default-validator: implement finer-grained validation.

Implement role based overrides for authenticated plugins. This
allows setting a restrictive default configuration and override
it with more liberal configuration for some plugins/roles.

Signed-off-by: Krisztian Litkey <krisztian.litkey@intel.com>

Author: klihub

pkg/adaptation/adaptation.go

@@ -137,7 +137,7 @@ func WithBuiltinPlugins(plugins ...*builtin.BuiltinPlugin) Option {
 }
 
 // WithDefaultValidator sets up builtin validator plugin if it is configured.
-func WithDefaultValidator(cfg *validator.DefaultValidatorConfig) Option {
+func WithDefaultValidator(cfg *validator.DefaultConfig) Option {
 	return func(r *Adaptation) error {
 		if plugin := validator.GetDefaultValidator(cfg); plugin != nil {
 			r.builtin = append([]*builtin.BuiltinPlugin{plugin}, r.builtin...)

pkg/adaptation/adaptation_suite_test.go

@@ -1093,9 +1093,11 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				&mockRuntime{
 					options: []nri.Option{
 						nri.WithDefaultValidator(
-							&validator.DefaultValidatorConfig{
-								Enable:                  true,
-								RejectOCIHookAdjustment: true,
+							&validator.DefaultConfig{
+								Enable: true,
+								Config: &validator.Config{
+									RejectOCIHookAdjustment: boolptr(true),
+								},
 							},
 						),
 					},
@@ -1186,9 +1188,11 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				&mockRuntime{
 					options: []nri.Option{
 						nri.WithDefaultValidator(
-							&validator.DefaultValidatorConfig{
-								Enable:                                true,
-								RejectRuntimeDefaultSeccompAdjustment: true,
+							&validator.DefaultConfig{
+								Enable: true,
+								Config: &validator.Config{
+									RejectRuntimeDefaultSeccompAdjustment: boolptr(true),
+								},
 							},
 						),
 					},
@@ -1289,9 +1293,11 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				&mockRuntime{
 					options: []nri.Option{
 						nri.WithDefaultValidator(
-							&validator.DefaultValidatorConfig{
-								Enable:                                true,
-								RejectRuntimeDefaultSeccompAdjustment: false,
+							&validator.DefaultConfig{
+								Enable: true,
+								Config: &validator.Config{
+									RejectRuntimeDefaultSeccompAdjustment: boolptr(false),
+								},
 							},
 						),
 					},
@@ -1392,9 +1398,11 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				&mockRuntime{
 					options: []nri.Option{
 						nri.WithDefaultValidator(
-							&validator.DefaultValidatorConfig{
-								Enable:                        true,
-								RejectCustomSeccompAdjustment: true,
+							&validator.DefaultConfig{
+								Enable: true,
+								Config: &validator.Config{
+									RejectCustomSeccompAdjustment: boolptr(true),
+								},
 							},
 						),
 					},
@@ -1496,9 +1504,11 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				&mockRuntime{
 					options: []nri.Option{
 						nri.WithDefaultValidator(
-							&validator.DefaultValidatorConfig{
-								Enable:                        true,
-								RejectCustomSeccompAdjustment: false,
+							&validator.DefaultConfig{
+								Enable: true,
+								Config: &validator.Config{
+									RejectCustomSeccompAdjustment: boolptr(false),
+								},
 							},
 						),
 					},
@@ -1600,9 +1610,11 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				&mockRuntime{
 					options: []nri.Option{
 						nri.WithDefaultValidator(
-							&validator.DefaultValidatorConfig{
-								Enable:                            true,
-								RejectUnconfinedSeccompAdjustment: true,
+							&validator.DefaultConfig{
+								Enable: true,
+								Config: &validator.Config{
+									RejectUnconfinedSeccompAdjustment: boolptr(true),
+								},
 							},
 						),
 					},
@@ -1703,9 +1715,11 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				&mockRuntime{
 					options: []nri.Option{
 						nri.WithDefaultValidator(
-							&validator.DefaultValidatorConfig{
-								Enable:                            true,
-								RejectUnconfinedSeccompAdjustment: false,
+							&validator.DefaultConfig{
+								Enable: true,
+								Config: &validator.Config{
+									RejectUnconfinedSeccompAdjustment: boolptr(false),
+								},
 							},
 						),
 					},
@@ -1807,7 +1821,7 @@ var _ = Describe("Plugin container creation adjustments", func() {
 				&mockRuntime{
 					options: []nri.Option{
 						nri.WithDefaultValidator(
-							&validator.DefaultValidatorConfig{
+							&validator.DefaultConfig{
 								Enable: true,
 								RequiredPlugins: []string{
 									"foo",
@@ -3052,3 +3066,7 @@ func protoDiff(a, b proto.Message) string {
 func protoEqual(a, b proto.Message) bool {
 	return cmp.Equal(a, b, cmpopts.EquateEmpty(), protocmp.Transform())
 }
+
+func boolptr(v bool) *bool {
+	return &v
+}

