The book "BPF for Linux Monitoring"

Hello, Habr readers! The BPF virtual machine is one of the most important components of the Linux kernel. Using it well lets system engineers track down bugs and solve the most complex problems. You will learn how to write programs that monitor and modify kernel behaviour, how to safely inject code to observe kernel events, and much more. David Calavera and Lorenzo Fontana will help you unlock the power of BPF. Expand your knowledge of performance optimisation, networking and security.

- Use BPF to monitor and modify the behaviour of the Linux kernel.
- Inject code to monitor kernel events without recompiling the kernel or rebooting the system.
- Use practical code examples in C, Go or Python.
- Take control by mastering the BPF program lifecycle.

Linux Kernel Security, Capabilities and Seccomp

BPF provides a powerful way to extend the kernel without sacrificing stability, security or speed. For that reason, kernel developers thought it would be a good idea to use its capabilities to improve process isolation in Seccomp by implementing Seccomp filters backed by BPF programs, also known as Seccomp BPF. In this chapter we explain what Seccomp is and how it is used. Then you will learn how to write Seccomp filters using BPF programs. After that, we look at the built-in BPF hooks that the kernel includes for Linux security modules.

Linux Security Modules (LSM) is a framework that provides a set of functions which can be used to implement different security models in a standardised way. An LSM can be used directly in the kernel tree, as AppArmor, SELinux and Tomoyo are.

Let's start by discussing Linux capabilities.

Capabilities

The idea behind Linux capabilities is that you need to let an unprivileged process perform a specific action, but without using suid for that purpose or otherwise making the process privileged, which reduces the attack surface and still lets the process carry out certain operations. For example, if your application needs to open a privileged port, say 80, instead of running the process as root you can grant it just the CAP_NET_BIND_SERVICE capability.

Consider the following Go program, named main.go:

package main

import (
	"log"
	"net/http"
)

func main() {
	// Serve HTTP on the privileged port 80; exit with the bind error if it fails.
	log.Fatalf("%v", http.ListenAndServe(":80", nil))
}

This program serves HTTP on port 80 (a privileged port). Normally we would run it right after compiling it:

$ go build -o capabilities main.go
$ ./capabilities

However, since we did not grant root privileges, this code throws an error when binding the port:

2019/04/25 23:17:06 listen tcp :80: bind: permission denied
exit status 1

capsh (capability shell wrapper) is a tool that runs a shell with a specific set of capabilities.

In this case, as already mentioned, instead of granting full root rights you can allow binding the privileged port by granting the cap_net_bind_service capability together with everything else the program needs. To do that, we can wrap our program in capsh:

# capsh --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' \
   --keep=1 --user="nobody" \
   --addamb=cap_net_bind_service -- -c "./capabilities"

Let's break this command down piece by piece.

  • capsh - use capsh as the shell.
  • --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' - since we need to change the user (we don't want to run as root), we specify cap_net_bind_service plus the capabilities needed to actually change the user ID from root to nobody, namely cap_setuid and cap_setgid.
  • --keep=1 - we want to keep the granted capabilities when switching away from the root account.
  • --user="nobody" - the final user that runs the program will be nobody.
  • --addamb=cap_net_bind_service - set the ambient capabilities that are retained after switching away from root mode.
  • -c "./capabilities" - simply run the program.

Ambient capabilities are a special kind of capability that child programs inherit when the current program executes them with execve(). Only capabilities that are permitted to be ambient, in other words environment capabilities, can be inherited this way.

You may be wondering what +eip means after the capability name in the --caps option. These flags are used to specify that the capability:

- must be enabled, i.e. permitted (p);

- is effective, i.e. available for use (e);

- can be inherited by child processes (i).

Since we want to use cap_net_bind_service, we need to make it effective with the e flag. Then we start a shell with the command, which runs the capabilities binary, so we need to mark the capability inheritable with the i flag. Finally, we want the capability to be permitted (we need this because we change the UID) with p. That gives cap_net_bind_service+eip.

You can verify the result with ss. We trimmed the output a bit to fit the page, but it shows the bound port and a user ID other than 0, in this case 65534:

# ss -tulpn -e -H | cut -d' ' -f17-
128 *:80 *:*
users:(("capabilities",pid=30040,fd=3)) uid:65534 ino:11311579 sk:2c v6only:0

In this example we used capsh, but you can write the wrapper yourself with libcap. For more information, see man 3 libcap.

When writing programs, the developer often does not know in advance all the capabilities the program needs at run time; moreover, those capabilities can change in new versions.

To better understand the capabilities our program uses, we can take the capable tool from BCC, which sets a kprobe on the kernel function cap_capable:
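The ss check above confirms the port and the uid; the capability sets themselves are exposed as hex masks in /proc/<pid>/status (CapInh, CapPrm, CapEff, CapBnd, CapAmb), where bit N is the capability with number N, so CAP_NET_BIND_SERVICE (10) is 0x400. The following program is an added example, not code from the book: it parses those lines, checks whether a given capability is in a set and counts how many capabilities a process holds, which is the check a reviewer wants after wrapping a service in capsh. The status lines in SAMPLE_STATUS are constructed to match what the capsh-wrapped server would show; read_proc_cap_mask() reads the real file for any pid.

```c
#include <linux/capability.h>   /* CAP_NET_BIND_SERVICE, CAP_NET_ADMIN */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse one /proc/<pid>/status line such as "CapEff:\t0000000000000400".
 * Returns 1 and stores the 64-bit mask when the line carries `field`, else 0. */
static int parse_cap_mask(const char *line, const char *field, uint64_t *mask) {
    size_t n = strlen(field);
    if (strncmp(line, field, n) != 0 || line[n] != ':')
        return 0;
    const char *p = line + n + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end = NULL;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return 0;
    *mask = (uint64_t)v;
    return 1;
}

/* Bit `cap` of a mask is the capability with that number (CAP_NET_BIND_SERVICE is 10). */
static int mask_has_cap(uint64_t mask, int cap) {
    return (int)((mask >> cap) & 1ULL);
}

/* Number of capabilities in a set; a locked-down service should hold as few as possible. */
static int mask_cap_count(uint64_t mask) {
    int count = 0;
    for (; mask; mask &= mask - 1)
        count++;
    return count;
}

/* Read the named set (CapInh, CapPrm, CapEff, CapBnd or CapAmb) for a pid; pid 0 means
 * the calling process. Returns 1 on success, 0 if the file or field is not found. */
static int read_proc_cap_mask(pid_t pid, const char *field, uint64_t *mask) {
    char path[64], line[256];
    snprintf(path, sizeof path, "/proc/%d/status", (int)(pid > 0 ? pid : getpid()));
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    int found = 0;
    while (!found && fgets(line, sizeof line, f))
        found = parse_cap_mask(line, field, mask);
    fclose(f);
    return found;
}

/* Constructed sample: the status lines the capsh-wrapped server would show.
 * Bit 10 (0x400) is CAP_NET_BIND_SERVICE; uid 65534 is nobody. */
static const char *const SAMPLE_STATUS[] = {
    "Name:\tcapabilities",
    "Uid:\t65534\t65534\t65534\t65534",
    "CapInh:\t0000000000000400",
    "CapPrm:\t0000000000000400",
    "CapEff:\t0000000000000400",
    "CapBnd:\t000001ffffffffff",
    "CapAmb:\t0000000000000400",
};

/* Effective set of the constructed sample, or 0 if the field is missing. */
static uint64_t sample_effective_mask(void) {
    uint64_t mask = 0;
    for (size_t i = 0; i < sizeof SAMPLE_STATUS / sizeof SAMPLE_STATUS[0]; i++)
        if (parse_cap_mask(SAMPLE_STATUS[i], "CapEff", &mask))
            return mask;
    return 0;
}

int main(void) {
    uint64_t eff = sample_effective_mask();
    printf("sample CapEff=%#llx binds privileged ports: %d, net admin: %d, caps held: %d\n",
           (unsigned long long)eff, mask_has_cap(eff, CAP_NET_BIND_SERVICE),
           mask_has_cap(eff, CAP_NET_ADMIN), mask_cap_count(eff));
    if (read_proc_cap_mask(0, "CapEff", &eff))
        printf("this process CapEff=%#llx (%d capabilities)\n",
               (unsigned long long)eff, mask_cap_count(eff));
    return 0;
}
```

Run it as any user; the second line shows your own effective set. A full CapBnd of 000001ffffffffff counts 41 capabilities, which is what an unconfined root shell holds, whereas the wrapped service above holds exactly one.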

/usr/share/bcc/tools/capable
TIME      UID    PID    TID    COMM            CAP  NAME                  AUDIT
10:12:53  0      424    424    systemd-udevd   12   CAP_NET_ADMIN         1
10:12:57  0      1103   1101   timesync        25   CAP_SYS_TIME          1
10:12:57  0      19545  19545  capabilities    10   CAP_NET_BIND_SERVICE  1

We can achieve the same with bpftrace and a one-line kprobe on the kernel function cap_capable:

bpftrace -e \
   'kprobe:cap_capable {
      time("%H:%M:%S ");
      printf("%-6d %-6d %-16s %-4d %d\n", uid, pid, comm, arg2, arg3);
    }' \
    | grep -i capabilities

This prints something like the following when the capabilities of our program are checked after the kprobe fires:

12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 10 1

The fifth column is the capability the process requires, and since this output includes non-audited events, we see all the non-audited checks and, finally, the required capability with the audit flag (the last column in the output) set to 1. The capability we are interested in is CAP_NET_BIND_SERVICE, defined as a constant in the kernel source in the file include/uapi/linux/capability.h with identifier 10:

/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */
#define CAP_NET_BIND_SERVICE 10

Capabilities are often granted at run time to containers such as runC or Docker so that they can run in unprivileged mode while still having the capabilities needed to run most applications. When an application needs specific capabilities, Docker can provide them with --cap-add:

docker run -it --rm --cap-add=NET_ADMIN ubuntu ip link add dummy0 type dummy

This command gives the container the CAP_NET_ADMIN capability, letting it configure a network link to add the dummy0 interface.

The next section shows how to use filtering similar to capabilities, but with a different technique that lets us programmatically implement our own filters.

Seccomp

Seccomp stands for Secure Computing; it is a security layer implemented in the Linux kernel that lets developers filter certain system calls. Although Seccomp is comparable to Linux capabilities, its ability to control specific system calls makes it more flexible by comparison.

Seccomp and Linux capabilities are not mutually exclusive and are often used together to benefit from both approaches. For example, you might give a process the CAP_NET_ADMIN capability but not allow it to accept socket connections, by blocking the accept and accept4 system calls.

Seccomp's filtering mechanism is based on BPF filters running in SECCOMP_MODE_FILTER mode, and system calls are filtered the same way packets are.

Filters are loaded with prctl using PR_SET_SECCOMP. These filters take the form of a BPF program that is executed for every Seccomp packet, represented by the seccomp_data struct. This struct contains the reference architecture, a pointer to the CPU instruction at the time of the system call, and up to six system call arguments, expressed as uint64.

This is what the seccomp_data struct looks like in the kernel source in the file linux/seccomp.h:

struct seccomp_data {
      int nr;
      __u32 arch;
      __u64 instruction_pointer;
      __u64 args[6];
};

As you can see from this struct, we can filter by system call, by its arguments, or by a combination of both.

After receiving each Seccomp packet, the filter must act to make a final decision and tell the kernel what to do next. The final decision is expressed by one of the return values (status codes).

- SECCOMP_RET_KILL_PROCESS - kills the whole process immediately after filtering the system call, which consequently is not executed.

- SECCOMP_RET_KILL_THREAD - terminates the current thread immediately after filtering the system call, which consequently is not executed.

- SECCOMP_RET_KILL - an alias for SECCOMP_RET_KILL_THREAD, kept for backward compatibility.

- SECCOMP_RET_TRAP - the system call is forbidden, and the SIGSYS (Bad System Call) signal is sent to the task that called it.

- SECCOMP_RET_ERRNO - the system call is not executed, and the SECCOMP_RET_DATA part of the filter's return value is passed to user space as the errno value. Depending on what caused the error, different errno values are returned. The list of error codes is given in the next section.

- SECCOMP_RET_TRACE - used to notify a ptrace tracer, attached with PTRACE_O_TRACESECCOMP, to intercept the moment the system call is made in order to observe and control that process. If no tracer is attached, an error is returned, errno is set to -ENOSYS, and the system call is not executed.

- SECCOMP_RET_LOG - the system call is allowed and logged.

- SECCOMP_RET_ALLOW - the system call is simply allowed.

ptrace is a system call for implementing tracing mechanisms in another process, called the tracee, with the ability to observe and control its execution. The tracing program can substantially influence execution and modify the memory and registers of the tracee. In the context of Seccomp, ptrace is used when the SECCOMP_RET_TRACE status code is triggered, so that the tracer can prevent the traced process from making the system call and run its own logic instead.

Seccomp errors

From time to time, while working with Seccomp, you will run into various errors, identified by return values of the SECCOMP_RET_ERRNO kind. To report an error, the seccomp system call returns -1 instead of 0.

The following errors are possible:

- EACCES - the caller is not allowed to make the system call. This usually happens because it lacks the CAP_SYS_ADMIN privilege or because no_new_privs has not been set with prctl (we will talk about this later);

- EFAULT - the arguments passed (args in the seccomp_data struct) do not have a valid address;

- EINVAL - there are four possible reasons:

  - the requested operation is unknown or not supported by the kernel in the current configuration;

  - the specified flags are invalid for the requested operation;

  - the operation includes BPF_ABS, but there is a problem with the specified offset, which may exceed the size of the seccomp_data struct;

  - the number of instructions passed to the filter exceeds the maximum;

- ENOMEM - not enough memory to execute the program;

- EOPNOTSUPP - the operation indicated with SECCOMP_GET_ACTION_AVAIL that the action is available, but the kernel does not support returning it in the arguments;

- ESRCH - a problem occurred during synchronisation with another thread;

- ENOSYS - no tracer is attached to the SECCOMP_RET_TRACE action.

prctl is a system call that lets a user-space program control (get and set) specific aspects of the process, such as byte endianness, thread names, secure computing (Seccomp) mode, privileges, Perf events, and so on.

Seccomp may look like a sandboxing technology to you, but it is not. Seccomp is a tool that lets users build a sandboxing mechanism. Now let's look at how to write user-space programs that use a filter invoked directly through the Seccomp system call.

Seccomp BPF filter example

Here we show how to combine the two operations discussed earlier, namely:

- we write a Seccomp BPF program to be used as a filter, with different return codes depending on the decision made;

- we load the filter with prctl.

First you need the headers from the standard library and from the Linux kernel:

#include <errno.h>
#include <linux/audit.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>

Before trying this example, we must make sure the kernel was compiled with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER set to y. On a running machine you can check this like so:

cat /proc/config.gz | zcat | grep -i CONFIG_SECCOMP

The rest of the code is the install_filter function, which has two parts. The first part contains the list of BPF filter instructions:

static int install_filter(int nr, int arch, int error) {
  struct sock_filter filter[] = {
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3),
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
  };

The instructions are set up with the BPF_STMT and BPF_JUMP macros defined in the file linux/filter.h. Let's go through the instructions.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))) - loads (BPF_LD) into the accumulator, as a word of size BPF_W, the packet data located at the fixed BPF_ABS offset of the arch field.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3) - checks with BPF_JEQ whether the architecture value in the accumulator equals the BPF_K constant arch. If so, it jumps with offset 0 to the next instruction; otherwise it jumps with offset 3 (in this case) to throw an error because the architecture does not match.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))) - loads (BPF_LD) into the accumulator, as a word of size BPF_W, the system call number found at the fixed BPF_ABS offset of the nr field.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1) - compares the system call number with the value of the nr variable. If they match, it moves to the next instruction and denies the system call; otherwise it allows the system call with SECCOMP_RET_ALLOW.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)) - terminates the program with BPF_RET and as a result raises the SECCOMP_RET_ERRNO error with the number taken from the error variable.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW) - terminates the program with BPF_RET and allows the system call to execute with SECCOMP_RET_ALLOW.

SECCOMP IS CBPF
You may wonder why a list of instructions is used instead of a compiled ELF object or a JIT-compiled C program.

There are two reasons for this.

• First, Seccomp uses cBPF (classic BPF) and not eBPF, which means it has no registers, only an accumulator that stores the result of the last computation, as can be seen in the example.

• Second, Seccomp accepts a pointer to an array of BPF instructions directly and nothing else. The macros we used only help specify those instructions in a programmer-friendly way.

If you need more help understanding this assembly, consider the pseudocode that does the same thing:

if (arch != AUDIT_ARCH_X86_64) {
    return SECCOMP_RET_ALLOW;
}
if (nr == __NR_write) {
    return SECCOMP_RET_ERRNO;
}
return SECCOMP_RET_ALLOW;
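The jump offsets above are easiest to understand by executing the program by hand, and a small user-space model of the cBPF machine lets you do that for any input before loading anything into the kernel. The code below is an added example, not code from the book: build_filter() is the chapter's six-instruction program parameterised like install_filter(), and run_filter() is a deliberately minimal interpreter (one accumulator, absolute word loads from seccomp_data, BPF_JEQ with jt/jf offsets, BPF_RET) that returns the same 32-bit verdict the kernel would. The verdicts it produces reproduce the pseudocode, including the detail that a call from a foreign architecture is allowed rather than rejected. All names are local to this example; the AUDIT_ARCH_* and SECCOMP_RET_* constants come from the kernel headers.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>

#define FILTER_LEN 6

/* The chapter's six-instruction filter, parameterised like install_filter(). */
static void build_filter(struct sock_filter out[FILTER_LEN], int nr, int arch, int error) {
    struct sock_filter filter[FILTER_LEN] = {
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3),
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, filter, sizeof filter);
}

/* Minimal model of how the kernel runs a cBPF seccomp filter: a single accumulator,
 * absolute loads from seccomp_data, conditional jumps with jt/jf offsets, and BPF_RET.
 * Only the three instruction kinds the chapter uses are modelled; anything else, a
 * misaligned or out-of-bounds load, or running off the end is reported as a kill,
 * mirroring the kernel's refusal to install such a program. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *data) {
    const unsigned char *raw = (const unsigned char *)data;
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *ins = &prog[pc];
        unsigned cls = BPF_CLASS(ins->code);
        if (cls == BPF_LD && BPF_MODE(ins->code) == BPF_ABS && BPF_SIZE(ins->code) == BPF_W) {
            if (ins->k % 4 != 0 || ins->k + 4 > sizeof(struct seccomp_data))
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, raw + ins->k, sizeof acc);   /* A = seccomp_data word at k */
            pc++;
        } else if (cls == BPF_JMP && BPF_OP(ins->code) == BPF_JEQ && BPF_SRC(ins->code) == BPF_K) {
            pc += 1 + (acc == ins->k ? ins->jt : ins->jf);   /* offsets are relative to pc+1 */
        } else if (cls == BPF_RET && BPF_RVAL(ins->code) == BPF_K) {
            return ins->k;                                   /* action | SECCOMP_RET_DATA */
        } else {
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict of install_filter(blocked_nr, filter_arch, error)'s program for a system
 * call with number call_nr made on architecture call_arch. */
static uint32_t verdict_for(int blocked_nr, int filter_arch, int error, uint32_t call_nr, uint32_t call_arch) {
    struct sock_filter prog[FILTER_LEN];
    build_filter(prog, blocked_nr, filter_arch, error);
    struct seccomp_data data;
    memset(&data, 0, sizeof data);
    data.nr = (int)call_nr;
    data.arch = call_arch;
    return run_filter(prog, FILTER_LEN, &data);
}

static const char *action_name(uint32_t verdict) {
    switch (verdict & SECCOMP_RET_ACTION_FULL) {
    case SECCOMP_RET_ALLOW: return "ALLOW";
    case SECCOMP_RET_ERRNO: return "ERRNO";
    case SECCOMP_RET_KILL_PROCESS: return "KILL_PROCESS";
    default: return "other";
    }
}

int main(void) {
    /* Constructed inputs: the chapter's filter (block write on x86-64 with EPERM)
     * evaluated for three different seccomp_data packets. */
    struct { const char *label; uint32_t nr, arch; } cases[] = {
        { "write on x86-64", __NR_write, AUDIT_ARCH_X86_64 },
        { "read on x86-64",  __NR_read,  AUDIT_ARCH_X86_64 },
        { "write on i386",   __NR_write, AUDIT_ARCH_I386 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t v = verdict_for(__NR_write, AUDIT_ARCH_X86_64, EPERM, cases[i].nr, cases[i].arch);
        printf("%-16s -> %s (errno %u)\n", cases[i].label, action_name(v), v & SECCOMP_RET_DATA);
    }
    return 0;
}
```

The third case is the one to watch in review: a filter whose architecture check falls through to SECCOMP_RET_ALLOW silently exempts 32-bit (or any other ABI) callers, so production filters usually kill the process on an unexpected arch instead.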

After defining the filter code in the sock_filter struct, you need to define a sock_fprog containing the filter code and its computed length. This data structure is needed as the argument that declares the program to be run later:

struct sock_fprog prog = {
   .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
   .filter = filter,
};

There is only one thing left to do in install_filter: load the program itself! To do that we use prctl, with PR_SET_SECCOMP as the option to enter secure computing mode. Then we tell that mode to load the filter with SECCOMP_MODE_FILTER, which is contained in the prog variable of type sock_fprog:

  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
    perror("prctl(PR_SET_SECCOMP)");
    return 1;
  }
  return 0;
}

Finally, we can use our install_filter function, but before that we need to use prctl to set PR_SET_NO_NEW_PRIVS for the current execution, thereby avoiding the situation in which child processes obtain more privileges than their parents. With this, we can make the subsequent prctl calls in install_filter without root privileges.

Now we can call install_filter. Let's block all write system calls on the x86-64 architecture, returning a permission error (EPERM) for every attempt. After installing the filter, we continue execution with the first argument:

int main(int argc, char const *argv[]) {
  if (argc < 2) {
    fprintf(stderr, "usage: %s \"<command>\"\n", argv[0]);
    return 1;
  }
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("prctl(NO_NEW_PRIVS)");
    return 1;
  }
  /* From here on every write() made by this process or its children fails with EPERM. */
  if (install_filter(__NR_write, AUDIT_ARCH_X86_64, EPERM))
    return 1;
  return system(argv[1]);
}

Let's begin. To compile our program we can use either clang or gcc; either way, main.c is compiled without any special options:

clang main.c -o filter-write

As we saw, we blocked all writes in the program. To test this you need a program that prints something; ls looks like a good candidate. Here is how it normally behaves:

ls -la
total 36
drwxr-xr-x 2 fntlnz users 4096 Apr 28 21:09 .
drwxr-xr-x 4 fntlnz users 4096 Apr 26 13:01 ..
-rwxr-xr-x 1 fntlnz users 16800 Apr 28 21:09 filter-write
-rw-r--r-- 1 fntlnz users 19 Apr 28 21:09 .gitignore
-rw-r--r-- 1 fntlnz users 1282 Apr 28 21:08 main.c

Wonderful! Here is what using our wrapper program looks like: we pass the program we want to test as the first argument:

./filter-write "ls -la"

When executed, this program produces no output at all. However, we can use strace to see what is happening:

strace -f ./filter-write "ls -la"

The output of the run is heavily trimmed, but the relevant part shows that writes are blocked with the EPERM error, which is what we configured. This means the program prints nothing because it cannot access the write system call:

[pid 25099] write(2, "ls: ", 4) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "write error", 11) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "\n", 1) = -1 EPERM (Operation not permitted)

Now you understand how Seccomp BPF works and have a good idea of what you can do with it. But wouldn't you like to achieve the same with eBPF instead of cBPF, to use its full power?

When thinking about eBPF programs, most people assume they simply write them and load them with administrative privileges. While that statement is generally true, the kernel implements a set of mechanisms to protect eBPF objects at different levels. These mechanisms are called BPF LSM hooks.

BPF LSM hooks

To provide architecture-independent monitoring of system events, LSM implements the concept of hooks. A hook call is technically similar to a system call, but it is system-independent and integrated with the infrastructure. LSM offers a new concept in which an abstraction layer helps avoid the problems encountered when dealing with system calls across different architectures.

At the time of writing, the kernel has seven hooks related to BPF programs, and SELinux is the only built-in LSM that implements them.

The source code for the hooks is in the kernel tree in the file include/linux/security.h:

extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
extern int security_bpf_prog(struct bpf_prog *prog);
extern int security_bpf_map_alloc(struct bpf_map *map);
extern void security_bpf_map_free(struct bpf_map *map);
extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
extern void security_bpf_prog_free(struct bpf_prog_aux *aux);

Each of them is called at a different stage of execution:

- security_bpf - performs the initial check of the BPF system call;

- security_bpf_map - checks when the kernel returns a file descriptor for a map;

- security_bpf_prog - checks when the kernel returns a file descriptor for an eBPF program;

- security_bpf_map_alloc - checks whether the security field in BPF maps has been initialised;

- security_bpf_map_free - checks whether the security field in BPF maps has been cleared;

- security_bpf_prog_alloc - checks whether the security field in BPF programs has been initialised;

- security_bpf_prog_free - checks whether the security field in BPF programs has been cleared.

Having seen all this, we now understand the idea behind the LSM BPF hooks: they can provide protection for every eBPF object, ensuring that only those with the appropriate privileges can operate on maps and programs.

Summary

Security is not something you can implement with a one-size-fits-all approach for everything you want to protect. It is important to be able to protect the system at different levels and in different ways. Believe it or not, the best way to secure a system is to layer different protections from different vantage points, so that weakening a single security level does not give access to the whole system. The kernel developers have done a great job of giving us a set of different layers and touchpoints. We hope we have given you a good understanding of what those layers are and how to use BPF programs to work with them.

About the authors

David Calavera is the CTO at Netlify. He worked on the Docker support team and contributed to the development of runc, Go and BCC, as well as other open-source projects. He is known for his work on the Docker projects and for developing the Docker plugin ecosystem. David is passionate about programming language design and is always looking for ways to improve performance.

Lorenzo Fontana works on the open source team at Sysdig, where he focuses mainly on Falco, a Cloud Native Computing Foundation project that provides runtime security and anomaly detection through a kernel module and eBPF. He is passionate about distributed systems, software-defined networking, the Linux kernel and performance analysis.


A 25% discount for Habr readers with the coupon code Linux.

Once the paper edition of the book has been paid for, the e-book will be sent by e-mail.

source: www.habr.com
