From 5224b143067f36b81c2cede6b3e23ff30a0778cb Mon Sep 17 00:00:00 2001
From: joerger
Date: Wed, 15 Mar 2023 18:25:06 -0700
Subject: [PATCH 1/2] Use Mlockall for Headless login.

---
 lib/utils/mlock/mlock_common.go | 22 ++++++++++++++++++++++
 lib/utils/mlock/mlock_linux.go | 27 +++++++++++++++++++++++++++
 lib/utils/mlock/mlock_unsupported.go | 28 ++++++++++++++++++++++++++++
 tool/tsh/tsh.go | 11 +++++++++++
 4 files changed, 88 insertions(+)
 create mode 100644 lib/utils/mlock/mlock_common.go
 create mode 100644 lib/utils/mlock/mlock_linux.go
 create mode 100644 lib/utils/mlock/mlock_unsupported.go

diff --git a/lib/utils/mlock/mlock_common.go b/lib/utils/mlock/mlock_common.go
new file mode 100644
index 0000000000000..0fdf134d63d4e
--- /dev/null
+++ b/lib/utils/mlock/mlock_common.go
@@ -0,0 +1,22 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package mlock
+
+// LockMemory locks the process memory to prevent secrets from being exposed in a swap.
+func LockMemory() error {
+ return lockMemory()
+}
diff --git a/lib/utils/mlock/mlock_linux.go b/lib/utils/mlock/mlock_linux.go
new file mode 100644
index 0000000000000..f911e43442cf7
--- /dev/null
+++ b/lib/utils/mlock/mlock_linux.go
@@ -0,0 +1,27 @@
+//go:build linux
+
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package mlock
+
+import (
+ "golang.org/x/sys/unix"
+)
+
+func lockMemory() error {
+ return unix.Mlockall(unix.MCL_CURRENT | unix.MCL_FUTURE)
+}
diff --git a/lib/utils/mlock/mlock_unsupported.go b/lib/utils/mlock/mlock_unsupported.go
new file mode 100644
index 0000000000000..74b73b3c5ed6b
--- /dev/null
+++ b/lib/utils/mlock/mlock_unsupported.go
@@ -0,0 +1,28 @@
+//go:build !linux
+
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package mlock
+
+import (
+ "github.com/gravitational/trace"
+)
+
+func lockMemory() error {
+ // Mlockall is only available on linux.
+ return trace.NotImplemented("not implemented")
+}
diff --git a/tool/tsh/tsh.go b/tool/tsh/tsh.go
index 25b1792c3b0c8..4cf06b9eba82f 100644
--- a/tool/tsh/tsh.go
+++ b/tool/tsh/tsh.go
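Review bot: `unix.Mlockall(unix.MCL_CURRENT | unix.MCL_FUTURE)` in lockMemory is bounded by RLIMIT_MEMLOCK unless the process holds CAP_IPC_LOCK, and with MCL_FUTURE a later allocation that would exceed that limit fails with ENOMEM instead of being left unlocked, which in a Go process generally means the runtime aborts; the hunk documents neither constraint. A Go binary's resident set is typically well above the default unprivileged locked-memory limit, so for ordinary users the call can fail with ENOMEM or EPERM and the caller has to decide what that means. I would put this in the doc comment, e.g. `// lockMemory pins all current and future pages of this process via mlockall(2). It needs CAP_IPC_LOCK or an RLIMIT_MEMLOCK large enough for the process to grow into; past the limit, allocations fail with ENOMEM rather than going unlocked.` Note also that mlockall only keeps pages out of swap; it does not keep key material out of a core dump, so a prctl(PR_SET_DUMPABLE, 0) or equivalent is worth a follow-up.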
@@ -78,6 +78,7 @@ import (
 "github.com/gravitational/teleport/lib/sshutils/x11"
 "github.com/gravitational/teleport/lib/tlsca"
 "github.com/gravitational/teleport/lib/utils"
+ "github.com/gravitational/teleport/lib/utils/mlock"
 "github.com/gravitational/teleport/lib/utils/prompt"
 "github.com/gravitational/teleport/tool/common"
 )
@@ -3289,6 +3290,16 @@ func makeClientForProxy(cf *CLIConf, proxy string, useProfileLogin bool) (*clien
 cf.AuthConnector = constants.HeadlessConnector
 }
 
+ if cf.AuthConnector == constants.HeadlessConnector {
+ // Lock the process memory to prevent rsa keys and certificates from being exposed in a swap.
+ if err := mlock.LockMemory(); err != nil {
+ if trace.IsNotImplemented(err) {
+ return nil, trace.BadParameter("headless login is not supported on non-linux operating systems")
+ }
+ return nil, trace.Wrap(err, "failed to lock system memory for headless login")
+ }
+ }
+
 c.ClientStore, err = initClientStore(cf, proxy)
 if err != nil {
 return nil, trace.Wrap(err)
From b5f36a1d8a051aabf79459def278eff83c7222a1 Mon Sep 17 00:00:00 2001
From: joerger
Date: Thu, 16 Mar 2023 18:39:18 -0700
Subject: [PATCH 2/2] Skip memory lock on unsupported OSs. Resolve comments

---
 lib/utils/mlock/mlock_common.go | 22 ----------------------
 lib/utils/mlock/mlock_linux.go | 6 +++---
 lib/utils/mlock/mlock_unsupported.go | 11 ++++------
 tool/tsh/tsh.go | 3 ---
 4 files changed, 7 insertions(+), 35 deletions(-)
 delete mode 100644 lib/utils/mlock/mlock_common.go

diff --git a/lib/utils/mlock/mlock_common.go b/lib/utils/mlock/mlock_common.go
deleted file mode 100644
index 0fdf134d63d4e..0000000000000
--- a/lib/utils/mlock/mlock_common.go
+++ /dev/null
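Review bot: The error path at `return nil, trace.Wrap(err, "failed to lock system memory for headless login")` turns any mlockall failure into a hard login failure, and on Linux that failure is the expected outcome for an unprivileged user whose RLIMIT_MEMLOCK (`ulimit -l`) is below tsh's resident set; for them headless login will simply not work and the message does not say why. Either make the lock best-effort and warn, or keep it fatal but make the message actionable, e.g. `return nil, trace.Wrap(err, "failed to lock system memory for headless login; raise the locked-memory limit (ulimit -l) or grant CAP_IPC_LOCK")`. If it stays fatal, an explicit opt-out flag would keep users on hosts where the limit cannot be raised from being locked out entirely. The enclosing makeClientForProxy starts and ends outside the hunk.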
@@ -1,22 +0,0 @@
-/*
-Copyright 2023 Gravitational, Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package mlock
-
-// LockMemory locks the process memory to prevent secrets from being exposed in a swap.
-func LockMemory() error {
- return lockMemory()
-}
diff --git a/lib/utils/mlock/mlock_linux.go b/lib/utils/mlock/mlock_linux.go
index f911e43442cf7..ecdd6bd40c1e5 100644
--- a/lib/utils/mlock/mlock_linux.go
+++ b/lib/utils/mlock/mlock_linux.go
@@ -1,5 +1,3 @@
-//go:build linux
-
 /*
 Copyright 2023 Gravitational, Inc.
 
@@ -22,6 +20,8 @@ import (
 "golang.org/x/sys/unix"
 )
 
-func lockMemory() error {
+// LockMemory locks the process memory to prevent secrets from being exposed in a swap.
+// This is a noop on unsupported systems (non-linux).
+func LockMemory() error {
 return unix.Mlockall(unix.MCL_CURRENT | unix.MCL_FUTURE)
 }
diff --git a/lib/utils/mlock/mlock_unsupported.go b/lib/utils/mlock/mlock_unsupported.go
index 74b73b3c5ed6b..092bd83152a43 100644
--- a/lib/utils/mlock/mlock_unsupported.go
+++ b/lib/utils/mlock/mlock_unsupported.go
@@ -18,11 +18,8 @@ limitations under the License.
 
 package mlock
 
-import (
- "github.com/gravitational/trace"
-)
-
-func lockMemory() error {
- // Mlockall is only available on linux.
- return trace.NotImplemented("not implemented")
+// LockMemory locks the process memory to prevent secrets from being exposed in a swap.
+// This is a noop on unsupported systems (non-linux).
+func LockMemory() error {
+ return nil
 }
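Review bot: The added doc line `// This is a noop on unsupported systems (non-linux).` on LockMemory in mlock_linux.go describes the other build of the function, not this one; on the Linux file the comment should say what the call does and requires. I would replace that line here with `// On Linux this calls mlockall(2) with MCL_CURRENT|MCL_FUTURE; it needs CAP_IPC_LOCK or a sufficient RLIMIT_MEMLOCK and otherwise fails with ENOMEM or EPERM.` Dropping the `//go:build linux` line is fine, since the `_linux.go` filename suffix imposes the same constraint.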
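Review bot: `return nil` in the non-Linux LockMemory reports success while locking nothing, so the caller's comment that keys are kept out of swap becomes silently false on macOS and Windows, whereas the first revision's NotImplemented error at least made the gap visible to the caller. If the function is to be a noop, that should be observable: log it at debug/warn level with whatever logger the package adopts, or add a `Supported() bool` the caller can check before promising anything. The `!linux` constraint is also broader than needed as far as I recall, since golang.org/x/sys/unix exposes Mlockall on the BSDs too, so the supported set could be widened later. The `//go:build !linux` line for this file sits above the hunk.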
diff --git a/tool/tsh/tsh.go b/tool/tsh/tsh.go
index 4cf06b9eba82f..95b8759c27ac8 100644
--- a/tool/tsh/tsh.go
+++ b/tool/tsh/tsh.go
@@ -3293,9 +3293,6 @@ func makeClientForProxy(cf *CLIConf, proxy string, useProfileLogin bool) (*clien
 if cf.AuthConnector == constants.HeadlessConnector {
 // Lock the process memory to prevent rsa keys and certificates from being exposed in a swap.
 if err := mlock.LockMemory(); err != nil {
- if trace.IsNotImplemented(err) {
- return nil, trace.BadParameter("headless login is not supported on non-linux operating systems")
- }
 return nil, trace.Wrap(err, "failed to lock system memory for headless login")
 }
 }