_file
7. make_char
8. make_dir
9. make_reg
10. make_sock
11. make_fifo
12. make_block
13. make_sym
2. ABI version >= 2:
1. refer
3. ABI version >= 3:
1. truncate
* **`paths`** (array of strings, OPTIONAL) is an array of files or parent directories of the file hierarchies to restrict.
* **`portBeneath`** (array of objects, OPTIONAL) is an array of the network-hierarchy typed rules.
Entries in the array contain the following properties:
* **`allowedAccess`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description:
1. ABI version >= 4:
1. bind
2. connect
* **`ports`** (array of strings, OPTIONAL) is an array of network ports to restrict.
* **`disableBestEffort`** (bool, OPTIONAL) the `disableBestEffort` field disables the best-effort security approach for Landlock access rights.
This is for conditions when the Landlock access rights explicitly configured by the container are not supported or available in the running kernel.
If the best-effort security approach is enabled (`false`), the runtime SHOULD enforce the strongest rules configured up to the current kernel support, and only be [logged as a warning](runtime.md#warnings) for those not supported.
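Review bot: the new field is spelled `handledAssessNetwork` while its sibling is `handledAccessFS`; this reads as a typo for `handledAccessNetwork`, and since it is the JSON key runtimes will match on, it should be settled now, in both this document and the schema. Two more points in the same hunk: `exectute` in the "ABI version >= 1" list should be `execute`, and `ports` is described as "array of strings" although the example further down uses the integers 80 and 443 and the new `port` schema definition is an integer, so "(array of integers, OPTIONAL)" appears to be what is meant. The parenthetical on NETWORK actions is also hard to parse ("the behavior of the NETWORK typed actions is not used when the ABI version is less than 4 will depend on"); suggested wording: "NETWORK typed actions require Landlock ABI version >= 4; on kernels with a lower ABI version their handling depends on `disableBestEffort`." (`avaliable` should be `available`.)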
Expand Down Expand Up @@ -420,7 +446,13 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
"make_sock",
"make_fifo",
"make_block",
"make_sym"
"make_sym",
"refer",
"truncate"
],
"handledAssessNetwork": [
"bind",
"connect"
]
},
"rules": {
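Review bot: `handledAssessNetwork` in this example carries the same spelling as the field description; if the key is renamed to `handledAccessNetwork` for consistency with `handledAccessFS`, this example has to follow, otherwise the example will no longer match the schema.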
Expand Down Expand Up @@ -456,6 +488,18 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
"/tmp"
]
}
],
"portBeneath": [
{
"allowedAccess": [
"bind",
"connect"
],
"ports": [
80,
443
]
}
]
},
"disableBestEffort": false
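Review bot: the `ports` values here are integers (80, 443), which agrees with the new `port` schema definition but not with the config.md text that calls `ports` an array of strings; pick one representation and use it in both places. Note also that `LandlockRulePortBeneath` in the schema part of this commit names the property `paths`, not `ports`, so as written this example's `portBeneath` entry would have its `ports` member left unvalidated.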
48 changes: 47 additions & 1 deletion schema/defs.json
Expand Up @@ -46,6 +46,11 @@
"minimum": 0,
"maximum": 100
},
"port": {
"type": "integer",
"minimum": 0,
"maximum": 65535
},
"mapStringString": {
"type": "object",
"patternProperties": {
Expand Down Expand Up @@ -75,6 +80,12 @@
"type": "string"
}
},
"ArrayOfPorts":{
"type": "array",
"items": {
"$ref": "#/definitions/port"
}
},
"FilePath": {
"type": "string"
},
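Review bot: style nit: `"ArrayOfPorts":{` lacks the space before `{` that every neighbouring definition uses (`"FilePath": {`); format it consistently.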
Expand Down Expand Up @@ -181,7 +192,16 @@
"make_sock",
"make_fifo",
"make_block",
"make_sym"
"make_sym",
"refer",
"truncate"
]
},
"LandlockNetworkAction": {
"type": "string",
"enum": [
"bind",
"connect"
]
},
"ArrayOfLandlockFSActions": {
Expand All @@ -190,11 +210,20 @@
"$ref": "#/definitions/LandlockFSAction"
}
},
"ArrayOfLandlockNetworkActions": {
"type": "array",
"items": {
"$ref": "#/definitions/LandlockNetworkAction"
}
},
"LandlockRuleset": {
"type": "object",
"properties": {
"handledAccessFS": {
"$ref": "#/definitions/ArrayOfLandlockFSActions"
},
"handledAssessNetwork": {
"$ref": "#/definitions/ArrayOfLandlockNetworkActions"
}
}
},
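Review bot: `handledAssessNetwork` here should match the final key name; `handledAccessNetwork` is the spelling consistent with `handledAccessFS`. A misspelled key in a JSON schema property list does not reject documents, it just leaves the real property unchecked (unless `additionalProperties: false` is set), so the mismatch is easy to miss in testing.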
Expand All @@ -209,12 +238,29 @@
}
}
},
"LandlockRulePortBeneath": {
"type": "object",
"properties": {
"allowedAccess": {
"$ref": "#/definitions/ArrayOfLandlockNetworkActions"
},
"paths": {
"$ref": "#/definitions/ArrayOfPorts"
}
}
},
"ArrayOfLandlockRulePathBeneaths": {
"type": "array",
"items": {
"$ref": "#/definitions/LandlockRulePathBeneath"
}
},
"ArrayOfLandlockRulePortBeneaths": {
"type": "array",
"items": {
"$ref": "#/definitions/LandlockRulePortBeneath"
}
},
"LandlockRules": {
"type": "object",
"properties": {
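Review bot: `LandlockRulePortBeneath.properties` uses `paths` where config.md and the example use `ports` (looks copied from `LandlockRulePathBeneath`); rename it to `ports` so the `ArrayOfPorts` reference actually applies to the port list. The visible part of the hunk also adds `ArrayOfLandlockRulePortBeneaths` but does not show `LandlockRules.properties` gaining a `portBeneath` entry that references it; confirm that is in the elided part of the hunk, otherwise the new definition is unreferenced and `portBeneath` in the example is never validated.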

0 comments on commit 56a5a1d