Merge pull request #320 from keirthana/update-security-docs

Rearrange security content

Author: morphis

conf.py

@@ -207,12 +207,12 @@
     'tutorial/getting-started-dashboard': '../create-test-virtual-device',
     'tutorial/getting-started': '../create-test-virtual-device',
     'tutorial/creating-addon': '../../howto/addons/create-addon',
-    'explanation/cryptography/crypto_ams': '../../security/crypto_ams',
-    'explanation/cryptography/crypto_anbox_runtime': '../../security/crypto_anbox_runtime',
-    'explanation/cryptography/crypto_charms': '../../security/crypto_charms',
-    'explanation/cryptography/crypto_dashboard': '../../security/crypto_dashboard',
-    'explanation/cryptography/crypto_stream_agent': '../../security/crypto_stream_agent',
-    'explanation/cryptography/crypto_stream_gateway': '../../security/crypto_stream_gateway',
+    'explanation/cryptography/crypto_ams': '../../security/ams',
+    'explanation/cryptography/crypto_anbox_runtime': '../../security/anbox-runtime',
+    'explanation/cryptography/crypto_charms': '../../security/charms',
+    'explanation/cryptography/crypto_dashboard': '../../security/dashboard',
+    'explanation/cryptography/crypto_stream_agent': '../../security/streaming-stack',
+    'explanation/cryptography/crypto_stream_gateway': '../../security/streaming-stack',
     'explanation/anbox-security': '../security/landing',
     'howto/install-appliance/enable-oidc': '../setup-oidc/landing/',
 }

explanation/security/crypto_ams.md explanation/security/ams.mdexplanation/security/crypto_ams.md renamed to explanation/security/ams.md

@@ -1,4 +1,4 @@
-(exp-security-crypto-ams)=
+(exp-security-ams)=
 # AMS
 
 Anbox Management Service (AMS) is using cryptographic technology for:

…anation/security/crypto_anbox_runtime.md explanation/security/anbox-runtime.mdexplanation/security/crypto_anbox_runtime.md renamed to explanation/security/anbox-runtime.md explanation/security/crypto_anbox_runtime.md renamed to explanation/security/anbox-runtime.md

@@ -1,4 +1,4 @@
-(exp-security-crypto-anbox-runtime)=
+(exp-security-anbox-runtime)=
 # Anbox runtime
 
 The Anbox runtime (see {ref}`howto-anbox-runtime`) is using cryptographic technology for:
@@ -15,9 +15,9 @@ When communicating with the HTTPS API of the Anbox Stream Agent, Anbox will eith
 
 ## Token based authentication
 
-Anbox accesses a limited set of API endpoints of the Anbox Management Service (AMS) to submit status information during runtime. Access is authenticated by a scope-limited [JWT](https://jwt.io/) based token. See {ref}`exp-security-crypto-ams` for more details.
+Anbox accesses a limited set of API endpoints of the Anbox Management Service (AMS) to submit status information during runtime. Access is authenticated by a scope-limited [JWT](https://jwt.io/) based token. See {ref}`exp-security-ams` for more details.
 
-As part of the WebRTC connection process, Anbox communicates with the HTTP API endpoints provided by the Anbox Stream Agent. Anbox authenticates itself to the agent by presenting a token (see {ref}`exp-security-crypto-stream-agent`) and validates the TLS certificate of the agent by checking its fingerprint. The fingerprint Anbox uses for the validation check is the SHA-256 hash of the complete ASN.1 DER content (certificate, signature algorithm and signature) of the TLS certificate that the agent uses.
+As part of the WebRTC connection process, Anbox communicates with the HTTP API endpoints provided by the Anbox Stream Agent. Anbox authenticates itself to the agent by presenting a token (see {ref}`sec-security-crypto-stream-agent`) and validates the TLS certificate of the agent by checking its fingerprint. The fingerprint Anbox uses for the validation check is the SHA-256 hash of the complete ASN.1 DER content (certificate, signature algorithm and signature) of the TLS certificate that the agent uses.
 
