Book "BPF for Linux Monitoring"

Hello, Khabr readers! The BPF virtual machine is one of the most important components of the Linux kernel. Used properly, it lets systems engineers find faults and solve the most complex problems. You will learn to write programs that monitor and modify kernel behaviour, how to safely inject code to inspect events in the kernel, and much more. David Calavera and Lorenzo Fontana will help you unlock the power of BPF. Expand your knowledge of performance optimisation, networking and security.

- Use BPF to monitor and modify the behaviour of the Linux kernel.
- Inject code to inspect kernel events safely, without recompiling the kernel or rebooting the system.
- Use simple code examples in C, Go or Python.
- Take control by owning the BPF program lifecycle.

Linux Kernel Security, Capabilities and Seccomp

BPF provides a powerful way to extend the kernel without sacrificing stability, safety or speed. For this reason, the kernel developers decided it would be a good idea to use its versatility to improve process isolation in Seccomp by implementing Seccomp filters backed by BPF programs, also known as Seccomp BPF. In this chapter we explain what Seccomp is and how it is used. Then you will learn how to write Seccomp filters using BPF programs. After that, we look at the BPF hooks built into the kernel for Linux security modules.

Linux Security Modules (LSM) is a framework that provides a set of functions that can be used to implement different security models in a standardised way. Several LSMs are available directly in the kernel source tree, such as AppArmor, SELinux and Tomoyo.

Let's start by discussing Linux capabilities.

Capabilities

The essence of Linux capabilities is that you need to give an unprivileged process permission to perform a specific task, but without using suid for that purpose or otherwise making the process privileged, which reduces the attack surface while still letting the process do the specific tasks it needs. For example, if your application needs to open a privileged port, say 80, then instead of running the process as root you can give it just the CAP_NET_BIND_SERVICE capability.

Consider a Go program called main.go:

package main

import (
    "log"
    "net/http"
)

func main() {
    log.Fatalf("%v", http.ListenAndServe(":80", nil))
}

This program serves HTTP on port 80 (a privileged port). We would normally run it right after compiling it:

$ go build -o capabilities main.go
$ ./capabilities

However, since we have not granted root privileges, this code throws an error when binding the port:

2019/04/25 23:17:06 listen tcp :80: bind: permission denied
exit status 1

capsh (capability shell wrapper) is a tool that launches a shell with specific capabilities.

In this case, as already mentioned, instead of granting full root privileges, you can allow the port binding by granting the cap_net_bind_service capability along with everything else the program already has. To do this, we can wrap our program with capsh:

# capsh --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' \
   --keep=1 --user="nobody" \
   --addamb=cap_net_bind_service -- -c "./capabilities"

Let's break this command down a little.

  • capsh - use capsh as the shell.
  • --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' - since we need to change the user (we don't want to run as root), we specify cap_net_bind_service plus the capabilities needed to change the user ID from root to nobody, namely cap_setuid and cap_setgid.
  • --keep=1 - we want to keep the capabilities we set when switching away from the root account.
  • --user="nobody" - the user that finally runs the program will be nobody.
  • --addamb=cap_net_bind_service - sets the ambient capability, because ambient capabilities are otherwise cleared after switching away from root.
  • -- -c "./capabilities" - just run the program.

Ambient capabilities are a special kind of capability that child programs inherit when the current program executes them with execve(). Only capabilities that are both permitted and inheritable can be ambient.

You may be wondering what +eip means after the capability in the --caps option. These flags determine whether the capability:

- must be activated (p);

- is available for use (e);

- can be inherited by child processes (i).

Since we want to use cap_net_bind_service, we need to do this with the e flag. Then we start the shell with a command. This runs the capabilities binary, so we need to mark it with the i flag. Finally, we want the capability to be permitted (we did this without changing the UID) with p. That gives cap_net_bind_service+eip.

You can check the result using ss. We have trimmed the output a little so it fits on the page, but it shows the bound port and a user ID other than 0, in this case 65534:

# ss -tulpn -e -H | cut -d' ' -f17-
128 *:80 *:*
users:(("capabilities",pid=30040,fd=3)) uid:65534 ino:11311579 sk:2c v6only:0

In this example we used capsh, but you could write the wrapper using libcap. For more information, see man 3 libcap.
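As an added example (not code from the book): the three sets behind the e, i and p letters are exposed by the kernel as hex bitmasks in /proc/<pid>/status, so a wrapped service can verify at startup that bit 10 (CAP_NET_BIND_SERVICE) actually reached its effective set before it tries to bind. The parser, the cap_flags rendering and the sample status text below are constructed for this illustration and are not part of libcap or capsh.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_NET_BIND_SERVICE 10 /* as in include/uapi/linux/capability.h */

/* A process's capability sets as the kernel reports them in /proc/<pid>/status. */
struct cap_sets {
    uint64_t inheritable, permitted, effective, ambient;
};

/* Parse the Cap* lines of a /proc/<pid>/status buffer into bitmasks.
 * Returns how many of the four sets were found. */
static int parse_cap_sets(const char *status, struct cap_sets *out)
{
    int found = 0;
    memset(out, 0, sizeof(*out));
    const char *line = status;
    while (line && *line) {
        char key[16]; unsigned long long mask;
        if (sscanf(line, "%15s %llx", key, &mask) == 2) {
            if (!strcmp(key, "CapInh:")) { out->inheritable = mask; found++; }
            else if (!strcmp(key, "CapPrm:")) { out->permitted = mask; found++; }
            else if (!strcmp(key, "CapEff:")) { out->effective = mask; found++; }
            else if (!strcmp(key, "CapAmb:")) { out->ambient = mask; found++; }
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return found;
}

/* A capability is usable right now only if its bit is in the effective set. */
static bool cap_effective(const struct cap_sets *c, int cap)
{
    return (c->effective >> cap) & 1ULL;
}

/* Render the letters capsh uses (cap_net_bind_service+eip) for one capability;
 * returns "" when the capability is in none of the three sets. */
static const char *cap_flags(const struct cap_sets *c, int cap, char buf[5])
{
    int n = 1;
    buf[0] = '+';
    if ((c->effective >> cap) & 1ULL)   buf[n++] = 'e';
    if ((c->inheritable >> cap) & 1ULL) buf[n++] = 'i';
    if ((c->permitted >> cap) & 1ULL)   buf[n++] = 'p';
    buf[n == 1 ? 0 : n] = '\0';
    return buf;
}

/* Constructed sample (not captured from a real run): the shape of the status
 * file for a process running as nobody with only bit 10 in its Cap* sets. */
static const char SAMPLE_STATUS[] =
    "Name:\tcapabilities\n"
    "Uid:\t65534\t65534\t65534\t65534\n"
    "CapInh:\t0000000000000400\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapAmb:\t0000000000000400\n";

int main(void)
{
    char buf[8192], flags[5];
    struct cap_sets caps;
    FILE *fp = fopen("/proc/self/status", "r");
    if (!fp) { perror("fopen"); return 1; }
    buf[fread(buf, 1, sizeof(buf) - 1, fp)] = '\0';
    fclose(fp);
    parse_cap_sets(buf, &caps);
    printf("cap_net_bind_service%s, effective: %s\n",
           cap_flags(&caps, CAP_NET_BIND_SERVICE, flags),
           cap_effective(&caps, CAP_NET_BIND_SERVICE) ? "yes" : "no");
    return 0;
}
```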

When writing programs, the developer often does not know in advance all the capabilities the program will need at run time; moreover, these capabilities may change in new versions.

To better understand our program's capabilities, we can use the capable tool from BCC, which sets a kprobe on the kernel function cap_capable:

/usr/share/bcc/tools/capable
TIME      UID    PID    TID    COMM             CAP  NAME                  AUDIT
10:12:53  0      424    424    systemd-udevd    12   CAP_NET_ADMIN         1
10:12:57  0      1103   1101   timesync         25   CAP_SYS_TIME          1
10:12:57  0      19545  19545  capabilities     10   CAP_NET_BIND_SERVICE  1

We can achieve the same thing with bpftrace, using a one-liner kprobe on the cap_capable kernel function:

bpftrace -e \
   'kprobe:cap_capable {
      time("%H:%M:%S ");
      printf("%-6d %-6d %-16s %-4d %d\n", uid, pid, comm, arg2, arg3);
    }' \
    | grep -i capabilities

This produces output like the following once our program's capabilities are enabled after the kprobe:

12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 10 1

The fifth column is the capability the process needs, and since this output includes non-audit events, we see all the non-audit checks and finally the required capability with the audit flag (the last column in the output) set to 1. The capability we are interested in is CAP_NET_BIND_SERVICE, defined as a constant in the kernel source in the file include/uapi/linux/capability.h with identifier 10:

/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */
#define CAP_NET_BIND_SERVICE 10

Capabilities are often enabled at run time for containers such as runC or Docker to let them run unprivileged, allowing only the capabilities needed to run most applications. When an application needs specific capabilities, Docker can grant them with --cap-add:

docker run -it --rm --cap-add=NET_ADMIN ubuntu ip link add dummy0 type dummy

This command gives the container the CAP_NET_ADMIN capability, which lets it configure a network link to add the dummy0 interface.

The next section shows how to achieve filtering similar to what capabilities provide, but using a different technique that lets us implement our own filters programmatically.

Seccomp

Seccomp stands for Secure Computing and is a security layer built into the Linux kernel that lets developers filter specific system calls. Although Seccomp can be compared to Linux capabilities, its ability to control specific system calls makes it much more flexible.

Seccomp and Linux capabilities are not mutually exclusive and are often used together to benefit from both approaches. For example, you might want to give a process the CAP_NET_ADMIN capability but not allow it to accept socket connections, blocking the accept and accept4 system calls.

Seccomp's filtering mechanism is based on BPF filters running in SECCOMP_MODE_FILTER mode, and system calls are filtered the same way packets are.

Seccomp filters are loaded using prctl with the PR_SET_SECCOMP operation. These filters take the form of a BPF program that is executed for every Seccomp packet, represented by the seccomp_data structure. This structure contains the reference architecture, the CPU instruction pointer at the time of the system call, and up to six system call arguments, represented as uint64.

Here is what the seccomp_data structure looks like in the kernel source file linux/seccomp.h:

struct seccomp_data {
      int nr;
      __u32 arch;
      __u64 instruction_pointer;
      __u64 args[6];
};

As you can see from this structure, we can filter by system call, by its arguments, or by a combination of both.

After receiving each Seccomp packet, the filter must do its work, make a final decision and tell the kernel what to do next. The final decision is expressed as one of the return values (status codes).

- SECCOMP_RET_KILL_PROCESS - kills the entire process immediately after filtering the system call, which is therefore not executed.

- SECCOMP_RET_KILL_THREAD - terminates the current thread immediately after filtering the system call, which is therefore not executed.

- SECCOMP_RET_KILL - an alias for SECCOMP_RET_KILL_THREAD, kept for backward compatibility.

- SECCOMP_RET_TRAP - the system call is denied, and the SIGSYS (Bad System Call) signal is sent to the task that called it.

- SECCOMP_RET_ERRNO - the system call is not executed, and the SECCOMP_RET_DATA part of the filter's return value is passed to user space as the errno value. Depending on the cause of the error, different errno values are returned. A list of error numbers is given in the next section.

- SECCOMP_RET_TRACE - used to notify a ptrace tracer that uses PTRACE_O_TRACESECCOMP to intercept the system call when it is made, so it can observe and control that process. If no tracer is attached, an error is returned, errno is set to -ENOSYS, and the system call is not executed.

- SECCOMP_RET_LOG - the system call is allowed and logged.

- SECCOMP_RET_ALLOW - the system call is simply allowed.

ptrace is a system call for implementing tracing mechanisms on a process called the tracee, with the ability to observe and control the execution of that process. The tracing program can effectively influence execution and modify the tracee's memory and registers. In the context of Seccomp, ptrace is used when triggered by the SECCOMP_RET_TRACE status code, so the tracer can prevent the system call from executing and implement its own logic.

Seccomp errors

From time to time, when working with Seccomp, you will encounter various errors, identified by a return value of type SECCOMP_RET_ERRNO. To report an error, the seccomp system call returns -1 instead of 0.

The following errors are possible:

- EACCESS - the caller is not allowed to make the system call. This usually happens because it does not have the CAP_SYS_ADMIN privilege or no_new_privs has not been set using prctl (we will talk about this later);

- EFAULT - the passed arguments (args in the seccomp_data structure) do not have a valid address;

- EINVAL - there can be four reasons here:

- the requested operation is unknown or not supported by the kernel in the current configuration;

- the specified flags are invalid for the requested operation;

- the operation includes BPF_ABS, but there is a problem with the specified offset, which may exceed the size of the seccomp_data structure;

- the number of instructions passed to the filter exceeds the maximum;

- ENOMEM - there is not enough memory to execute the program;

- EOPNOTSUPP - the operation indicated via SECCOMP_GET_ACTION_AVAIL that the action was available, but the kernel does not support returning the arguments;

- ESRCH - a problem occurred while synchronising another thread;

- ENOSYS - no tracer is attached to the SECCOMP_RET_TRACE action.

prctl is a system call that lets a user-space program control (set and get) specific aspects of a process, such as byte endianness, thread names, secure computing mode (Seccomp), privileges, perf events, and so on.

Seccomp may sound like a sandboxing technology to you, but it is not. Seccomp is a tool that lets users build a sandboxing mechanism. Now let's look at how to build user-space programs with a filter invoked directly by the Seccomp system call.

Seccomp BPF filter example

Here we show how to combine the two actions discussed earlier, namely:

- we write a Seccomp BPF program that will be used as a filter, with different return codes depending on the decisions made;

- we load the filter using prctl.

First you need the headers from the standard library and the Linux kernel:

#include <errno.h>
#include <linux/audit.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>

Before trying this example, we must make sure the kernel was compiled with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER set to y. On a running machine you can check this as follows:

cat /proc/config.gz | zcat | grep -i CONFIG_SECCOMP

The rest of the code is the install_filter function, in two parts. The first part contains our list of BPF filtering instructions:

static int install_filter(int nr, int arch, int error) {
  struct sock_filter filter[] = {
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3),
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
  };

The instructions are set using the BPF_STMT and BPF_JUMP macros defined in the file linux/filter.h.
Let's examine the instructions.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))) - loads (BPF_LD) into the accumulator, as a word (BPF_W), the packet data located at the fixed offset (BPF_ABS) of the arch field.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3) - checks with BPF_JEQ whether the architecture value in the accumulator equals the constant (BPF_K) arch. If so, jump by offset 0 to the next instruction; otherwise jump by offset 3 (in this case), skipping the system call check, because the architecture does not match.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))) - loads (BPF_LD) into the accumulator, as a word (BPF_W), the system call number located at the fixed offset (BPF_ABS) of the nr field.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1) - compares the system call number with the value of the nr variable. If they are equal, it falls through to the next instruction and blocks the system call; otherwise it allows the system call with SECCOMP_RET_ALLOW.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)) - terminates the program with BPF_RET and returns the error SECCOMP_RET_ERRNO with the number taken from the error variable.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW) - terminates the program with BPF_RET and allows the system call to execute using SECCOMP_RET_ALLOW.

SECCOMP AND cBPF
You may be wondering why a list of instructions is used instead of a compiled ELF object or a JIT-compiled C program.

There are two reasons for this.

• First, Seccomp uses cBPF (classic BPF) rather than eBPF, which means it has no registers, only an accumulator that stores the last result of a computation, as seen in the example.

• Second, Seccomp accepts a pointer to an array of BPF instructions directly and nothing else. The macros we used only help specify these instructions in a programmer-friendly way.

If you need more help understanding this assembly, consider pseudocode that does the same thing:

if (arch != AUDIT_ARCH_X86_64) {
    return SECCOMP_RET_ALLOW;
}
if (nr == __NR_write) {
    return SECCOMP_RET_ERRNO;
}
return SECCOMP_RET_ALLOW;

After defining the filter code in the sock_filter array, you need to define a sock_fprog that holds the code and the computed length of the filter. This data structure is required as the argument that later applies the filter to the process:

struct sock_fprog prog = {
   .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
   .filter = filter,
};

There is only one thing left to do in the install_filter function: load the program itself! To do this we use prctl, passing PR_SET_SECCOMP as the option to enter secure computing mode. Then we tell it to load the filter with SECCOMP_MODE_FILTER, which is contained in the prog variable of type sock_fprog:

  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
    perror("prctl(PR_SET_SECCOMP)");
    return 1;
  }
  return 0;
}

Finally, we can use our install_filter function, but before that we need to use prctl to set PR_SET_NO_NEW_PRIVS for the current process, thus avoiding a situation where children gain more privileges than their parents. With this, we can make the subsequent prctl calls in the install_filter function without root privileges.

Now we can call the install_filter function. Let's block all write system calls for the X86-64 architecture and return a permission-denied error for every attempt. After installing the filter, we continue execution by running the first argument:

int main(int argc, char const *argv[]) {
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    perror("prctl(NO_NEW_PRIVS)");
    return 1;
  }
  /* If the filter cannot be installed, do not run the command unfiltered. */
  if (install_filter(__NR_write, AUDIT_ARCH_X86_64, EPERM)) {
    return 1;
  }
  return system(argv[1]);
}

Let's get started. To compile our program we can use clang or gcc; either way it is a matter of compiling the main.c file without any special options:

clang main.c -o filter-write

As mentioned, we have blocked all writes in the program. To test this you need a program that outputs something; ls looks like a good candidate. This is how it usually behaves:

ls -la
total 36
drwxr-xr-x 2 fntlnz users 4096 Apr 28 21:09 .
drwxr-xr-x 4 fntlnz users 4096 Apr 26 13:01 ..
-rwxr-xr-x 1 fntlnz users 16800 Apr 28 21:09 filter-write
-rw-r--r-- 1 fntlnz users 19 Apr 28 21:09 .gitignore
-rw-r--r-- 1 fntlnz users 1282 Apr 28 21:08 main.c

Great! Here is what using our wrapper program looks like: we pass the program we want to test as the first argument:

./filter-write "ls -la"

When executed, this program produces completely empty output. However, we can use strace to see what is happening:

strace -f ./filter-write "ls -la"

The output has been heavily trimmed, but the relevant part shows that the writes are blocked with the EPERM error, the one we configured. This means the program outputs nothing because it cannot use the write system call:

[pid 25099] write(2, "ls: ", 4) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "write error", 11) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "\n", 1) = -1 EPERM (Operation not permitted)
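As an added example (not the book's code): the filter below goes one step beyond the one above in two ways the chapter describes. It uses the args field of seccomp_data to deny write() only on one file descriptor, and it kills the process instead of allowing the call when the syscall ABI is not x86-64, since a filter that allows other ABIs is then matched against a different syscall table. It also contains a small interpreter for the three cBPF opcodes used, so a filter's verdict can be checked offline before installing it. It assumes an x86-64 Linux host and the same kernel headers as the chapter's example; FILTER_LEN, build_deny_write_fd_filter and run_filter are names chosen here.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* absent from pre-4.14 headers */
#endif

#define FILTER_LEN 9

/* Build a filter that returns EPERM for write() on one descriptor, allows every
 * other call, and kills the process if the ABI is not x86-64 (a filter that
 * allows foreign ABIs would be matched against a different syscall table). */
static int build_deny_write_fd_filter(unsigned int fd, struct sock_filter *out)
{
    struct sock_filter prog[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 0, 3),
        /* args[] are u64; on little-endian x86-64 the low 32 bits of args[0]
         * sit at the field's offset, which is all a 32-bit cBPF load can read. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, fd, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, prog, sizeof(prog));
    return FILTER_LEN;
}

/* Interpreter for the three cBPF opcodes the filter uses (LD|W|ABS, JMP|JEQ|K,
 * RET|K), so a verdict can be checked offline without installing the filter. */
static unsigned int run_filter(const struct sock_filter *f, int len,
                               const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &f[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)d + in->k, sizeof(acc));
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL_PROCESS; /* opcode outside the subset */
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: treat as deny */
}

int main(void)
{
    struct sock_filter f[FILTER_LEN];
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = f };

    build_deny_write_fd_filter(1, f); /* deny write() to stdout only */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
        perror("prctl");
        return 1;
    }
    ssize_t n = write(1, "stdout\n", 7); /* fails with EPERM */
    fprintf(stderr, "write(1) -> %zd (%s); stderr still works\n", n, strerror(errno));
    return 0;
}
```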

Now you understand how Seccomp BPF works and have a good idea of what you can do with it. But wouldn't you like to achieve the same with eBPF instead of cBPF, to use its full power?

When thinking about eBPF programs, most people assume they just write them and load them with administrator privileges. Although this is generally true, the kernel implements a set of mechanisms to protect eBPF objects at different levels. These mechanisms are called BPF LSM hooks.

BPF LSM hooks

To provide architecture-independent monitoring of system events, LSM implements the concept of hooks. Technically a hook call is similar to a system call, but it is architecture-independent and integrated with the LSM infrastructure. LSM provides an abstraction layer that helps avoid the problems encountered when dealing with system calls on different architectures.

At the time of writing, the kernel has seven hooks related to BPF programs, and SELinux is the only built-in LSM that implements them.

The hook source code is found in the kernel tree in the file include/linux/security.h:

extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
extern int security_bpf_prog(struct bpf_prog *prog);
extern int security_bpf_map_alloc(struct bpf_map *map);
extern void security_bpf_map_free(struct bpf_map *map);
extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
extern void security_bpf_prog_free(struct bpf_prog_aux *aux);

Each of them is called at a different stage of execution:

- security_bpf - performs an initial check of every BPF system call executed;

- security_bpf_map - checks when the kernel returns a file descriptor for a map;

- security_bpf_prog - checks when the kernel returns a file descriptor for an eBPF program;

- security_bpf_map_alloc - checks whether the security field inside BPF maps is initialised;

- security_bpf_map_free - checks whether the security field inside BPF maps is cleared;

- security_bpf_prog_alloc - checks whether the security field inside BPF programs is initialised;

- security_bpf_prog_free - checks whether the security field inside BPF programs is cleared.

Having seen all this, we understand the idea behind the LSM BPF hooks: they can protect every eBPF object, ensuring that only callers with the proper privileges can perform operations on maps and programs.

Summary

Security is not something you can apply in a single way to everything you want to protect. It is important to be able to protect systems at different levels and in different ways. Believe it or not, the best way to secure a system is to arrange different levels of security from different positions, so that weakening the security of one level does not grant access to the whole system. The core developers have done a great job giving us a set of different layers and touch points. We hope we have given you a good understanding of what these layers are and how you can use BPF programs to work with them.

About the authors

David Calavera is CTO at Netlify. He worked on Docker support and contributed to the development of runc, Go and BCC tools, as well as other open-source projects. He is known for his work on Docker projects and on the development of the Docker plugin ecosystem. David is very passionate about flame graphs and always looks to improve performance.

Lorenzo Fontana works on the open-source team at Sysdig, where he focuses mainly on Falco, a Cloud Native Computing Foundation project that provides container runtime security and anomaly detection through a kernel module and eBPF. He is passionate about distributed systems, software-defined networking, the Linux kernel and performance analysis.

» More details about the book can be found on the publisher's website
» Table of contents
» Excerpt

For Khabr readers, a 25% discount with the coupon: Linux

After paying for the paper version of the book, the electronic book will be sent by e-mail.

Source: www.habr.com
