Seccomp in Kubernetes: 7 things you need to know from the very beginning

Translator's note: We present a translation of an article by a senior application security engineer at the British company ASOS.com. With it, he begins a series of publications devoted to improving Kubernetes security with seccomp. If readers like the introduction, we will follow the author and continue with his future posts on this topic.

This article is the first in a series on how to create seccomp profiles in the spirit of SecDevOps, without resorting to magic and witchcraft. In Part 1, I cover the basics and the internal details of the seccomp implementation in Kubernetes.

The Kubernetes ecosystem offers a wide variety of ways to secure and isolate containers. This article is about Secure Computing Mode, also known as seccomp. Its essence is to filter the system calls that containers are able to execute.

Why does it matter? A container is just a process running on a particular machine, and it uses the kernel like any other application. If containers could make any system call, malware would very soon take advantage of this to bypass container isolation and affect other applications: intercept information, change system settings, and so on.

seccomp profiles define which system calls should be allowed or blocked. The container runtime activates them when it starts, so that the kernel can monitor their execution. Using such profiles lets you limit the attack vector and reduce the damage if any program inside the container (that is, your dependencies, or their dependencies) starts doing something it is not allowed to do.

Getting to the basics

A basic seccomp profile consists of three elements: defaultAction, architectures (or archMap) and syscalls:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "sched_yield",
                "futex",
                "write",
                "mmap",
                "exit_group",
                "madvise",
                "rt_sigprocmask",
                "getpid",
                "gettid",
                "tgkill",
                "rt_sigaction",
                "read",
                "getpgrp"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(medium-basic-seccomp.json)

defaultAction determines the default fate of any system call that is not listed in the syscalls section. To keep things simple, let's focus on the two main values that will be used:

  • SCMP_ACT_ERRNO - blocks execution of the system call,
  • SCMP_ACT_ALLOW - allows it.

The architectures section lists the target architectures. This is important because the filter itself, applied at the kernel level, depends on system call identifiers, not on the names written in the profile. The container runtime matches the names to identifiers before use. The point is that system calls can have different identifiers depending on the system architecture. For example, the recvfrom system call (used to receive information from a socket) has ID = 64 on x64 systems and ID = 517 on x86. A list of all system calls for the x86-x64 architectures can be found here.

The syscalls section lists all system calls and specifies what to do with them. For example, you can build a whitelist by setting defaultAction to SCMP_ACT_ERRNO and assigning SCMP_ACT_ALLOW to the calls in the syscalls section. That way you allow only the calls listed in the syscalls section and deny all others. For a blacklist, swap the defaultAction value and the actions for their opposites.

Now a few words about nuances that are not so obvious. Please note that the recommendations below assume that you are deploying a line of business applications on Kubernetes and want them to run with the least privileges possible.

1. AllowPrivilegeEscalation=false

The container's securityContext has an AllowPrivilegeEscalation parameter. If it is set to false, containers start with the no_new_privs bit set (on). The meaning of this parameter is clear from its name: it prevents the container from starting new processes with more privileges than it has itself.

A side effect of this option being set to true (the default) is that the container runtime applies the seccomp profile at the very beginning of the startup process. As a result, all system calls needed to run the runtime's internal processes (for example, setting user/group IDs, dropping certain capabilities) must be allowed in the profile.

For a container that does nothing more than echo hi, the following permissions are needed:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "brk",
                "capget",
                "capset",
                "chdir",
                "close",
                "execve",
                "exit_group",
                "fstat",
                "fstatfs",
                "futex",
                "getdents64",
                "getppid",
                "lstat",
                "mprotect",
                "nanosleep",
                "newfstatat",
                "openat",
                "prctl",
                "read",
                "rt_sigaction",
                "statfs",
                "setgid",
                "setgroups",
                "setuid",
                "stat",
                "uname",
                "write"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(hi-pod-seccomp.json)

...instead of these:

{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "brk",
                "close",
                "execve",
                "exit_group",
                "futex",
                "mprotect",
                "nanosleep",
                "stat",
                "write"
            ],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}

(hi-container-seccomp.json)

But again, why is this a problem? Personally, I would avoid whitelisting the following system calls (unless there is a real need for them): capset, set_tid_address, setgid, setgroups and setuid. However, the real challenge is that by allowing processes you have absolutely no control over, you tie your profiles to the container runtime implementation. In other words, one day you may find that after an update of the container runtime (by you or, more likely, by the cloud service provider), containers suddenly stop running.

Tip #1: Run containers with AllowPrivilegeEscalation=false. This reduces the size of seccomp profiles and makes them less sensitive to changes in the container runtime.

2. Setting seccomp profiles at the container level

A seccomp profile can be set at the pod level:

annotations:
  seccomp.security.alpha.kubernetes.io/pod: "localhost/profile.json"

...or at the container level:

annotations:
  container.seccomp.security.alpha.kubernetes.io/<container-name>: "localhost/profile.json"

Please note that the syntax above will change when Kubernetes seccomp becomes GA (this is expected in the next Kubernetes release, 1.18 - translator's note).

Few people know that Kubernetes has always had a bug that caused seccomp profiles to be applied to the pause container. The runtime partially compensates for this flaw, but this container does not disappear from pods, since it is used to set up their infrastructure.

The problem is that this container always starts with AllowPrivilegeEscalation=true, which leads to the problems described in section 1, and this cannot be changed.

By using seccomp profiles at the container level, you avoid this pitfall and can create a profile tailored to a specific container. This will have to be done until the developers fix the bug and a new version (maybe 1.18?) becomes available to everyone.

Tip #2: Set seccomp profiles at the container level.

In a practical sense, this rule usually serves as the universal answer to the question: "Why does my seccomp profile work with docker run but not after deploying to a Kubernetes cluster?"

3. Use runtime/default only as a last resort

Kubernetes has two options for built-in profiles: runtime/default and docker/default. Both are implemented by the container runtime, not by Kubernetes. Therefore, they may differ depending on the runtime used and its version.

In other words, as a result of a change of runtime, the container may get access to a different set of system calls, which it may or may not use. Most runtimes use the Docker implementation. If you want to use this profile, please make sure it suits you.

The docker/default profile has been deprecated since Kubernetes 1.11, so avoid using it.

In my opinion, the runtime/default profile is perfectly suited to the purpose for which it was created: protecting users from the risks associated with running the docker run command on their machines. However, when it comes to business applications running in Kubernetes clusters, I would dare to argue that such a profile is too open and that developers should focus on creating profiles for their applications (or types of applications).

Tip #3: Create seccomp profiles for specific applications. If this is not possible, create profiles for application types, for example, an advanced profile that includes all the web APIs of a Golang application. Use runtime/default only as a last resort.

In future posts, I will cover how to create seccomp profiles in the spirit of SecDevOps, automate them, and test them in pipelines. In other words, you will have no excuse not to upgrade to application-specific profiles.

4. Unconfined is NOT an option.

The first Kubernetes security audit found that seccomp is disabled by default. This means that if you do not set a PodSecurityPolicy that enables it in the cluster, all pods for which no seccomp profile is defined will run with seccomp=unconfined.

Running in this mode means that a whole layer of isolation protecting the cluster is lost. Security experts do not recommend this approach.

Tip #4: No container in the cluster should run with seccomp=unconfined, especially in production environments.
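
A check for Tips #2 and #4, as an added example that is not part of the original article: it resolves which seccomp profile each container of a pod manifest ends up with under the alpha annotations from section 2, and reports the points raised in sections 1 to 4. It assumes no PodSecurityPolicy supplies a default profile; the manifest is constructed sample data, and `allowPrivilegeEscalation` is the field name as it is spelled in a manifest.

```python
# Added example: effective seccomp profile per container, resolved from the
# alpha annotations. Assumption: no PodSecurityPolicy sets a default profile.
POD_KEY = "seccomp.security.alpha.kubernetes.io/pod"
CONTAINER_PREFIX = "container.seccomp.security.alpha.kubernetes.io/"


def effective_profiles(pod):
    """Map container name -> profile; a container annotation wins over the pod one."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    pod_profile = annotations.get(POD_KEY)
    result = {}
    for c in pod["spec"]["containers"]:
        profile = annotations.get(CONTAINER_PREFIX + c["name"], pod_profile)
        result[c["name"]] = profile or "unconfined"
    return result


def findings(pod):
    """Return (container, issue) pairs for the points made in sections 1 to 4."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    issues = []
    if POD_KEY in annotations:
        issues.append(("<pod>", "pod-level profile is also applied to the pause container"))
    profiles = effective_profiles(pod)
    for c in pod["spec"]["containers"]:
        name, profile = c["name"], profiles[c["name"]]
        if profile == "unconfined":
            issues.append((name, "runs with seccomp=unconfined"))
        elif profile in ("runtime/default", "docker/default"):
            issues.append((name, "uses built-in profile " + profile))
        security_context = c.get("securityContext") or {}
        # A missing value is treated as true, the default described in section 1.
        if security_context.get("allowPrivilegeEscalation", True):
            issues.append((name, "allowPrivilegeEscalation is not false"))
    return issues


# Constructed sample manifest (as parsed YAML), not taken from the article.
SAMPLE_POD = {
    "metadata": {"annotations": {CONTAINER_PREFIX + "api": "localhost/profile.json"}},
    "spec": {"containers": [
        {"name": "api", "securityContext": {"allowPrivilegeEscalation": False}},
        {"name": "sidecar"},
    ]},
}

if __name__ == "__main__":
    for container, issue in findings(SAMPLE_POD):
        print(container, "-", issue)
```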

5. "Audit mode"

This point is not specific to Kubernetes, but it still falls into the category of "things to know before you start".

As it happens, creating seccomp profiles has always been challenging and relies heavily on trial and error. The fact is that users simply do not have the opportunity to test them in production environments without risking "dropping" the application.

Since the release of Linux kernel 4.14, it has been possible to run parts of a profile in audit mode, recording information about all system calls in syslog but without blocking them. You can activate this mode using the SCMP_ACT_LOG parameter:

SCMP_ACT_LOG: seccomp will not affect the thread making the system call if it does not match any rule in the filter, but information about the system call will be logged.

Here is a typical strategy for using this feature:

  1. Allow the system calls that are needed.
  2. Block the system calls that you know will not be useful.
  3. Record information about all other calls in the log.

A simplified example looks like this:

{
    "defaultAction": "SCMP_ACT_LOG",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "names": [
                "arch_prctl",
                "sched_yield",
                "futex",
                "write",
                "mmap",
                "exit_group",
                "madvise",
                "rt_sigprocmask",
                "getpid",
                "gettid",
                "tgkill",
                "rt_sigaction",
                "read",
                "getpgrp"
            ],
            "action": "SCMP_ACT_ALLOW"
        },
        {
            "names": [
                "add_key",
                "keyctl",
                "ptrace"
            ],
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}

(medium-seccomp.json)

But remember that you need to block all calls that you know will not be used and that could potentially harm the cluster. A good basis for compiling the list is the official Docker documentation. It explains in detail which system calls are blocked in the default profile and why.

However, there is one catch. Although SCMP_ACT_LOG has been supported by the Linux kernel since the end of 2017, it entered the Kubernetes ecosystem only recently. Therefore, to use this method you will need Linux kernel 4.14 and a runC version no lower than v1.0.0-rc9.

Tip #5: An audit mode profile for testing in production can be created by combining black and white lists, with all exceptions being logged.
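
Step 3 of the strategy above, as an added example that is not part of the original article: it reads the kernel's seccomp audit records (type 1326) and counts the system calls that hit the LOG action, so they can be reviewed before being whitelisted or blocked. The log lines are constructed and abbreviated, the x86_64 number-to-name table is deliberately partial, and `0x7ffc0000` is the kernel's SECCOMP_RET_LOG value.

```python
import re
from collections import Counter

SECCOMP_RET_LOG = 0x7FFC0000    # action code the kernel records for SCMP_ACT_LOG
AUDIT_ARCH_X86_64 = 0xC000003E  # arch= value for x86_64 in audit records
# Partial x86_64 number-to-name table, enough for the sample (assumption:
# build the full table from the kernel headers for real use).
X86_64_NAMES = {41: "socket", 42: "connect", 101: "ptrace", 257: "openat"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def logged_syscalls(lines, comm=None):
    """Count syscalls that hit the LOG action, optionally for one process name."""
    seen = Counter()
    for line in lines:
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") not in ("1326", "SECCOMP"):
            continue  # not a seccomp audit record
        try:
            code = int(fields["code"], 16)
            arch = int(fields["arch"], 16)
            number = int(fields["syscall"])
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        if code != SECCOMP_RET_LOG or arch != AUDIT_ARCH_X86_64:
            continue  # blocked calls and other ABIs need separate handling
        if comm is not None and fields.get("comm") != comm:
            continue
        seen[X86_64_NAMES.get(number, "syscall_%d" % number)] += 1
    return seen


# Constructed syslog lines in the kernel's audit format (not real output).
_REC = ('kernel: audit: type=1326 audit(1570000000.{0}:{0}): pid={1} comm="{2}" '
        'exe="/app/{2}" sig=0 arch=c000003e syscall={3} compat=0 ip=0x46a1f0 code={4}')
SAMPLE_LOG = [
    _REC.format(101, 9331, "api", 41, "0x7ffc0000"),
    _REC.format(102, 9331, "api", 41, "0x7ffc0000"),
    _REC.format(103, 9331, "api", 257, "0x7ffc0000"),
    _REC.format(104, 9331, "api", 318, "0x7ffc0000"),   # number missing from the table
    _REC.format(105, 9331, "api", 101, "0x00050001"),   # ERRNO action, not LOG
    _REC.format(106, 9400, "sh", 42, "0x7ffc0000"),
    "kernel: eth0: link up",
    'kernel: audit: type=1326 audit(1570000000.107:107): pid=9331 comm="api" syscall=',
]

if __name__ == "__main__":
    for name, count in sorted(logged_syscalls(SAMPLE_LOG, comm="api").items()):
        print(name, count)
```

Numbers that are missing from the table are reported as `syscall_<number>` rather than dropped, so an incomplete table never hides a call.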

6. Use whitelists

Whitelisting requires extra effort, because you have to identify every call the application might need, but this approach greatly improves security:

It is highly recommended to use the whitelist approach, as it is simpler and more reliable. A blacklist needs to be updated whenever a potentially dangerous system call (or a dangerous flag/option, if it is on the blacklist) is added. In addition, it is often possible to change the representation of a parameter without changing its meaning and thereby bypass the restrictions of the blacklist.

For Go applications, I have developed a special tool that accompanies the application and collects all the calls made during execution. For example, for the following application:

package main

import "fmt"

func main() {
	fmt.Println("test")
}

... let's run gosystract like this:

go install github.com/pjbgf/gosystract@latest
gosystract --template='{{- range . }}{{printf "\"%s\",\n" .Name}}{{- end}}' application-path

... and we get the following result:

"sched_yield",
"futex",
"write",
"mmap",
"exit_group",
"madvise",
"rt_sigprocmask",
"getpid",
"gettid",
"tgkill",
"rt_sigaction",
"read",
"getpgrp",
"arch_prctl",

For now this is just an example; more details about the tool will follow.

Tip #6: Allow only the calls you really need and block all others.

7. Lay the right foundations (or prepare for unexpected behaviour)

The kernel will enforce the profile regardless of what you write in it, even if it is not what you wanted. For example, if you block access to calls such as exit or exit_group, the container will not be able to shut down properly, and even a simple command like echo hi will hang indefinitely. As a result, you will get high CPU usage in the cluster.

In such cases, the strace utility can come to the rescue; it will show what the problem might be:

sudo strace -c -p 9331

Make sure that profiles contain all the system calls the application needs at runtime.

Tip #7: Pay attention to detail and make sure that all the necessary system calls are whitelisted.
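
A pre-deployment check for Tips #6 and #7, as an added example that is not part of the original article: it resolves what a profile does with each system call an application was observed to make (input in the gosystract output format from section 6) and reports calls that would not be allowed, including a missing exit_group. The first-matching-rule lookup is a simplification that ignores argument filters, and the profile below is constructed.

```python
import json

ALLOW = "SCMP_ACT_ALLOW"
# Calls the article's author avoids whitelisting unless really needed (section 1).
AVOID = {"capset", "set_tid_address", "setgid", "setgroups", "setuid"}


def resolve(profile, syscall):
    """Action for a syscall name: the first rule that names it, else defaultAction.
    Simplification: argument filters ("args") are ignored."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def parse_trace(text):
    """Parse gosystract-style output: one quoted name followed by a comma per line."""
    return [line.strip().strip('",') for line in text.splitlines() if line.strip()]


def check(profile, traced):
    """Report traced calls the profile would not allow and avoidable calls it allows."""
    allowed = {n for r in profile.get("syscalls", [])
               if r["action"] == ALLOW for n in r.get("names", [])}
    return {
        "default_allows": profile["defaultAction"] == ALLOW,
        "not_allowed": [(s, resolve(profile, s)) for s in traced
                        if resolve(profile, s) != ALLOW],
        "avoidable": sorted(allowed & AVOID),
        "can_exit": resolve(profile, "exit_group") == ALLOW,
    }


# Constructed profile: exit_group and tgkill are missing, setuid is allowed.
PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [{"action": "SCMP_ACT_ALLOW", "names": [
    "arch_prctl", "sched_yield", "futex", "write", "mmap", "madvise",
    "rt_sigprocmask", "getpid", "gettid", "rt_sigaction", "read", "getpgrp",
    "setuid"]}]
}""")
# The gosystract output shown in section 6, rebuilt in its printed format.
TRACE = "".join('"%s",\n' % n for n in (
    "sched_yield futex write mmap exit_group madvise rt_sigprocmask getpid "
    "gettid tgkill rt_sigaction read getpgrp arch_prctl").split())

if __name__ == "__main__":
    print(check(PROFILE, parse_trace(TRACE)))
```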

This concludes the first part of a series of articles on using seccomp in Kubernetes in the spirit of SecDevOps. In the following parts, we will talk about why this is important and how to automate the process.

Source: www.habr.com