Make SCC with less capabilities more restrictive.

adelton · adelton · commit 07bf57216511 · 2017-07-11T09:09:01.000+02:00
diff --git a/pkg/security/scc/byrestrictions.go b/pkg/security/scc/byrestrictions.go
@@ -1,6 +1,7 @@
 package scc
 
 import (
+	kapi "k8s.io/kubernetes/pkg/api"
 	securityapi "github.com/openshift/origin/pkg/security/apis/security"
 )
 
@@ -30,6 +31,15 @@ const runAsNonRootWeight int = 30000
 const runAsRangeWeight int = 20000
 const runAsUserWeight int = 10000
 
+const runCapsDefaultWeight int = 5000
+const runCapsAddOneWeight int = 300
+const runCapsAllowAllWeight int = 4000
+const runCapsAllowOneWeight int = 10
+const runCapsDropAllWeight int = -3000
+const runCapsDropOneWeight int = -50
+const runCapsMaxWeight int = 10000
+const runCapsMinWeight int = 0
+
 // pointValue places a value on the SCC based on the settings of the SCC that can be used
 // to determine how restrictive it is.  The lower the number, the more restrictive it is.
 func pointValue(constraint *securityapi.SecurityContextConstraints) int {
@@ -42,6 +52,9 @@ func pointValue(constraint *securityapi.SecurityContextConstraints) int {
 	// add points based on volume requests
 	points += volumePointValue(constraint)
 
+	// add points based on capabilities
+	points += capabilitiesPointValue(constraint)
+
 	// strategies in order of least restrictive to most restrictive
 	switch constraint.SELinuxContext.Type {
 	case securityapi.SELinuxStrategyRunAsAny:
@@ -96,3 +109,39 @@ func volumePointValue(scc *securityapi.SecurityContextConstraints) int {
 	}
 	return 0
 }
+
+// hasCap checks for needle in haystack.
+func hasCap(needle kapi.Capability, haystack []kapi.Capability) bool {
+	for _, c := range haystack {
+		if needle == c {
+			return true
+		}
+	}
+	return false
+}
+
+// capabilitiesPointValue returns a score based on the capabilities allowed,
+// added, or removed by the SCC. This allow us to prefer the more restrictive
+// SCC.
+func capabilitiesPointValue(scc *securityapi.SecurityContextConstraints) int {
+	points := runCapsDefaultWeight
+	points += runCapsAddOneWeight * len(scc.DefaultAddCapabilities)
+	if hasCap(kapi.CapabilityAll, scc.AllowedCapabilities) {
+		points += runCapsAllowAllWeight
+	} else if hasCap("ALL", scc.AllowedCapabilities) {
+		points += runCapsAllowAllWeight
+	} else {
+		points += runCapsAllowOneWeight * len(scc.AllowedCapabilities)
+	}
+	if hasCap("ALL", scc.RequiredDropCapabilities) {
+		points += runCapsDropAllWeight
+	} else {
+		points += runCapsDropOneWeight * len(scc.RequiredDropCapabilities)
+	}
+	if (points > runCapsMaxWeight) {
+		return runCapsMaxWeight
+	} else if (points < runCapsMinWeight) {
+		return runCapsMinWeight
+	}
+	return points
+}
diff --git a/pkg/security/scc/byrestrictions_test.go b/pkg/security/scc/byrestrictions_test.go
@@ -3,6 +3,7 @@ package scc
 import (
 	"testing"
 
+	kapi "k8s.io/kubernetes/pkg/api"
 	securityapi "github.com/openshift/origin/pkg/security/apis/security"
 )
 
@@ -33,15 +34,15 @@ func TestPointValue(t *testing.T) {
 	// run through all combos of user strategy + seLinux strategy + priv
 	for userStrategy, userStrategyPoints := range userStrategies {
 		for seLinuxStrategy, seLinuxStrategyPoints := range seLinuxStrategies {
-			expectedPoints := privilegedWeight + userStrategyPoints + seLinuxStrategyPoints
+			expectedPoints := privilegedWeight + userStrategyPoints + seLinuxStrategyPoints + runCapsDefaultWeight
 			scc := newSCC(true, seLinuxStrategy, userStrategy)
 			actualPoints := pointValue(scc)
 
 			if actualPoints != expectedPoints {
 				t.Errorf("privileged, user: %v, seLinux %v expected %d score but got %d", userStrategy, seLinuxStrategy, expectedPoints, actualPoints)
 			}
 
