ProHoster > Блог > Ukuphatha > Bhukha "BPF for Linux Monitoring"

Bhukha "BPF for Linux Monitoring"

Bhukha "BPF for Linux Monitoring"Sawubona, bahlali baseKhabro! Umshini obonakalayo we-BPF ungenye yezingxenye ezibaluleke kakhulu ze-Linux kernel. Ukusetshenziswa kwayo okufanele kuzovumela onjiniyela besistimu ukuthi bathole amaphutha futhi baxazulule izinkinga eziyinkimbinkimbi kakhulu. Uzofunda ukuthi zibhalwa kanjani izinhlelo eziqapha futhi ziguqule ukuziphatha kwe-kernel, ukuthi ungasebenzisa kanjani ikhodi ngokuphepha ukuze ugade imicimbi ku-kernel, nokunye okuningi. UDavid Calavera noLorenzo Fontana bazokusiza uvule amandla e-BPF. Nweba ulwazi lwakho lokuthuthukisa ukusebenza, inethiwekhi, ukuphepha. - Sebenzisa i-BPF ukuze ugade futhi uguqule ukuziphatha kwe-Linux kernel. - Faka ikhodi ukuze uqaphe ngokuphephile imicimbi ye-kernel ngaphandle kokuthi uhlanganise i-kernel noma uqalise kabusha uhlelo. - Sebenzisa izibonelo zamakhodi ezilula ku-C, Go noma Python. - Thatha ukulawula ngokuba nomjikelezo wokuphila wohlelo lwe-BPF.

I-Linux Kernel Security, Izici zayo kanye ne-Seccomp

I-BPF inikeza indlela enamandla yokwelula i-kernel ngaphandle kokudela ukuzinza, ukuphepha, noma isivinini. Ngalesi sizathu, abathuthukisi be-kernel bacabange ukuthi kungaba umqondo omuhle ukusebenzisa ukuguquguquka kwayo ukuze kuthuthukiswe inqubo yokuhlukaniswa yedwa ku-Seccomp ngokusebenzisa izihlungi ze-Seccomp ezisekelwa izinhlelo ze-BPF, ezaziwa nangokuthi i-Seccomp BPF. Kulesi sahluko sizochaza ukuthi iyini iSeccomp nokuthi isetshenziswa kanjani. Ngemuva kwalokho uzofunda ukubhala izihlungi ze-Seccomp usebenzisa izinhlelo ze-BPF. Ngemuva kwalokho, sizobheka izingwegwe ze-BPF ezakhelwe ngaphakathi ezifakwe ku-kernel yamamojula wokuphepha we-Linux.

Amamojula Okuphepha e-Linux (LSM) awuhlaka oluhlinzeka ngesethi yemisebenzi engasetshenziswa ukuze kusetshenziswe amamodeli okuphepha ahlukahlukene ngendlela emisiwe. I-LSM ingasetshenziswa ngokuqondile esihlahleni somthombo we-kernel, njenge-Apparmor, i-SELinux ne-Tomoyo.

Ake siqale ngokuxoxa ngamakhono e-Linux.

Izici

Ingqikithi yamakhono e-Linux ukuthi udinga ukunikeza inqubo engenamalungelo imvume yokwenza umsebenzi othile, kodwa ngaphandle kokusebenzisa i-suid ngaleyo njongo, noma wenze inqubo ibe nelungelo, unciphise amathuba okuhlasela futhi uvumele inqubo ukwenza imisebenzi ethile. Isibonelo, uma uhlelo lwakho lokusebenza ludinga ukuvula imbobo enelungelo, ithi 80, esikhundleni sokuqalisa inqubo njengempande, ungavele uyinikeze amandla e-CAP_NET_BIND_SERVICE.

