Hello, Habr readers! The BPF virtual machine is one of the most important components of the Linux kernel. Used properly, it lets systems engineers find errors and solve very complex problems. You'll learn to write programs that observe and change the kernel's behaviour, how to safely execute code that watches kernel events, and much more. David Calavera and Lorenzo Fontana will help you unlock the power of BPF. Expand your knowledge of performance tuning, networking and security.
- Use BPF to observe and change the behaviour of the Linux kernel.
- Safely inject observation code into kernel events without recompiling the kernel or restarting the system.
- Use practical code examples in C, Go or Python.
- Take control by owning the BPF program lifecycle.
Linux Kernel Security, Capabilities and Seccomp
BPF offers a powerful way to extend the kernel without sacrificing stability, safety or speed. For that reason, kernel developers decided it would be appropriate to use its flexibility to improve process isolation in Seccomp by implementing Seccomp filters backed by BPF programs, known as Seccomp BPF. In this chapter we explain what Seccomp is and how it is used. You'll then learn to write Seccomp filters using BPF programs. After that, we'll look at the built-in BPF hooks that the kernel provides for Linux Security Modules.
Linux Security Modules (LSM) is a framework that provides a set of functions which can be used to implement different security models in a standardized way. An LSM can be used directly in the kernel source tree, as Apparmor, SELinux and Tomoyo are.
Let's start by discussing Linux capabilities.
Capabilities
The point of Linux capabilities is that you need to give an unprivileged process permission to perform a specific task, but without using suid for that purpose or otherwise making the process privileged; this reduces the possible attack surface and lets the process perform only specific operations. For example, if your application needs to open a privileged port, say 80, instead of running the process as root you can simply grant it the CAP_NET_BIND_SERVICE capability.
Consider a Go program called main.go:
package main

import (
    "log"
    "net/http"
)

func main() {
    log.Fatalf("%v", http.ListenAndServe(":80", nil))
}

This program serves HTTP on port 80 (a privileged port). Normally we'd run it right after compiling:
$ go build -o capabilities main.go
$ ./capabilities

However, since we aren't giving it root privileges, this code will throw an error when binding the port:

2019/04/25 23:17:06 listen tcp :80: bind: permission denied
exit status 1

capsh (capability shell wrapper) is a tool that starts a shell with a specific set of capabilities.
In this example, as already mentioned, instead of granting full root privileges, you can allow privileged port binding by providing the cap_net_bind_service capability together with everything else the program already needs. To do that, we can wrap our program with capsh:
# capsh --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' \
    --keep=1 --user="nobody" \
    --addamb=cap_net_bind_service -- -c "./capabilities"

Let's look at this command in a bit more detail.
- capsh: use capsh as the wrapper shell.
- --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep': because we want to change the user (we don't want to run as root), we specify cap_net_bind_service plus the capabilities needed to actually change the user ID from root to nobody, namely cap_setuid and cap_setgid.
- --keep=1: we want to keep the capabilities we set after switching away from the root account.
- --user="nobody": the final user running the program will be nobody.
- --addamb=cap_net_bind_service: set ambient capabilities, because those are cleared after switching away from root.
- -- -c "./capabilities": finally, just run the program.
Ambient capabilities are a special kind of capability that child processes inherit when the current process executes them via execve(). Only capabilities that are permitted to be ambient, in other words environment capabilities, can be inherited.
You may be wondering what +eip means after the capability specification in the --caps option. These flags are used to determine that the capability:
- needs to be activated (p);
- is available for use (e);
- can be inherited by child processes (i).
Because we want to use cap_net_bind_service, the capability must be effective (e). The command then starts a shell, which in turn runs the Go binary, so the capability must also be inheritable (i). Finally, we want the capability to be permitted (p), since the change of UID would otherwise drop it. The result is cap_net_bind_service+eip.
You can check the result with ss. We'll trim the output a little so it fits on the page, but it shows the bound port and a user ID other than 0, in this case 65534:
# ss -tulpn -e -H | cut -d' ' -f17-
128 *:80 *:*
users:(("capabilities",pid=30040,fd=3)) uid:65534 ino:11311579 sk:2c v6only:0

In this example we used capsh, but you could write the wrapper using libcap. For more information, see man 3 libcap.
When writing programs, the developer often doesn't know in advance all the capabilities the program will need at runtime; moreover, those capabilities may change in new versions.
To better understand our program's capabilities, we can use the BCC tool capable, which sets a kprobe on the kernel function cap_capable:

/usr/share/bcc/tools/capable
TIME     UID  PID   TID   COMM          CAP NAME                 AUDIT
10:12:53 0    424   424   systemd-udevd 12  CAP_NET_ADMIN        1
10:12:57 0    1103  1101  timesync      25  CAP_SYS_TIME         1
10:12:57 0    19545 19545 capabilities  10  CAP_NET_BIND_SERVICE 1

We can achieve the same thing with a bpftrace one-liner that places a kprobe on the cap_capable kernel function:
bpftrace -e 'kprobe:cap_capable {
    time("%H:%M:%S ");
    printf("%-6d %-6d %-16s %-4d %d\n", uid, pid, comm, arg2, arg3);
}' | grep -i capabilities

Once the kprobe is in place, this outputs something like the following when our program exercises its capabilities:
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 10 1

The fifth column is the capability the process requests. Since this output includes non-audit events, we see all the non-audit checks and finally the required capability with the audit flag (the last column in the output) set to 1. The capability we're interested in is CAP_NET_BIND_SERVICE, defined as a constant in the kernel source in include/uapi/linux/capability.h with identifier 10:
/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */
#define CAP_NET_BIND_SERVICE 10

Capabilities are commonly used at runtime by container runtimes such as runC or Docker to let containers run in unprivileged mode, granting only the capabilities needed to run most applications. When an application needs particular capabilities, Docker can provide them with --cap-add:
docker run -it --rm --cap-add=NET_ADMIN ubuntu ip link add dummy0 type dummy

This command gives the container the CAP_NET_ADMIN capability, allowing it to configure a network link and add the dummy0 interface.
The next section shows how to use capabilities in a filtering-like way, but with a different technique that lets us implement our own filters programmatically.
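Two checks a practitioner wants at this point are reading back which sets (inheritable, permitted, effective, ambient, the i/p/e flags above) a process actually holds, and turning a cap_capable trace like the bpftrace output above into the minimal set of capabilities a program needs. The following C program is an added example, not code from the book; it assumes Linux (it reads /proc/self/status in main) and the trace text it parses is constructed to mirror the columns of the bpftrace one-liner. Only capability numbers mentioned in this chapter are in its name table.

```c
/* Added example (not the book's code): decode the capability sets a process
 * holds and derive the minimal set a program needs from a cap_capable trace.
 * Assumes Linux (reads /proc/self/status in main); the trace text below is
 * constructed to mirror the bpftrace output shown above. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in include/uapi/linux/capability.h
 * (only the ones this chapter mentions). */
static const struct { int nr; const char *name; } cap_names[] = {
    {  6, "CAP_SETGID" }, {  7, "CAP_SETUID" }, {  8, "CAP_SETPCAP" },
    { 10, "CAP_NET_BIND_SERVICE" }, { 12, "CAP_NET_ADMIN" },
    { 21, "CAP_SYS_ADMIN" }, { 25, "CAP_SYS_TIME" },
};

const char *cap_name(int nr) {
    for (size_t i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++)
        if (cap_names[i].nr == nr) return cap_names[i].name;
    return "CAP_<unknown>";
}

/* Is bit nr set in a 64-bit capability mask? */
int cap_set_has(uint64_t mask, int nr) {
    return nr >= 0 && nr < 64 && ((mask >> nr) & 1u);
}

/* Copy one line (without the newline) into buf; return pointer to the next line. */
static const char *next_line(const char *p, char *buf, size_t buflen) {
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= buflen) len = buflen - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* Find "<key>:\t<hex>" in /proc/<pid>/status text (key is e.g. "CapEff") and
 * return the 64-bit mask; 0 when the key is absent. CapInh, CapPrm, CapEff
 * and CapAmb correspond to the i, p and e flags and the ambient set. */
uint64_t cap_mask_of(const char *status_text, const char *key) {
    char line[256];
    size_t klen = strlen(key);
    for (const char *p = status_text; *p; ) {
        p = next_line(p, line, sizeof line);
        if (strncmp(line, key, klen) == 0 && line[klen] == ':')
            return strtoull(line + klen + 1, NULL, 16);  /* skips the tab */
    }
    return 0;
}

/* Walk a cap_capable trace (columns: time uid pid comm cap audit, as printed
 * by the bpftrace one-liner) and OR together the capabilities whose audit
 * flag is 1. Non-audit checks are opportunistic probes, not requirements. */
uint64_t required_caps_from_trace(const char *trace) {
    char line[256], t[16], comm[64];
    unsigned uid, pid;
    int cap, audit;
    uint64_t mask = 0;
    for (const char *p = trace; *p; ) {
        p = next_line(p, line, sizeof line);
        if (sscanf(line, "%15s %u %u %63s %d %d", t, &uid, &pid, comm, &cap, &audit) == 6
            && audit == 1 && cap >= 0 && cap < 64)
            mask |= (uint64_t)1 << cap;
    }
    return mask;
}

/* Constructed sample: the same kind of check sequence the chapter's trace shows. */
static const char sample_trace[] =
    "12:01:56 1000 13524 capabilities 21 0\n"
    "12:01:56 1000 13524 capabilities 12 0\n"
    "12:01:56 1000 13524 capabilities 10 1\n";

uint64_t sample_required_caps(void) { return required_caps_from_trace(sample_trace); }

int main(void) {
    static const char *keys[] = { "CapInh", "CapPrm", "CapEff", "CapAmb" };
    char status[4096] = { 0 };
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { (void)fread(status, 1, sizeof status - 1, f); fclose(f); }
    for (size_t k = 0; k < 4; k++) {
        uint64_t m = cap_mask_of(status, keys[k]);
        printf("%s: %016llx", keys[k], (unsigned long long)m);
        for (int nr = 0; nr < 64; nr++)
            if (cap_set_has(m, nr)) printf(" %s(%d)", cap_name(nr), nr);
        printf("\n");
    }
    uint64_t need = sample_required_caps();
    printf("required by sample trace:");
    for (int nr = 0; nr < 64; nr++)
        if (cap_set_has(need, nr)) printf(" %s(%d)", cap_name(nr), nr);
    printf("\n");
    return 0;
}
```

Run under the capsh wrapper above, CapEff and CapAmb should show bit 10 set while the process runs as uid 65534; the trace reducer reports only CAP_NET_BIND_SERVICE, because the CAP_SYS_ADMIN and CAP_NET_ADMIN lines carry audit flag 0.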
Seccomp
Seccomp stands for Secure Computing and is a security layer implemented in the Linux kernel that lets developers filter specific system calls. Although Seccomp is comparable to Linux capabilities, its ability to control specific syscalls makes it far more flexible by comparison.
Seccomp and Linux capabilities are not mutually exclusive and are often used together to get the benefits of both. For example, you may want to give a process the CAP_NET_ADMIN capability but not let it accept socket connections, by blocking the accept and accept4 system calls.
Seccomp filtering is based on BPF filters running in SECCOMP_MODE_FILTER mode, and syscall filtering is done the same way as packet filtering.
Seccomp filters are loaded with prctl using the PR_SET_SECCOMP operation. These filters take the form of a BPF program executed on every Seccomp packet, represented by the seccomp_data structure. That structure contains the reference architecture, the processor's instruction pointer at the time of the syscall, and up to six syscall arguments, declared as uint64.
This is what seccomp_data looks like in the kernel source, in linux/seccomp.h:
struct seccomp_data {
    int nr;
    __u32 arch;
    __u64 instruction_pointer;
    __u64 args[6];
};

As you can see from this structure, we can filter by syscall, by its arguments, or by a combination of both.
After receiving each Seccomp packet, the filter must process it to make a final decision and tell the kernel what to do next. The final decision is expressed as one of the following return values (status codes).
- SECCOMP_RET_KILL_PROCESS: kills the entire process immediately after filtering the syscall, which is therefore not executed.
- SECCOMP_RET_KILL_THREAD: terminates the current thread immediately after filtering the syscall, which is therefore not executed.
- SECCOMP_RET_KILL: an alias for SECCOMP_RET_KILL_THREAD, kept for backward compatibility.
- SECCOMP_RET_TRAP: the syscall is denied and the SIGSYS (Bad System Call) signal is sent to the task that invoked it.
- SECCOMP_RET_ERRNO: the syscall is not executed, and the SECCOMP_RET_DATA part of the filter's return value is passed to user space as the errno value. Depending on the cause of the error, different errno values are returned. A list of error numbers is given in the next section.
- SECCOMP_RET_TRACE: used to notify a ptrace tracer, via PTRACE_O_TRACESECCOMP, to intercept the syscall when it is invoked, so it can observe and control that syscall. If no tracer is attached, an error is returned, errno is set to ENOSYS, and the syscall is not executed.
- SECCOMP_RET_LOG: the syscall is allowed and logged.
- SECCOMP_RET_ALLOW: the syscall is simply allowed.
ptrace is a syscall implementing tracing mechanisms on a process called the tracee, making it possible to observe and control that process's execution. The tracer program can actively influence execution and modify the tracee's memory and registers. In the context of Seccomp, ptrace is used when triggered by the SECCOMP_RET_TRACE status code, so the tracer can prevent the syscall from executing and run its own logic.
Seccomp errors
From time to time, while working with Seccomp, you'll run into various errors, identified by a return value of type SECCOMP_RET_ERRNO. To report an error, the seccomp syscall returns -1 instead of 0.
The following errors can occur:
- EACCES: the caller is not allowed to make the syscall. This usually happens because it lacks the CAP_SYS_ADMIN privilege or no_new_privs was not set via prctl (we'll talk about that later);
- EFAULT: the passed arguments (args in the seccomp_data structure) don't have a valid address;
- EINVAL: there are four possible causes:
  - the requested operation is unknown or not supported by the kernel in its current configuration;
  - the specified flags are not valid for the requested operation;
  - the operation includes BPF_ABS but there are problems with the specified offset, which may exceed the size of the seccomp_data structure;
  - the number of instructions passed to the filter exceeds the maximum;
- ENOMEM: not enough memory to run the program;
- EOPNOTSUPP: the operation indicated with SECCOMP_GET_ACTION_AVAIL that the action was available, but the kernel does not support returning it in the arguments;
- ESRCH: a problem occurred while synchronizing another thread;
- ENOSYS: no tracer is attached to the SECCOMP_RET_TRACE action.
prctl is a syscall that allows a user-space process to control (set and get) specific aspects of a process, such as byte endianness, thread names, secure computing (Seccomp) mode, privileges, Perf events, and so on.
Seccomp may sound like a sandboxing technology to you, but it isn't. Seccomp is a tool that lets its users build a sandboxing mechanism. Now let's see how custom user-space interactions are implemented with a filter that the program installs itself through a syscall.
Seccomp BPF filter example
Here we show how to combine the two actions discussed earlier, namely:
- write a Seccomp BPF program to be used as a filter, with different return codes depending on the decisions it makes;
- load the filter using prctl.
First you need headers from the standard library and the Linux kernel:
#include <errno.h>
#include <linux/audit.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>

Before trying this example, make sure the kernel was built with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER set to y. On a running machine you can check this as follows:

cat /proc/config.gz | zcat | grep -i CONFIG_SECCOMP

The rest of the code is the install_filter function, which has two parts. The first part contains our list of BPF filtering instructions:
static int install_filter(int nr, int arch, int error) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3),
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
    };

The instructions are set using the BPF_STMT and BPF_JUMP macros defined in linux/filter.h.
Let's walk through the instructions.
- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))): loads into the accumulator with BPF_LD, as a word (BPF_W), the packet data found at the fixed offset (BPF_ABS) of the arch field.
- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3): checks with BPF_JEQ whether the architecture value in the accumulator equals the constant (BPF_K) arch. If it does, it jumps 0 instructions, i.e. continues with the next one; otherwise it jumps 3 instructions ahead (in this case), skipping the syscall check because the arch did not match (the pseudocode below shows where that lands).
- BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))): loads into the accumulator with BPF_LD, as a word (BPF_W), the syscall number found at the fixed offset (BPF_ABS) of the nr field.
- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1): compares the syscall number with the value of the nr variable. If they are equal, it continues with the next instruction and denies the syscall; otherwise it jumps one instruction ahead and allows the syscall with SECCOMP_RET_ALLOW.
- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)): terminates the program with BPF_RET and as a result produces a SECCOMP_RET_ERRNO error with the error number taken from the error argument.
- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW): terminates the program with BPF_RET and allows the syscall to proceed using SECCOMP_RET_ALLOW.
Seccomp is cBPF
You may be wondering why an array of instructions is used instead of a compiled ELF object or a JIT-compiled C program. There are two reasons.
- First, Seccomp uses cBPF (classic BPF), not eBPF, which means it has no registers, only an accumulator holding the result of the last computation, as seen in the example.
- Second, Seccomp accepts a pointer to an array of BPF instructions directly and nothing else. The macros we used are just helpers for specifying those instructions in a programmer-friendly way.
If you need more help understanding this assembly, consider the following pseudocode, which does the same thing:
if (arch != AUDIT_ARCH_X86_64) {
    return SECCOMP_RET_ALLOW;
}
if (nr == __NR_write) {
    return SECCOMP_RET_ERRNO;
}
return SECCOMP_RET_ALLOW;

After defining the filter code in the sock_filter array, we need to define a sock_fprog containing the filter code and its computed length. This structure is needed as the argument that declares the operation to be applied to the process:
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

There's only one thing left to do in the install_filter function: load the program itself! To do that, we use prctl with PR_SET_SECCOMP as the option to enter Secure Computing mode. We then tell it to load the filter with SECCOMP_MODE_FILTER, passing the prog variable of type sock_fprog:
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
        perror("prctl(PR_SET_SECCOMP)");
        return 1;
    }
    return 0;
}

Finally, we can use our install_filter function, but before that we need to use prctl to set PR_SET_NO_NEW_PRIVS on the current execution, which prevents child processes from gaining more privileges than their parent. With this set, we can make the prctl calls in install_filter without having root privileges.
Now we can call install_filter. Let's block all write syscalls for the x86-64 architecture and simply deny every attempt with EPERM. After installing the filter, we continue by executing the first argument:
int main(int argc, char const *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s \"<command>\"\n", argv[0]);
        return 1;
    }
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
        perror("prctl(NO_NEW_PRIVS)");
        return 1;
    }
    /* Deny write(2) on x86-64 with EPERM, then run the requested command. */
    if (install_filter(__NR_write, AUDIT_ARCH_X86_64, EPERM))
        return 1;
    return system(argv[1]);
}

Let's try it. To compile the program we can use either clang or gcc; either way it's just compiling main.c with no special options:
clang main.c -o filter-write

As noted, we've blocked all writes in the program. To test this we need a program that produces output; ls looks like a good candidate. Here's how it normally behaves:

ls -la
total 36
drwxr-xr-x 2 fntlnz users  4096 Apr 28 21:09 .
drwxr-xr-x 4 fntlnz users  4096 Apr 26 13:01 ..
-rwxr-xr-x 1 fntlnz users 16800 Apr 28 21:09 filter-write
-rw-r--r-- 1 fntlnz users    19 Apr 28 21:09 .gitignore
-rw-r--r-- 1 fntlnz users  1282 Apr 28 21:08 main.c

Great! Here's what using our wrapper program looks like: we simply pass the program we want to test as the first argument:
./filter-write "ls -la"

When executed, this program produces completely empty output. However, we can use strace to see what's going on:

strace -f ./filter-write "ls -la"

The output is very long, but the relevant part shows that writes are being blocked with an EPERM error, the very one we configured. This means the program prints nothing because it can't reach the write syscall:

[pid 25099] write(2, "ls: ", 4) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "write error", 11) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "\n", 1) = -1 EPERM (Operation not permitted)

Now you understand how Seccomp BPF works and have a good idea of what you can do with it. But wouldn't you like to achieve the same thing with eBPF instead of cBPF, to use its full power?
When thinking about eBPF programs, many people assume they simply write them and load them with administrator privileges. While that is generally true, the kernel implements a set of mechanisms to protect eBPF objects at various levels. These mechanisms are called BPF LSM hooks.
BPF LSM hooks
To provide architecture-independent control over system events, LSM uses the concept of hooks. A hook call is technically similar to a syscall, but it is system-independent and integrated with the infrastructure. LSM offers a new approach in which an abstraction layer helps avoid the problems encountered when dealing with syscalls across different architectures.
At the time of writing, the kernel has seven hooks related to BPF programs, and SELinux is the only built-in LSM that implements them.
The source code of the hooks lives in the kernel tree in the file include/linux/security.h:
extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
extern int security_bpf_prog(struct bpf_prog *prog);
extern int security_bpf_map_alloc(struct bpf_map *map);
extern void security_bpf_map_free(struct bpf_map *map);
extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
extern void security_bpf_prog_free(struct bpf_prog_aux *aux);

Each of them is called at a different stage of execution:
- security_bpf: performs an initial check on BPF syscalls being executed;
- security_bpf_map: checks when the kernel returns a file descriptor for a map;
- security_bpf_prog: checks when the kernel returns a file descriptor for an eBPF program;
- security_bpf_map_alloc: checks whether the security field inside BPF maps is initialized;
- security_bpf_map_free: checks whether the security field inside BPF maps is cleaned up;
- security_bpf_prog_alloc: checks whether the security field inside BPF programs is initialized;
- security_bpf_prog_free: checks whether the security field inside BPF programs is cleaned up.
Having seen all of this, we understand the idea behind the LSM BPF hooks: they can protect every eBPF object, ensuring that only those with the appropriate privileges can perform operations on maps and programs.
Summary
Security is not something you can implement in a one-size-fits-all way for everything you want to protect. It's important to be able to secure systems at different levels and in different ways. Believe it or not, the right way to protect a system is to stack different layers of protection at different positions, so that a breach at one layer doesn't grant access to the whole system. The kernel developers have done a great job of giving us a set of different layers and interaction points. We hope we've given you a good understanding of what those layers are and how to use BPF programs to work with them.
About the authors
David Calavera is CTO at Netlify. He worked on Docker support and contributed to the development of Runc, Go and BCC tools, as well as other open-source projects. He is known for his work on Docker projects and the development of the Docker plugin ecosystem. David is very enthusiastic about flame graphs and is always looking to improve performance.
Lorenzo Fontana works on the open-source team at Sysdig, where he focuses mainly on Falco, a Cloud Native Computing Foundation project that provides runtime security and anomaly detection through a kernel module and eBPF. He is passionate about distributed systems, software-defined networking, the Linux kernel and performance analysis.
» More details about the book are available here
For Habr readers, a 25% discount with the coupon code - Linux
Once the paper copy of the book is paid for, the electronic book will be sent by e-mail.
Source: www.habr.com
