haproxytech
diff --git a/‎build/Dockerfile‎
Lines changed: 18 additions & 8 deletions b/‎build/Dockerfile‎
Lines changed: 18 additions & 8 deletions
diff --git a/‎build/Dockerfile.dev‎
Lines changed: 18 additions & 4 deletions b/‎build/Dockerfile.dev‎
Lines changed: 18 additions & 4 deletions
diff --git a/‎fs/etc/s6-overlay/s6-rc.d/aux-cfg/type‎
Lines changed: 0 additions & 1 deletion b/‎fs/etc/s6-overlay/s6-rc.d/aux-cfg/type‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎fs/etc/s6-overlay/s6-rc.d/aux-cfg/up‎
Lines changed: 0 additions & 1 deletion b/‎fs/etc/s6-overlay/s6-rc.d/aux-cfg/up‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎fs/etc/s6-overlay/s6-rc.d/haproxy/dependencies.d/aux-cfg‎ b/‎fs/etc/s6-overlay/s6-rc.d/haproxy/dependencies.d/aux-cfg‎
diff --git a/‎fs/etc/s6-overlay/s6-rc.d/haproxy/run‎
Lines changed: 1 addition & 1 deletion b/‎fs/etc/s6-overlay/s6-rc.d/haproxy/run‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎fs/etc/s6-overlay/s6-rc.d/kubernetes-controller/dependencies.d/aux-cfg‎ b/‎fs/etc/s6-overlay/s6-rc.d/kubernetes-controller/dependencies.d/aux-cfg‎
diff --git a/‎fs/etc/s6-overlay/scripts/01-aux-cfg‎
Lines changed: 0 additions & 7 deletions b/‎fs/etc/s6-overlay/scripts/01-aux-cfg‎
Lines changed: 0 additions & 7 deletions
diff --git a/‎hug/protection/block_secrets.c‎
Lines changed: 137 additions & 0 deletions b/‎hug/protection/block_secrets.c‎
Lines changed: 137 additions & 0 deletions
diff --git a/‎hug/protection/haproxy_wrapper.c‎
Lines changed: 49 additions & 0 deletions b/‎hug/protection/haproxy_wrapper.c‎
Lines changed: 49 additions & 0 deletions
@@ -28,6 +28,15 @@ RUN mkdir -p /var/run/vars && \
         -tags="$BUILD_TAGS" \
         -o fs/kubernetes-controller ./cmd/controller
 
+FROM haproxytech/haproxy-alpine:3.2 AS builder-c
+RUN apk add --no-cache build-base gcc musl-dev
+WORKDIR /src
+
+COPY hug/protection/block_secrets.c .
+COPY hug/protection/haproxy_wrapper.c .
+RUN gcc -O3 -Wall -flto -fPIC -shared -s -o libblock_secrets.so block_secrets.c -ldl
+RUN gcc -O3 -Wall -g -s -o haproxy_wrapper haproxy_wrapper.c
+
 FROM haproxytech/haproxy-alpine:3.2
 
 ARG TARGETPLATFORM
@@ -39,19 +48,20 @@ ENV S6_USER=haproxy
 ENV S6_GROUP=haproxy
 
 COPY /fs /
-
-RUN mkdir -p /usr/local/hug/aux && \
-    chgrp -R haproxy /usr/local/hug && \
-    chmod -R ug+rwx /usr/local/hug
+COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
+COPY --from=builder-c /src/haproxy_wrapper /usr/local/sbin/haproxy_wrapper
 
 RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     rm -f /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi /etc/haproxy/dataplaneapi.yml && \
     rm -f /usr/local/bin/dataplaneapi-v2 /usr/bin/dataplaneapi-v2 && \
     rm -f /etc/haproxy/haproxy.cfg && \
-    mkdir -p /usr/local/hug && \
-    chgrp -R haproxy /usr/local/hug /run /var && \
-    chmod -R ug+rwx /usr/local/hug /run /var && \
-    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy && \
+    mkdir -p /usr/local/hug/aux && \
+    chgrp -R haproxy /usr/local/hug && \
+    chmod -R ug+rwx /usr/local/hug && \
+    chown -R "${S6_USER}:${S6_GROUP}" /usr/local/etc/haproxy /run /var && \
+    chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
+    chmod u+rx /usr/local/sbin/haproxy_wrapper && \
+    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy_wrapper && \
     case "${TARGETPLATFORM}" in \
         "linux/arm64")      S6_ARCH=aarch64      ;; \
         "linux/amd64")      S6_ARCH=x86_64       ;; \
 