plugins/default-validator/builtin/plugin.go

@@ -26,12 +26,13 @@ import (
 )
 
 type (
-	DefaultValidatorConfig = validator.DefaultValidatorConfig
+	Config        = validator.Config
+	DefaultConfig = validator.DefaultConfig
 )
 
 // GetDefaultValidator returns a configured instance of the default validator.
 // If default validation is disabled nil is returned.
-func GetDefaultValidator(cfg *DefaultValidatorConfig) *builtin.BuiltinPlugin {
+func GetDefaultValidator(cfg *DefaultConfig) *builtin.BuiltinPlugin {
 	if cfg == nil || !cfg.Enable {
 		log.Infof(context.TODO(), "built-in NRI default validator is disabled")
 		return nil

plugins/default-validator/default-validator.go

@@ -30,20 +30,12 @@ import (
 	yaml "gopkg.in/yaml.v3"
 )
 
-type DefaultValidatorConfig struct {
+type DefaultConfig struct {
 	// Enable the default validator plugin.
 	Enable bool `yaml:"enable" toml:"enable"`
-	// RejectOCIHookAdjustment fails validation if OCI hooks are adjusted.
-	RejectOCIHookAdjustment bool `yaml:"rejectOCIHookAdjustment" toml:"reject_oci_hook_adjustment"`
-	// RejectRuntimeDefaultSeccompAdjustment fails validation if a runtime default seccomp
-	// policy is adjusted.
-	RejectRuntimeDefaultSeccompAdjustment bool `yaml:"rejectRuntimeDefaultSeccompAdjustment" toml:"reject_runtime_default_seccomp_adjustment"`
-	// RejectUnconfinedSeccompAdjustment fails validation if an unconfined seccomp policy is
-	// adjusted.
-	RejectUnconfinedSeccompAdjustment bool `yaml:"rejectUnconfinedSeccompAdjustment" toml:"reject_unconfined_seccomp_adjustment"`
-	// RejectCustomSeccompAdjustment fails validation if a custom seccomp policy (aka LOCALHOST)
-	// is adjusted.
-	RejectCustomSeccompAdjustment bool `yaml:"rejectCustomSeccompAdjustment" toml:"reject_custom_seccomp_adjustment"`
+	*Config
+	// Overrides provide per-role overrides to the default configuration.
+	Overrides map[string]*Config `yaml:"overrides" toml:"overrides"`
 	// RequiredPlugins list globally required plugins. These must be present
 	// or otherwise validation will fail.
 	// WARNING: This is a global setting and will affect all containers. In
@@ -59,9 +51,24 @@ type DefaultValidatorConfig struct {
 	TolerateMissingAnnotation string `yaml:"tolerateMissingPluginsAnnotation" toml:"tolerate_missing_plugins_annotation"`
 }
 
+// Config provides validation defaults or per role overrides.
+type Config struct {
+	// RejectOCIHookAdjustment fails validation if OCI hooks are adjusted.
+	RejectOCIHookAdjustment *bool `yaml:"rejectOCIHookAdjustment" toml:"reject_oci_hook_adjustment"`
+	// RejectRuntimeDefaultSeccompAdjustment fails validation if a runtime default seccomp
+	// policy is adjusted.
+	RejectRuntimeDefaultSeccompAdjustment *bool `yaml:"rejectRuntimeDefaultSeccompAdjustment" toml:"reject_runtime_default_seccomp_adjustment"`
+	// RejectUnconfinedSeccompAdjustment fails validation if an unconfined seccomp policy is
+	// adjusted.
+	RejectUnconfinedSeccompAdjustment *bool `yaml:"rejectUnconfinedSeccompAdjustment" toml:"reject_unconfined_seccomp_adjustment"`
+	// RejectCustomSeccompAdjustment fails validation if a custom seccomp policy (aka LOCALHOST)
+	// is adjusted.
+	RejectCustomSeccompAdjustment *bool `yaml:"rejectCustomSeccompAdjustment" toml:"reject_custom_seccomp_adjustment"`
+}
+
 // DefaultValidator implements default validation.
 type DefaultValidator struct {
-	cfg DefaultValidatorConfig
+	cfg DefaultConfig
 }
 
 const (
@@ -75,12 +82,12 @@ var (
 )
 
