Book "BPF for Linux Monitoring"

Hello, Khabr readers! The BPF virtual machine is one of the most important components of the Linux kernel. Using it properly lets systems engineers find faults and solve even the most complex problems. You will learn to write programs that observe and modify the behavior of the kernel, how to safely inject code to observe events inside the kernel, and much more. David Calavera and Lorenzo Fontana will help you unlock the power of BPF. Expand your knowledge of performance optimization, networking and security.
- Use BPF to observe and modify the behavior of the Linux kernel.
- Inject code to observe kernel events safely, without recompiling the kernel or rebooting the system.
- Use convenient code examples in C, Go or Python.
- Take control by owning the life cycle of a BPF program.

Linux Kernel Security, Capabilities and Seccomp

BPF provides a powerful way to extend the kernel without sacrificing stability, safety or speed. For this reason the kernel developers decided it would be a good idea to use its versatility to improve process isolation in Seccomp, by implementing Seccomp filters backed by BPF programs, also known as Seccomp BPF. This chapter explains what Seccomp is and how it is used. Then you will learn to write Seccomp filters using BPF programs. After that we look at the built-in BPF hooks that the kernel integrates for Linux Security Modules.

Linux Security Modules (LSM) is a framework that provides a set of functions which can be used to implement different security models in a standardized way. An LSM can live directly in the kernel source tree, as AppArmor, SELinux and Tomoyo do.

Let's start with a discussion of Linux capabilities.

Capabilities

The point of Linux capabilities is to give an unprivileged process permission to perform a specific task without using suid for that purpose or otherwise making the whole process privileged: the attack surface shrinks while the process can still do the few privileged things it needs. For example, if your application needs to open a privileged port, say 80, instead of running the process as root you can just grant it the CAP_NET_BIND_SERVICE capability.

Consider a Go program called main.go:

package main

import (
    "log"
    "net/http"
)

func main() {
    log.Fatalf("%v", http.ListenAndServe(":80", nil))
}

This program starts an HTTP server on port 80 (a privileged port). Usually we run it right after compiling:

$ go build -o capabilities main.go
$ ./capabilities

However, since we are not granting root privileges, the program fails when binding the port:

2019/04/25 23:17:06 listen tcp :80: bind: permission denied
exit status 1

capsh (capability shell) is a tool that runs a shell with a specific set of capabilities.

In this case, as already mentioned, instead of granting full root rights you can allow binding to privileged ports by granting the cap_net_bind_service capability together with whatever the program already has. To do this we wrap our program in capsh:

# capsh --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' \
   --keep=1 --user="nobody" \
   --addamb=cap_net_bind_service -- -c "./capabilities"

Let's look at this command in a little more detail.

  • capsh - use capsh as the wrapper.
  • --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' - since we are going to change user (we do not want to run as root), we specify cap_net_bind_service plus the capabilities needed to actually change the user ID from root to nobody, namely cap_setuid and cap_setgid.
  • --keep=1 - keep the capability sets when switching away from the root account.
  • --user="nobody" - the user that finally runs the program will be nobody.
  • --addamb=cap_net_bind_service - set the ambient capability after switching away from root.
  • -- -c "./capabilities" - just run the program.

Ambient capabilities are a special kind of capability that child programs inherit when the current program executes them with execve(). Only a capability that is both permitted and inheritable can be raised into the ambient set, and therefore inherited this way.

You may be wondering what +eip means after the capability name in the --caps option. These flags say that the capability:

- must be permitted (p);

- is effective, i.e. available for use (e);

- can be inherited by child processes (i).

Since we want to use cap_net_bind_service, we need it to be effective, hence the e flag. Then the shell runs the command; that executes the capabilities binary, and we want the capability to survive into it, so we mark it with the i flag. Finally we need the capability to be permitted (we did this without changing the UID), hence p. Together that gives cap_net_bind_service+eip.

You can check the result with ss. Let's trim the output a bit so it fits on the page; the relevant part shows the bound port and a user ID other than 0, in this case 65534:

# ss -tulpn -e -H | cut -d' ' -f17-
128 *:80 *:*
users:(("capabilities",pid=30040,fd=3)) uid:65534 ino:11311579 sk:2c v6only:0

In this example we used capsh, but you can write the wrapper yourself with libcap. For more information see man 3 libcap.

When writing programs, the developer quite often does not know in advance all the capabilities the program will need at run time; moreover, those needs may change in new versions.

To better understand which capabilities our program needs, we can use the BCC capable tool, which places a kprobe on the cap_capable kernel function:

/usr/share/bcc/tools/capable
TIME      UID  PID    TID    COMM            CAP  NAME                  AUDIT
10:12:53  0    424    424    systemd-udevd   12   CAP_NET_ADMIN         1
10:12:57  0    1103   1101   timesync        25   CAP_SYS_TIME          1
10:12:57  0    19545  19545  capabilities    10   CAP_NET_BIND_SERVICE  1

We can do the same with a bpftrace one-liner that places a kprobe on the cap_capable kernel function:

bpftrace -e \
   'kprobe:cap_capable {
      time("%H:%M:%S ");
      printf("%-6d %-6d %-16s %-4d %d\n", uid, pid, comm, arg2, arg3);
    }' \
    | grep -i capabilities

Once the kprobe is attached and our program's capabilities are checked, this prints something like the following:

12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 10 1

The fifth column is the capability the process requests. Since this output also includes non-audit checks, we first see all of those, and finally the capability that is actually required, with the audit flag (the last column) set to 1. The capability we are interested in is CAP_NET_BIND_SERVICE, defined as a constant in the kernel source in include/uapi/linux/capability.h with identifier 10:

/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */
#define CAP_NET_BIND_SERVICE 10

Capabilities are commonly used at run time by container runtimes such as runC or Docker so that containers run unprivileged: a container is granted only the capabilities needed to run most applications. If an application needs additional capabilities, Docker can grant them with --cap-add:

docker run -it --rm --cap-add=NET_ADMIN ubuntu ip link add dummy0 type dummy

This command gives the container the CAP_NET_ADMIN capability, allowing it to configure network links and so add the dummy0 interface.

The next section shows how to get capability-like restrictions with a different mechanism, one that lets us implement our own filters programmatically.

Seccomp

Seccomp stands for Secure Computing and is a security layer built into the Linux kernel that lets developers filter specific system calls. Although Seccomp is comparable to Linux capabilities, its ability to manage individual system calls makes it far more flexible.

Seccomp and Linux capabilities are not mutually exclusive and are often used together to get the benefits of both approaches. For example, you may want to give a process the CAP_NET_ADMIN capability but not let it accept socket connections, by blocking the accept and accept4 system calls.

Seccomp filtering is based on BPF filters operating in SECCOMP_MODE_FILTER mode, and system calls are filtered in the same way as packets.

Seccomp filters are loaded with prctl via the PR_SET_SECCOMP operation. A filter takes the form of a BPF program that is executed for every Seccomp "packet", represented by the seccomp_data structure. This structure contains the system call number, the architecture, the instruction pointer at the time of the system call, and up to six system call arguments, represented as 64-bit integers.

This is what the seccomp_data structure looks like in the kernel source file linux/seccomp.h:

struct seccomp_data {
    int nr;
    __u32 arch;
    __u64 instruction_pointer;
    __u64 args[6];
};

As you can see from this structure, we can filter by system call number, by its arguments, or by a combination of both.

For each Seccomp packet it receives, the filter must reach a final decision and tell the kernel what to do next. The decision is expressed by one of the following return values (status codes), listed from highest to lowest precedence; when several filters are installed, the most restrictive verdict wins.

- SECCOMP_RET_KILL_PROCESS - the whole process is killed immediately; the filtered system call is not executed.

- SECCOMP_RET_KILL_THREAD - the current thread is killed immediately; the filtered system call is not executed.

- SECCOMP_RET_KILL - an alias of SECCOMP_RET_KILL_THREAD, kept for backward compatibility.

- SECCOMP_RET_TRAP - the system call is not executed, and a SIGSYS (Bad System Call) signal is sent to the calling task.

- SECCOMP_RET_ERRNO - the system call is not executed, and the SECCOMP_RET_DATA part of the filter's return value is passed to user space as the errno value. Depending on the cause of the error, different errno values can be returned; a list of error numbers is given in the next section.

- SECCOMP_RET_TRACE - notifies a ptrace tracer (one using PTRACE_O_TRACESECCOMP) that a system call was made, so it can observe and control the process. If no tracer is attached, an error is returned, errno is set to -ENOSYS, and the system call is not executed.

- SECCOMP_RET_LOG - the system call is allowed and logged.

- SECCOMP_RET_ALLOW - the system call is simply allowed.

ptrace is a system call used to implement tracing of a process, called the tracee, with the ability to observe and control its execution. The tracing program can substantially influence execution and modify the tracee's memory and registers. In the context of Seccomp, ptrace comes into play when triggered by the SECCOMP_RET_TRACE status code, so the tracer can prevent the system call from executing and implement its own logic.

Seccomp kukanganisa

Nguva nenguva, paunenge uchishanda neSeccomp, uchasangana nezvikanganiso zvakasiyana-siyana, izvo zvinoratidzwa nehuwandu hwekudzoka kwemhando SECCOMP_RET_ERRNO. Kuti utaure chikanganiso, iyo seccomp system yekufona ichadzoka -1 pachinzvimbo che0.

Zvikanganiso zvinotevera zvinogoneka:

- EACCESS - Iye anofona haabvumidzwe kufona system. Izvi zvinowanzoitika nekuti haina CAP_SYS_ADMIN ropafadzo kana no_new_privs haina kusetwa uchishandisa prctl (tichataura nezvazvo gare gare);

- EFAULT - nharo dzakapfuura (args mune seccomp_data chimiro) haina kero inoshanda;

- EINVAL - panogona kuve nezvikonzero zvina pano:

-iyo yakakumbirwa mashandiro haazivikanwe kana kuti haatsigirwe nekernel mune yazvino gadziriso;

-iyo mireza yakataurwa haishande kune yakakumbirwa kushanda;

-kushanda kunosanganisira BPF_ABS, asi kune matambudziko neyakatsanangurwa offset, iyo inogona kudarika saizi ye seccomp_data chimiro;

-nhamba yemirairo yakapfuudzwa kune sefa inodarika iyo yakawanda;

- ENOMEM - kwete ndangariro yakakwana yekuita chirongwa;

- EOPNOTSUPP - oparesheni yakaratidza kuti neSECCOMP_GET_ACTION_AVAIL chiito changa chiripo, asi kernel haitsigire kudzoka mukupokana;

- ESRCH - dambudziko rakaitika pakuenzanisa imwe rwizi;

- ENOSYS - Iko hakuna tracer yakanamatira kune SECCOMP_RET_TRACE chiito.

prctl inharembozha inobvumira mushandisi-nzvimbo chirongwa chekushandisa (seta uye kuwana) zvakati zvinhu zvemaitiro, senge byte endianness, mazita eshinda, yakachengeteka computation mode (Seccomp), ropafadzo, Perf zviitiko, nezvimwe.
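The following is an added example, not from the book, that provokes the EINVAL and EACCES cases from the list above so that they are recognisable when a hand-written filter is rejected. Every filter here is deliberately invalid, so nothing is ever installed in the calling process; it assumes a Linux kernel with seccomp filter support, and the function names are this example's own.

```c
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Try to load a filter and return the errno prctl reports (0 on success). */
static int seccomp_load_errno(struct sock_filter *insns, unsigned short len) {
    struct sock_fprog prog = { .len = len, .filter = insns };
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0) return 0;
    return errno;
}

/* A filter whose BPF_ABS load points one word past the end of
   struct seccomp_data; the seccomp verifier rejects it. */
static int load_bad_offset_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, sizeof(struct seccomp_data)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    return seccomp_load_errno(f, sizeof(f) / sizeof(f[0]));
}

/* EINVAL regardless of privileges: the length check runs before anything else. */
static int probe_empty_filter(void) {
    struct sock_filter f[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    return seccomp_load_errno(f, 0);
}

/* Without no_new_privs an unprivileged caller gets EACCES before the filter
   is even looked at; a caller with CAP_SYS_ADMIN gets the real verdict, EINVAL. */
static int probe_without_no_new_privs(void) {
    return load_bad_offset_filter();
}

/* With no_new_privs set the privilege check passes and the verdict is EINVAL. */
static int probe_bad_offset(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return errno;
    return load_bad_offset_filter();
}

/* EINVAL: a conditional jump whose false branch lands past the last instruction. */
static int probe_jump_out_of_range(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return errno;
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 5),   /* jf=5 -> index 7 of 3 */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    return seccomp_load_errno(f, sizeof(f) / sizeof(f[0]));
}

int main(void) {
    printf("empty filter:                errno %d\n", probe_empty_filter());
    printf("bad offset, no no_new_privs: errno %d (EACCES=%d unprivileged, EINVAL=%d with CAP_SYS_ADMIN)\n",
           probe_without_no_new_privs(), EACCES, EINVAL);
    printf("bad offset, no_new_privs:    errno %d\n", probe_bad_offset());
    printf("jump out of range:           errno %d\n", probe_jump_out_of_range());
    return 0;
}
```

The order of the probes is deliberate: the no_new_privs bit is one-way for the process, so the EACCES case has to be exercised before it is set. When a real filter unexpectedly returns EACCES, the missing PR_SET_NO_NEW_PRIVS call is the first thing to check.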

Seccomp may look like a sandboxing technology to you, but it is not: Seccomp is a tool that lets users build a sandbox. Now let's look at how such sandboxing programs are created, with a filter loaded directly through the Seccomp system call.

BPF Seccomp Filter Example

Here we show how to combine the two steps discussed earlier, namely:

- writing a Seccomp BPF program, used as a filter that yields different return codes depending on the decisions made;

- loading the filter with prctl.

First you need headers from the standard library and the Linux kernel:

#include <errno.h>
#include <linux/audit.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>

Before trying this example, make sure the kernel was built with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER set to y. On a running machine you can check this as follows:

cat /proc/config.gz | zcat | grep -i CONFIG_SECCOMP

Note that /proc/config.gz exists only when the kernel was built with CONFIG_IKCONFIG_PROC; otherwise look in /boot/config-$(uname -r) for the same options.

The rest of the code is the install_filter function, which consists of two parts. The first part is our list of BPF filter instructions:

static int install_filter(int nr, int arch, int error) {
  struct sock_filter filter[] = {
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3),
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
  };

The instructions are built with the BPF_STMT and BPF_JUMP macros defined in linux/filter.h.
Let's go through them.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))) - loads (BPF_LD) a 32-bit word (BPF_W) into the accumulator from the packet data at the fixed offset (BPF_ABS) of the arch field.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3) - compares (BPF_JEQ) the architecture value now in the accumulator with the constant (BPF_K) arch. If they are equal, jump 0 instructions, i.e. continue with the next one; otherwise jump 3 instructions ahead, which in this filter lands on the final SECCOMP_RET_ALLOW, so a system call made through a non-matching architecture is allowed through unchecked.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))) - loads into the accumulator the 32-bit word at the fixed offset of the nr field, i.e. the system call number.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1) - compares the system call number with the value of the nr variable. If they are equal, continue with the next instruction, which rejects the system call; otherwise skip one instruction and allow it with SECCOMP_RET_ALLOW.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)) - terminates the program with BPF_RET and returns SECCOMP_RET_ERRNO with the error number taken from the error variable.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW) - terminates the program with BPF_RET and lets the system call execute with SECCOMP_RET_ALLOW.

SECCOMP IS cBPF

You may be wondering why a list of instructions is used rather than a compiled ELF object or a JIT-compiled program.

There are two reasons for this.

• First, Seccomp uses cBPF (classic BPF), not eBPF. That means there are no general-purpose registers, only an accumulator that holds the result of the last computation, as seen in the example.

• Second, Seccomp accepts a pointer to an array of BPF instructions directly and nothing else. The macros we used merely help write those instructions in a programmer-friendly way.

If you need more help following this assembly, consider pseudocode that does the same thing:

if (arch != AUDIT_ARCH_X86_64) {
    return SECCOMP_RET_ALLOW;
}
if (nr == __NR_write) {
    return SECCOMP_RET_ERRNO;
}
return SECCOMP_RET_ALLOW;

After defining the filter code in the sock_filter array, you need to define a sock_fprog that holds the code and the computed length of the filter. This structure is the argument that declares the process's future behavior:

struct sock_fprog prog = {
   .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
   .filter = filter,
};

There is one thing left to do in install_filter: load the program itself! To do this we use prctl with PR_SET_SECCOMP as the option to enter secure computing mode. Then we tell it to load the filter with SECCOMP_MODE_FILTER, passing the prog variable of type sock_fprog:

  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
    perror("prctl(PR_SET_SECCOMP)");
    return 1;
  }
  return 0;
}

Finally, we can use our install_filter function, but before that we need prctl to set PR_SET_NO_NEW_PRIVS on the current process, which prevents child processes from gaining more privileges than their parent. This is what lets the prctl calls in install_filter succeed without root rights.

Now we can call install_filter. Let's block all write system calls for the x86-64 architecture and return a permission-denied error (EPERM) on every attempt. After installing the filter (and checking that it was installed), we execute the program given as the first argument:

int main(int argc, char const *argv[]) {
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("prctl(NO_NEW_PRIVS)");
    return 1;
  }
  if (install_filter(__NR_write, AUDIT_ARCH_X86_64, EPERM)) {
    return 1;
  }
  return system(argv[1]);
}

Let's run it. To compile our program we can use clang or gcc; either way it is just a matter of compiling main.c without any special options:

clang main.c -o filter-write

As noted, we blocked all writes in the program. To test this we need a program that prints something; ls is a good candidate. This is how it normally behaves:

ls -la
total 36
drwxr-xr-x 2 fntlnz users 4096 Apr 28 21:09 .
drwxr-xr-x 4 fntlnz users 4096 Apr 26 13:01 ..
-rwxr-xr-x 1 fntlnz users 16800 Apr 28 21:09 filter-write
-rw-r--r-- 1 fntlnz users 19 Apr 28 21:09 .gitignore
-rw-r--r-- 1 fntlnz users 1282 Apr 28 21:08 main.c

Now let's use our wrapper program. We simply pass the program we want to test as the first argument:

./filter-write "ls -la"

When executed, this produces no output at all. However, we can use strace to see what is going on:

strace -f ./filter-write "ls -la"

The output is heavily trimmed, but the relevant part shows that the writes are rejected with EPERM, the very error we configured. This is why the program prints nothing: it cannot use the write system call:

[pid 25099] write(2, "ls: ", 4) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "write error", 11) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "\n", 1) = -1 EPERM (Operation not permitted)
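An extension of the example above, added here and not part of the book: the filter matches on a system call argument (the file descriptor passed to write), rejects only that descriptor with EPERM, and kills the process on an architecture mismatch instead of allowing the call as the filter above does. Because args[] entries are 64-bit while cBPF loads 32-bit words, the descriptor is compared in two halves; for pointer and size arguments, which the kernel uses in full, checking only the low word is a known bypass. The filter is installed in a forked child so the parent stays unrestricted. SECCOMP_AUDIT_ARCH, build_write_fd_filter and probe_in_child are this example's own names; it assumes a little-endian x86_64 or aarch64 Linux host.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS   /* headers older than Linux 4.14 */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Low and high 32-bit halves of args[i]; offsets assume little-endian. */
#define ARG_LO(i) (offsetof(struct seccomp_data, args) + 8 * (i))
#define ARG_HI(i) (offsetof(struct seccomp_data, args) + 8 * (i) + 4)

#define FILTER_LEN 11

/* Fill prog[] (FILTER_LEN entries) with a filter that returns -EPERM for
   write(fd, ...) when fd == blocked_fd, allows every other system call, and
   kills the process if the call arrives through a foreign ABI. Returns the
   instruction count. Jump targets are pc + 1 + jt/jf. */
static unsigned short build_write_fd_filter(struct sock_filter *prog, int blocked_fd) {
    const struct sock_filter f[FILTER_LEN] = {
        /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 0, 8), /* else -> 10 */
        /* 2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 3 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 5),         /* else -> 9 */
        /* 4 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),
        /* 5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)blocked_fd, 0, 3), /* else -> 9 */
        /* 6 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_HI(0)),
        /* 7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),                  /* else -> 9 */
        /* 8 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 9 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* 10 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    memcpy(prog, f, sizeof(f));
    return FILTER_LEN;
}

static int install_write_fd_filter(int blocked_fd) {
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = build_write_fd_filter(prog, blocked_fd), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;  /* required unprivileged */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Install the filter in a forked child and report what the child saw: the
   errno of the write to the blocked fd (EPERM expected), 0 if it went through,
   or a negative value if setup failed or the child was killed. */
static int probe_in_child(void) {
    int allowed_fd = open("/dev/null", O_WRONLY);
    int blocked_fd = open("/dev/null", O_WRONLY);
    if (allowed_fd < 0 || blocked_fd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_write_fd_filter(blocked_fd)) _exit(101);
        if (write(allowed_fd, "ok", 2) != 2) _exit(102);    /* other fds untouched */
        errno = 0;
        if (write(blocked_fd, "x", 1) == -1) _exit(errno);  /* filter hit: EPERM */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    close(allowed_fd);
    close(blocked_fd);
    if (!WIFEXITED(status)) return -2;                      /* e.g. SIGSYS/killed */
    int code = WEXITSTATUS(status);
    return code > 100 ? -code : code;
}

int main(void) {
    int r = probe_in_child();
    printf("write to the blocked fd -> errno %d (%s)\n", r,
           r == EPERM ? "EPERM, filter works" : "unexpected");
    return r == EPERM ? 0 : 1;
}
```

Two design points carry over to any production filter: deciding the verdict for an unexpected arch first, with a kill rather than an allow, closes the door that a 32-bit or compat ABI would otherwise open, and compiling the fd into the filter at run time is what makes per-process, per-descriptor policy possible without rebuilding the binary.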

Now you understand how Seccomp BPF works and have a good idea of what you can do with it. But wouldn't you like to achieve the same thing with eBPF instead of cBPF, and use its full power?

When thinking about BPF programs, most people assume they simply write them and load them with administrator privileges. Although that is true, the kernel implements a set of mechanisms that protect eBPF objects at different levels. These mechanisms are called BPF LSM hooks.

BPF LSM hooks

To provide architecture-independent observation of system events, LSM implements the concept of hooks. Technically a hook call is similar to a system call, but it is system-independent and integrated with the infrastructure. LSM offers a new concept in which an abstraction layer helps avoid the problems encountered when dealing with system calls across different architectures.

At the time of writing, the kernel has seven hooks related to BPF programs, and SELinux is the only in-tree LSM that implements them.

The hook prototypes are in the kernel tree in the file include/linux/security.h:

extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
extern int security_bpf_prog(struct bpf_prog *prog);
extern int security_bpf_map_alloc(struct bpf_map *map);
extern void security_bpf_map_free(struct bpf_map *map);
extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
extern void security_bpf_prog_free(struct bpf_prog_aux *aux);

Each of them is called at a different stage of execution:

- security_bpf - performs the initial check on every executed BPF system call;

- security_bpf_map - checks when the kernel returns a file descriptor for a map;

- security_bpf_prog - checks when the kernel returns a file descriptor for a BPF program;

- security_bpf_map_alloc - checks when the security field inside a BPF map is initialized;

- security_bpf_map_free - checks when the security field inside a BPF map is cleaned up;

- security_bpf_prog_alloc - checks when the security field inside a BPF program is initialized;

- security_bpf_prog_free - checks when the security field inside a BPF program is cleaned up.

Seeing all this, we understand the idea behind the LSM BPF hooks: they can protect each eBPF object individually, ensuring that only callers with the appropriate privileges can perform operations on maps and programs.

Summary

Security is not something you can apply in a one-size-fits-all manner to everything you want to protect. It is important to be able to protect systems at different levels and in different ways. Believe it or not, the best way to secure a system is to stack different layers of protection from different vantage points, so that weakening one layer does not give access to the whole system. The kernel developers have done a great job of providing us with a set of different layers and touchpoints. We hope we have given you a good understanding of what those layers are and how to use BPF programs to work with them.

About the authors

David Calavera is CTO at Netlify. He worked on the Docker support team and contributed to the development of runc, Go and BCC tools, as well as other open source projects. He is known for his work on Docker projects and for developing the Docker plugin ecosystem. David is very interested in flame graphs and is always looking to improve performance.

Lorenzo Fontana works on the open source team at Sysdig, where he focuses mainly on Falco, a Cloud Native Computing Foundation project that provides container runtime security and anomaly detection via a kernel module and eBPF. He is passionate about distributed systems, software-defined networking, the Linux kernel and performance analysis.

» More details about the book are available on the publisher's website

For Khabr readers, a 25% discount using the coupon code Linux

When the paper version of the book is paid for, the e-book is sent by e-mail.

Source: www.habr.com