SPIRE WorkloadAttestor that reads governance env vars from /proc/{pid}/environ
(walking up the process tree to find gsh) and emits gsap: selectors on workload
SVIDs. Maps BASCULE_* vars set by bascule-shell and future GSH_* vars to the
11-selector vocabulary defined in gsap-types/src/selectors.rs.
- pkg/gsap/selectors.go: shared Go constants mirroring Rust vocabulary
- cmd/gsap-attestor/: plugin implementation with /proc reading, process tree
walking, capability ceiling translation, and fail-open for non-governed processes
- 28 tests covering selector extraction, proc parsing, tree walking, and depth limits
- Makefile, Dockerfile, deploy config updated
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
// Package gsap defines the SPIRE selector vocabulary for GSAP-attested workloads.
//
// The constants mirror the Rust definitions in gsap-types/src/selectors.rs.
// Selectors are formatted as "gsap:key:value" and reported by the gsap-attestor
// WorkloadAttestor plugin.
package gsap
const SelectorType = "gsap"
const (
SelectorContextID = "context_id"
SelectorCapabilityMask = "capability_mask"
SelectorCorpusCID = "corpus_cid"
SelectorParametersCID = "parameters_cid"
SelectorAccordTemplate = "accord_template"
SelectorPlaybook = "playbook"
SelectorPrincipalDID = "principal_did"
SelectorDriverID = "driver_id"
SelectorSessionMode = "session_mode"
SelectorShellClass = "shell_class"
SelectorPostureLevel = "posture_level"
)
var AllSelectorKeys = []string{
SelectorContextID,
SelectorCapabilityMask,
SelectorCorpusCID,
SelectorParametersCID,
SelectorAccordTemplate,
SelectorPlaybook,
SelectorPrincipalDID,
SelectorDriverID,
SelectorSessionMode,
SelectorShellClass,
SelectorPostureLevel,
}
// FormatSelector builds a SPIRE selector string "gsap:key:value".
func FormatSelector(key, value string) string {
return SelectorType + ":" + key + ":" + value
}
// CapabilityCeilingToHex translates BASCULE_CAPABILITY_CEILING name strings
// to the hex mask used by GSAP selectors. Ceiling semantics are cumulative:
// CAP_MUTATE means "up to and including MUTATE" = READ|PROPOSE|MUTATE = 0x07.
var CapabilityCeilingToHex = map[string]string{
"CAP_NONE": "0x00",
"CAP_READ": "0x01",
"CAP_PROPOSE": "0x03",
"CAP_MUTATE": "0x07",
"CAP_GOVERN": "0x0f",
}
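Review bot: `CapabilityCeilingToHex` (and likewise `AllSelectorKeys`) is an exported package-level `var`, so any importer can rewrite the ceiling-to-mask table at runtime, and because the hex value ends up as the `gsap:capability_mask:` selector that SPIRE registration entries are matched against, that translation should not be writable from outside this package. Go has no constant maps; the usual shape is an unexported `capabilityCeilingToHex` plus a lookup such as `func CeilingHex(ceiling string) (string, bool) { hex, ok := capabilityCeilingToHex[ceiling]; return hex, ok }`, which also lets the attestor distinguish an unknown ceiling name from a real value instead of indexing the map directly (the attestor in cmd/gsap-attestor would need the matching call-site change, which is outside this section). Separately, `SelectorType`, the `Selector*` const block and `AllSelectorKeys` are exported without doc comments; for example `// SelectorType is the selector type prefix reported to SPIRE.` and `// AllSelectorKeys lists every selector key, in the order of the Rust vocabulary.` The mirroring claim in the package comment is not enforced by anything visible in this file; if one of the 28 tests mentioned in the commit message compares these constants against gsap-types/src/selectors.rs, it would be worth naming it there so a drift is caught on either side.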