 // NewDefaultValidator creates a new instance of the validator.
-func NewDefaultValidator(cfg *DefaultValidatorConfig) *DefaultValidator {
+func NewDefaultValidator(cfg *DefaultConfig) *DefaultValidator {
 	return &DefaultValidator{cfg: *cfg}
 }
 
 // SetConfig sets new configuration for the validator.
-func (v *DefaultValidator) SetConfig(cfg *DefaultValidatorConfig) {
+func (v *DefaultValidator) SetConfig(cfg *DefaultConfig) {
 	if cfg == nil {
 		return
 	}
@@ -92,50 +99,64 @@ func (v *DefaultValidator) ValidateContainerAdjustment(ctx context.Context, req
 	log.Debugf(ctx, "Validating adjustment of container %s/%s/%s",
 		req.GetPod().GetNamespace(), req.GetPod().GetName(), req.GetContainer().GetName())
 
-	if err := v.validateOCIHooks(req); err != nil {
+	plugins := req.GetPluginMap()
+
+	if err := v.validateOCIHooks(req, plugins); err != nil {
 		log.Errorf(ctx, "rejecting adjustment: %v", err)
 		return err
 	}
 
-	if err := v.validateSeccompPolicy(req); err != nil {
+	if err := v.validateSeccompPolicy(req, plugins); err != nil {
 		log.Errorf(ctx, "rejecting adjustment: %v", err)
 		return err
 	}
 
-	if err := v.validateRequiredPlugins(req); err != nil {
+	if err := v.validateRequiredPlugins(req, plugins); err != nil {
 		log.Errorf(ctx, "rejecting adjustment: %v", err)
 		return err
 	}
 
 	return nil
 }
 
-func (v *DefaultValidator) validateOCIHooks(req *api.ValidateContainerAdjustmentRequest) error {
+func (v *DefaultValidator) validateOCIHooks(req *api.ValidateContainerAdjustmentRequest, plugins map[string]*api.PluginInstance) error {
 	if req.Adjust == nil {
 		return nil
 	}
 
-	if !v.cfg.RejectOCIHookAdjustment {
+	owners, claimed := req.Owners.HooksOwner(req.Container.Id)
+	if !claimed {
 		return nil
 	}
 
-	owners, claimed := req.Owners.HooksOwner(req.Container.Id)
-	if !claimed {
+	defaults := v.cfg.Config
+	rejected := []string{}
+
+	for _, p := range strings.Split(owners, ",") {
+		if instance, ok := plugins[p]; ok {
+			cfg := v.cfg.GetConfig(instance.GetRole())
+			if cfg.DenyOCIHookInjection(defaults) {
+				rejected = append(rejected, p)
+			}
+		}
+	}
+
+	if len(rejected) == 0 {
 		return nil
 	}
 
 	offender := ""
 
-	if !strings.Contains(owners, ",") {
-		offender = fmt.Sprintf("plugin %q", owners)
+	if len(rejected) == 1 {
+		offender = fmt.Sprintf("plugin %q", rejected[0])
 	} else {
-		offender = fmt.Sprintf("plugins %q", owners)
+		offender = fmt.Sprintf("plugins %q", strings.Join(rejected, ","))
 	}
 
 	return fmt.Errorf("%w: %s attempted restricted OCI hook injection", ErrValidation, offender)
 }
 
-func (v *DefaultValidator) validateSeccompPolicy(req *api.ValidateContainerAdjustmentRequest) error {
+func (v *DefaultValidator) validateSeccompPolicy(req *api.ValidateContainerAdjustmentRequest, plugins map[string]*api.PluginInstance) error {
 	if req.Adjust == nil {
 		return nil
 	}
@@ -145,22 +166,31 @@ func (v *DefaultValidator) validateSeccompPolicy(req *api.ValidateContainerAdjus
 		return nil
 	}
 
