Initial work on limiting what names an agent can register by the seliux context. #1023
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is very useful for arrays of strings for example.
This lists the sections in a config.
This will be needed for later use.
This is mainly doable for UDS sockets, but will allow us to limit what name can register by the selinux label.
This extends how we configure allowed node names, and allows us to configure per-node-name requirements. A node name can now either be in the allowed names list, or the controller config (or via a .d dropin) can have a section named "[agent FOO]", with a key Allowed=true. If a named node is allowed, we look for the "RequiredSelinuxContext" key in the above section, and if it is set, we require the connecting agent to have the given selinux context type. Note: We already disallow most processes (except bluechi_agent_t and haproxy_t) to connect to the controller, but with this we can limit what names they can claim. For example, we could enforce a special name for an agent running in qm.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This extends how we configure allowed node names, and allows us to configure per-node-name requirements.
A node name can now either be in the allowed names list, or the controller config (or via a .d dropin) can have a section named "[agent FOO]", with a key Allowed=true.
If a named node is allowed, we look for the "RequiredSelinuxContext" key in the above section, and if it is set, we require the connecting agent to have the given selinux context type.
Note: We already disallow most processes (except bluechi_agent_t and haproxy_t) to connect to the controller, but with this we can limit what names they can claim. For example, we could enforce a special name for an agent running in qm.