-
Notifications
You must be signed in to change notification settings - Fork 382
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IMA hashes in LSM events #2818
IMA hashes in LSM events #2818
Conversation
15d918b
to
758ec7e
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
3ec1c3d
to
7525121
Compare
f9e5ac0
to
20a3c09
Compare
b84e2bd
to
ef33031
Compare
@kkourt , hi! May I ask you for a code review? Next Monday, on Tetragon community meeting I'll show a demo. I want to talk about some design decisions I made. Also I'm going to speak about problems that I overcame and those are still exists. |
Hello :) Thanks for the heads up! Will try and have a look before the community meeting. Looking forward to the demo! |
2ef75a3
to
58c2771
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @anfedotoff! I had a first look. Please find some comments below.
I refreshed on LSM programs and I think we can do this differently so LSM programs are attached through trampolines on specific bpf_lsm_XXX and trampoline allows to attach and invoke multiple bpf programs to so I think we could have the sleepable lsm hooks invoked first to get the
to ensure the generic lsm is invoked AFTER lsm.s/XXX hook we can rely I guess there might be some hiccups when you'll implement that WDYT? |
Thanks for making it clear! We have a default ima_policy=tcb:
In particular, this ima_policy will measure hashes when files owned by root are opened for reading. So, in solution that you proposed will call bpf_ima_file_hash on every hook. The question is what helper will return, if ima_policy is not satisfied? If error, than it is OK, I think. But if it calculates hash despite the ima_policy it is not OK. I think, I can check this. To sum up, I think, you solution is a nice compromise if ima_policy is taking to account during |
It works! No race condition! ✨ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice! left some comment, thanks
5f9d458
to
3e75f2f
Compare
3e75f2f
to
fbd9190
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
leeks great, thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, this looks good to me overall!
I have some requests for changes. Please let me know if they do not make sense to you. I have not followed the discussion with Jiri. Can you please add a summary of the discussion in the PR header. Having a discussion of what the previous approach was, why it did not work, and what this PR does that works would be very helpful!
Thanks!
Sure! I updated the PR description. I hope, now it became more clear about what we've done to avoid the race condition. |
fbd9190
to
6bbc92e
Compare
Great Thanks! Can you please split the change that changes the return value into a separate commit with a short explanation of why it OK to do as discussed in another comment? Other than that, LGTM! |
6bbc92e
to
8d197b8
Compare
Before: if event is to be posted tail call from generic_action occurs. Otherwise function returns 0. Now: Previous logic is saved. But now the value (true/false) is returned from generic_action in case tail call is failed. Signed-off-by: Andrei Fedotov <[email protected]>
Due to restrictions of bpf sleepable programs (no tailcalls, no perf buffer and per_cpu maps, etc.), we need to split generic LSM sensor into three parts (collections) and load them in this order: - bpf_generic_output sends event using perf buffer - bpf_generic_lsm_ima_* calculates hash using IMA helpers - bpf_generic_lsm_core does everything else Signed-off-by: Andrei Fedotov <[email protected]>
8d197b8
to
d5c5ec2
Compare
Adding support for IMA hash collection in Post Action. Adding IMA hashes in LSM events. Hash is represented by a string algorithm:value. Support loading lsm.s/generic_lsm_ima_* programs. Signed-off-by: Andrei Fedotov <[email protected]>
The output looks similar to this: 🔒 LSM user-nix /usr/bin/zsh bprm_check_security /usr/bin/git sha256:29aa689f38158d2e8941fa54e436f0260890af31cecad1e8799e5c2df7bc1ecc 🔒 LSM user-nix /usr/bin/zsh bprm_check_security /usr/bin/ls sha256:8696974df4fc39af88ee23e307139afc533064f976da82172de823c3ad66f444 🔒 LSM user-nix /usr/bin/zsh bprm_check_security /usr/bin/wc sha256:5a91d203948e44a538e8e5179e712f37fa3264593748e5ce0f888b600447d004 Signed-off-by: Andrei Fedotov <[email protected]>
Adding test for ImaHash Post action. Signed-off-by: Andrei Fedotov <[email protected]>
Add imaHash post action to lsm_bprm_check.yaml Signed-off-by: Andrei Fedotov <[email protected]>
Signed-off-by: Andrei Fedotov <[email protected]>
d5c5ec2
to
3ee96a1
Compare
@kkourt, can you look one more time plz)? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Many thanks!
All tests ✅, merging! Thanks! |
Adding support for collecting file hashes calculated by Linux integrity subsystem (IMA). IMA hashes will be contained in LSM events. To make it work you need to:
Limitations of bpf_ima helpers (from #2409):
38: (85) call bpf_ima_file_hash#193 R1 type=scalar expected=ptr_, trusted_ptr.
Approach from #2409 is meant to overcome limitations above has a race condition. User mode handler can receive LSM event before IMA hash is stored to the separate map.
This approach was redesigned to get rid of race condition. The idea is follows. We split LSM generic sensor into three parts, which are loaded using bpf trampolines feature.
Using this scheme we can avoid race condition.
Note: if we don't need to collect IMA hash, step 2 is skipped.