
LSM sensor #2566

Merged
merged 13 commits into from
Jul 19, 2024

Conversation

anfedotoff
Contributor

@anfedotoff anfedotoff commented Jun 16, 2024

LSM sensor support allows us to use LSM BPF programs the way we use BPF programs for kprobes/tracepoints/uprobes.

TracingPolicy example:

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "lsm"
spec:
  lsmhooks:
  - hook: "file_open"
    args:
      - index: 0
        type: "file"
    selectors:
    - matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/cat"
```

Event example:

```json
{
  "process_lsm": {
    "process": {
      "exec_id": "dXNlci1uaXg6MTk5MzE1NDk0NTk3MzM6MzIwMTA4",
      "pid": 320108,
      "uid": 1000,
      "cwd": "/home/user/go/src/github.com/cilium/tetragon",
      "binary": "/usr/bin/cat",
      "arguments": "/etc/passwd",
      "flags": "execve clone",
      "start_time": "2024-06-15T18:03:29.742161520Z",
      "auid": 1000,
      "parent_exec_id": "dXNlci1uaXg6ODg1NjMwMDAwMDAwMDoxNDc4MTI=",
      "refcnt": 1,
      "tid": 320108,
      "user": {
        "name": "user"
      }
    },
    "parent": {
      "exec_id": "dXNlci1uaXg6ODg1NjMwMDAwMDAwMDoxNDc4MTI=",
      "pid": 147812,
      "uid": 1000,
      "cwd": "/home/user/go/src/github.com/cilium/tetragon",
      "binary": "/usr/bin/zsh",
      "flags": "procFS auid",
      "start_time": "2024-06-15T14:37:33.597296165Z",
      "auid": 1000,
      "parent_exec_id": "dXNlci1uaXg6MTM1ODA0MDAwMDAwMDozMTQ2",
      "tid": 147812
    },
    "function_name": "file_open",
    "policy_name": "lsm",
    "args": [
      {
        "file_arg": {
          "path": "/etc/passwd",
          "permission": "-rw-r--r--"
        }
      }
    ],
    "action": "KPROBE_ACTION_POST"
  },
  "node_name": "user-nix",
  "time": "2024-06-15T18:03:29.743030933Z"
}
```

This is also necessary for #2409.
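The event above is what a consumer of the LSM sensor sees. As an added example (not code from this PR or from Tetragon), the following Go program decodes a `process_lsm` event of that shape, flattens it to the fields a detection rule keys on, and replays the policy's `matchBinaries: In` selector in userspace as a sanity check that the kernel-side filter matched what the policy says. The embedded sample is the event from the description, trimmed to the fields read here; the `Summary` type and the function names are this example's own.

```go
// Added example, not Tetragon's own code: decode one process_lsm event (the
// JSON shape shown in the PR description) and reduce it to the fields a
// detection rule keys on, then re-check it against the policy's selector.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// sampleEvent is the process_lsm event from the PR description, trimmed to
// the fields this example reads (constructed input for the example).
const sampleEvent = `{
  "process_lsm": {
    "process": {
      "pid": 320108,
      "uid": 1000,
      "binary": "/usr/bin/cat",
      "arguments": "/etc/passwd"
    },
    "function_name": "file_open",
    "policy_name": "lsm",
    "args": [
      { "file_arg": { "path": "/etc/passwd", "permission": "-rw-r--r--" } }
    ],
    "action": "KPROBE_ACTION_POST"
  },
  "node_name": "user-nix",
  "time": "2024-06-15T18:03:29.743030933Z"
}`

// lsmEvent mirrors only the parts of the exported event we need; the json
// tags follow the field names in the event above.
type lsmEvent struct {
	ProcessLsm struct {
		Process struct {
			Pid    int    `json:"pid"`
			Uid    int    `json:"uid"`
			Binary string `json:"binary"`
		} `json:"process"`
		FunctionName string `json:"function_name"`
		PolicyName   string `json:"policy_name"`
		Args         []struct {
			FileArg *struct {
				Path       string `json:"path"`
				Permission string `json:"permission"`
			} `json:"file_arg"`
		} `json:"args"`
		Action string `json:"action"`
	} `json:"process_lsm"`
	NodeName string `json:"node_name"`
}

// Summary is the flattened view a rule engine or SIEM pipeline would index.
type Summary struct {
	Node, Hook, Policy, Binary, Path, Action string
	Pid, Uid                                 int
}

// Summarize decodes raw JSON into a Summary. Events whose arguments carry no
// file (other LSM hooks) get an empty Path; non-LSM events are rejected.
func Summarize(raw []byte) (Summary, error) {
	var ev lsmEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return Summary{}, err
	}
	if ev.ProcessLsm.FunctionName == "" {
		return Summary{}, errors.New("not a process_lsm event")
	}
	s := Summary{
		Node:   ev.NodeName,
		Hook:   ev.ProcessLsm.FunctionName,
		Policy: ev.ProcessLsm.PolicyName,
		Binary: ev.ProcessLsm.Process.Binary,
		Action: ev.ProcessLsm.Action,
		Pid:    ev.ProcessLsm.Process.Pid,
		Uid:    ev.ProcessLsm.Process.Uid,
	}
	for _, a := range ev.ProcessLsm.Args {
		if a.FileArg != nil { // first file argument wins
			s.Path = a.FileArg.Path
			break
		}
	}
	return s, nil
}

// MatchesSelector replays a `matchBinaries` selector with operator "In":
// the hook must match and the binary must be in the policy's value list.
func MatchesSelector(s Summary, hook string, binaries []string) bool {
	if s.Hook != hook {
		return false
	}
	for _, b := range binaries {
		if b == s.Binary {
			return true
		}
	}
	return false
}

func main() {
	s, err := Summarize([]byte(sampleEvent))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %s opened %s (pid %d, policy %s, action %s)\n",
		s.Hook, s.Binary, s.Path, s.Pid, s.Policy, s.Action)
	fmt.Println("selector match:", MatchesSelector(s, "file_open", []string{"/usr/bin/cat"}))
}
```

`Summarize` is deliberately tolerant of the fields it does not model (`parent`, `exec_id`, `time`), so it keeps working as the event gains fields; `MatchesSelector` only covers the `In` operator used by the policy above.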

@anfedotoff anfedotoff requested a review from a team as a code owner June 16, 2024 09:07
@anfedotoff anfedotoff requested a review from kkourt June 16, 2024 09:07

netlify bot commented Jun 16, 2024

Deploy Preview for tetragon ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | 72fc133 |
| 🔍 Latest deploy log | https://app.netlify.com/sites/tetragon/deploys/6694f2df98256300088c6cef |
| 😎 Deploy Preview | https://deploy-preview-2566--tetragon.netlify.app |

@anfedotoff anfedotoff marked this pull request as draft June 16, 2024 09:09
@anfedotoff
Contributor Author

There are things to do:

  • Fix tests
  • Add lsm test
  • Decide the minimal kernel version for LSM sensor support (LSM BPF requires kernel 5.7).
  • Fix some bugs in the code and make it neater.

I managed to load LSM BPF programs, and tail calls also work for LSM programs! The most terrifying problems are solved, I think. I managed to catch some LSM events :)

@anfedotoff anfedotoff force-pushed the lsm-sensor branch 7 times, most recently from a9f28bf to 1f5d707 Compare June 26, 2024 12:50
@anfedotoff
Contributor Author

anfedotoff commented Jun 26, 2024

For now I managed to fix the problem with args resolving. LSM BPF programs get args the way raw tracepoint programs do. So LSM events now look good. It would be nice to start code review.

Some open questions:

  • `./verify/verify.sh`: I made a hack for loading generic LSM programs. But I need to install llvm-objcopy in CI.
  • Tests. I think we need some tests. Maybe more than one. I'll work on it. Maybe we can discuss what kind of tests it's good to have?
  • Enforce mode. If LSM BPF returns a value that is not equal to zero, then the operation is not permitted. Maybe we should add an action for that? For example, if the policy is violated, just return -EPERM instead of sending SIGKILL.

@kkourt, @olsajiri, @mtardy please could you have a look?

@anfedotoff anfedotoff marked this pull request as ready for review June 26, 2024 13:11
@anfedotoff anfedotoff requested a review from mtardy as a code owner June 26, 2024 13:11
@anfedotoff anfedotoff force-pushed the lsm-sensor branch 2 times, most recently from f17edbc to 03cb7db Compare June 26, 2024 13:48
@anfedotoff anfedotoff changed the title wip: LSM sensor LSM sensor Jun 26, 2024
@anfedotoff anfedotoff force-pushed the lsm-sensor branch 6 times, most recently from 0127073 to 1cc6efb Compare July 2, 2024 11:56
@kkourt kkourt added the release-note/major This PR introduces major new functionality label Jul 3, 2024
Contributor

@kkourt kkourt left a comment


Thanks!

Overall, this looks good to me! I've left some minor comments.

> `./verify/verify.sh`: I made a hack for loading generic LSM programs. But I need to install llvm-objcopy in CI.

Looks good to me. Yap, let's install it. I'm guessing it should be part of our clang container so we can just use that.

> Tests. I think we need some tests. Maybe more than one. I'll work on it. Maybe we can discuss what kind of tests it's good to have?

That's a good question. I would say start simple, and have one or two tests for the basic functionality (observability and enforcement)

> Enforce mode. If LSM BPF returns a value that is not equal to zero, then the operation is not permitted. Maybe we should add an action for that? For example, if the policy is violated, just return -EPERM instead of sending SIGKILL.

Yap, I think that makes sense. We also have an override action that does something similar, but having a separate action for lsm (as you do in your PR) makes sense to me.

Review threads (resolved):

  • bpf/Makefile
  • pkg/sensors/tracing/genericlsm.go (outdated)
  • pkg/sensors/tracing/genericlsm.go (outdated)
  • pkg/sensors/tracing/genericlsm.go
  • pkg/sensors/tracing/lsm_test.go (outdated)
@kkourt kkourt requested a review from olsajiri July 3, 2024 10:48
@kkourt
Contributor

kkourt commented Jul 3, 2024

@olsajiri I added you to the reviewers. It would be great if you could have a look when you get a chance. Thanks!

@anfedotoff anfedotoff force-pushed the lsm-sensor branch 2 times, most recently from e0f9144 to 98e2cd3 Compare July 4, 2024 19:07
@anfedotoff anfedotoff force-pushed the lsm-sensor branch 2 times, most recently from 30708a5 to 256b762 Compare July 12, 2024 11:15
Kprobes and uprobes have almost the same code in
generic_kprobe_start_process_filter and
generic_uprobe_start_process_filter; it can be made generic.

Signed-off-by: Andrei Fedotov <[email protected]>
@anfedotoff
Contributor Author

It seems to me that the tests are passing and I have fixed all comments. @olsajiri @kkourt, please, could you have a look one more time? :)

Contributor

@olsajiri olsajiri left a comment


lgtm, nice work! thanks

Contributor

@kkourt kkourt left a comment


LGTM, thanks!

@kkourt kkourt requested a review from tixxdz July 13, 2024 08:17
Member

@mtardy mtardy left a comment


This PR is lovely and nice to review! Thanks!

Review threads (resolved):

  • docs/content/en/docs/concepts/tracing-policy/hooks.md (outdated)
  • docs/content/en/docs/concepts/tracing-policy/hooks.md (outdated)
Adding generic LSM BPF. It follows the kprobe/tracepoint/uprobe
logic and also calls the same generic functions.

Signed-off-by: Andrei Fedotov <[email protected]>
Set up tailcalls map for generic LSM sensor.

Add LSMOpen function to override attach points collected from
section names.

Signed-off-by: Andrei Fedotov <[email protected]>
Use features.HaveProgramType(ebpf.LSM) and inspect
/sys/kernel/security/lsm file to check LSM availability.

Try to load and attach simple LSM probe.

Signed-off-by: Andrei Fedotov <[email protected]>
Adding LSM message/event definition.

Signed-off-by: Andrei Fedotov <[email protected]>
Adding generic LSM sensor that reads the LSM CRD config
and sets up LSM programs.
The LSM is configured with hook, like:

  spec:
    lsmhooks:
    - hook: "bprm_check_security"

Signed-off-by: Andrei Fedotov <[email protected]>
Adding PROCESS_LSM to exportAllowList event_set values.

Signed-off-by: Andrei Fedotov <[email protected]>
Adding tests for generic LSM sensor - load and
apply tracing policy.

Signed-off-by: Andrei Fedotov <[email protected]>
Adding test to check enforcement for generic LSM sensor.

Signed-off-by: Andrei Fedotov <[email protected]>
Generic LSM BPF needs more complex userspace logic to load,
so ignore it.

Signed-off-by: Andrei Fedotov <[email protected]>
Adding examples of lsm tracing policies to monitor file access and
process execution.

Signed-off-by: Andrei Fedotov <[email protected]>
Adding section about LSM hook points.

Signed-off-by: Andrei Fedotov <[email protected]>
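Two of the commits above concern prerequisites: the availability check that inspects `/sys/kernel/security/lsm` (alongside `features.HaveProgramType(ebpf.LSM)` from cilium/ebpf), and the minimum kernel version of 5.7 raised in the thread. As an added example, not Tetragon's code, the Go program below implements both checks with the standard library only: `LSMListHasBPF` parses the comma-separated LSM list and reports whether the `bpf` LSM is active, and `KernelAtLeast` parses a `uname -r` style release string. The function names and the sample list contents are this example's own; the cilium/ebpf program-type probe itself needs a live kernel and is not reimplemented here.

```go
// Added example, not Tetragon's own code: LSM BPF availability checks using
// only the standard library. The real sensor additionally probes
// BPF_PROG_TYPE_LSM support via cilium/ebpf (features.HaveProgramType).
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

const (
	lsmListPath = "/sys/kernel/security/lsm" // comma-separated active LSMs
	osReleasePath = "/proc/sys/kernel/osrelease"
	minMajor, minMinor = 5, 7 // LSM BPF minimum mentioned in the thread
)

// LSMListHasBPF reports whether "bpf" is one of the comma-separated entries.
// The comparison is per entry, so a hypothetical "bpfx" module does not match.
func LSMListHasBPF(contents string) bool {
	for _, name := range strings.Split(strings.TrimSpace(contents), ",") {
		if strings.TrimSpace(name) == "bpf" {
			return true
		}
	}
	return false
}

// KernelAtLeast reports whether a release string such as "6.8.0-39-generic"
// is >= major.minor. Anything after the minor's leading digits is ignored,
// so "5.10-rc1" parses as 5.10.
func KernelAtLeast(release string, major, minor int) (bool, error) {
	parts := strings.SplitN(release, ".", 3)
	if len(parts) < 2 {
		return false, fmt.Errorf("unparseable kernel release %q", release)
	}
	maj, err := strconv.Atoi(parts[0])
	if err != nil {
		return false, fmt.Errorf("bad major in %q: %w", release, err)
	}
	minStr := parts[1]
	if i := strings.IndexFunc(minStr, func(r rune) bool { return r < '0' || r > '9' }); i >= 0 {
		minStr = minStr[:i]
	}
	mnr, err := strconv.Atoi(minStr)
	if err != nil {
		return false, fmt.Errorf("bad minor in %q: %w", release, err)
	}
	if maj != major {
		return maj > major, nil
	}
	return mnr >= minor, nil
}

// HostSupportsLSMBPF combines both checks against the running system and
// returns a short reason when the answer is no (errors mean "could not tell").
func HostSupportsLSMBPF() (bool, string, error) {
	rel, err := os.ReadFile(osReleasePath)
	if err != nil {
		return false, "", err
	}
	ok, err := KernelAtLeast(strings.TrimSpace(string(rel)), minMajor, minMinor)
	if err != nil {
		return false, "", err
	}
	if !ok {
		return false, fmt.Sprintf("kernel %s older than %d.%d", strings.TrimSpace(string(rel)), minMajor, minMinor), nil
	}
	lsms, err := os.ReadFile(lsmListPath)
	if err != nil {
		return false, "", err // securityfs not mounted or not readable
	}
	if !LSMListHasBPF(string(lsms)) {
		return false, "bpf LSM not in " + lsmListPath + " (add lsm=...,bpf to the kernel command line)", nil
	}
	return true, "", nil
}

func main() {
	ok, reason, err := HostSupportsLSMBPF()
	switch {
	case err != nil:
		fmt.Println("could not determine LSM BPF support:", err)
	case !ok:
		fmt.Println("LSM BPF unavailable:", reason)
	default:
		fmt.Println("LSM BPF available")
	}
}
```

Note that a kernel built with `CONFIG_BPF_LSM` still only lists `bpf` in `/sys/kernel/security/lsm` when it is enabled in the active LSM order, which is why the sensor checks the list rather than relying on the program-type probe alone.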
Member

@tixxdz tixxdz left a comment


Didn't have time to review all, thank you for the nice contributions ;-)

@kkourt
Contributor

kkourt commented Jul 19, 2024

Merging this, thanks! Great work!

@kkourt kkourt merged commit fd6ef3d into cilium:main Jul 19, 2024
48 checks passed
michi-covalent added a commit that referenced this pull request Jul 23, 2024
There are some gaps in EventType and GetEventsResponse field numbers
because some fields got removed from these events. Mark these field
numbers as reserved to avoid accidentally re-using them.

Move process_lsm field number from 13 to 28 since the field number 13
has already been used in the past. It's still safe to change the field
number for process_lsm since we haven't released the process_lsm APIs
[^1].

[^1]: #2566

Suggested-by: Lorenz Bauer <[email protected]>
Signed-off-by: Michi Mutsuzaki <[email protected]>
michi-covalent added a commit that referenced this pull request Jul 24, 2024
There are some gaps in EventType and GetEventsResponse field numbers
because some fields got removed from these events. Mark these field
numbers as reserved to avoid accidentally re-using them.

Move process_lsm field number from 13 to 28 since the field number 13
has already been used in the past. It's still safe to change the field
number for process_lsm since we haven't released the process_lsm APIs
[^1].

[^1]: #2566

Suggested-by: Lorenz Bauer <[email protected]>
Signed-off-by: Michi Mutsuzaki <[email protected]>
Labels
release-note/major This PR introduces major new functionality