Add the ability to filter network access. (#245)

* Add iptables rule for blocking traffic to 169.254.169.254.

* Load iptable rules when initing the sandbox to limit network access.

Author: calebbrown

cmd/analyze/Dockerfile

@@ -27,6 +27,7 @@ RUN curl -fsSL https://gvisor.dev/archive.key | apt-key add - && \
 COPY --from=build /src/analyze /usr/local/bin/analyze
 COPY --from=build /src/worker /usr/local/bin/worker
 COPY --from=build /src/tools/gvisor/runsc_compat.sh /usr/local/bin/runsc_compat.sh
+COPY --from=build /src/tools/firewall/iptables.rules /usr/local/etc/iptables.rules
 RUN chmod 755 /usr/local/bin/runsc_compat.sh
 
 ARG SANDBOX_IMAGE_TAG

internal/sandbox/sandbox.go

@@ -16,6 +16,8 @@ import (
 const (
 	podmanBin       = "podman"
 	runtimeBin      = "/usr/local/bin/runsc_compat.sh"
+	iptablesLoadBin = "/usr/sbin/iptables-restore"
+	iptablesRules   = "/usr/local/etc/iptables.rules"
 	rootDir         = "/var/run/runsc"
 	straceFile      = "runsc.log.boot"
 	hostname        = "box"
@@ -165,6 +167,11 @@ func removeAllLogs() error {
 	return nil
 }
 
+func loadIptablesRules() error {
+	cmd := exec.Command(iptablesLoadBin, iptablesRules)
+	return cmd.Run()
+}
+
 func podman(args ...string) *exec.Cmd {
 	args = append([]string{
 		"--cgroup-manager=cgroupfs",
@@ -263,6 +270,10 @@ func (s *podmanSandbox) init() error {
 	if s.container != "" {
 		return nil
 	}
+	// Load iptables rules to further isolate the sandbox
+	if err := loadIptablesRules(); err != nil {
+		return fmt.Errorf("failed restoring iptables rules: %w", err)
+	}
 	// Delete existing logs (if any).
 	if err := removeAllLogs(); err != nil {
 		return fmt.Errorf("failed removing all logs: %w", err)

tools/firewall/iptables.rules

@@ -0,0 +1,6 @@
+# Create the chain used by podman networking for user-defined rules
+*filter
+:CNI-ADMIN - [0:0]
+# Block access to metadata.google.internal/AWS metadata
+-A CNI-ADMIN -d 169.254.169.254/32 -j DROP
+COMMIT