Skip to content

[cmd/opampsupervisor] Specify requirements and mechanism for filesystem restrictions #24310

Description

@evan-bradley

Component(s)

cmd/opampsupervisor

Is your feature request related to a problem? Please describe.

Remote configuration of the Collector has the potential to be an avenue for malicious actors to exfiltrate information from a system using the Collector. We need to ensure users are equipped with the tools necessary to mitigate this risk.

Describe the solution you'd like

One question we will want to answer is what is in scope for these protections:

  • Receiver targets?
  • Source/target files on the filesystem?
  • Export destinations?

For controlling filesystem access, one solution could be to specify in the Supervisor config (which cannot be remotely updated through OpAMP) which directories are permitted. Directories used in the Collector's config would then be validated against this list. The behavior the Supervisor takes if a directory fails validation still needs to be determined.

# Optional directories that are allowed to be read/written by the
# Collector.
# If unspecified then NO access to the filesystem is allowed.
access_dirs:
  read:
    allow: [/var/log]
    deny: [/var/log/secret_logs]
  write:
    allow: [/var/otelcol]

Other alternatives to controlling filesystem access:

  1. Using native operating system process namespacing tools, such as cgroups on Linux.
  2. Leveraging the operating system's capabilities to do this by leveraging existing users who have been set up by other systems with the desired filesystem permissions and validate those permissions against the configuration here.

Describe alternatives you've considered

No response

Additional context

See the discussion on the Google Doc here: https://docs.google.com/document/d/1KtH5atZQUs9Achbce6LiOaJxLbksNJenvgvyKLsJrkc/edit?pli=1&disco=AAAAkWOtq4M

Metadata

Metadata

Assignees

No one assigned

    Labels

    cmd/opampsupervisordiscussion neededCommunity discussion neededenhancementNew feature or requestnever staleIssues marked with this label will be never staled and automatically removed

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions