Make SCC with less capabilities more restrictive.

adelton · adelton · commit 99c756d55a53 · 2017-06-27T11:48:12.000+02:00
diff --git a/pkg/security/scc/byrestrictions.go b/pkg/security/scc/byrestrictions.go
@@ -1,6 +1,7 @@
 package scc
 
 import (
+	kapi "k8s.io/kubernetes/pkg/api"
 	securityapi "github.com/openshift/origin/pkg/security/apis/security"
 )
 
@@ -28,6 +29,9 @@ func pointValue(constraint *securityapi.SecurityContextConstraints) int {
 	// add points based on volume requests
 	points += volumePointValue(constraint)
 
+	// add points based on capabilities
+	points += capabilitiesPointValue(constraint)
+
 	// strategies in order of least restrictive to most restrictive
 	switch constraint.SELinuxContext.Type {
 	case securityapi.SELinuxStrategyRunAsAny:
@@ -82,3 +86,39 @@ func volumePointValue(scc *securityapi.SecurityContextConstraints) int {
 	}
 	return 0
 }
+
+// hasCap checks for needle in haystack.
+func hasCap(needle kapi.Capability, haystack []kapi.Capability) bool {
+	for _, c := range haystack {
+		if needle == c {
+			return true
+		}
+	}
+	return false
+}
+
+// capabilitiesPointValue returns a score based on the capabilities allowed,
+// added, or removed by the SCC. This allow us to prefer the more restrictive
+// SCC.
+func capabilitiesPointValue(scc *securityapi.SecurityContextConstraints) int {
+	points := 5000
+	points += 300 * len(scc.DefaultAddCapabilities)
+	if hasCap(kapi.CapabilityAll, scc.AllowedCapabilities) {
+		points += 4000
+	} else if hasCap("ALL", scc.AllowedCapabilities) {
+		points += 4000
+	} else {
+		points += 10 * len(scc.AllowedCapabilities)
+	}
+	if hasCap("ALL", scc.RequiredDropCapabilities) {
+		points -= 3000
+	} else {
+		points -= 50 * len(scc.RequiredDropCapabilities)
+	}
+	if (points > 10000) {
+		return 10000
+	} else if (points < 0) {
+		return 0
+	}
+	return points
+}
diff --git a/pkg/security/scc/byrestrictions_test.go b/pkg/security/scc/byrestrictions_test.go
@@ -3,6 +3,7 @@ package scc
 import (
 	"testing"
 
+	kapi "k8s.io/kubernetes/pkg/api"
 	securityapi "github.com/openshift/origin/pkg/security/apis/security"
 )
 
@@ -39,15 +40,15 @@ func TestPointValue(t *testing.T) {
 	// run through all combos of user strategy + seLinux strategy + priv
 	for userStrategy, userStrategyPoints := range userStrategies {
 		for seLinuxStrategy, seLinuxStrategyPoints := range seLinuxStrategies {
-			expectedPoints := privilegedPoints + userStrategyPoints + seLinuxStrategyPoints
+			expectedPoints := 5000 + privilegedPoints + userStrategyPoints + seLinuxStrategyPoints
 			scc := newSCC(true, seLinuxStrategy, userStrategy)
 			actualPoints := pointValue(scc)
 
 			if actualPoints != expectedPoints {
 				t.Errorf("privileged, user: %v, seLinux %v expected %d score but got %d", userStrategy, seLinuxStrategy, expectedPoints, actualPoints)
 			}
 
-			expectedPoints = userStrategyPoints + seLinuxStrategyPoints
+			expectedPoints = 5000 + userStrategyPoints + seLinuxStrategyPoints
 			scc = newSCC(false, seLinuxStrategy, userStrategy)
 			actualPoints = pointValue(scc)
 
@@ -57,12 +58,13 @@ func TestPointValue(t *testing.T) {
 		}
 	}
 
-	// sanity check to ensure volume score is added (specific volumes scores are tested below
+	// sanity check to ensure volume and capabilities scores are added (specific volumes
+	// and capabilities scores are tested below
 	scc := newSCC(false, securityapi.SELinuxStrategyMustRunAs, securityapi.RunAsUserStrategyMustRunAs)
 	scc.Volumes = []securityapi.FSType{securityapi.FSTypeHostPath}
 	actualPoints := pointValue(scc)
-	if actualPoints != 120000 { //10000 (SELinux) + 10000 (User) + 100000 (host path volume)
-		t.Errorf("volume score was not added to the scc point value correctly!")
+	if actualPoints != 125000 { //10000 (SELinux) + 10000 (User) + 100000 (host path volume) + 5000 capabilities
+		t.Errorf("volume score was not added to the scc point value correctly, got %d!", actualPoints)
 	}
 }
 
@@ -172,3 +174,76 @@ func TestVolumePointValue(t *testing.T) {
 		}
 	}
 }
+
+func TestCapabilitiesPointValue(t *testing.T) {
+	newSCC := func(def []kapi.Capability, allow []kapi.Capability, drop []kapi.Capability) *securityapi.SecurityContextConstraints {
+		return &securityapi.SecurityContextConstraints{
+			DefaultAddCapabilities: def,
+			AllowedCapabilities: allow,
+			RequiredDropCapabilities: drop,
+		}
+	}
+
+	tests := map[string]struct {
+		defaultAdd     []kapi.Capability
+		allowed        []kapi.Capability
+		requiredDrop   []kapi.Capability
+		expectedPoints int
+	}{
+		"nothing specified": {
+			defaultAdd:     nil,
+			allowed:        nil,
+			requiredDrop:   nil,
+			expectedPoints: 5000,
+		},
+		"default": {
+			defaultAdd:     []kapi.Capability{"KILL", "MKNOD"},
+			allowed:        nil,
+			requiredDrop:   nil,
+			expectedPoints: 5600,
+		},
+		"allow": {
+			defaultAdd:     nil,
+			allowed:        []kapi.Capability{"KILL", "MKNOD"},
+			requiredDrop:   nil,
+			expectedPoints: 5020,
+		},
+		"allow star": {
+			defaultAdd:     nil,
+			allowed:        []kapi.Capability{"*"},
+			requiredDrop:   nil,
+			expectedPoints: 9000,
+		},
+		"allow all": {
+			defaultAdd:     nil,
+			allowed:        []kapi.Capability{"ALL"},
+			requiredDrop:   nil,
+			expectedPoints: 9000,
+		},
+		"drop": {
+			defaultAdd:     nil,
+			allowed:        nil,
+			requiredDrop:   []kapi.Capability{"KILL", "MKNOD"},
+			expectedPoints: 4900,
+		},
+		"drop all": {
+			defaultAdd:     nil,
+			allowed:        nil,
+			requiredDrop:   []kapi.Capability{"ALL"},
+			expectedPoints: 2000,
+		},
+		"mixture": {
+			defaultAdd:     []kapi.Capability{"SETUID", "SETGID"},
+			allowed:        []kapi.Capability{"*"},
+			requiredDrop:   []kapi.Capability{"SYS_CHROOT"},
+			expectedPoints: 9550,
+		},
+	}
+	for k, v := range tests {
+		scc := newSCC(v.defaultAdd, v.allowed, v.requiredDrop)
+		actualPoints := capabilitiesPointValue(scc)
+		if actualPoints != v.expectedPoints {
+			t.Errorf("%s expected %d capability score but got %d", k, v.expectedPoints, actualPoints)
+		}
+	}
+}
