Why do we limit the messages that can be sent to the conmon socket. #461
Comments
|
Is there an issue/customer case to get some more context? |
|
No, just came from a meeting with a customer, that would like to track via dbus other messages. In the original commit for this code, it was mentioned that this could be extended. |
|
They want to send messages like I guess. Where CO is based on the company name. |
|
I think also outside of this particular customer, it would be nice to be able to use other standardized messages from https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html#Description. For example |
|
I don't know the details, but when I added this logic to runc/crun/conmon, I asked Lennart if there are potential risks with doing so, and he told me that READY is safe. In fact systemd-nspawn is doing the same: https://github.com/systemd/systemd/blob/main/src/nspawn/nspawn.c#L4225-L4235 I see there that the Not sure about the others. We can probably enable more of them if we think of the consequences of a rogue container that can forge that messages. |
|
STOPPING seems quite safe to me at least, and its been brought up by the customer. |
|
RELOADING, ERRNO, BUSERROR, MONOTONIC_USEC, EXTEND_TIMEOUT_USEC seems safe too |
|
can |
|
@giuseppe Yeah, possibly... Maybe best to not include that, at least without some opt-in. |
|
Yes lets eliminate that. |
Several of the standard sd-notify messages are safe to use from a container and are very useful. This commit cleans up the general handling of notify messages and allows forwarding of: * READY=1 * RELOADING=1 * STOPPING=1 * WATCHDOG=1 * WATCHDOG=trigger * STATUS=... * ERRNO=... * BUSERROR=... * MONOTONIC_USEC... See https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html#Well-known%20assignments for documentation of these. Note: We don't allow unknown messages to be forewarded. For one, all the file-descriptor based ones are currently unsupported (since the forwarding doesn't handle fds), but also some options (current and future) may be security sensitive. This fixes containers#461
Several of the standard sd-notify messages are safe to use from a container and are very useful. This commit cleans up the general handling of notify messages and allows forwarding of: * READY=1 * RELOADING=1 * STOPPING=1 * WATCHDOG=1 * WATCHDOG=trigger * STATUS=... * ERRNO=... * BUSERROR=... * MONOTONIC_USEC... See https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html#Well-known%20assignments for documentation of these. Note: We don't allow unknown messages to be forewarded. For one, all the file-descriptor based ones are currently unsupported (since the forwarding doesn't handle fds), but also some options (current and future) may be security sensitive. This fixes containers#461 Signed-off-by: Alexander Larsson <[email protected]>
Several of the standard sd-notify messages are safe to use from a container and are very useful. This commit cleans up the general handling of notify messages and allows forwarding of: * READY=1 * RELOADING=1 * STOPPING=1 * WATCHDOG=1 * WATCHDOG=trigger * STATUS=... * ERRNO=... * BUSERROR=... * MONOTONIC_USEC... See https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html#Well-known%20assignments for documentation of these. Note: We don't allow unknown messages to be forewarded. For one, all the file-descriptor based ones are currently unsupported (since the forwarding doesn't handle fds), but also some options (current and future) may be security sensitive. This fixes containers#461 and containers#311 Signed-off-by: Alexander Larsson <[email protected]>
Several of the standard sd-notify messages are safe to use from a container and are very useful. This commit cleans up the general handling of notify messages and allows forwarding of: * READY=1 * RELOADING=1 * STOPPING=1 * WATCHDOG=1 * WATCHDOG=trigger * STATUS=... * ERRNO=... * BUSERROR=... * MONOTONIC_USEC... See https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html#Well-known%20assignments for documentation of these. Note: We don't allow unknown messages to be forewarded. For one, all the file-descriptor based ones are currently unsupported (since the forwarding doesn't handle fds), but also some options (current and future) may be security sensitive. fixes containers#461 fixes containers#311 Signed-off-by: Alexander Larsson <[email protected]>
Several of the standard sd-notify messages are safe to use from a container and are very useful. This commit cleans up the general handling of notify messages and allows forwarding of: * READY=1 * RELOADING=1 * STOPPING=1 * WATCHDOG=1 * WATCHDOG=trigger * STATUS=... * ERRNO=... * BUSERROR=... * MONOTONIC_USEC... See https://www.freedesktop.org/software/systemd/man/latest/sd_notify.html#Well-known%20assignments for documentation of these. Note: We don't allow unknown messages to be forewarded. For one, all the file-descriptor based ones are currently unsupported (since the forwarding doesn't handle fds), but also some options (current and future) may be security sensitive. fixes containers#461 fixes containers#311 Signed-off-by: Alexander Larsson <[email protected]>
containers/buildah#5125 (comment)
A customer wants to be able to send messages other then the two that are allowed and would like to be able to define their own.
If we allow general messages through, does this cause a security risk?
If so then we could add a mechanism for the caller of conmon to pass down valid messages to be allowed to pass.
Thoughts?
The text was updated successfully, but these errors were encountered: