Add LXD support

Add support for LXD containers, enabling the generation of SELinux
policies for LXD-managed containers.

Signed-off-by: FabienGhd <[email protected]>

Author: FabienGhd

README.md

@@ -30,6 +30,7 @@ Udica supports following container engines:
    * docker v1.13+
    * podman v2.0+
    * containerd v1.5.0+ (using `nerdctl` v0.14+ or crictl)
+   * LXD v5.21.1+
 
 ## Installing
 

tests/test_basic.lxd.json

@@ -0,0 +1,92 @@
+{
+	"architecture": "x86_64",
+	"config": {
+		"image.architecture": "amd64",
+		"image.description": "ubuntu 20.04 LTS amd64 (release) (20240626)",
+		"image.label": "release",
+		"image.os": "ubuntu",
+		"image.release": "focal",
+		"image.serial": "20240626",
+		"image.type": "squashfs",
+		"image.version": "20.04",
+		"volatile.base_image": "afeb6fc84380878e47e1be18b3cd4e0a6671610f94ad3ffc8a50481afbe77a19",
+		"volatile.cloud-init.instance-id": "402d6e74-3ce0-483c-8d46-fdb28cdab306",
+		"volatile.eth0.host_name": "veth21ca03ab",
+		"volatile.eth0.hwaddr": "00:16:3e:fc:a1:ec",
+		"volatile.idmap.base": "0",
+		"volatile.idmap.current": "[{\"Isuid\":true,\"Isgid\":false,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000},{\"Isuid\":false,\"Isgid\":true,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000}]",
+		"volatile.idmap.next": "[{\"Isuid\":true,\"Isgid\":false,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000},{\"Isuid\":false,\"Isgid\":true,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000}]",
+		"volatile.last_state.idmap": "[]",
+		"volatile.last_state.power": "RUNNING",
+		"volatile.last_state.ready": "false",
+		"volatile.uuid": "5835af62-6142-4a7c-9282-35d31ae22cb7",
+		"volatile.uuid.generation": "5835af62-6142-4a7c-9282-35d31ae22cb7"
+	},
+	"created_at": "2024-06-29T16:03:00.781248448Z",
+	"description": "",
+	"devices": {},
+	"ephemeral": false,
+	"expanded_config": {
+		"image.architecture": "amd64",
+		"image.description": "ubuntu 20.04 LTS amd64 (release) (20240626)",
+		"image.label": "release",
+		"image.os": "ubuntu",
+		"image.release": "focal",
+		"image.serial": "20240626",
+		"image.type": "squashfs",
+		"image.version": "20.04",
+		"volatile.base_image": "afeb6fc84380878e47e1be18b3cd4e0a6671610f94ad3ffc8a50481afbe77a19",
+		"volatile.cloud-init.instance-id": "402d6e74-3ce0-483c-8d46-fdb28cdab306",
+		"volatile.eth0.host_name": "veth21ca03ab",
+		"volatile.eth0.hwaddr": "00:16:3e:fc:a1:ec",
+		"volatile.idmap.base": "0",
+		"volatile.idmap.current": "[{\"Isuid\":true,\"Isgid\":false,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000},{\"Isuid\":false,\"Isgid\":true,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000}]",
+		"volatile.idmap.next": "[{\"Isuid\":true,\"Isgid\":false,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000},{\"Isuid\":false,\"Isgid\":true,\"Hostid\":1000000,\"Nsid\":0,\"Maprange\":1000000000}]",
+		"volatile.last_state.idmap": "[]",
+		"volatile.last_state.power": "RUNNING",
+		"volatile.last_state.ready": "false",
+		"volatile.uuid": "5835af62-6142-4a7c-9282-35d31ae22cb7",
+		"volatile.uuid.generation": "5835af62-6142-4a7c-9282-35d31ae22cb7"
+	},
+	"expanded_devices": {
+		"eth0": {
+			"name": "eth0",
+			"network": "lxdbr0",
+			"type": "nic"
+		},
+		"home": {
+			"path": "/home",
+			"readonly": "true",
+			"source": "/home",
+			"type": "disk"
+		},
+		"myport21": {
+			"bind": "host",
+			"connect": "tcp:127.0.0.1:21",
+			"listen": "tcp:0.0.0.0:21",
+			"type": "proxy"
+		},
+		"root": {
+			"path": "/",
+			"pool": "default",
+			"type": "disk"
+		},
+		"spool": {
+			"path": "/var/spool",
+			"source": "/var/spool",
+			"type": "disk"
+		}
+	},
+	"last_used_at": "2024-07-01T15:00:22.55170503Z",
+	"location": "none",
+	"name": "my-ubuntu-container",
+	"profiles": [
+		"default",
+		"myprofile"
+	],
+	"project": "default",
+	"stateful": false,
+	"status": "Running",
+	"status_code": 103,
+	"type": "container"
+}

