11-16-2020, 11:07 PM
Podman with capabilities on Fedora
<div><p>Containerization is a booming technology. As many as seventy-five percent of global organizations could be running some type of containerization technology in the near future. Since widely used technologies are more likely to be targeted by hackers, securing containers is especially important. This article will demonstrate how <a rel="noreferrer noopener" href="https://www.linuxjournal.com/magazine/making-root-unprivileged" target="_blank">POSIX capabilities</a> are used to secure Podman containers. Podman is the default container management tool in RHEL8.</p>
<h2>Determine the Podman container’s privilege mode</h2>
<p>Containers run in either privileged or unprivileged mode. In privileged mode, <a rel="noreferrer noopener" href="https://linuxcontainers.org/lxc/security/#privileged-containers" target="_blank">the container uid 0 is mapped to the host’s uid 0</a>. For some use cases, unprivileged containers <a href="https://github.com/containers/podman/blob/master/rootless.md" target="_blank" rel="noreferrer noopener">lack sufficient access</a> to the resources of the host machine. Technologies and techniques including Mandatory Access Control (apparmor, SELinux), seccomp filters, dropping of capabilities, and namespaces help to secure containers regardless of their mode of operation.</p>
<p><strong>To determine the privilege mode from outside the container:</strong></p>
<pre class="wp-block-preformatted">$ podman inspect --format="{{.HostConfig.Privileged}}" &lt;container id&gt;</pre>
<p>If the above command returns <em>true</em> then the container is running in privileged mode. If it returns <em>false</em> then the container is running in unprivileged mode.</p>
<p><strong>To determine the privilege mode from inside the container:</strong></p>
<pre class="wp-block-preformatted">$ ip link add dummy0 type dummy</pre>
<p>If this command allows you to create an interface then you are running a privileged container. Otherwise you are running an unprivileged container.</p>
<h2>Capabilities</h2>
<p>Namespaces isolate a container’s processes from arbitrary access to the resources of its host and from access to the resources of other containers running on the same host. Processes within <em>privileged</em> containers, however, might still be able to do things like alter the IP routing table, trace arbitrary processes, and load kernel modules. Capabilities allow one to apply finer-grained restrictions on what resources the processes within a container can access or alter, even when the container is running in privileged mode. Capabilities also allow one to assign privileges to an unprivileged container that it would not otherwise have.</p>
<p>For example, to add the <em>NET_ADMIN</em> capability to an unprivileged container so that a network interface can be created inside of the container, you would run <em>podman</em> with parameters similar to the following:</p>
<pre class="wp-block-preformatted">[root@vm1 ~]# podman run -it --cap-add=NET_ADMIN centos
[root@b27fea33ccf1 /]# ip link add dummy0 type dummy
[root@b27fea33ccf1 /]# ip link</pre>
<p>The above commands demonstrate how to grant a capability to an unprivileged container: with <em>NET_ADMIN</em> added, a <em>dummy0</em> interface is created inside the container. Without the <em>NET_ADMIN</em> capability, an unprivileged container would not be able to create an interface.</p>
<p>Currently, there are about <a href="https://man7.org/linux/man-pages/man7/capabilities.7.html" target="_blank" rel="noreferrer noopener">39 capabilities</a> that can be granted or denied. Privileged containers are granted many capabilities by default. It is advisable to drop unneeded capabilities from privileged containers to make them more secure.</p>
<p><strong>To drop all capabilities from a container:</strong></p>
<pre class="wp-block-preformatted">$ podman run -it -d --name mycontainer --cap-drop=all centos</pre>
<p><strong>To list a container’s capabilities:</strong></p>
<pre class="wp-block-preformatted">$ podman exec -it mycontainer capsh --print</pre>
<p>The above command should show that no capabilities are granted to the container.</p>
<p><strong>Refer to the <em>capabilities</em> man page for a complete list of capabilities:</strong></p>
<pre class="wp-block-preformatted">$ man capabilities</pre>
<p><strong>Use the <em>capsh</em> command to list the capabilities you currently possess:</strong></p>
<pre class="wp-block-preformatted">$ capsh --print</pre>
<p>As another example, the below command demonstrates dropping the <em>NET_RAW</em> capability from a container. Without the <em>NET_RAW</em> capability, servers on the internet cannot be pinged from within the container.</p>
<pre class="wp-block-preformatted">$ podman run -it --name mycontainer1 --cap-drop=net_raw centos
# ping google.com      (fails with "Operation not permitted")</pre>
<p>As a final example, if your container were to only need the <em>SETUID</em> and <em>SETGID</em> capabilities, you could achieve such a permission set by dropping all capabilities and then re-adding only those two.</p>
<pre class="wp-block-preformatted">$ podman run -d --cap-drop=all --cap-add=setuid --cap-add=setgid fedora sleep 5 > /dev/null; pscap | grep sleep</pre>
<p>The <em>pscap</em> command shown above lists the capabilities that the <em>sleep</em> process inside the container actually holds, which is the set granted to the container.</p>
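<p>The <em>capsh --print</em> and <em>pscap</em> commands above both decode the same thing: the capability bitmask the kernel keeps for a process, visible as the <em>CapEff</em> (effective), <em>CapPrm</em> (permitted) and <em>CapBnd</em> (bounding) lines of <em>/proc/&lt;pid&gt;/status</em>. Reading <em>CapEff</em> from <em>/proc/self/status</em> also works inside a minimal image that has neither <em>capsh</em> nor <em>ip</em>, and it is a more direct test than the <em>ip link add</em> check earlier in this article, because that check really detects <em>NET_ADMIN</em> (which the article itself grants to an unprivileged container). The script below is an added example written for this post, not code from the article or from the Podman project: it decodes such a mask into <em>cap_*</em> names using the kernel’s bit numbering and compares the result with an allowlist, so a container that is supposed to run with only <em>SETUID</em> and <em>SETGID</em> can be audited. The <em>CapEff</em> value it parses is a constructed sample (bits 6 and 7 set), not output captured from a real container; the function and variable names are my own.</p>

```shell
#!/bin/sh
# Decode a Linux capability bitmask (the CapEff/CapPrm/CapBnd lines of
# /proc/<pid>/status) into cap_* names and check it against an allowlist.
# Bit numbers follow the kernel's capability numbering
# (bit 0 = cap_chown ... bit 40 = cap_checkpoint_restore, as of Linux 5.9).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# decode_caps HEXMASK: print one cap_* name per line for every bit set in HEXMASK.
decode_caps() {
    bits=$((0x$1))
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (bits >> i) & 1 )) -eq 1 ]; then
            printf 'cap_%s\n' "$name"
        fi
        i=$((i + 1))
    done
}

# effective_mask FILE: extract the hex value of the CapEff line from a
# /proc/<pid>/status-style file (pass /proc/self/status inside a container).
effective_mask() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# unexpected_caps HEXMASK ALLOWED...: print every capability in HEXMASK that is
# not in the ALLOWED list; exit status 1 if any were found, 0 otherwise.
unexpected_caps() {
    capmask=$1
    shift
    allowed=" $* "
    rc=0
    for cap in $(decode_caps "$capmask"); do
        case "$allowed" in
            *" $cap "*) ;;
            *) printf '%s\n' "$cap"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (not captured from a real container): the status lines a
# process would show after
#   podman run --cap-drop=all --cap-add=setuid --cap-add=setgid ...
# i.e. only bits 6 (setgid) and 7 (setuid) set.
SAMPLE_STATUS=$(mktemp)
cat > "$SAMPLE_STATUS" <<'EOF'
Name:	sleep
CapInh:	0000000000000000
CapPrm:	00000000000000c0
CapEff:	00000000000000c0
CapBnd:	00000000000000c0
CapAmb:	0000000000000000
EOF

# Usage: compare the sample's effective set with the intended allowlist.
effmask=$(effective_mask "$SAMPLE_STATUS")
echo "effective capabilities: $(decode_caps "$effmask" | tr '\n' ' ')"
if unexpected_caps "$effmask" cap_setuid cap_setgid >/dev/null; then
    echo "OK: no capabilities beyond the allowlist"
else
    echo "WARNING: container holds capabilities outside the allowlist"
fi
rm -f "$SAMPLE_STATUS"
```

<p>On a host with libcap installed, <em>capsh --decode=00000000000000c0</em> performs the same decoding of a single mask, and <em>pscap</em> does it for every running process; the script is useful where those tools are absent or where the result has to feed an automated check.</p>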
<p>I hope you enjoyed this brief exploration of how capabilities are used to secure Podman containers.</p>
<p>Thank You!</p>
</div>
https://www.sickgaming.net/blog/2020/11/...on-fedora/