
[cmd/opampsupervisor] Specify requirements and mechanism for filesystem restrictions #24310

Open
evan-bradley opened this issue Jul 17, 2023 · 0 comments
Labels: cmd/opampsupervisor; discussion needed (Community discussion needed); enhancement (New feature or request); never stale (Issues marked with this label will be never staled and automatically removed)

Comments

@evan-bradley
Contributor

Component(s)

cmd/opampsupervisor

Is your feature request related to a problem? Please describe.

Remote configuration of the Collector has the potential to be an avenue for malicious actors to exfiltrate information from a system using the Collector. We need to ensure users are equipped with the tools necessary to mitigate this risk.

Describe the solution you'd like

One question we will want to answer is what is in scope for these protections:

  • Receiver targets?
  • Source/target files on the filesystem?
  • Export destinations?

For controlling filesystem access, one solution could be to specify in the Supervisor config (which cannot be remotely updated through OpAMP) which directories are permitted. Directories used in the Collector's config would then be validated against this list. The behavior the Supervisor takes if a directory fails validation still needs to be determined.

# Optional directories that are allowed to be read/written by the
# Collector.
# If unspecified then NO access to the filesystem is allowed.
access_dirs:
  read:
    allow: [/var/log]
    deny: [/var/log/secret_logs]
  write:
    allow: [/var/otelcol]

Other alternatives to controlling filesystem access:

  1. Using native operating system process namespacing tools, such as cgroups on Linux.
  2. Leveraging the operating system's capabilities to do this by leveraging existing users who have been set up by other systems with the desired filesystem permissions and validate those permissions against the configuration here.

Describe alternatives you've considered

No response

Additional context

See the discussion on the Google Doc here: https://docs.google.com/document/d/1KtH5atZQUs9Achbce6LiOaJxLbksNJenvgvyKLsJrkc/edit?pli=1&disco=AAAAkWOtq4M
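An added example (not code from the opampsupervisor project) of how the access_dirs validation sketched above could be enforced: the struct names are assumed, and it takes the file paths already collected from the Collector's config as plain slices. Deny entries win over allow entries, paths are cleaned so `..` segments cannot slip past a deny entry, a prefix match must end at a path separator, and an empty rule (no access_dirs configured) permits nothing.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// AccessRule is one read/write entry of the proposed access_dirs block and
// AccessDirs the block itself (names assumed, not from the Supervisor code).
type AccessRule struct{ Allow, Deny []string }
type AccessDirs struct{ Read, Write AccessRule }

// under reports whether path is dir or lies beneath it. Cleaning both sides
// stops "/var/log/../log/secret_logs" dodging a deny entry and the separator
// check stops "/var/logs" matching "/var/log"; symlinks are not resolved here.
func under(path, dir string) bool {
	sep := string(filepath.Separator)
	path, dir = filepath.Clean(path), filepath.Clean(dir)
	return path == dir || strings.HasPrefix(path, strings.TrimSuffix(dir, sep)+sep)
}

func underAny(path string, dirs []string) bool {
	for _, d := range dirs {
		if under(path, d) {
			return true
		}
	}
	return false
}

// Permitted applies the rule as the issue sketches it: the path must sit under
// an allow entry and under no deny entry (deny wins). An empty rule, i.e. no
// access_dirs configured, permits nothing; relative paths are rejected because
// what they resolve to depends on the Collector's working directory.
func (r AccessRule) Permitted(path string) bool {
	return filepath.IsAbs(path) && !underAny(path, r.Deny) && underAny(path, r.Allow)
}

// Violations returns one error per path the rule rejects, so the Supervisor
// can report every offending path in a Collector config at once.
func (r AccessRule) Violations(op string, paths []string) []error {
	var errs []error
	for _, p := range paths {
		if !r.Permitted(p) {
			errs = append(errs, fmt.Errorf("%s of %q not allowed by access_dirs.%s", op, p, op))
		}
	}
	return errs
}
```

A production check would additionally resolve symlinks (filepath.EvalSymlinks) before comparing, since a link inside an allowed directory can point anywhere.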

evan-bradley added the enhancement, discussion needed, never stale and cmd/opampsupervisor labels on Jul 17, 2023