tetragon: harden actions a bit #3279
Conversation
olsajiri
added
the
release-note/minor
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
3 times, most recently
from
7b664dd to
ab3513b
Compare
pkg/sensors/base/base.go
Outdated
| threads := readFileDefault("/proc/sys/kernel/threads-max", 32768) | ||
| ExecveMap.SetMaxEntries(int(threads)) |
There was a problem hiding this comment.
Why do we need this? It seems it will make the size of the execve_map even larger as threads-max is often well above 32K. This will take significant space while running threads-max threads is pretty rare nop?
There was a problem hiding this comment.
I tried this as mitigation for https://github.com/isovalent/security/issues/88 .. I think we need some combination of this change (with some reasonable size for execve_map) and other ways mentioned in the issue
There was a problem hiding this comment.
ah I see, maybe this is one of the cases where NO_PREALLOC could help so that we can dynamically size to a very large map. But I could see how this can lead to memory issues in the future. That's not an easy problem :/
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
2 times, most recently
from
c64e7e4 to
fcfa0a9
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
pkg/option/flags.go
Outdated
| @@ -416,4 +419,6 @@ func AddFlags(flags *pflag.FlagSet) { | |||
| flags.Int(KeyEventCacheRetryDelay, defaults.DefaultEventCacheRetryDelay, "Delay in seconds between event cache retries") | |||
|
|
|||
| flags.Bool(KeyCompatibilitySyscall64SizeType, false, "syscall64 type will produce output of type size (compatibility flag, will be removed in v1.4)") | |||
|
|
|||
| flags.String(KeyExecveMapEntries, "", "Set entries for execve_map table (default 32768)") | |||
There was a problem hiding this comment.
Can we have the default from the actual default value here? If we ever change it, the change should be reflected in help.
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
7 times, most recently
from
db51eba to
44fdaa4
Compare
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
from
44fdaa4 to
6922611
Compare
olsajiri
changed the title
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
5 times, most recently
from
b8b9d4e to
bafb514
Compare
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
3 times, most recently
from
6132585 to
f6e5835
Compare
|
note the checkpatch fails on container_of macro which is false alarm |
| e->common.flags |= MSG_COMMON_FLAG_RETURN; | ||
| e->common.flags = MSG_COMMON_FLAG_RETURN; |
There was a problem hiding this comment.
not sure to follow why we want this change?
There was a problem hiding this comment.
setting flags early in the processing so in following changes the filter tail call can change it (which is executed before current flags setup code) (from commit changelog)
There was a problem hiding this comment.
hum for that specific line we need to initialize the flags for return kprobe, I guess it could have probably went to separate patch
| #ifdef __LARGE_BPF_PROG | ||
| FUNC_INLINE struct execve_map_value * | ||
| event_find_curr_probe(struct msg_generic_kprobe *msg) | ||
| { | ||
| struct task_struct *task = (struct task_struct *)get_current_task(); | ||
| struct execve_map_value *curr; | ||
|
|
||
| curr = &msg->curr; | ||
| curr->key.pid = BPF_CORE_READ(task, tgid); | ||
| curr->key.ktime = ktime_get_ns(); | ||
| curr->nspid = get_task_pid_vnr_by_task(task); | ||
|
|
||
| get_current_subj_caps(&curr->caps, task); | ||
| get_namespaces(&curr->ns, task); | ||
| set_in_init_tree(curr, NULL); | ||
|
|
||
| read_exe((struct task_struct *)get_current_task(), &msg->exe); | ||
| return curr; | ||
| } | ||
| #else | ||
| FUNC_INLINE struct execve_map_value * | ||
| event_find_curr_probe(struct msg_generic_kprobe *msg) | ||
| { | ||
| return NULL; | ||
| } | ||
| #endif |
There was a problem hiding this comment.
what's the benefit of doing this instead of writing the function unconditionally and making the calling conditional to LARGE PROGS? Wouldn't that be more explicit that non large prog do not support that?
There was a problem hiding this comment.
well I think it's logically isolated piece of code which should be in function and is different for __LARGE_BPF_PROG define, so it makes sense to me to do the above
also I think it's better/readable/more manageble than having ifdefs inside the code
| if (!enter) { | ||
| enter = event_find_curr_probe(msg); | ||
| if (!enter) | ||
| return PFILTER_CURR_NOT_FOUND; |
There was a problem hiding this comment.
is it okay that this function always return PFILTER_CURR_NOT_FOUND on !__LARGE_BPF_PROG kernels? I guess this related to my other comment, there's something I don't understand I think
There was a problem hiding this comment.
hum, not sure I understand, even current code returns PFILTER_CURR_NOT_FOUND
| t.Skip("sigkill requires at least 5.3.0 version") | ||
| } | ||
|
|
||
| // makeSpecFile creates a new spec file bsed on the template, and the provided arguments |
There was a problem hiding this comment.
nit: we don't really care but since I saw it, little typo here bsed to based
|
|
||
| option.Config.ExecveMapEntries = 1 | ||
| testSigkill(t, makeSpecFile, checker) | ||
| option.Config.ExecveMapEntries = 0 |
There was a problem hiding this comment.
IIUC option.Config is global, so we need to reset option.Config.ExecveMapEntries so other tests will get default value
Adding new 'unknown' value for flags field in the message Process. It will be used in following changes for process without details. Signed-off-by: Jiri Olsa <[email protected]>
Moving d_path into bpf_d_path.h header so it can be easily used in following changes from other places. Signed-off-by: Jiri Olsa <[email protected]>
Moving read_exe into process.h header so it can be easily used in following changes from other places. Signed-off-by: Jiri Olsa <[email protected]>
Setting flags early in the processing so in following changes the filter tail call can change it (which is executed before current flags setup code). Signed-off-by: Jiri Olsa <[email protected]>
Adding new filter logic that triggers when process is not found in execve_map (likely due to exhausted capacity). In this case we currently exit the bpf program and that might leave some crucial actions not executed (like sigkill). We add new event_find_curr_probe call to gather process info in filter context and use it to execute filters. The resulting kprobe event will have minimal process data with 'unknown' flags field. Signed-off-by: Jiri Olsa <[email protected]>
Adding test for unknown process kprobe kill. Signed-off-by: Jiri Olsa <[email protected]>
Adding test for unknown process tracepoint kill. Signed-off-by: Jiri Olsa <[email protected]>
olsajiri
force-pushed
the
pr/olsajiri/harden
branch
from
f6e5835 to
18aac9b
Compare
Adding new filter logic that triggers when process is not found in
execve_map (likely due to exhausted capacity).
In this case we currently exit the bpf program and that might leave
some crucial actions not executed (like sigkill).
We add new event_find_curr_probe call to gather process info in filter
context and use it to execute filters. The resulting kprobe event will
have minimal process data with 'unknown' flags field.