@@ -12,6 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+FROM haproxytech/haproxy-alpine:3.2 AS builder-c
+RUN apk add --no-cache build-base gcc musl-dev
+WORKDIR /src
+
+COPY hug/protection/block_secrets.c .
+COPY hug/protection/haproxy_wrapper.c .
+RUN gcc -O3 -Wall -flto -fPIC -shared -s -o libblock_secrets.so block_secrets.c -ldl
+RUN gcc -O3 -Wall -g -s -o haproxy_wrapper haproxy_wrapper.c
+
 FROM haproxytech/haproxy-alpine:3.2
 
 ARG TARGETPLATFORM
@@ -23,6 +32,8 @@ ENV S6_USER=haproxy
 ENV S6_GROUP=haproxy
 
 COPY /fs /
+COPY --from=builder-c /src/libblock_secrets.so /usr/local/lib/libblock_secrets.so
+COPY --from=builder-c /src/haproxy_wrapper /usr/local/sbin/haproxy_wrapper
 
 RUN mkdir -p /usr/local/hug/aux && \
     chgrp -R haproxy /usr/local/hug && \
@@ -32,10 +43,13 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     rm -f /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi /etc/haproxy/dataplaneapi.yml && \
     rm -f /usr/local/bin/dataplaneapi-v2 /usr/bin/dataplaneapi-v2 && \
     rm -f /etc/haproxy/haproxy.cfg && \
-    mkdir -p /usr/local/hug && \
-    chgrp -R haproxy /usr/local/hug /run /var && \
-    chmod -R ug+rwx /usr/local/hug /run /var && \
-    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy && \
+    mkdir -p /usr/local/hug/aux && \
+    chgrp -R haproxy /usr/local/hug && \
+    chmod -R ug+rwx /usr/local/hug && \
+    chown -R "${S6_USER}:${S6_GROUP}" /usr/local/etc/haproxy /run /var && \
+    chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
+    chmod u+rx /usr/local/sbin/haproxy_wrapper && \
+    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy_wrapper && \
     case "${TARGETPLATFORM}" in \
         "linux/arm64")      S6_ARCH=aarch64      ;; \
         "linux/amd64")      S6_ARCH=x86_64       ;; \
 
@@ -24,4 +24,4 @@ fi
 echo "Memory limit for HAProxy: ${MEMLIMIT}MiB"
 