udica/parse.py

@@ -16,20 +16,15 @@
 import abc
 import json
 
-#: Constant for the podman engine
+#: Constants for container engines
 ENGINE_PODMAN = "podman"
-
-#: Constant for the cri-o engine
 ENGINE_CRIO = "CRI-O"
-
-#: Constant for the docker engine
 ENGINE_DOCKER = "docker"
-
-#: Constant for the containerd engine
 ENGINE_CONTAINERD = "containerd"
+ENGINE_LXD = "LXD"
 
 #: All supported engines
-ENGINE_ALL = [ENGINE_PODMAN, ENGINE_CRIO, ENGINE_DOCKER, ENGINE_CONTAINERD]
+ENGINE_ALL = [ENGINE_PODMAN, ENGINE_CRIO, ENGINE_DOCKER, ENGINE_CONTAINERD, ENGINE_LXD]
 
 
 # Decorator for verifying that getting value from "data" won't
@@ -69,17 +64,34 @@ def json_is_containerd_format(json_rep):
 
 def json_is_podman_format(json_rep):
     """Check if the inspected file is in a format from podman."""
-    return isinstance(json_rep, list) and (
-        "container=oci" in json_rep[0]["Config"]["Env"]
-        or "container=podman" in json_rep[0]["Config"]["Env"]
+    return (
+        isinstance(json_rep, list)
+        and (
+            "container=oci" in json_rep[0]["Config"]["Env"]
+            or "container=podman" in json_rep[0]["Config"]["Env"]
+        )
+    )
+
+def json_is_lxd_format(json_rep):
+    """Check if the inspected file is in a format from LXD."""
+    return (
+        # LXD's inspection output returns a single dictionary for a single container
+        isinstance(json_rep, dict)
+        and "expanded_devices" in json_rep
+        and "architecture" in json_rep
+        and "config" in json_rep
     )
 
 
 def get_engine_helper(data, ContainerEngine):
     engine = validate_container_engine(ContainerEngine)
+    
     if engine == "-":
         json_rep = json.loads(data)
-        if json_is_list(json_rep):
+
+        if json_is_lxd_format(json_rep):
+            return LxdHelper()
+        elif json_is_list(json_rep):
             if json_is_containerd_format(json_rep):
                 return ContainerdHelper()
             elif json_is_podman_format(json_rep):
@@ -96,7 +108,9 @@ def get_engine_helper(data, ContainerEngine):
             return CrioHelper()
         elif engine == ENGINE_CONTAINERD:
             return ContainerdHelper()
-        raise RuntimeError("Unkown engine")
+        elif engine == ENGINE_LXD:
+            return LxdHelper()
+        raise RuntimeError("Unknown engine")
 
 
 class EngineHelper(abc.ABC):
@@ -259,6 +273,49 @@ def get_caps(self, data, opts):
             return opts["Caps"].split(",")
         return data[0]["Spec"]["process"]["capabilities"]["effective"]
 
+class LxdHelper(EngineHelper):
+    def __init__(self):
+        super().__init__(ENGINE_LXD)
+
+    @getter_decorator
+    def get_devices(self, data):
+        # Extract devices from the config
+        devices = []
+        config_devices = data["expanded_devices"]
+        for name, device in config_devices.items():
+            if device["type"] == "unix-block" or device["type"] == "unix-char":
+                device["PathOnHost"] = device.get("path", "")
+                devices.append(device)
+        return devices
+
+    @getter_decorator
+    def get_mounts(self, data):
+        # Extract mounts (disk devices)
+        mounts = []
+        config_devices = data["expanded_devices"]
+        for name, device in config_devices.items():
+            if device["type"] == "disk":
+                mounts.append(device)
+        return mounts
+
+    @getter_decorator
+    def get_ports(self, data):
+        # Extract port information from the LXD JSON configuration
+        ports = []
+        for name, device in data["expanded_devices"].items():
+            if device["type"] == "proxy":
+                port_info = {
+                    "portNumber": int(device["listen"].split(":")[-1]),
+                    "protocol": device["connect"].split(":")[0]
+                }
+                ports.append(port_info)
+        return ports
+
+    @getter_decorator
+    def get_caps(self, data, opts):
+        # Capabilities are not part of LXD spec directly
+        return []
+
 
 def parse_cap(data):
     return data.decode().split("\n")[1].split(",")

udica/perms.py

@@ -13,6 +13,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
+# Dictionary of permissions for various device and file types
 perm = {
     "device_rw": "getattr read write append ioctl lock open",
     "dir_rw": "add_name create getattr ioctl lock open read remove_name rmdir search setattr write",
@@ -25,4 +26,5 @@
     "socket_ro": "getattr open read",
 }
 
