
Commit 56a5a1d

committed
update docs
Signed-off-by: Manjusaka <[email protected]>
1 parent c94edbc commit 56a5a1d


2 files changed

+93
-3
lines changed


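--- a/config.md
+++ b/config.md
@@ -349,12 +349,38 @@ For Linux-based systems, the `process` object supports the following process-spe
 The `ruleset` currently contains the following types:
 * **`handledAccessFS`** (array of strings, OPTIONAL) is an array of FS typed actions that are handled by a ruleset.
 If no rule explicitly allow them, they should then be forbidden.
+* **`handledAssessNetwork`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are handled by a ruleset. (The NETWORK typed actions are avaliable when the ABI version >= 4. the behavior of the NETWORK typed actions is not used when the ABI version is less than 4 will depend on the **`disableBestEffort`**)
 * **`rules`** (object, OPTIONAL) the `rules` field specifies the security policies (i.e., actions allowed on objects) to be added to an existing ruleset.
 The `rules` currently contains the following types:
 * **`pathBeneath`** (array of objects, OPTIONAL) is an array of the file-hierarchy typed rules.
 Entries in the array contain the following properties:
-* **`allowedAccess`** (array of strings, OPTIONAL) is an array of FS typed actions that are allowed by a rule.
+* **`allowedAccess`** (array of strings, OPTIONAL) is an array of FS typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description:
+1. ABI version >= 1:
+1. exectute
+2. write_file
+3. read_file
+4. read_dir
+5. remove_dir
+6. remove_file
+7. make_char
+8. make_dir
+9. make_reg
+10. make_sock
+11. make_fifo
+12. make_block
+13. make_sym
+2. ABI version >= 2:
+1. refer
+3. ABI version >= 3:
+1. truncate
 * **`paths`** (array of strings, OPTIONAL) is an array of files or parent directories of the file hierarchies to restrict.
+* **`portBeneath`** (array of objects, OPTIONAL) is an array of the network-hierarchy typed rules.
+Entries in the array contain the following properties:
+* **`allowedAccess`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description:
+1. ABI version >= 4:
+1. bind
+2. connect
+* **`ports`** (array of strings, OPTIONAL) is an array of network ports to restrict.
 * **`disableBestEffort`** (bool, OPTIONAL) the `disableBestEffort` field disables the best-effort security approach for Landlock access rights.
 This is for conditions when the Landlock access rights explicitly configured by the container are not supported or available in the running kernel.
 If the best-effort security approach is enabled (`false`), the runtime SHOULD enforce the strongest rules configured up to the current kernel support, and only be [logged as a warning](runtime.md#warnings) for those not supported.
@@ -420,7 +446,13 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
 "make_sock",
 "make_fifo",
 "make_block",
-"make_sym"
+"make_sym",
+"refer",
+"truncate"
+],
+"handledAssessNetwork": [
+"bind",
+"connect"
 ]
 },
 "rules": {
@@ -456,6 +488,18 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
 "/tmp"
 ]
 }
+],
+"portBeneath": [
+{
+"allowedAccess": [
+"bind",
+"connect"
+],
+"ports": [
+80,
+443
+]
+}
 ]
 },
 "disableBestEffort": false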

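--- a/schema/defs.json
+++ b/schema/defs.json
@@ -46,6 +46,11 @@
 "minimum": 0,
 "maximum": 100
 },
+"port": {
+"type": "integer",
+"minimum": 0,
+"maximum": 65535
+},
 "mapStringString": {
 "type": "object",
 "patternProperties": {
@@ -75,6 +80,12 @@
 "type": "string"
 }
 },
+"ArrayOfPorts":{
+"type": "array",
+"items": {
+"$ref": "#/definitions/port"
+}
+},
 "FilePath": {
 "type": "string"
 },
@@ -181,7 +192,16 @@
 "make_sock",
 "make_fifo",
 "make_block",
-"make_sym"
+"make_sym",
+"refer",
+"truncate"
+]
+},
+"LandlockNetworkAction": {
+"type": "string",
+"enum": [
+"bind",
+"connect"
 ]
 },
 "ArrayOfLandlockFSActions": {
@@ -190,11 +210,20 @@
 "$ref": "#/definitions/LandlockFSAction"
 }
 },
+"ArrayOfLandlockNetworkActions": {
+"type": "array",
+"items": {
+"$ref": "#/definitions/LandlockNetworkAction"
+}
+},
 "LandlockRuleset": {
 "type": "object",
 "properties": {
 "handledAccessFS": {
 "$ref": "#/definitions/ArrayOfLandlockFSActions"
+},
+"handledAssessNetwork": {
+"$ref": "#/definitions/ArrayOfLandlockNetworkActions"
 }
 }
 },
@@ -209,12 +238,29 @@
 }
 }
 },
+"LandlockRulePortBeneath": {
+"type": "object",
+"properties": {
+"allowedAccess": {
+"$ref": "#/definitions/ArrayOfLandlockNetworkActions"
+},
+"paths": {
+"$ref": "#/definitions/ArrayOfPorts"
+}
+}
+},
 "ArrayOfLandlockRulePathBeneaths": {
 "type": "array",
 "items": {
 "$ref": "#/definitions/LandlockRulePathBeneath"
 }
 },
+"ArrayOfLandlockRulePortBeneaths": {
+"type": "array",
+"items": {
+"$ref": "#/definitions/LandlockRulePortBeneath"
+}
+},
 "LandlockRules": {
 "type": "object",
 "properties": {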
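Review bot: The new `LandlockRulePortBeneath` definition names its port list `paths` (`"paths": { "$ref": "#/definitions/ArrayOfPorts" }`), while config.md in this same commit documents and exemplifies the field as `ports`, so a config written per the docs will have its port list pass through this schema unvalidated (or be rejected, if the enclosing definition closes additional properties — not visible here); the line should read `"ports": {`. The new `handledAssessNetwork` property also reads as a misspelling of the `handledAccessFS` naming pattern ("Assess" for "Access"), and as a schema key it becomes part of the public config interface once merged, so the intended spelling should be settled before anything relies on it. Separately, config.md describes `ports` as an array of strings whereas `port` here is an integer in 0-65535 and the example uses bare integers, so the prose and the schema should agree on one representation. The enclosing `definitions` object starts and ends outside these hunks.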