 # if master socket is changed, that needs to be aligned in pkg/haproxy/process/interface.go
-exec /usr/local/sbin/haproxy -W -db -m "${MEMLIMIT}" -S /var/run/haproxy-master.sock,level,admin -f /usr/local/hug/haproxy.cfg -f /usr/local/hug/aux
+exec /usr/local/sbin/haproxy_wrapper -W -db -m "${MEMLIMIT}" -S /var/run/haproxy-master.sock,level,admin -f /usr/local/hug/haproxy.cfg -f /usr/local/hug/aux
@@ -0,0 +1,137 @@
+/* Copyright 2025 HAProxy Technologies LLC                                    */
+/*                                                                            */
+/* Licensed under the Apache License, Version 2.0 (the "License");            */
+/* you may not use this file except in compliance with the License.           */
+/* You may obtain a copy of the License at                                    */
+/*                                                                            */
+/*    http://www.apache.org/licenses/LICENSE-2.0                              */
+/*                                                                            */
+/* Unless required by applicable law or agreed to in writing, software        */
+/* distributed under the License is distributed on an "AS IS" BASIS,          */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
+/* See the License for the specific language governing permissions and        */
+/* limitations under the License.                                             */
+
+#include <dlfcn.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define PATH_MAX 4096
+#define BLOCKED_PATH "/var/run/secrets/kubernetes.io/"
+
+static char canonical_blocked[PATH_MAX] = {0};
+static size_t canonical_blocked_len = 0;
+
+__attribute__((constructor)) static void init_blocked_path() {
+  if (!realpath(BLOCKED_PATH, canonical_blocked)) {
+    strncpy(canonical_blocked, BLOCKED_PATH, PATH_MAX - 1);
+    canonical_blocked[PATH_MAX - 1] = '\0';
+  }
+  canonical_blocked_len = strlen(canonical_blocked);
+}
+
+__attribute__((always_inline)) inline static int
+is_blocked(const char *pathname) {
+  char resolved[PATH_MAX];
+  const char *target = pathname;
+
+  if (realpath(pathname, resolved)) {
+    target = resolved;
+  }
+
+  return strncmp(target, canonical_blocked, canonical_blocked_len) == 0;
+}
+
+static int (*real_open)(const char *, int, ...) = NULL;
+static int (*real_open64)(const char *, int, ...) = NULL;
+static FILE *(*real_fopen)(const char *, const char *) = NULL;
+static FILE *(*real_fopen64)(const char *, const char *) = NULL;
+static FILE *(*real_freopen)(const char *, const char *, FILE *) = NULL;
+static FILE *(*real_freopen64)(const char *, const char *, FILE *) = NULL;
+
+__attribute__((constructor)) static void init_hooks() {
+  real_open = dlsym(RTLD_NEXT, "open");
+  real_open64 = dlsym(RTLD_NEXT, "open64");
+  real_fopen = dlsym(RTLD_NEXT, "fopen");
+  real_fopen64 = dlsym(RTLD_NEXT, "fopen64");
+  real_freopen = dlsym(RTLD_NEXT, "freopen");
+  real_freopen64 = dlsym(RTLD_NEXT, "freopen64");
+}
+
+int open(const char *pathname, int flags, ...) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return -1;
+  }
+
+  va_list args;
+  va_start(args, flags);
+  int fd;
+  if (flags & O_CREAT) {
+    mode_t mode = (mode_t)va_arg(args, int);
+    fd = real_open(pathname, flags, mode);
+  } else {
+    fd = real_open(pathname, flags);
+  }
+  va_end(args);
+  return fd;
+}
+
+int open64(const char *pathname, int flags, ...) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return -1;
+  }
+
+  va_list args;
+  va_start(args, flags);
+  int fd;
+  if (flags & O_CREAT) {
+    mode_t mode = (mode_t)va_arg(args, int);
+    fd = real_open64(pathname, flags, mode);
+  } else {
+    fd = real_open64(pathname, flags);
+  }
+  va_end(args);
+  return fd;
+}
+
+FILE *fopen(const char *pathname, const char *mode) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return NULL;
+  }
+  return real_fopen(pathname, mode);
+}
+
+FILE *fopen64(const char *pathname, const char *mode) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return NULL;
+  }
+  return real_fopen64(pathname, mode);
+}
+
+FILE *freopen(const char *pathname, const char *mode, FILE *stream) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return NULL;
+  }
+  return real_freopen(pathname, mode, stream);
+}
+
+FILE *freopen64(const char *pathname, const char *mode, FILE *stream) {
+  if (is_blocked(pathname)) {
+    errno = EACCES;
+    return NULL;
+  }
+  return real_freopen64(pathname, mode, stream);
+}
@@ -0,0 +1,49 @@
+/* Copyright 2025 HAProxy Technologies LLC                                    */
+/*                                                                            */
+/* Licensed under the Apache License, Version 2.0 (the "License");            */
+/* you may not use this file except in compliance with the License.           */
+/* You may obtain a copy of the License at                                    */
+/*                                                                            */
+/*    http://www.apache.org/licenses/LICENSE-2.0                              */
+/*                                                                            */
+/* Unless required by applicable law or agreed to in writing, software        */
+/* distributed under the License is distributed on an "AS IS" BASIS,          */
+/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   */
+/* See the License for the specific language governing permissions and        */
+/* limitations under the License.                                             */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define LIB_PATH "LD_PRELOAD=/usr/local/lib/libblock_secrets.so"
+#define TARGET_PATH "/usr/local/sbin/haproxy"
+
+int main(int argc, char *argv[], char *envp[]) {
+    char **newargv = malloc((argc + 1) * sizeof(char *));
+    if (!newargv) {
+        perror("malloc");
+        return 1;
+    }
+    newargv[0] = (char *)TARGET_PATH;
+    for (int i = 1; i < argc; i++) {
+        newargv[i] = argv[i];
+    }
+    newargv[argc] = NULL;
+
+    int envc = 0;
+    while (environ[envc]) envc++;
+
+    char **new_envp = malloc((envc + 2) * sizeof(char *));
+    for (int i = 0; i < envc; i++) {
+        new_envp[i] = environ[i];
+    }
+    new_envp[envc] = LIB_PATH;
+    new_envp[envc + 1] = NULL;
+
+    execve(TARGET_PATH, newargv, new_envp);
+
+    perror("execve");
+    return 1;
+}