additional ability to obfuscate application package names for node apps and using full image IDs when saving images in XRAY to make it more compatible with non-Docker container runtimes

Signed-off-by: Kyle Quest <[email protected]>

Author: kcq

README.md

@@ -547,6 +547,7 @@ In the interactive CLI prompt mode you must specify the target image using the `
 - `--image-build-engine` - Select image build engine: `internal` | `docker` | `none` (`internal` - build the output image without using Docker [default behavior], `docker` - build the output image with Docker, `none` - don't build the output image, allows you to do your own build with the tools you want to use, which you'll be able to do by pointing to the artifact directory where the `files.tar` and `Dockerfile` artifacts are located for the output image)
 - `--image-build-arch` - Select output image build architecture (use the standard container image names for the architectures without the OS part)
 - `--obfuscate-metadata` - Obfuscate the standard system and application metadata to make it more challenging to identify the image components (experimental flag, first version of obfuscation; inspired by the [`Malicious Compliance`](https://kccnceu2023.sched.com/event/1Hybu/malicious-compliance-reflections-on-trusting-container-scanners-ian-coldwater-independent-duffie-cooley-isovalent-brad-geesaman-ghost-security-rory-mccune-datadog) KubeCon EU 2023 talk)
+- `--obfuscate-app-package-names` - Select the obfuscation mode for the application package names. Available modes: `none` | `empty` | `prefix` | `random` (`none` - Do no app package name obfuscation; `empty` - Replace the app package names with empty values; `prefix` - Prefix app package names with a string; `random` - Replace app package names with random values).
 - `--enable-mondel` - Enable monitor data event log for sensor monitors to log/stream the events captured by those monitors (default: false)
 - `--command-params-file` -  JSON file with all command parameters - the JSON file can use a snake case formatted commands example `--docker-config-path` would be `docker_config_path`
 

pkg/app/master/command/build/cli.go

@@ -158,6 +158,7 @@ var BuildFlags = (append([]cli.Flag{
 	cflag(FlagExcludeMounts),
 	//"EXCLUDE" FLAGS - END
 	cflag(FlagObfuscateMetadata),
+	cflag(FlagObfuscateAppPackageNames),
 	command.Cflag(command.FlagContinueAfter),
 	command.Cflag(command.FlagUseLocalMounts),
 	command.Cflag(command.FlagUseSensorVolume),
@@ -739,6 +740,7 @@ var CLI = &cli.Command{
 		rtaSourcePT := ctx.Bool(command.FlagRTASourcePT)
 
 		doObfuscateMetadata := ctx.Bool(FlagObfuscateMetadata)
+		obfuscateAppPackageNames := ctx.String(FlagObfuscateAppPackageNames)
 
 		imageBuildEngine, err := getImageBuildEngine(ctx)
 		if err != nil {
@@ -842,6 +844,7 @@ var CLI = &cli.Command{
 			rtaOnbuildBaseImage,
 			rtaSourcePT,
 			doObfuscateMetadata,
+			obfuscateAppPackageNames,
 			ctx.String(command.FlagSensorIPCEndpoint),
 			ctx.String(command.FlagSensorIPCMode),
 			kubeOpts,

pkg/app/master/command/build/flags.go

@@ -152,7 +152,8 @@ const (
 	FlagCBOCacheFrom        = "cbo-cache-from"
 
 	//Experimenal flags
-	FlagObfuscateMetadata = "obfuscate-metadata"
+	FlagObfuscateMetadata        = "obfuscate-metadata"
+	FlagObfuscateAppPackageNames = "obfuscate-app-package-names"
 )
 
 // Build command flag usage info
@@ -231,7 +232,8 @@ const (
 	FlagCBONetworkUsage          = "Networking mode to use for the RUN instructions at build-time"
 	FlagCBOCacheFromUsage        = "Add an image to the build cache"
 
-	FlagObfuscateMetadataUsage = "Obfuscate the standard system and application metadata to make it more challenging to identify the image components"
+	FlagObfuscateMetadataUsage        = "Obfuscate the standard system and application metadata to make it more challenging to identify the image components"
+	FlagObfuscateAppPackageNamesUsage = "Select app package name obfuscate mode: none | empty | prefix | random"
 )
 
 var Flags = map[string]cli.Flag{
@@ -648,6 +650,12 @@ var Flags = map[string]cli.Flag{
 		Usage:   FlagObfuscateMetadataUsage,
 		EnvVars: []string{"DSLIM_OBFUSCATE_METADATA"},
 	},
+	FlagObfuscateAppPackageNames: &cli.StringFlag{
+		Name:    FlagObfuscateAppPackageNames,
+		Value:   config.OAPNNone,
+		Usage:   FlagObfuscateAppPackageNamesUsage,
+		EnvVars: []string{"DSLIM_OBFUSCATE_APN"},
+	},
 }
 
 func cflag(name string) cli.Flag {

pkg/app/master/command/build/handler.go

@@ -148,6 +148,7 @@ func OnCommand(
 	rtaOnbuildBaseImage bool,
 	rtaSourcePT bool,
 	doObfuscateMetadata bool,
+	obfuscateAppPackageNames string,
 	sensorIPCEndpoint string,
 	sensorIPCMode string,
 	kubeOpts config.KubernetesOptions,
@@ -641,8 +642,9 @@ func OnCommand(
 				includeLastImageLayers, appImageStartInstGroup, appImageStartInst, len(appImageDockerfileInsts))
 
 			includeLayerPaths := map[string]*fsutil.AccessInfo{}
-			imageID := dockerutil.CleanImageID(imageInspector.ImageInfo.ID)
-			iaName := fmt.Sprintf("%s.tar", imageID)
+			//not using dockerutil.CleanImageID() because some container runtime APIs might expect the full image ID with the hash prefix
+			imageID := imageInspector.ImageInfo.ID
+			iaName := fmt.Sprintf("%s.tar", dockerutil.CleanImageID(imageID))
 			iaPath := filepath.Join(localVolumePath, "image", iaName)
 			iaPathReady := fmt.Sprintf("%s.ready", iaPath)
 
@@ -1109,6 +1111,7 @@ func OnCommand(
 		gparams.InContainer,
 		rtaSourcePT,
 		doObfuscateMetadata,
+		obfuscateAppPackageNames,
 		sensorIPCEndpoint,
 		sensorIPCMode,
 		printState,

pkg/app/master/command/build/prompt.go

@@ -1,9 +1,10 @@
 package build
 
 import (
-	"github.com/mintoolkit/mint/pkg/app/master/command"
-
 	"github.com/c-bata/go-prompt"
+
+	"github.com/mintoolkit/mint/pkg/app/master/command"
+	"github.com/mintoolkit/mint/pkg/app/master/config"
 )
 
 var CommandSuggestion = prompt.Suggest{
@@ -163,6 +164,7 @@ var CommandFlagSuggestions = &command.FlagSuggestions{
 		{Text: command.FullFlagName(FlagImageBuildEngine), Description: FlagImageBuildEngineUsage},
 		{Text: command.FullFlagName(FlagImageBuildArch), Description: FlagImageBuildArchUsage},
 		{Text: command.FullFlagName(FlagObfuscateMetadata), Description: FlagObfuscateMetadataUsage},
+		{Text: command.FullFlagName(FlagObfuscateAppPackageNames), Description: FlagObfuscateAppPackageNamesUsage},
 	},
 	Values: map[string]command.CompleteValue{
 		command.FullFlagName(command.FlagCommandParamsFile): command.CompleteFile,
@@ -239,9 +241,21 @@ var CommandFlagSuggestions = &command.FlagSuggestions{
 		command.FullFlagName(FlagImageBuildArch):               CompleteImageBuildArch,
 		command.FullFlagName(FlagAppImageDockerfile):           command.CompleteFile,
 		command.FullFlagName(FlagObfuscateMetadata):            command.CompleteBool,
+		command.FullFlagName(FlagObfuscateAppPackageNames):     CompleteObfuscateAPN,
 	},
 }
 
+var obfuscateAPNValues = []prompt.Suggest{
+	{Text: config.OAPNNone, Description: "Do no app package name obfuscation"},
+	{Text: config.OAPNEmpty, Description: "Replace the app package names with empty values"},
+	{Text: config.OAPNPrefix, Description: "Prefix app package names with a string"},
+	{Text: config.OAPNRandom, Description: "Replace app package names with random values"},
+}
+
+func CompleteObfuscateAPN(ia *command.InteractiveApp, token string, params prompt.Document) []prompt.Suggest {
+	return prompt.FilterHasPrefix(obfuscateAPNValues, token, true)
+}
+
 var imageBuildEngineValues = []prompt.Suggest{
 	{Text: IBENone, Description: "no image build engine (output image is not built)"},
 	{Text: IBEInternal, Description: "internal image build engine"},

pkg/app/master/command/cliflags.go

@@ -4,6 +4,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/mintoolkit/mint/pkg/app/master/config"
 )
 
 /////////////////////////////////////////////////////////
@@ -789,7 +791,7 @@ var CommonFlags = map[string]cli.Flag{
 	},
 	FlagContinueAfter: &cli.StringFlag{
 		Name:    FlagContinueAfter,
-		Value:   "probe",
+		Value:   config.CAMProbe,
 		Usage:   FlagContinueAfterUsage,
 		EnvVars: []string{"DSLIM_CONTINUE_AFTER"},
 	},

pkg/app/master/command/profile/handler.go

@@ -274,6 +274,7 @@ func OnCommand(
 		gparams.InContainer,
 		true,  //rtaSourcePT
 		false, //doObfuscateMetadata
+		"",    //doObfuscateAPN
 		sensorIPCEndpoint,
 		sensorIPCMode,
 		printState,

pkg/app/master/command/xray/handler.go

@@ -346,8 +346,9 @@ func OnCommand(
 	xc.Out.State("image.api.inspection.done")
 	xc.Out.State("image.data.inspection.start")
 
-	imageID := dockerutil.CleanImageID(imageInspector.ImageInfo.ID)
-	iaName := fmt.Sprintf("%s.tar", imageID)
+	//not using dockerutil.CleanImageID() because some container runtime APIs might expect the full image ID with the hash prefix
+	imageID := imageInspector.ImageInfo.ID
+	iaName := fmt.Sprintf("%s.tar", dockerutil.CleanImageID(imageID))
 	iaPath := filepath.Join(localVolumePath, "image", iaName)
 	iaPathReady := fmt.Sprintf("%s.ready", iaPath)
 
@@ -1357,8 +1358,16 @@ func objectHistoryString(history *dockerimage.ObjectHistory) string {
 		return "H=[]"
 	}
 
+	return fmt.Sprintf("H=%s", objectHistoryValue(history))
+}
+
+func objectHistoryValue(history *dockerimage.ObjectHistory) string {
+	if history == nil {
+		return "[]"
+	}
+
 	var builder strings.Builder
-	builder.WriteString("H=[")
+	builder.WriteString("[")
 	if history.Add != nil {
 		builder.WriteString(fmt.Sprintf("A:%d", history.Add.Layer))
 	}
@@ -1386,7 +1395,7 @@ func printObject(xc *app.ExecutionContext, object *dockerimage.ObjectMetadata) {
 	var hashInfo string
 
 	if object.Hash != "" {
-		hashInfo = fmt.Sprintf(" hash=%s", object.Hash)
+		hashInfo = fmt.Sprintf("%s", object.Hash)
 	}
 	ov := ovars{
 		"mode":        object.Mode,
@@ -1395,7 +1404,7 @@ func printObject(xc *app.ExecutionContext, object *dockerimage.ObjectMetadata) {
 		"uid":         object.UID,
 		"gid":         object.GID,
 		"mtime":       object.ModTime.UTC().Format(time.RFC3339),
-		"H":           objectHistoryString(object.History),
+		"H":           objectHistoryValue(object.History),
 		"hash":        hashInfo,
 		"object.name": object.Name,
 	}

pkg/app/master/config/config.go

@@ -145,6 +145,7 @@ type DockerClient struct {
 	Env         map[string]string
 }
 
+// ContinueAfter mode enums
 const (
 	CAMContainerProbe = "container-probe"
 	CAMProbe          = "probe"
@@ -207,3 +208,11 @@ type KubernetesTargetOverride struct {
 func (ko KubernetesOptions) HasTargetSet() bool {
 	return ko.Target.Workload != ""
 }
+
+// ObfuscateAppPackageNames mode enums
+const (
+	OAPNNone   = "none"
+	OAPNEmpty  = "empty"
+	OAPNPrefix = "prefix"
+	OAPNRandom = "random"
+)