+	var (
+		cfg      *Config
+		defaults = v.cfg.Config
+	)
+
+	if instance, ok := plugins[owner]; ok {
+		cfg = v.cfg.GetConfig(instance.GetRole())
+	}
+
 	profile := req.Container.GetLinux().GetSeccompProfile()
 	switch {
 	case profile == nil || profile.GetProfileType() == api.SecurityProfile_UNCONFINED:
-		if v.cfg.RejectUnconfinedSeccompAdjustment {
+		if cfg.DenyUnconfinedSeccompAdjustment(defaults) {
 			return fmt.Errorf("%w: plugin %s attempted restricted "+
 				" unconfined seccomp policy adjustment", ErrValidation, owner)
 		}
 
 	case profile.GetProfileType() == api.SecurityProfile_RUNTIME_DEFAULT:
-		if v.cfg.RejectRuntimeDefaultSeccompAdjustment {
+		if cfg.DenyRuntimeDefaultSeccompAdjustment(defaults) {
 			return fmt.Errorf("%w: plugin %s attempted restricted "+
 				"runtime default seccomp policy adjustment", ErrValidation, owner)
 		}
 
 	case profile.GetProfileType() == api.SecurityProfile_LOCALHOST:
-		if v.cfg.RejectCustomSeccompAdjustment {
+		if cfg.DenyCustomSeccompAdjustment(defaults) {
 			return fmt.Errorf("%w: plugin %s attempted restricted "+
 				" custom seccomp policy adjustment", ErrValidation, owner)
 		}
@@ -169,7 +199,7 @@ func (v *DefaultValidator) validateSeccompPolicy(req *api.ValidateContainerAdjus
 	return nil
 }
 
-func (v *DefaultValidator) validateRequiredPlugins(req *api.ValidateContainerAdjustmentRequest) error {
+func (v *DefaultValidator) validateRequiredPlugins(req *api.ValidateContainerAdjustmentRequest, plugins map[string]*api.PluginInstance) error {
 	var (
 		container = req.GetContainer().GetName()
 		required  = slices.Clone(v.cfg.RequiredPlugins)
@@ -200,7 +230,6 @@ func (v *DefaultValidator) validateRequiredPlugins(req *api.ValidateContainerAdj
 		return nil
 	}
 
-	plugins := req.GetPluginMap()
 	missing := []string{}
 
 	for _, r := range required {
@@ -223,3 +252,56 @@ func (v *DefaultValidator) validateRequiredPlugins(req *api.ValidateContainerAdj
 
 	return fmt.Errorf("%w: %s not present", ErrValidation, offender)
 }
+
+// GetConfig returns overrides for the named role if it exists in the
+// configuration.
+func (cfg *DefaultConfig) GetConfig(role string) *Config {
+	if cfg == nil || cfg.Overrides == nil {
+		return nil
+	}
+	return cfg.Overrides[role]
+}
+
+// DenyOCIHookInjection checks whether OCI hook injection should be denied
+// based on the configuration, using an optional fallbak configuration if
+// this one is nil or omits configuration.
+func (cfg *Config) DenyOCIHookInjection(fallback *Config) bool {
+	if cfg != nil && cfg.RejectOCIHookAdjustment != nil {
+		return *cfg.RejectOCIHookAdjustment
+	}
+
+	return fallback != nil && fallback.DenyOCIHookInjection(nil)
+}
+
+// DenyUnconfinedSeccompAdjustment checks whether adjustment of an unconfined
+// seccomp policy should be denied based on the configuration, using an optional
+// fallback configuration if this one is nil or omits configuration.
+func (cfg *Config) DenyUnconfinedSeccompAdjustment(fallback *Config) bool {
+	if cfg != nil && cfg.RejectUnconfinedSeccompAdjustment != nil {
+		return *cfg.RejectUnconfinedSeccompAdjustment
+	}
+
+	return fallback != nil && fallback.DenyUnconfinedSeccompAdjustment(nil)
+}
+
+// DenyRuntimeDefaultSeccompAdjustment checks whether adjustment of a runtime
+// default seccomp policy should be denied based on the configuration, using an
+// optional fallback configuration if this one is nil or omits configuration.
+func (cfg *Config) DenyRuntimeDefaultSeccompAdjustment(fallback *Config) bool {
+	if cfg != nil && cfg.RejectRuntimeDefaultSeccompAdjustment != nil {
+		return *cfg.RejectRuntimeDefaultSeccompAdjustment
+	}
+
+	return fallback != nil && fallback.DenyRuntimeDefaultSeccompAdjustment(nil)
+}
+
+// DenyCustomSeccompAdjustment checks whether adjustment of a custom (localhost)
+// seccomp policy should be denied based on the configuration, using an optional
+// fallback configuration if this one is nil or omits configuration.
+func (cfg *Config) DenyCustomSeccompAdjustment(fallback *Config) bool {
+	if cfg != nil && cfg.RejectCustomSeccompAdjustment != nil {
+		return *cfg.RejectCustomSeccompAdjustment
+	}
+
+	return fallback != nil && fallback.DenyCustomSeccompAdjustment(nil)
+}