The book "Linux Observability with BPF"

Hello, Habr readers! The modern BPF virtual machine is one of the most important components of the Linux kernel. Using it correctly lets systems engineers find bugs and solve even the most difficult problems. You will learn how to create monitoring programs that modify kernel behaviour, how to safely load code to observe kernel events, and much more. David Calavera and Lorenzo Fontana will help you discover the power of BPF. Expand your knowledge of performance tuning, networking, and security. — Use BPF to monitor and modify the behaviour of the Linux kernel. — Load code to safely observe kernel events without recompiling the kernel or rebooting the system. — Use practical code examples in C, Go, or Python. — Take control by managing the lifecycle of a BPF program.

Linux kernel security, capabilities and Seccomp

BPF provides a powerful way to extend the kernel without sacrificing stability, security, or speed. For this reason, the kernel developers decided it would be a good idea to use its versatility to improve process isolation in Seccomp by implementing Seccomp filters backed by BPF programs, also known as Seccomp BPF. In this chapter we explain what Seccomp is and how it is used. Then you will learn how to write Seccomp filters using BPF programs. After that, we look at the built-in BPF hooks that the kernel makes available to Linux security modules.

Linux Security Modules (LSM) is a framework that provides a set of functions which can be used to implement different security models in a standardized way. An LSM can live directly in the kernel source tree, as AppArmor, SELinux and Tomoyo do.

Let's start by discussing Linux capabilities.

Capabilities

The essence of Linux capabilities is to grant an unprivileged process permission to perform a specific task without using suid for that purpose, or otherwise making the process privileged, which reduces the attack surface while still letting the process do the specific things it needs. For example, if your application needs to open a privileged port, say 80, instead of running the process as root you can simply grant it the CAP_NET_BIND_SERVICE capability.

Consider the following Go program, named main.go:

package main

import (
    "log"
    "net/http"
)

func main() {
    log.Fatalf("%v", http.ListenAndServe(":80", nil))
}

This program serves HTTP on port 80 (a privileged port). Normally we run it right after building it:

$ go build -o capabilities main.go
$ ./capabilities

However, since we have not granted root privileges, this code throws an error when binding the port:

2019/04/25 23:17:06 listen tcp :80: bind: permission denied
exit status 1

capsh (capability shell wrapper) is a tool that runs a shell with a specific set of capabilities.

In this case, as mentioned above, instead of granting full root rights you can allow the privileged bind by granting the cap_net_bind_service capability and nothing else the program did not already have. To do this we can wrap our program in a capsh call:

# capsh --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' \
    --keep=1 --user="nobody" \
    --addamb=cap_net_bind_service -- -c "./capabilities"

Let's break this command down a little.

  • capsh - use capsh as the shell wrapper.
  • --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' - since we need to change the user (we do not want to keep running as root), we specify cap_net_bind_service together with the capabilities needed to change the user ID from root to nobody, namely cap_setuid and cap_setgid.
  • --keep=1 - we want to keep the capabilities we set when switching away from the root account.
  • --user="nobody" - the final user running the program will be nobody.
  • --addamb=cap_net_bind_service - set the ambient capabilities that apply after switching away from root.
  • -c "./capabilities" - simply run the program.

Ambient capabilities are a special kind of capability that child programs inherit when the current program executes them with execve(). Only capabilities that are permitted to be ambient, or in other words those in the ambient set, can be inherited.

You may be wondering what +eip means after the capability in the --caps option. These flags are used to state that the capability:

- must be activated (p);

- is available for use (e);

- can be inherited by child processes (i).

Since we want to use cap_net_bind_service, we need to make it effective with the e flag. Then we start a shell with the command. This runs the capabilities binary, and we need it marked with the i flag. Finally, we want the capability to be permitted (we do this without changing the UID) using p. Together that gives cap_net_bind_service+eip.

You can check the result with ss. We trim the output a little so it fits the page, but it shows the bound port and a user ID other than 0, in this case 65534:

# ss -tulpn -e -H | cut -d' ' -f17-
128 *:80 *:*
users:(("capabilities",pid=30040,fd=3)) uid:65534 ino:11311579 sk:2c v6only:0

In this example we used capsh, but you can write the wrapper yourself with libcap. For more information, see man 3 libcap.
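After wrapping a process with capsh or libcap, a practitioner usually wants to confirm which capability sets the process actually ended up with. The kernel reports the inheritable, permitted, effective, bounding and ambient sets as hex bitmasks in /proc/<pid>/status, and the bit position is the capability number (CAP_NET_BIND_SERVICE is 10, as quoted from capability.h below). The following C program is an added example, not code from the book: it parses those lines, reports a capability in the same e/i/p notation that capsh uses, and checks the ambient set. The /proc field names and the sample status text are my own assumptions and a constructed input, respectively.

```c
/* Added example: decode capability sets from /proc/<pid>/status.
 * Assumes the Linux /proc layout (CapInh/CapPrm/CapEff/CapAmb lines, 16 hex
 * digits each) and capability numbers from include/uapi/linux/capability.h. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_NET_BIND_SERVICE_NR 10   /* #define CAP_NET_BIND_SERVICE 10 */

/* The sets that matter for the +eip discussion, plus the ambient set. */
struct cap_sets {
    uint64_t inheritable, permitted, effective, ambient;
};

/* Parse one "CapXxx:\t<hex>" line from a status buffer. Returns 1 on success. */
static int parse_cap_field(const char *status, const char *field, uint64_t *out) {
    const char *p = strstr(status, field);
    if (!p) return 0;
    p += strlen(field);
    while (*p == ' ' || *p == '\t') p++;
    return sscanf(p, "%" SCNx64, out) == 1;
}

/* Fill all four sets from a status buffer (constructed or read from /proc). */
static int parse_cap_sets(const char *status, struct cap_sets *cs) {
    return parse_cap_field(status, "CapInh:", &cs->inheritable)
        && parse_cap_field(status, "CapPrm:", &cs->permitted)
        && parse_cap_field(status, "CapEff:", &cs->effective)
        && parse_cap_field(status, "CapAmb:", &cs->ambient);
}

/* Is capability number `cap` present in the bitmask `set`? */
static int cap_in_set(uint64_t set, int cap) {
    return cap >= 0 && cap < 64 && ((set >> cap) & 1u) != 0;
}

/* Write the capsh-style letters ("eip", "ep", ... or "") for `cap` into buf. */
static void cap_flags(const struct cap_sets *cs, int cap, char buf[4]) {
    int n = 0;
    if (cap_in_set(cs->effective, cap))   buf[n++] = 'e';
    if (cap_in_set(cs->inheritable, cap)) buf[n++] = 'i';
    if (cap_in_set(cs->permitted, cap))   buf[n++] = 'p';
    buf[n] = '\0';
}

/* Read the live /proc/self/status of this process. Returns 0 on failure. */
static int read_self_cap_sets(struct cap_sets *cs) {
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_sets(buf, cs);
}

/* Constructed sample: what a process wrapped like the capsh example above
 * would report: only bit 10 (0x400) in every set, running as uid 65534. */
static const char SAMPLE_STATUS[] =
    "Name:\tcapabilities\n"
    "Uid:\t65534\t65534\t65534\t65534\n"
    "CapInh:\t0000000000000400\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000400\n";

/* Convenience: flags of `cap` in the constructed sample ("" if absent). */
static const char *sample_cap_flags(int cap) {
    static char flags[4];
    struct cap_sets cs;
    if (!parse_cap_sets(SAMPLE_STATUS, &cs)) return "?";
    cap_flags(&cs, cap, flags);
    return flags;
}

int main(void) {
    struct cap_sets cs;
    char flags[4];
    if (!read_self_cap_sets(&cs)) { perror("/proc/self/status"); return 1; }
    cap_flags(&cs, CAP_NET_BIND_SERVICE_NR, flags);
    printf("CAP_NET_BIND_SERVICE: %s\n", flags[0] ? flags : "(absent)");
    printf("ambient: %s\n",
           cap_in_set(cs.ambient, CAP_NET_BIND_SERVICE_NR) ? "yes" : "no");
    return 0;
}
```

Run it inside the capsh wrapper in place of ./capabilities and it should print "eip" for CAP_NET_BIND_SERVICE and "ambient: yes"; run it plainly as an unprivileged user and it prints "(absent)", which is the cheapest way to tell a misconfigured wrapper from a working one.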

When writing programs, the developer often does not know in advance every capability the program will need at runtime; moreover, those capabilities may change in new versions.

To understand our program's capabilities better, we can use the BCC tool capable, which sets a kprobe on the kernel function cap_capable:

/usr/share/bcc/tools/capable
TIME     UID PID   TID   COMM          CAP NAME                 AUDIT
10:12:53 0   424   424   systemd-udevd 12  CAP_NET_ADMIN        1
10:12:57 0   1103  1101  timesync      25  CAP_SYS_TIME         1
10:12:57 0   19545 19545 capabilities  10  CAP_NET_BIND_SERVICE 1

We can achieve the same with bpftrace and a one-liner kprobe on the kernel function cap_capable:

bpftrace -e \
  'kprobe:cap_capable {
     time("%H:%M:%S ");
     printf("%-6d %-6d %-16s %-4d %d\n", uid, pid, comm, arg2, arg3);
   }' \
  | grep -i capabilities

This prints something like the following if our capabilities program is started after the kprobe is in place:

12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 10 1

The fifth column is the capability the process requires. Since this output includes non-audit events, we see all the non-audit checks first and, at the end, the required capability with the audit flag (the last column) set to 1. The capability we are interested in is CAP_NET_BIND_SERVICE, defined as a constant in the kernel source in the file include/uapi/linux/capability.h with identifier 10:

/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */
#define CAP_NET_BIND_SERVICE 10

Capabilities are commonly used by container runtimes such as runC or Docker to run containers in unprivileged mode while granting only the capabilities most applications need. When an application needs specific capabilities, Docker can grant them with --cap-add:

docker run -it --rm --cap-add=NET_ADMIN ubuntu ip link add dummy0 type dummy

This command gives the container the CAP_NET_ADMIN capability, allowing it to configure the network subsystem and add the dummy0 interface.

The next section shows how to achieve the same kind of filtering as capabilities, but with a different technique that lets us implement our filters programmatically.

Seccomp

Seccomp stands for Secure Computing and is a security layer implemented in the Linux kernel that allows developers to filter specific system calls. Although Seccomp is comparable to Linux capabilities, its ability to act on specific system calls makes it far more flexible in comparison.

Seccomp and Linux capabilities are not mutually exclusive; they are often used together to take advantage of both approaches. For example, you may want to give a process the CAP_NET_ADMIN capability but prevent it from accepting socket connections by blocking the accept and accept4 system calls.

The Seccomp filtering method is based on BPF filters operating in SECCOMP_MODE_FILTER mode, and system call filtering is performed the same way as it is for packets.

Seccomp filters are loaded with prctl using the PR_SET_SECCOMP operation. These filters take the form of a BPF program that is executed for every Seccomp packet, represented by the seccomp_data structure. This structure contains the reference architecture, the process's instruction pointer at the time of the system call, and up to six system call arguments expressed as uint64.

Here is what the seccomp_data structure looks like in the kernel source, in the file linux/seccomp.h:

struct seccomp_data {
    int nr;
    __u32 arch;
    __u64 instruction_pointer;
    __u64 args[6];
};

As you can see from this structure, we can filter by system call, by its arguments, or by both.

After receiving each Seccomp packet, the filter must process it to reach a final decision and tell the kernel what to do next. The final decision is expressed as one of the following return values (return codes).

- SECCOMP_RET_KILL_PROCESS - kills the entire process immediately after filtering a system call, which is therefore not executed.

- SECCOMP_RET_KILL_THREAD - terminates the current thread immediately after filtering a system call, which is therefore not executed.

- SECCOMP_RET_KILL - a synonym for SECCOMP_RET_KILL_THREAD, kept for backward compatibility.

- SECCOMP_RET_TRAP - the system call is forbidden, and SIGSYS (Bad System Call) is sent to the calling task.

- SECCOMP_RET_ERRNO - the system call is not executed, and the SECCOMP_RET_DATA part of the filter's return value is passed to user space as the errno value. Depending on the cause of the error, different errno values are returned. A list of error numbers is given in the next section.

- SECCOMP_RET_TRACE - used to notify a ptrace tracer, via PTRACE_O_TRACESECCOMP, to intercept the system call when it is executed in order to observe and control that process. If no tracer is attached, an error is returned, errno is set to -ENOSYS, and the system call is not executed.

- SECCOMP_RET_LOG - the system call is allowed and logged.

- SECCOMP_RET_ALLOW - the system call is simply allowed.

ptrace is a system call for implementing tracing mechanisms on a process, called the tracee, with the ability to observe and control the execution of that process. The tracing program can effectively influence execution and modify the tracee's memory and registers. In the context of Seccomp, ptrace is used when the SECCOMP_RET_TRACE status code is triggered, so the tracer can prevent the system call from executing and run its own logic instead.

Seccomp errors

From time to time, when working with Seccomp, you will run into various errors, which are identified by a return value of type SECCOMP_RET_ERRNO. To report an error, the seccomp system call returns -1 instead of 0.

The following errors are possible:

- EACCES - the caller is not allowed to make the system call. This usually happens because it lacks the CAP_SYS_ADMIN privilege or no_new_privs has not been set with prctl (more on this below);

- EFAULT - the passed arguments (args in the seccomp_data structure) do not have a valid address;

- EINVAL - there can be four reasons here:

  - the requested operation is unknown or not supported by the kernel in its current configuration;

  - the specified flags are not valid for the requested operation;

  - the operation includes BPF_ABS, but there is a problem with the specified offset, which may exceed the size of the seccomp_data structure;

  - the number of instructions passed to the filter exceeds the maximum;

- ENOMEM - not enough memory to execute the program;

- EOPNOTSUPP - the operation specified that SECCOMP_GET_ACTION_AVAIL was the action, but the kernel does not support returning in the arguments;

- ESRCH - a problem occurred while synchronizing another thread;

- ENOSYS - no tracer is attached for the SECCOMP_RET_TRACE action.

prctl is a system call that allows a user-space program to manipulate (set and get) specific aspects of the process, such as byte endianness, thread names, secure computing mode (Seccomp), privileges, Perf events, and so on.

Seccomp may look like a sandboxing technology to you, but it is not. Seccomp is a utility that lets users build a sandboxing mechanism. Now let's look at how user-space programs are written with a filter invoked directly by the Seccomp system call.

Example of a Seccomp BPF filter

Here we show how to combine the two actions discussed earlier, namely:

- write a Seccomp BPF program that is used as a filter, with different return codes depending on the decisions it makes;

- load the filter using prctl.

First, we need headers from the standard library and from the Linux kernel:

#include <errno.h>
#include <linux/audit.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>

Before trying this example, we need to make sure the kernel was built with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER set to y. On a running machine you can check this as follows:

cat /proc/config.gz | zcat | grep -i CONFIG_SECCOMP

The rest of the code is the install_filter function, in two parts. The first part contains our list of BPF filter instructions:

static int install_filter(int nr, int arch, int error) {
  struct sock_filter filter[] = {
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3),
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
  };

The instructions are written with the BPF_STMT and BPF_JUMP macros defined in the file linux/filter.h. Let's walk through the instructions.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))) - loads (BPF_LD) into the accumulator a word (BPF_W) of packet data located at a fixed offset (BPF_ABS); here, the architecture field.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3) - checks with BPF_JEQ whether the architecture value in the accumulator equals the constant (BPF_K) arch. If so, it jumps with offset 0, i.e. to the next instruction; otherwise it jumps with offset 3 (in this case) to the instruction that allows the call, because the architecture does not match.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))) - loads (BPF_LD) into the accumulator a word (BPF_W) from a fixed offset (BPF_ABS): the system call number.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1) - compares the system call number with the value of the nr variable. If they are equal, it proceeds to the next instruction and blocks the system call; otherwise it allows the system call with SECCOMP_RET_ALLOW.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)) - terminates the program with BPF_RET and returns SECCOMP_RET_ERRNO, with the error number taken from the error variable.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW) - terminates the program with BPF_RET and allows the system call to execute with SECCOMP_RET_ALLOW.

SECCOMP IS cBPF
You may wonder why a list of instructions is used instead of a compiled ELF object or a JIT-compiled C program.

There are two reasons for this.

First, Seccomp uses cBPF (classic BPF) rather than eBPF, which means it has no registers, only an accumulator that stores the result of the last computation, as you can see in the example.

Second, Seccomp accepts a pointer to an array of BPF instructions directly and nothing else. The macros we used simply help us write the instructions in a programmer-friendly way.

If you need more help understanding this assembly, consider the following pseudocode, which does the same thing:

if (arch != AUDIT_ARCH_X86_64) {
    return SECCOMP_RET_ALLOW;
}
if (nr == __NR_write) {
    return SECCOMP_RET_ERRNO;
}
return SECCOMP_RET_ALLOW;

After defining the filter array of sock_filter structures, you need to define a sock_fprog containing the code and the computed length of the filter. This data structure is needed as the argument that declares the process to be run later:

struct sock_fprog prog = {
   .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
   .filter = filter,
};

One thing remains to be done in the install_filter function: loading the program itself! To do this we use prctl, passing PR_SET_SECCOMP as the option to enter secure computing mode. Then we tell it to load the filter with SECCOMP_MODE_FILTER, which is held in the prog variable of type sock_fprog:

  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
    perror("prctl(PR_SET_SECCOMP)");
    return 1;
  }
  return 0;
}

Finally, we can use our install_filter function, but first we need to call prctl to set PR_SET_NO_NEW_PRIVS on the current execution, to avoid the situation where child processes obtain more privileges than their parents. This lets us make the subsequent prctl calls in the install_filter function without root rights.

Now we can call the install_filter function. Let's block all write system calls for the X86-64 architecture and simply refuse every attempt with a permission error. After installing the filter, we continue execution with the command passed as the first argument:

int main(int argc, char const *argv[]) {
  if (argc < 2) {
    fprintf(stderr, "usage: %s \"<command>\"\n", argv[0]);
    return 1;
  }
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("prctl(NO_NEW_PRIVS)");
    return 1;
  }
  if (install_filter(__NR_write, AUDIT_ARCH_X86_64, EPERM)) {
    return 1;
  }
  return system(argv[1]);
}

Let's run it. To compile our program we can use clang or gcc; either way, it is just the main.c file compiled without special options:

clang main.c -o filter-write

As mentioned, we have blocked all writes in the program. To test this we need a program that produces output; ls looks like a good candidate. This is how it normally behaves:

ls -la
total 36
drwxr-xr-x 2 fntlnz users 4096 Apr 28 21:09 .
drwxr-xr-x 4 fntlnz users 4096 Apr 26 13:01 ..
-rwxr-xr-x 1 fntlnz users 16800 Apr 28 21:09 filter-write
-rw-r--r-- 1 fntlnz users 19 Apr 28 21:09 .gitignore
-rw-r--r-- 1 fntlnz users 1282 Apr 28 21:08 main.c

Great! Here is what using our wrapper program looks like: we simply pass the program we want to test as the first argument:

./filter-write "ls -la"

When executed, this program produces completely empty output. However, we can use strace to see what is going on:

strace -f ./filter-write "ls -la"

The output is greatly shortened, but the relevant part shows that the writes were blocked with the EPERM error, the same one we configured. This means the program produces no output because it cannot use the write system call:

[pid 25099] write(2, "ls: ", 4) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "write error", 11) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "\n", 1) = -1 EPERM (Operation not permitted)
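The instruction walkthrough above describes how the kernel evaluates the filter (one accumulator, loads at fixed offsets into seccomp_data, conditional jumps with true/false offsets), but the only way to observe it on the page is to install the filter and strace the result. The following C program is an added example, not code from the book: it contains a small user-space evaluator for exactly the three cBPF instruction forms the filter uses, so you can run a sock_filter array against constructed seccomp_data values and see the return code before loading it with prctl. It also extends the book's filter with an argument check on args[0], so write() is refused only on a chosen file descriptor (stderr here). The evaluator, the build_filter/verdict helpers and the fd check are my own additions; the macros and constants come from the Linux headers, and main installs the filter for real, which only works on an x86-64 Linux kernel with CONFIG_SECCOMP_FILTER.

```c
/* Added example: evaluate a Seccomp cBPF filter in user space, then install it.
 * Assumes Linux headers, x86-64 (AUDIT_ARCH_X86_64, __NR_write) and a
 * little-endian host so BPF_W at offsetof(args[0]) reads the low 32 bits. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define FILTER_LEN 8

/* Refuse syscall `nr` with errno `error` when its first argument equals `fd`;
 * every other call, and every other architecture, is allowed. */
static void build_filter(struct sock_filter out[FILTER_LEN],
                         int nr, unsigned arch, int fd, int error) {
    struct sock_filter f[FILTER_LEN] = {
        /* A = arch ; if (A != arch) goto ALLOW (index 7) */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 5),
        /* A = nr ; if (A != nr) goto ALLOW */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (unsigned)nr, 0, 3),
        /* A = low word of args[0] ; if (A != fd) goto ALLOW */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, (unsigned)fd, 0, 1),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),   /* ALLOW: */
    };
    memcpy(out, f, sizeof f);
}

/* Minimal cBPF interpreter for the instruction subset used above. Returns the
 * filter's verdict, or (uint32_t)-1 for anything it does not understand or a
 * filter that falls off the end (the kernel rejects such filters at load). */
static uint32_t run_filter(const struct sock_filter *f, size_t len,
                           const struct seccomp_data *d) {
    const unsigned char *mem = (const unsigned char *)d;  /* the "packet" */
    uint32_t A = 0;                                       /* the accumulator */
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &f[pc];
        switch (ins->code) {
        case BPF_LD + BPF_W + BPF_ABS:
            if (ins->k + 4 > sizeof *d) return (uint32_t)-1;
            memcpy(&A, mem + ins->k, 4);      /* seccomp data is native order */
            break;
        case BPF_JMP + BPF_JEQ + BPF_K:
            pc += (A == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET + BPF_K:
            return ins->k;
        default:
            return (uint32_t)-1;
        }
    }
    return (uint32_t)-1;
}

/* Verdict of the "refuse write(2, ...) with EPERM on x86-64" filter for one
 * constructed system call (arch, syscall number, first argument). */
static uint32_t verdict(unsigned arch, int nr, uint64_t first_arg) {
    struct sock_filter f[FILTER_LEN];
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.arch = arch;
    d.nr = nr;
    d.args[0] = first_arg;
    build_filter(f, __NR_write, AUDIT_ARCH_X86_64, STDERR_FILENO, EPERM);
    return run_filter(f, FILTER_LEN, &d);
}

int main(void) {
    struct sock_filter f[FILTER_LEN];
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = f };
    build_filter(f, __NR_write, AUDIT_ARCH_X86_64, STDERR_FILENO, EPERM);
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { perror("prctl(NO_NEW_PRIVS)"); return 1; }
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { perror("prctl(PR_SET_SECCOMP)"); return 1; }
    printf("write to stdout is still allowed\n");
    if (write(STDERR_FILENO, "x\n", 2) < 0 && errno == EPERM)
        printf("write to stderr refused with EPERM, as the filter says\n");
    return 0;
}
```

Running verdict() against a few constructed calls before installing a filter is a cheap regression test for jump offsets: an off-by-one in a jf field silently turns a deny into an allow (or vice versa), and strace on a real process is a slow way to find that.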

Now you understand how Seccomp BPF works and have a good idea of what you can do with it. But wouldn't you like to achieve the same with eBPF instead of cBPF, to take advantage of its full power?

When thinking about eBPF programs, most people assume they are simply written and loaded with administrator privileges. Although this statement is generally true, the kernel implements a set of mechanisms to protect eBPF objects at different levels. These mechanisms are called BPF LSM hooks.

BPF LSM hooks

To provide architecture-independent monitoring of system events, LSM implements the concept of hooks. A hook call is technically similar to a system call, but it is system-independent and integrated into the infrastructure. LSM offers a new concept in which the abstraction layer helps avoid the problems encountered when dealing with system calls on different architectures.

At the time of writing, the kernel had seven hooks related to BPF programs, and SELinux was the only built-in LSM implementing them.

The hooks' source code is in the kernel tree, in the file include/linux/security.h:

extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
extern int security_bpf_prog(struct bpf_prog *prog);
extern int security_bpf_map_alloc(struct bpf_map *map);
extern void security_bpf_map_free(struct bpf_map *map);
extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
extern void security_bpf_prog_free(struct bpf_prog_aux *aux);

Each of them is called at a different stage of execution:

- security_bpf - performs the initial check on executed BPF system calls;

- security_bpf_map - checks when the kernel returns a file descriptor for a map;

- security_bpf_prog - checks when the kernel returns a file descriptor for an eBPF program;

- security_bpf_map_alloc - checks that the security field inside BPF maps is initialized;

- security_bpf_map_free - checks that the security field inside BPF maps is cleaned up;

- security_bpf_prog_alloc - checks that the security field inside BPF programs is initialized;

- security_bpf_prog_free - checks that the security field inside BPF programs is cleaned up.

Having seen all this, we now understand the idea behind the LSM BPF hooks: they provide protection for every eBPF object, ensuring that only callers with the appropriate privileges can perform operations on maps and programs.

Summary

Security is not something you can apply in a one-size-fits-all way to everything you want to protect. It is important to be able to protect systems at different levels and in different ways. Believe it or not, the best way to secure a system is to arrange different levels of protection from different positions, so that a lapse in security at one level does not grant access to the whole system. The kernel developers have done a great job of providing us with different layers and touch points. We hope we have given you a good understanding of what those layers are and how to use BPF programs to work with them.

About the authors

David Calavera is the CTO of Netlify. He worked on Docker support and contributed to the development of Runc, Go and BCC tools, as well as other open source projects. He is known for his work on the Docker projects and for developing the Docker plugin ecosystem. David is very fond of flame graphs and is always looking to improve performance.

Lorenzo Fontana works on the open source team at Sysdig, where he focuses mostly on Falco, a Cloud Native Computing Foundation project that provides container runtime security and anomaly detection through a kernel module and eBPF. He is passionate about distributed systems, software-defined networking, the Linux kernel and performance analysis.

» More details about the book can be found on the publisher's website


Source: www.habr.com