-			expectedPoints = userStrategyPoints + seLinuxStrategyPoints
+			expectedPoints = userStrategyPoints + seLinuxStrategyPoints + runCapsDefaultWeight
 			scc = newSCC(false, seLinuxStrategy, userStrategy)
 			actualPoints = pointValue(scc)
 
@@ -51,14 +52,15 @@ func TestPointValue(t *testing.T) {
 		}
 	}
 
-	// sanity check to ensure volume score is added (specific volumes scores are tested below
+	// sanity check to ensure volume and capabilities scores are added (specific volumes
+	// and capabilities scores are tested below)
 	scc := newSCC(false, securityapi.SELinuxStrategyMustRunAs, securityapi.RunAsUserStrategyMustRunAs)
 	scc.Volumes = []securityapi.FSType{securityapi.FSTypeHostPath}
 	actualPoints := pointValue(scc)
-	// SELinux + User + host path volume
-	expectedPoints := runAsUserWeight + runAsUserWeight + hostVolumeWeight
+	// SELinux + User + host path volume + default capabilities
+	expectedPoints := runAsUserWeight + runAsUserWeight + hostVolumeWeight + runCapsDefaultWeight
 	if actualPoints != expectedPoints {
-		t.Errorf("volume score was not added to the scc point value correctly!")
+		t.Errorf("volume score was not added to the scc point value correctly, got %d!", actualPoints)
 	}
 }
 
@@ -168,3 +170,76 @@ func TestVolumePointValue(t *testing.T) {
 		}
 	}
 }
+
+func TestCapabilitiesPointValue(t *testing.T) {
+	newSCC := func(def []kapi.Capability, allow []kapi.Capability, drop []kapi.Capability) *securityapi.SecurityContextConstraints {
+		return &securityapi.SecurityContextConstraints{
+			DefaultAddCapabilities: def,
+			AllowedCapabilities: allow,
+			RequiredDropCapabilities: drop,
+		}
+	}
+
+	tests := map[string]struct {
+		defaultAdd     []kapi.Capability
+		allowed        []kapi.Capability
+		requiredDrop   []kapi.Capability
+		expectedPoints int
+	}{
+		"nothing specified": {
+			defaultAdd:     nil,
+			allowed:        nil,
+			requiredDrop:   nil,
+			expectedPoints: runCapsDefaultWeight,
+		},
+		"default": {
+			defaultAdd:     []kapi.Capability{"KILL", "MKNOD"},
+			allowed:        nil,
+			requiredDrop:   nil,
+			expectedPoints: runCapsDefaultWeight + 2 * runCapsAddOneWeight,
+		},
+		"allow": {
+			defaultAdd:     nil,
+			allowed:        []kapi.Capability{"KILL", "MKNOD"},
+			requiredDrop:   nil,
+			expectedPoints: runCapsDefaultWeight + 2 * runCapsAllowOneWeight,
+		},
+		"allow star": {
+			defaultAdd:     nil,
+			allowed:        []kapi.Capability{"*"},
+			requiredDrop:   nil,
+			expectedPoints: runCapsDefaultWeight + runCapsAllowAllWeight,
+		},
+		"allow all": {
+			defaultAdd:     nil,
+			allowed:        []kapi.Capability{"ALL"},
+			requiredDrop:   nil,
+			expectedPoints: runCapsDefaultWeight + runCapsAllowAllWeight,
+		},
+		"drop": {
+			defaultAdd:     nil,
+			allowed:        nil,
+			requiredDrop:   []kapi.Capability{"KILL", "MKNOD"},
+			expectedPoints: runCapsDefaultWeight + 2 * runCapsDropOneWeight,
+		},
+		"drop all": {
+			defaultAdd:     nil,
+			allowed:        nil,
+			requiredDrop:   []kapi.Capability{"ALL"},
+			expectedPoints: runCapsDefaultWeight + runCapsDropAllWeight,
+		},
+		"mixture": {
+			defaultAdd:     []kapi.Capability{"SETUID", "SETGID"},
+			allowed:        []kapi.Capability{"*"},
+			requiredDrop:   []kapi.Capability{"SYS_CHROOT"},
+			expectedPoints: runCapsDefaultWeight + 2 * runCapsAddOneWeight + runCapsAllowAllWeight + runCapsDropOneWeight,
+		},
+	}
+	for k, v := range tests {
+		scc := newSCC(v.defaultAdd, v.allowed, v.requiredDrop)
+		actualPoints := capabilitiesPointValue(scc)
+		if actualPoints != v.expectedPoints {
+			t.Errorf("%s expected %d capability score but got %d", k, v.expectedPoints, actualPoints)
+		}
+	}
+}