Cabangela uhlelo lwe-Go olubizwa ngokuthi i-main.go:

package main
import (
            "net/http"
            "log"
)
func main() {
     log.Fatalf("%v", http.ListenAndServe(":80", nil))
}

Lolu hlelo lusebenzela iseva ye-HTTP ku-port 80 (lena ichweba elikhethekile). Ngokuvamile siyisebenzisa ngokushesha ngemva kokuhlanganiswa:

$ go build -o capabilities main.go
$ ./capabilities

Kodwa-ke, njengoba singanikezi amalungelo ezimpande, le khodi izophonsa iphutha lapho ibopha imbobo:

2019/04/25 23:17:06 listen tcp :80: bind: permission denied
exit status 1

i-capsh (umphathi wegobolondo) iyithuluzi elisebenzisa igobolondo elinesethi ethile yamakhono.

Kulokhu, njengoba sekushiwo kakade, esikhundleni sokunikeza amalungelo ezimpande agcwele, ungakwazi ukunika amandla ukubophezela kwembobo okukhethekile ngokunikeza i-cap_net_bind_service ikhono kanye nakho konke okunye osekuvele kuhlelo. Ukwenza lokhu, singafaka uhlelo lwethu nge-capsh:

# capsh --caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' 
   --keep=1 --user="nobody" 
   --addamb=cap_net_bind_service -- -c "./capabilities"

Ake siliqonde leli qembu kancane.

  • i-capsh - sebenzisa i-capsh njengegobolondo.
  • —caps='cap_net_bind_service+eip cap_setpcap,cap_setuid,cap_setgid+ep' - njengoba sidinga ukushintsha umsebenzisi (asifuni ukusebenza njengempande), sizocacisa i-cap_net_bind_service kanye nekhono lokushintsha ngempela i-ID yomsebenzisi impande kumuntu, okuyi-cap_setuid ne-cap_setgid.
  • —gcina=1 — sifuna ukugcina amandla afakiwe lapho sisuka ku-akhawunti yezimpande.
  • — umsebenzisi=“akekho” — umsebenzisi wokugcina osebenzisa uhlelo ngeke abe muntu.
  • —addamb=cap_net_bind_service — setha ukusulwa kwamakhono ahlobene ngemva kokusuka kumodi yezimpande.
  • -c "./capabilities" - vele usebenzise uhlelo.

Amandla axhunyiwe awuhlobo olukhethekile lwamakhono azuzwa izinhlelo zezingane uma uhlelo lwamanje luwenza kusetshenziswa i-execve(). Amakhono kuphela avunyelwe ukuhlotshaniswa, noma ngamanye amazwi, njengamakhono emvelo, angazuzwa njengefa.

Cishe uyazibuza ukuthi kusho ukuthini +eip ngemva kokucacisa amandla kunketho --caps. Lawa mafulegi asetshenziselwa ukunquma ukuthi ikhono:

-kumele icushwe (p);

- etholakalayo ukuze isetshenziswe (e);

-ingatholwa yizinqubo zengane (i).

Njengoba sifuna ukusebenzisa i-cap_net_bind_service, sidinga ukwenza lokhu ngefulegi le-e. Khona-ke sizoqala igobolondo kumyalo. Lokhu kuzosebenzisa amakhono kanambambili futhi sidinga ukuyimaka ngefulegi i. Okokugcina, sifuna ukuthi isici sinikwe amandla (senze lokhu ngaphandle kokushintsha i-UID) nge-p. Kubukeka njenge-cap_net_bind_service+eip.

Ungahlola umphumela usebenzisa i-ss. Ake sifinyeze okukhiphayo kancane ukuze kulingane ekhasini, kodwa kuzobonisa imbobo ehlobene ne-ID yomsebenzisi ngaphandle kuka-0, kulokhu 65:

# ss -tulpn -e -H | cut -d' ' -f17-
128 *:80 *:*
users:(("capabilities",pid=30040,fd=3)) uid:65534 ino:11311579 sk:2c v6only:0

Kulesi sibonelo sisebenzise i-capsh, kodwa ungabhala igobolondo usebenzisa i-libcap. Ukuze uthole ulwazi olwengeziwe, bona man 3 libcap.

Lapho ebhala izinhlelo, ngokuvamile unjiniyela akazi kusengaphambili zonke izici ezidingwa uhlelo ngesikhathi sokusebenza; Ngaphezu kwalokho, lezi zici zingashintsha ezinguqulweni ezintsha.

