From 56a5a1d1527c284f267852220cd41ce82b5de12a Mon Sep 17 00:00:00 2001 From: Manjusaka Date: Wed, 28 Feb 2024 00:04:48 +0800 Subject: [PATCH] update docs Signed-off-by: Manjusaka --- config.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++-- schema/defs.json | 48 +++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 93 insertions(+), 3 deletions(-) diff --git a/config.md b/config.md index ec0543495..870168506 100644 --- a/config.md +++ b/config.md @@ -349,12 +349,38 @@ For Linux-based systems, the `process` object supports the following process-spe The `ruleset` currently contains the following types: * **`handledAccessFS`** (array of strings, OPTIONAL) is an array of FS typed actions that are handled by a ruleset. If no rule explicitly allow them, they should then be forbidden. + * **`handledAssessNetwork`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are handled by a ruleset. (The NETWORK typed actions are avaliable when the ABI version >= 4. the behavior of the NETWORK typed actions is not used when the ABI version is less than 4 will depend on the **`disableBestEffort`**) * **`rules`** (object, OPTIONAL) the `rules` field specifies the security policies (i.e., actions allowed on objects) to be added to an existing ruleset. The `rules` currently contains the following types: * **`pathBeneath`** (array of objects, OPTIONAL) is an array of the file-hierarchy typed rules. Entries in the array contain the following properties: - * **`allowedAccess`** (array of strings, OPTIONAL) is an array of FS typed actions that are allowed by a rule. + * **`allowedAccess`** (array of strings, OPTIONAL) is an array of FS typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description: + 1. ABI version >= 1: + 1. exectute + 2. write_file + 3. read_file + 4. read_dir + 5. remove_dir + 6. remove_file + 7. make_char + 8. make_dir + 9. make_reg + 10. make_sock + 11. make_fifo + 12. make_block + 13. make_sym + 2. ABI version >= 2: + 1. refer + 3. ABI version >= 3: + 1. truncate * **`paths`** (array of strings, OPTIONAL) is an array of files or parent directories of the file hierarchies to restrict. + * **`portBeneath`** (array of objects, OPTIONAL) is an array of the network-hierarchy typed rules. + Entries in the array contain the following properties: + * **`allowedAccess`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description: + 1. ABI version >= 4: + 1. bind + 2. connect + * **`ports`** (array of strings, OPTIONAL) is an array of network ports to restrict. * **`disableBestEffort`** (bool, OPTIONAL) the `disableBestEffort` field disables the best-effort security approach for Landlock access rights. This is for conditions when the Landlock access rights explicitly configured by the container are not supported or available in the running kernel. If the best-effort security approach is enabled (`false`), the runtime SHOULD enforce the strongest rules configured up to the current kernel support, and only be [logged as a warning](runtime.md#warnings) for those not supported. @@ -420,7 +446,13 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are "make_sock", "make_fifo", "make_block", - "make_sym" + "make_sym", + "refer", + "truncate" + ], + "handledAssessNetwork": [ + "bind", + "connect" ] }, "rules": { @@ -456,6 +488,18 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are "/tmp" ] } + ], + "portBeneath": [ + { + "allowedAccess": [ + "bind", + "connect" + ], + "ports": [ + 80, + 443 + ] + } ] }, "disableBestEffort": false diff --git a/schema/defs.json b/schema/defs.json index 259697be0..1f008c608 100644 --- a/schema/defs.json +++ b/schema/defs.json @@ -46,6 +46,11 @@ "minimum": 0, "maximum": 100 }, + "port": { + "type": "integer", + "minimum": 0, + "maximum": 65535 + }, "mapStringString": { "type": "object", "patternProperties": { @@ -75,6 +80,12 @@ "type": "string" } }, + "ArrayOfPorts":{ + "type": "array", + "items": { + "$ref": "#/definitions/port" + } + }, "FilePath": { "type": "string" }, @@ -181,7 +192,16 @@ "make_sock", "make_fifo", "make_block", - "make_sym" + "make_sym", + "refer", + "truncate" + ] + }, + "LandlockNetworkAction": { + "type": "string", + "enum": [ + "bind", + "connect" ] }, "ArrayOfLandlockFSActions": { @@ -190,11 +210,20 @@ "$ref": "#/definitions/LandlockFSAction" } }, + "ArrayOfLandlockNetworkActions": { + "type": "array", + "items": { + "$ref": "#/definitions/LandlockNetworkAction" + } + }, "LandlockRuleset": { "type": "object", "properties": { "handledAccessFS": { "$ref": "#/definitions/ArrayOfLandlockFSActions" + }, + "handledAssessNetwork": { + "$ref": "#/definitions/ArrayOfLandlockNetworkActions" } } }, @@ -209,12 +238,29 @@ } } }, + "LandlockRulePortBeneath": { + "type": "object", + "properties": { + "allowedAccess": { + "$ref": "#/definitions/ArrayOfLandlockNetworkActions" + }, + "paths": { + "$ref": "#/definitions/ArrayOfPorts" + } + } + }, "ArrayOfLandlockRulePathBeneaths": { "type": "array", "items": { "$ref": "#/definitions/LandlockRulePathBeneath" } }, + "ArrayOfLandlockRulePortBeneaths": { + "type": "array", + "items": { + "$ref": "#/definitions/LandlockRulePortBeneath" + } + }, "LandlockRules": { "type": "object", "properties": {