Book "BPF for Linux Monitoring"

Hello, Khabrozhiteli! The BPF virtual machine is one of the most important components of the Linux kernel. Used properly, it lets systems engineers find faults and solve the hardest problems. You will learn to write programs that observe and modify kernel behavior, how to safely inject code to see what is happening inside the kernel, and much more. David Calavera and Lorenzo Fontana will help you unlock the power of BPF. Expand your knowledge of performance optimization, networking and security.
- Use BPF to observe and modify the behavior of the Linux kernel.
- Inject code to observe kernel events without recompiling the kernel or rebooting the machine.
- Use the practical code examples in C, Go or Python.
- Learn what the life cycle of a BPF program looks like.

Linux Kernel Security, Capabilities and Seccomp

BPF provides a powerful way to extend the kernel without sacrificing stability, safety or speed. For this reason the kernel developers decided it would be a good idea to use its flexibility to strengthen process isolation in Seccomp by implementing Seccomp filters backed by BPF programs, also known as Seccomp BPF. In this chapter we explain what Seccomp is and how it is used. Then you will learn to write Seccomp filters using BPF programs. After that we look at the built-in BPF hooks that the kernel provides for Linux Security Modules.

Linux Security Modules (LSM) is a framework that provides a set of functions which can be used to implement different security models in a standardized way. An LSM can be used directly from the kernel source tree, as AppArmor, SELinux and Tomoyo are.

Let's start by discussing Linux capabilities.

Capabilities

The idea behind Linux capabilities is that you need to give an unprivileged process permission to perform one specific task, but without using suid for that, or otherwise making the whole process privileged; this reduces the attack surface while still letting the process do its job. For example, if your application needs to open a privileged port, say 80, instead of running it as root you can give it just the CAP_NET_BIND_SERVICE capability.

Consider a Go program called main.go:

package main

import (
	"log"
	"net/http"
)

func main() {
	// Binding to port 80 needs CAP_NET_BIND_SERVICE (or root).
	log.Fatalf("%v", http.ListenAndServe(":80", nil))
}

This program serves HTTP on port 80, a privileged port. Normally we would run it right after compiling:

$ go build -o capabilities main.go
$ ./capabilities

However, since we are not granting root privileges, this code throws an error when binding the port:

2019/04/25 23:17:06 listen tcp :80: bind: permission denied
exit status 1

capsh (capability shell wrapper) is a tool that starts a shell with a specific set of capabilities.

In this case, as mentioned above, instead of granting full root privileges you can allow binding the port by granting the cap_net_bind_service capability on top of whatever the program already has. To do this we wrap our program in capsh:

# capsh --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' \
    --keep=1 --user="nobody" \
    --addamb=cap_net_bind_service -- -c "./capabilities"

Let's break this command down a little.

  • capsh - use capsh as the wrapper shell.
  • --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' - since we need to change the user (we do not want to run as root), we specify cap_net_bind_service together with the capabilities needed to switch the user ID from root to nobody, namely cap_setuid and cap_setgid (cap_setpcap is needed to adjust the capability sets themselves).
  • --keep=1 - we want to keep the capabilities that were set when switching away from the root account.
  • --user="nobody" - the user that runs the program will be nobody.
  • --addamb=cap_net_bind_service - add the capability to the ambient set, because ambient capabilities are what survive the switch away from root and the exec of the program.
  • -- -c "./capabilities" - everything after -- is passed to the shell, so this simply runs the program.

Ambient capabilities are a special set of capabilities that child programs inherit when the current program executes them with execve(). A capability can only be ambient if it is both permitted and inheritable; in other words, only capabilities that are allowed to be inherited can be made ambient.

You may be wondering what +eip means after the capability name in --caps. These flags state that the capability:

- is permitted (p);

- is effective, that is, available for use (e);

- is inheritable by child processes (i).

Since we want to use cap_net_bind_service, we need to make it effective with the e flag. Then we start a shell in the command; that shell executes our capabilities binary, so the capability must be inheritable, which is the i flag. Finally, we want the capability to be permitted (we need this when changing the UID), which is the p flag. Together this gives cap_net_bind_service+eip.

You can check the result with ss. We trim the output a little to fit the page, but it shows the bound port together with a user ID other than 0, in this case 65534 (nobody):

# ss -tulpn -e -H | cut -d' ' -f17-
128 *:80 *:*
users:(("capabilities",pid=30040,fd=3)) uid:65534 ino:11311579 sk:2c v6only:0

In this example we used capsh, but you can write the wrapper yourself with libcap. For more information see man 3 libcap.
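Whichever wrapper you use, the check worth running afterwards is to read the capability sets the kernel actually gave the process. As an added example (not code from the book or from libcap), the C program below decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb masks from /proc/<pid>/status into capability names, the same information capsh --decode gives you, so you can confirm that only cap_net_bind_service survived the switch to nobody and that it is ambient. The function names and the embedded SAMPLE_STATUS text (what the wrapped server's status file should look like with uid 65534) are constructed for this example; the capability numbers come from linux/capability.h.

```c
/* Added example (not from the book): decode the capability bitmasks that the
 * kernel reports in /proc/<pid>/status (CapInh, CapPrm, CapEff, CapBnd, CapAmb)
 * so you can verify what a capsh or libcap wrapper actually left in place. */
#include <errno.h>
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit position of a capability number inside the 64-bit mask. */
static uint64_t cap_bit(int cap) { return (uint64_t)1 << cap; }

/* Parse the hex mask after "CapXxx:"; returns 0 on success, -1 on bad input. */
static int parse_cap_mask(const char *hex, uint64_t *out) {
    char *end;
    errno = 0;
    unsigned long long v = strtoull(hex, &end, 16);
    if (errno || end == hex || (*end != '\0' && *end != '\n'))
        return -1;
    *out = v;
    return 0;
}

/* Find "<field>:" in a status text (e.g. field = "CapEff") and parse its mask. */
static int status_cap_set(const char *status, const char *field, uint64_t *out) {
    size_t flen = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            const char *v = p + flen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            return parse_cap_mask(v, out);
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Same, for the calling process: reads /proc/self/status. */
static int self_cap_set(const char *field, uint64_t *out) {
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_cap_set(buf, field, out);
}

/* Names for the capabilities this chapter mentions; others print as cap_<n>. */
static const char *cap_name(int cap) {
    switch (cap) {
    case CAP_SETGID:           return "cap_setgid";
    case CAP_SETUID:           return "cap_setuid";
    case CAP_SETPCAP:          return "cap_setpcap";
    case CAP_NET_BIND_SERVICE: return "cap_net_bind_service";
    case CAP_NET_ADMIN:        return "cap_net_admin";
    case CAP_SYS_ADMIN:        return "cap_sys_admin";
    case CAP_SYS_TIME:         return "cap_sys_time";
    default:                   return NULL;
    }
}

/* Print the capabilities set in mask; returns how many bits were set. */
static int print_caps(const char *label, uint64_t mask) {
    int count = 0;
    printf("%s:", label);
    for (int cap = 0; cap < 64; cap++) {
        if (!(mask & cap_bit(cap)))
            continue;
        count++;
        const char *name = cap_name(cap);
        if (name)
            printf(" %s", name);
        else
            printf(" cap_%d", cap);
    }
    printf("%s\n", count ? "" : " (none)");
    return count;
}

/* Constructed sample: the status file of the wrapped server should look like
 * this after the capsh command above (uid 65534, only bit 10 in each set). */
static const char SAMPLE_STATUS[] =
    "Name:\tcapabilities\n"
    "Uid:\t65534\t65534\t65534\t65534\n"
    "CapInh:\t0000000000000400\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000400\n";

int main(void) {
    uint64_t mask;
    if (status_cap_set(SAMPLE_STATUS, "CapEff", &mask) == 0)
        print_caps("sample CapEff", mask);
    const char *sets[] = { "CapPrm", "CapEff", "CapAmb" };
    for (size_t i = 0; i < sizeof sets / sizeof sets[0]; i++)
        if (self_cap_set(sets[i], &mask) == 0)
            print_caps(sets[i], mask);
    return 0;
}
```

Run it as the wrapped program's user, or point status_cap_set at /proc/<pid>/status of the running server, and check that CapEff and CapAmb contain only cap_net_bind_service. If cap_setuid or cap_setgid are still effective after the UID switch, the wrapper dropped too little.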

When writing a program, the developer often does not know in advance every capability it will need at run time; moreover, the set may change in new versions.

To understand our program's capabilities better, we can use the capable tool from BCC, which places a kprobe on the cap_capable kernel function:

/usr/share/bcc/tools/capable
TIME      UID  PID    TID    COMM             CAP  NAME                  AUDIT
10:12:53  0    424    424    systemd-udevd    12   CAP_NET_ADMIN         1
10:12:57  0    1103   1101   timesync         25   CAP_SYS_TIME          1
10:12:57  0    19545  19545  capabilities     10   CAP_NET_BIND_SERVICE  1

We can achieve the same with a bpftrace one-liner using a kprobe on the cap_capable kernel function:

bpftrace -e \
   'kprobe:cap_capable {
      time("%H:%M:%S ");
      printf("%-6d %-6d %-16s %-4d %d\n", uid, pid, comm, arg2, arg3);
    }' \
    | grep -i capabilities

This prints something like the following, provided our program runs (and has its capabilities checked) after the kprobe is attached:

12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 10 1

The fifth column is the capability the process asked for, and since this output includes non-audit events we see all the non-audit checks and, finally, the required capability with the audit flag (the last column) set to 1. The capability we are interested in, CAP_NET_BIND_SERVICE, is defined as a constant in the kernel source in include/uapi/linux/capability.h with identifier 10:

/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */
#define CAP_NET_BIND_SERVICE 10

Capabilities are routinely used by container runtimes such as runC or Docker to let containers run unprivileged while allowing only the capabilities that most applications need. When an application needs extra capabilities, Docker can grant them with --cap-add:

docker run -it --rm --cap-add=NET_ADMIN ubuntu ip link add dummy0 type dummy

This command grants the container the CAP_NET_ADMIN capability, allowing it to configure a network link and add the dummy0 interface.

The next section shows how to achieve similar filtering, but with a different technique that lets us implement our own filters programmatically.

Seccomp

Seccomp stands for Secure Computing and is a security layer implemented in the Linux kernel that lets developers filter specific system calls. Although Seccomp is comparable to Linux capabilities, its ability to control individual system calls makes it far more flexible.

Seccomp and Linux capabilities are not mutually exclusive and are often used together to get the benefit of both approaches. For example, you may want to grant a process the CAP_NET_ADMIN capability but not allow it to accept socket connections, by blocking the accept and accept4 system calls.

The Seccomp filtering mechanism is based on BPF filters running in SECCOMP_MODE_FILTER mode, and system calls are filtered the same way packets are.

Seccomp filters are loaded with prctl using PR_SET_SECCOMP. A filter takes the form of a BPF program that is executed on every Seccomp "packet", represented by the seccomp_data structure. That structure contains the system call number, the architecture, the processor's instruction pointer at the time of the call, and the six system call arguments, expressed as uint64.

Here is what the seccomp_data structure looks like in the kernel source, in the linux/seccomp.h file:

struct seccomp_data {
      int nr;
      __u32 arch;
      __u64 instruction_pointer;
      __u64 args[6];
};

As you can see from this structure, we can filter by system call, by its arguments, or by a combination of both.

For each Seccomp packet it receives, the filter must do its work to reach a final decision and tell the kernel what to do next. That decision is expressed by one of the following return values (return codes):

- SECCOMP_RET_KILL_PROCESS - kills the whole process immediately after filtering a system call, which consequently is not executed.

- SECCOMP_RET_KILL_THREAD - terminates the current thread immediately after filtering a system call, which consequently is not executed.

- SECCOMP_RET_KILL - a legacy alias for SECCOMP_RET_KILL_THREAD, kept for backward compatibility.

- SECCOMP_RET_TRAP - the system call is denied, and a SIGSYS (Bad System Call) signal is sent to the task that invoked it.

- SECCOMP_RET_ERRNO - the system call is not executed, and the SECCOMP_RET_DATA part of the filter's return value is handed to user space as the errno value. Depending on the cause of the error, different errno values can be returned. The errors that the seccomp system call itself reports are listed in the next section.

- SECCOMP_RET_TRACE - used to notify a ptrace tracer (attached with PTRACE_O_TRACESECCOMP) when the system call is invoked, so it can observe and control it. If no tracer is attached, an error is returned, errno is set to -ENOSYS, and the system call is not executed.

- SECCOMP_RET_LOG - the system call is allowed, and the event is logged.

- SECCOMP_RET_ALLOW - the system call is simply allowed.

ptrace is a system call for tracing a process, called the tracee, with the ability to observe and control its execution. The tracing process can influence execution and modify the tracee's memory and registers. In the Seccomp context, ptrace comes into play when a filter returns SECCOMP_RET_TRACE, so the tracer can stop the system call from executing and implement its own logic.

Seccomp errors

From time to time when working with Seccomp you will run into various errors, identified by a return value of type SECCOMP_RET_ERRNO. To signal an error, the seccomp system call returns -1 instead of 0.

The following errors are possible:

- EACCES - the caller is not allowed to make the system call. This usually happens because it lacks the CAP_SYS_ADMIN privilege or no_new_privs was not set with prctl (discussed later);

- EFAULT - the arguments passed (args in the seccomp_data structure) do not have a valid address;

- EINVAL - there can be four reasons here:

- the requested operation is unknown or not supported by the kernel in its current configuration;

- the specified flags are not valid for the requested operation;

- the operation includes BPF_ABS, but there is a problem with the specified offset, which may exceed the size of the seccomp_data structure;

- the number of instructions passed in the filter exceeds the maximum;

- ENOMEM - not enough memory to execute the program;

- EOPNOTSUPP - the operation was SECCOMP_GET_ACTION_AVAIL, but the kernel does not support the filter return action named in the arguments;

- ESRCH - an error occurred while synchronizing another thread;

- ENOSYS - no tracer is attached for the SECCOMP_RET_TRACE action.

prctl is a system call that lets a user-space program control (set and get) specific aspects of a process, such as byte endianness, thread names, secure computing mode (Seccomp), privileges, Perf events, and so on.

Seccomp may look like a sandboxing technology to you, but it is not. Seccomp is a tool that lets users build a sandboxing mechanism. Now let's see how to write custom filtering programs, using a filter that is installed directly through the Seccomp system call interface.

BPF Seccomp Filter Example

Here we show how to combine what we discussed earlier, namely:

- write a Seccomp BPF program to be used as a filter, with different return codes depending on the decisions it makes;

- load the filter using prctl.

First you need headers from the standard library and the Linux kernel:

#include <errno.h>
#include <linux/audit.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>

Before trying this example, we need to make sure the kernel was compiled with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER set to y. On a running machine you can check this as follows (on distributions that do not expose /proc/config.gz, grep /boot/config-$(uname -r) instead):

cat /proc/config.gz | zcat | grep -i CONFIG_SECCOMP

The rest of the code is the install_filter function, in two parts. The first part holds our list of BPF filter instructions:

static int install_filter(int nr, int arch, int error) {
  struct sock_filter filter[] = {
    /* A = seccomp_data.arch; if it is not the expected arch, skip to ALLOW */
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3),
    /* A = seccomp_data.nr; if it is not the filtered syscall, skip to ALLOW */
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1),
    /* deny: fail the syscall with the given errno */
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
  };

These instructions are built with the BPF_STMT and BPF_JUMP macros defined in linux/filter.h.
Let's walk through the instructions.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))) - loads (BPF_LD) into the accumulator the word (BPF_W) of packet data found at the fixed offset (BPF_ABS) of the arch field.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3) - checks with BPF_JEQ whether the architecture value in the accumulator equals the constant (BPF_K) arch. If it does, jump with offset 0 to the next instruction; otherwise jump 3 instructions ahead to the final SECCOMP_RET_ALLOW, skipping the error path because the architecture does not match. Note that allowing calls from a foreign architecture is a weak default: system call numbers differ between ABIs, so a production filter would rather return SECCOMP_RET_KILL_PROCESS here.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))) - loads (BPF_LD) into the accumulator the word (BPF_W) at the fixed offset (BPF_ABS) of the nr field, which is the system call number.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1) - compares the system call number with the value of the nr variable. If they are equal, continue to the next instruction, which blocks the system call; otherwise skip one instruction and allow the call with SECCOMP_RET_ALLOW.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)) - ends the program with BPF_RET and therefore returns the SECCOMP_RET_ERRNO action with the error number taken from the error variable.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW) - ends the program with BPF_RET and lets the system call execute with SECCOMP_RET_ALLOW.

SECCOMP AND cBPF
You may wonder why a list of instructions is used here instead of a compiled ELF object or a JIT-compiled C program.

There are two reasons.

• First, Seccomp uses cBPF (classic BPF) rather than eBPF, which means it has no general-purpose registers: only the accumulator (plus an index register) holds intermediate results, as we see in the example.

• Second, Seccomp accepts a pointer to an array of BPF instructions directly and nothing else. The macros we used merely help describe those instructions in a programmer-friendly way.

If you want more help understanding this assembly, consider pseudocode that does the same thing:

if (arch != AUDIT_ARCH_X86_64) {
    return SECCOMP_RET_ALLOW;
}
if (nr == __NR_write) {
    return SECCOMP_RET_ERRNO;
}
return SECCOMP_RET_ALLOW;

After defining the filter code in the sock_filter array, you need to declare a sock_fprog that holds the filter code and its computed length. This structure is the argument handed to the kernel to install the filter on the process:

struct sock_fprog prog = {
   .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
   .filter = filter,
};

There is only one thing left to do in install_filter: load the program! To do this we call prctl with PR_SET_SECCOMP as the option for entering secure computing mode. Then we tell it to load the filter using SECCOMP_MODE_FILTER, which is contained in the prog variable of type sock_fprog:

  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
    perror("prctl(PR_SET_SECCOMP)");
    return 1;
  }
  return 0;
}

Finally, we can use our install_filter, but before that we need to call prctl to set PR_SET_NO_NEW_PRIVS on the current process, which prevents child processes from obtaining more privileges than their parent. With this set, the prctl calls inside install_filter can be made without being root.

Now we can call the install_filter function. Let's block all write system calls for the x86-64 architecture and simply return a permission error (EPERM) that blocks every attempt. After installing the filter we continue execution with the first argument:

int main(int argc, char const *argv[]) {
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("prctl(NO_NEW_PRIVS)");
    return 1;
  }
  /* refuse to run the command at all if the filter could not be installed */
  if (install_filter(__NR_write, AUDIT_ARCH_X86_64, EPERM)) {
    return 1;
  }
  return system(argv[1]);
}

Let's try it. To build our program we can use clang or gcc; either way, just compile main.c with no special options:

clang main.c -o filter-write

As mentioned, we have blocked all write system calls in this program. To test it you need a program that prints something; ls seems a good candidate. Here is how it normally behaves:

ls -la
total 36
drwxr-xr-x 2 fntlnz users 4096 Apr 28 21:09 .
drwxr-xr-x 4 fntlnz users 4096 Apr 26 13:01 ..
-rwxr-xr-x 1 fntlnz users 16800 Apr 28 21:09 filter-write
-rw-r--r-- 1 fntlnz users 19 Apr 28 21:09 .gitignore
-rw-r--r-- 1 fntlnz users 1282 Apr 28 21:08 main.c

Great! Here is how our wrapper program is used: we simply pass the program we want to test as the first argument:

./filter-write "ls -la"

When executed, the program produces no output at all. However, we can use strace to see what is going on:

strace -f ./filter-write "ls -la"

The output of this command is heavily trimmed, but the relevant part shows that writes are blocked with the EPERM error, exactly as we configured. This means the program prints nothing because it cannot use the write system call:

[pid 25099] write(2, "ls: ", 4) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "write error", 11) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "\n", 1) = -1 EPERM (Operation not permitted)
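As an added example, not part of the book's code, the following C program extends the filter above in the two ways a practitioner usually wants next: it filters on a system call argument, denying write(2) only on one chosen file descriptor by loading args[0] from seccomp_data, and it returns SECCOMP_RET_KILL_PROCESS on an architecture mismatch instead of allowing the call, closing the hole where a process switches to another syscall ABI. The function names install_fd_write_filter and probe_write, the FILTER_ARCH selection, and the pipe-based self-test in main are assumptions of this example.

```c
/* Added example (not from the book): a seccomp-BPF filter that inspects a
 * system call argument. It denies write(2) on one chosen file descriptor
 * with EPERM, allows every other call, and kills the process outright if a
 * syscall arrives with an unexpected architecture/ABI. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Pick the AUDIT_ARCH_* value for the ABI this binary is compiled for. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define FILTER_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Older headers predate this action (kernel 4.14); the value is stable. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* args[] are 64-bit but cBPF loads 32-bit words; on the little-endian ABIs
 * selected above the low half comes first. */
#define ARG_LO(n) (offsetof(struct seccomp_data, args[n]))
#define ARG_HI(n) (offsetof(struct seccomp_data, args[n]) + 4)

/* Install a filter denying write(2) on denied_fd. Returns 0, or -1 with errno. */
int install_fd_write_filter(int denied_fd) {
    struct sock_filter filter[] = {
        /* 0-2: A = arch; anything but FILTER_ARCH kills the whole process */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-4: A = nr; any syscall other than write jumps to ALLOW (index 10) */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_write, 0, 5),
        /* 5-6: A = low 32 bits of args[0] (the fd); other fds jump to ALLOW */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, ARG_LO(0)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (unsigned)denied_fd, 0, 3),
        /* 7-8: A = high 32 bits of args[0]; must be 0 for a genuine small fd */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, ARG_HI(0)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, 0, 0, 1),
        /* 9: deny, surfacing EPERM to the caller */
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 10: allow */
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* Unprivileged processes may only install filters with no_new_privs set;
     * it also stops a later execve from regaining privilege via setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
        return -1;
    return 0;
}

/* Attempt a one-byte write; returns 0 on success, otherwise the errno seen. */
int probe_write(int fd) {
    if (write(fd, "x", 1) == 1)
        return 0;
    return errno;
}

/* Self-test: two pipes, only the first one's write end is filtered. */
int main(void) {
    int denied[2], other[2];
    if (pipe(denied) || pipe(other)) { perror("pipe"); return 1; }
    if (install_fd_write_filter(denied[1])) { perror("seccomp"); return 1; }
    printf("write(%d): errno %d (expect EPERM=%d)\n",
           denied[1], probe_write(denied[1]), EPERM);
    printf("write(%d): errno %d (expect 0)\n", other[1], probe_write(other[1]));
    return 0;
}
```

Because args[] are 64-bit while cBPF loads 32-bit words, both halves of args[0] are compared; checking only the low half would let a value such as 0x100000003 match fd 3. Pointer-typed arguments cannot be inspected this way at all: the filter sees only the pointer value, not the memory behind it, and that memory can change between the check and the kernel's use of it (a time-of-check/time-of-use gap), so argument filtering is only meaningful for scalar arguments like descriptors and flags.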

Now you understand how Seccomp BPF works and have a good idea of what you can do with it. But wouldn't you like to do the same with eBPF instead of cBPF, using its full power?

When thinking about eBPF programs, many people assume that you simply write them and load them with root privileges. Although that is true, the kernel in fact implements a set of mechanisms that protect eBPF objects at several levels. These mechanisms are the BPF LSM hooks.

BPF LSM hooks

To provide architecture-independent observation of system events, LSM uses the concept of hooks. A hook call is technically similar to a system call, but it is architecture-independent and integrated with the LSM framework. LSM thereby offers an abstraction layer that avoids the problems you otherwise run into when dealing with system calls on different architectures.

At the time of writing, the kernel has seven hooks related to BPF programs, and SELinux is the only built-in LSM that implements them.

The hook declarations live in the kernel tree in the file include/linux/security.h:

extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
extern int security_bpf_prog(struct bpf_prog *prog);
extern int security_bpf_map_alloc(struct bpf_map *map);
extern void security_bpf_map_free(struct bpf_map *map);
extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
extern void security_bpf_prog_free(struct bpf_prog_aux *aux);

Each of them is invoked at a different stage of execution:

- security_bpf - performs the initial check on every BPF system call invoked;

- security_bpf_map - checks when the kernel returns a file descriptor for a map;

- security_bpf_prog - checks when the kernel returns a file descriptor for an eBPF program;

- security_bpf_map_alloc - checks whether the security field inside BPF maps is initialized;

- security_bpf_map_free - checks whether the security field inside BPF maps is cleared;

- security_bpf_prog_alloc - checks whether the security field inside BPF programs is initialized;

- security_bpf_prog_free - checks whether the security field inside BPF programs is cleared.

Having seen all this, the idea behind the LSM BPF hooks becomes clear: they can protect every eBPF object, ensuring that only callers with the appropriate privileges can operate on maps and programs.

Summary

Security is not something you can apply uniformly to everything you want to protect. It is important to be able to protect systems at different levels and in different ways. Believe it or not, the best way to secure a system is to build up different layers of security from different perspectives, so that weakening one layer does not give access to the whole system. The kernel developers have done a great job of giving us these layers and touch points. We hope we have given you a good understanding of what those layers are and how to use BPF programs to work with them.

About the authors

David Calavera is the CTO at Netlify. He worked on Docker and contributed to the development of runC, Go and BCC tooling, as well as other open source projects. He is known for his work on Docker projects and for building the Docker plugin ecosystem. David is very fond of flame graphs and is always looking to improve the performance of his work.

Lorenzo Fontana works on the open source team at Sysdig, where he focuses on Falco, a Cloud Native Computing Foundation project that provides container runtime security and anomaly detection through a kernel module and eBPF. He is passionate about distributed systems, software-defined networking, the Linux kernel and performance analysis.


Source: www.habr.com