+# Dictionary of socket types mapped to their corresponding SELinux object class
 socket = {"tcp": "tcp_socket", "udp": "udp_socket", "sctp": "sctp_socket"}

udica/policy.py

@@ -181,6 +181,8 @@ def create_policy(
         write_policy_for_crio_mounts(mounts, policy)
     elif inspect_format == "containerd":
         write_policy_for_containerd_mounts(mounts, policy)
+    elif inspect_format == "LXD":
+        write_policy_for_lxd_mounts(mounts, policy)
     else:
         write_policy_for_podman_mounts(mounts, policy)
 
@@ -567,6 +569,111 @@ def write_policy_for_containerd_mounts(mounts, policy):
                     )
 
 
+def write_policy_for_lxd_mounts(mounts, policy):
+    for item in sorted(mounts, key=lambda x: str(x["source"])):
+        if not item["source"].find("/"):
+            if item["source"] == LOG_CONTAINER and "ro" in item.get("options", []):
+                policy.write("    (blockinherit log_container)\n")
+                add_template("log_container")
+                continue
+
+            if item["source"] == LOG_CONTAINER and "ro" not in item.get("options", []):
+                policy.write("    (blockinherit log_rw_container)\n")
+                add_template("log_container")
+                continue
+
+            if item["source"] == HOME_CONTAINER and "ro" in item.get("options", []):
+                policy.write("    (blockinherit home_container)\n")
+                add_template("home_container")
+                continue
+
+            if item["source"] == HOME_CONTAINER and "ro" not in item.get("options", []):
+                policy.write("    (blockinherit home_rw_container)\n")
+                add_template("home_container")
+                continue
+
+            if item["source"] == TMP_CONTAINER and "ro" in item.get("options", []):
+                policy.write("    (blockinherit tmp_container)\n")
+                add_template("tmp_container")
+                continue
+
+            if item["source"] == TMP_CONTAINER and "ro" not in item.get("options", []):
+                policy.write("    (blockinherit tmp_rw_container)\n")
+                add_template("tmp_container")
+                continue
+
+            if item["source"] == CONFIG_CONTAINER and "ro" in item.get("options", []):
+                policy.write("    (blockinherit config_container)\n")
+                add_template("config_container")
+                continue
+
+            if item["source"] == CONFIG_CONTAINER and "ro" not in item.get("options", []):
+                policy.write("    (blockinherit config_rw_container)\n")
+                add_template("config_container")
+                continue
+
+            contexts = list_contexts(item["source"])
+            for context in contexts:
+                if "ro" not in item.get("options", []):
+                    policy.write(
+                        "    (allow process "
+                        + context
+                        + " ( dir ( "
+                        + perms.perm["dir_rw"]
+                        + " ))) \n"
+                    )
+                    policy.write(
+                        "    (allow process "
+                        + context
+                        + " ( file ( "
+                        + perms.perm["file_rw"]
+                        + " ))) \n"
+                    )
+                    policy.write(
+                        "    (allow process "
+                        + context
+                        + " ( fifo_file ( "
+                        + perms.perm["fifo_rw"]
+                        + " ))) \n"
+                    )
+                    policy.write(
+                        "    (allow process "
+                        + context
+                        + " ( sock_file ( "
+                        + perms.perm["socket_rw"]
+                        + " ))) \n"
+                    )
+                if "ro" in item.get("options", []):
+                    policy.write(
+                        "    (allow process "
+                        + context
+                        + " ( dir ( "
+                        + perms.perm["dir_ro"]
+                        + " ))) \n"
+                    )
+                    policy.write(
+                        "    (allow process "
+                        + context
+                        + " ( file ( "
+                        + perms.perm["file_ro"]
+                        + " ))) \n"
+                    )
+                    policy.write(
+                        "    (allow process "
+                        + context
+                        + " ( fifo_file ( "
+                        + perms.perm["fifo_ro"]
+                        + " ))) \n"
+                    )
+                    policy.write(
+                        "    (allow process "
+                        + context
+                        + " ( sock_file ( "
+                        + perms.perm["socket_ro"]
+                        + " ))) \n"
+                    )
+
+
 def load_policy(opts):
     PWD = getcwd()