 ## WebRTC
 

explanation/security/android.md

@@ -0,0 +1,25 @@
+# Android
+
+The images that Anbox Cloud provides are based on different Android versions. They are updated with security patches monthly, based on the upstream security tags. You can find detailed information on the security patches that have been included (or considered to be included but found unrelated) in the [Android Security Bulletins](https://source.android.com/docs/security/bulletin). The relevant security bulletin for each Anbox Cloud release is linked in the {ref}`ref-release-notes`.
+
+See [Android Security Features](https://source.android.com/docs/security/features) in the Android documentation for an overview of security-related features that Android provides. Anbox Cloud supports some of these features, but not all of them. Some of the features rely on hardware that is not available in a virtual system, and others interfere with the Ubuntu security features.
+
+The following table shows which Android security features are supported in Anbox Cloud.
+
+| Security feature                           | Supported in Anbox Cloud |
+|--------------------------------------------|:------------------------:|
+| App sandbox                                | ✓                        |
+| App signing                                | ✓                        |
+| Authentication                             | -                        |
+| Biometrics                                 | -                        |
+| Encryption                                 | -                        |
+| Keystore                                   | ✓                        |
+| Security-Enhanced Linux (SELinux)          | -                        |
+| Trusty Trusted Execution Environment (TEE) | -                        |
+| Verified Boot                              | -                        |
+
+### Security-Enhanced Linux (SELinux)
+
+Currently, Anbox Cloud disables SELinux in Android. The reason for this is that SELinux conflicts with AppArmor, which is by default enabled in LXD. Anbox Cloud utilizes the security features provided by LXD and therefore relies on AppArmor instead of SELinux.
+
+In future releases, it might be possible to run AppArmor and SELinux in parallel. In this case, the decision to disable SELinux will be reconsidered.

explanation/security/charms.md

@@ -0,0 +1,29 @@
+(exp-security-charms)=
+# Charms
+
+## Communication
+
+All communication between Juju units and the Juju controller happens over TLS-encrypted websockets. The certificate for the TLS connection to the controller is added as explicitly trusted to each machine as part of the bootstrap process using a combination of cloud-init and SSH.
+
+With this secure channel, Juju charms can communicate with each other using relation data. The data published by one unit is sent to the controller, which then makes it available for all other units on the same relation. The data for each relation is scoped by ID and is only visible to units participating in the specific relation on which it is set.
+
+See [Security with Juju](https://canonical-juju.readthedocs-hosted.com/en/latest/user/explanation/juju-security/) for more information.
+
+
+## Cryptography
+
+The following charms for Anbox Cloud make use of cryptographic technology for creation of TLS certificates:
+
+* [`ams`](https://charmhub.io/ams)
+* [`ams-lxd`](https://charmhub.io/ams-lxd)
+* [`ams-node-controller`](https://charmhub.io/ams-node-controller)
+* [`anbox-stream-gateway`](https://charmhub.io/anbox-stream-gateway)
+* [`anbox-stream-agent`](https://charmhub.io/anbox-stream-agent)
+* [`anbox-cloud-dashboard`](https://charmhub.io/anbox-cloud-dashboard)
+* [`lxd-integrator`](https://charmhub.io/lxd-integrator)
+
+When Anbox Cloud is deployed without the use of an external CA, the charms will generate self-signed certificates using the [cryptography](https://pypi.org/project/cryptography/) Python package. The private key used for signing has a size of 4096 bits.
+
+### Packages used
+
+* [cryptography from PyPI](https://pypi.org/project/cryptography/)

explanation/security/crypto_charms.md

@@ -1,4 +1,4 @@
-(exp-security-crypto-dashboard)=
+(exp-security-dashboard)=
 # Dashboard
 
 The Anbox Cloud Dashboard (dashboard) is using cryptographic technology for:

explanation/security/crypto_stream_agent.md

@@ -0,0 +1,25 @@
+# Instances
+
+Anbox Cloud uses secure and isolated system instances supplied by [LXD](https://ubuntu.com/lxd). LXD provides a high degree of flexibility when setting up instances - you get to decide the level of security for your requirements. See [Security](https://documentation.ubuntu.com/lxd/en/latest/security/) in the LXD documentation for more information about how a LXD setup can be secured.
+
+```{tip}
+Using virtual machines to host Android containers provides better workload isolation. 
+```
+
+## Unprivileged instances
+
+```{note}
+This section is particularly applicable for container based instances because a virtual machine is unprivileged by nature.
+```
+
+Many instance managers use privileged instances, which means that the instances have root privileges on the host system, including access to all devices. This is a security risk, because attackers could gain control over the host system.
+
+Anbox Cloud uses unprivileged LXD instances only, which fully isolates the instances and ensures that they cannot gain root privileges. In addition, the Android container that runs inside the LXD instance also runs as an unprivileged instance. This method isolates the Android container twice, with the result that if the encapsulation of either the LXD instance or the Android container should fail, the system would still be protected.
+
+```{caution}
+While instances are fully isolated, all instances currently use the same GPU resources. As a result, any instance that is launched with GPU support could take all GPU resources in a DDoS-like attack, which would prevent other instances from starting.
+
+Monitoring how the GPU resources are used for different applications and ensuring that you are running trusted workloads can provide insulation against DDoS-like attacks.
+
+See {ref}`sec-gpu-slots` for more information.
+```