OpenShift – Securing Containers by Stripping Capabilities

  • laurent 

Let say you want to prove to your security team that running a pod in Red Hat OpenShift is really removing capabilities from the running container.  There is not much documentation out there which explains how to find what capabilities get stripped so I will walk you through how you can make the case.

Step 1. Choose the pod you want to inspect in OpenShift

[root@osemaster log]# oc describe pod box-1-wkxdh

Name: box-1-wkxdh

Namespace: box

Security Policy: restricted

Node: host100.rdu.salab.redhat.com/10.11.164.100

Start Time: Fri, 21 Jul 2017 16:09:35 -0400

Labels: app=box

deployment=box-1

deploymentconfig=box

Status: Running

IP: 10.129.1.29

Controllers: ReplicationController/box-1
Containers:
  box:
    Container ID: docker://0f1596822c5b73159a37c96145d96e1b966fafb4496c630b294dff8237b2925e
    Image: 172.30.94.61:5000/box/box@sha256:94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984
    Image ID: docker-pullable://172.30.94.61:5000/box/box@sha256:94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984

Step 2. We see that the container runs on host100. So lets login to host100 and see if this container is running

[root@host100 ~]# docker ps | grep 84
0f1596822c5b        172.30.94.61:5000/box/box@sha256:94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984    "container-entrypoint"   7 weeks ago         Up 7 weeks                              k8s_box.caa9b8b4_box-1-wkxdh_box_80b5e05d-6e50-11e7-90e0-001a4a16016f_f37a14e0

We see that the sha 94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984 of the container image is matching

Step 3. Now we need to get the pid of the running container process

[root@host100 ~]# docker inspect a2ff442a9381 | grep -i Pid | head -1

            "Pid": 41086,

Step 4. Lets find the CapBnd.

[root@host100 ~]# cat /proc/41086/status | grep CapBnd
CapBnd:	00000000a80425fb

Step 5. We now translate that 00000000a80425fb into something readable.

[root@host100 ~]# capsh --decode=00000000a80425fb
0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap

Step 6. So what are all capabilities?

[root@host100 ~]# capsh --decode=0x0000001fffffffff
0x0000001fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36

Step 7. That means that the following capabilities were removed on launch:

-cap_dac_read_search
-cap_linux_immutable
-cap_net_broadcast
cap_net_admin
-cap_ipc_lock
-cap_ipc_owner
-cap_sys_module
-cap_sys_rawio
-cap_sys_ptrace
-cap_sys_pacct
cap_sys_admin
-cap_sys_boot
-cap_sys_nice
-cap_sys_resource
-cap_sys_time
-cap_sys_tty_config
-cap_lease
-cap_audit_control
-cap_mac_override
-cap_mac_admin
-cap_syslog
-cap_wake_alarm
-cap_block_suspend

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.