CRI-O Has builtin SELinux support

Daniel Walsh
Published in cri-o
Sep 28, 2017

While looking at a container-selinux bugzilla, I noticed that:

NSS inside of a container is doing something with the network which is triggering a request to the kernel to load the net-pf-0 kernel module. I told the reporter that I would rather deny containers the ability to trigger the kernel to load kernel modules.

Googling, I found http://www.tldp.org/HOWTO/Kerneld/configuration.html, which explains that several network protocol families (IPX, AppleTalk, AX.25) can be loaded as kernel modules on demand:

Some network protocols can be loaded as modules as well. The kernel asks kerneld for a protocol family (e.g. IPX) with a request for net-pf-X where X is a number indicating what family is wanted. E.g. net-pf-3 is AX.25, net-pf-4 is IPX and net-pf-5 is AppleTalk. These numbers are determined by the AF_AX25, AF_IPX etc. definitions in the linux source file include/linux/socket.h. So to autoload the IPX module, you would need an entry like this in /etc/conf.modules:

Digging a little deeper: the module the container was trying to get the kernel to load is net-pf-0, and if you look in /usr/include/bits/socket.h you will see that 0 is AF_UNSPEC. I have no idea what this module does, or whether NSS actually needs it.

If we allowed containers to trigger the loading of kernel modules, suddenly containers could get the kernel to load random network modules like AppleTalk or other weird old parts of the kernel. Those modules could expose syscall attack surface that even seccomp would not block. If a module is not loaded into the kernel, it is far less likely that a container process could use it to break out. I have been told that one of the known virtualization breakouts was triggered by the kernel floppy disk code.

Do you use Floppy disks? Well the kernel still supports them.

I believe it is better that we don't allow this access. This puts the control in the administrator's hands: the administrator decides which kernel modules run on the container host.

Most likely the NSS application runs fine without this kernel module.

This shows the value of SELinux in blocking certain potential attack vectors on the system.
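An added example (my own, not from the post or the CRI-O project): a small Python script that scans audit AVC records for `module_request` denials and translates the `net-pf-N` alias back to its protocol family name, the way the post does by hand for net-pf-0. The sample audit lines are constructed; the `kmod=` field is what the SELinux kernel hook logs for module requests, and `container_t` is the container domain from container-selinux, but the `comm` values and timestamps are made up.

```python
import re
import socket

# Constructed sample audit records (not from the post): two module_request
# denials of the kind it describes, plus an unrelated file denial to ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1506600000.101:201): avc:  denied  { module_request } for  pid=4321 comm="getent" kmod="net-pf-0" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1506600000.102:202): avc:  denied  { module_request } for  pid=4322 comm="nc" kmod="net-pf-4" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1506600000.103:203): avc:  denied  { read } for  pid=4323 comm="cat" name="shadow" scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Protocol family numbers named in the post and the kerneld HOWTO.
KNOWN_FAMILIES = {0: "AF_UNSPEC", 3: "AF_AX25", 4: "AF_IPX", 5: "AF_APPLETALK"}

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"(?: kmod="(?P<kmod>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)')

def family_name(pf: int) -> str:
    """Map a net-pf-N number to its AF_* name: post's table first, then libc."""
    if pf in KNOWN_FAMILIES:
        return KNOWN_FAMILIES[pf]
    try:
        return socket.AddressFamily(pf).name
    except ValueError:
        return f"AF_{pf} (unknown)"

def describe_kmod(kmod: str) -> str:
    """net-pf-N -> family name; any other module alias is returned unchanged."""
    m = re.fullmatch(r"net-pf-(\d+)", kmod)
    return family_name(int(m.group(1))) if m else kmod

def module_requests(log_text: str) -> list:
    """One record per AVC event whose permission set includes module_request."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or "module_request" not in m.group("perms").split():
            continue
        kmod = m.group("kmod") or ""
        events.append({
            "result": m.group("result"),
            "comm": m.group("comm"),
            "kmod": kmod,
            "family": describe_kmod(kmod),
            # third field of the SELinux label is the type, e.g. container_t
            "domain": m.group("scontext").split(":")[2],
        })
    return events
```

Run `module_requests(SAMPLE_AUDIT_LOG)` to get the two container_t denials with their families (AF_UNSPEC and AF_IPX); feeding it `ausearch -m AVC --raw` output works the same way, and a `granted` result with `permissive=1` is what you would see on a host that has not yet turned enforcement on.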

Do you `setenforce 1`?