Ukuze siqonde kangcono amakhono ohlelo lwethu, singathatha ithuluzi elikwaziyo le-BCC, elisetha i-kprobe yomsebenzi we-cap_capable kernel:

/usr/share/bcc/tools/capable
TIME      UID  PID   TID   COMM               CAP    NAME           AUDIT
10:12:53 0 424     424     systemd-udevd 12 CAP_NET_ADMIN         1
10:12:57 0 1103   1101   timesync        25 CAP_SYS_TIME         1
10:12:57 0 19545 19545 capabilities       10 CAP_NET_BIND_SERVICE 1

Singakwazi ukufeza into efanayo ngokusebenzisa i-bpftrace nge-kprobe yomugqa owodwa ku-cap_capable kernel function:

bpftrace -e 
   'kprobe:cap_capable {
      time("%H:%M:%S ");
      printf("%-6d %-6d %-16s %-4d %dn", uid, pid, comm, arg2, arg3);
    }' 
    | grep -i capabilities

Lokhu kuzokhipha okuthile okufana nokulandelayo uma amandla ohlelo lwethu enikwe amandla ngemva kwe-kprobe:

12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 21 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 12 0
12:01:56 1000 13524 capabilities 10 1

Ikholomu yesihlanu amakhono adingwa yinqubo, futhi njengoba lokhu okukhiphayo kuhlanganisa imicimbi engacwaningiwe, sibona konke ukuhlola okungahloliwe futhi ekugcineni nekhono elidingekayo ngefulegi lokucwaninga (elilokugcina ekuphumeni) limiswe kokuthi 1. Ikhono. eyodwa esiyithandayo yi-CAP_NET_BIND_SERVICE, ichazwa njengokungaguquki kukhodi yomthombo we-kernel kufayela ihlanganisa/uapi/linux/ability.h ngesihlonzi 10:

/* Allows binding to TCP/UDP sockets below 1024 */
/* Allows binding to ATM VCIs below 32 */
#define CAP_NET_BIND_SERVICE 10<source lang="go">

Amakhono avamise ukunikwa amandla ngesikhathi sokusebenza kweziqukathi ezifana ne-runC noma i-Docker ukuze azivumele ukuthi zisebenze ngemodi engafanele, kodwa avunyelwa kuphela amakhono adingekayo ukuze kusetshenziswe izinhlelo zokusebenza eziningi. Uma uhlelo lokusebenza ludinga amakhono athile, i-Docker ingawahlinzeka isebenzisa --cap-add:

docker run -it --rm --cap-add=NET_ADMIN ubuntu ip link add dummy0 type dummy

Lo myalo uzonikeza isiqukathi amandla e-CAP_NET_ADMIN, ukusivumela ukuthi silungiselele isixhumanisi senethiwekhi ukuze sengeze isixhumi esibonakalayo se-dummy0.

Isigaba esilandelayo sibonisa indlela yokusebenzisa izici ezinjengokuhlunga, kodwa kusetshenziswa indlela ehlukile esivumela ukuthi sisebenzise ngokuhlelekile izihlungi zethu.

Secomp

I-Seccomp imele i-Secure Computing futhi iyisendlalelo sokuvikela esisetshenziswa ku-Linux kernel evumela abathuthukisi ukuthi bahlunge izingcingo zesistimu ezithile. Nakuba i-Seccomp iqhathaniswa namakhono e-Linux, amandla ayo okuphatha izingcingo zesistimu ethile ayenza ibe lula kakhulu uma iqhathaniswa nayo.

Izici ze-Seccomp ne-Linux azihlukani futhi zivame ukusetshenziswa ndawonye ukuze kuzuze kuzo zombili izindlela. Isibonelo, ungase ufune ukunikeza inqubo amandla e-CAP_NET_ADMIN kodwa ungayivumeli ukuthi yamukele ukuxhunywa kwamasokhethi, uvimbele ukwamukela nokwamukela izingcingo zesistimu.

Indlela yokuhlunga ye-Seccomp isuselwe kuzihlungi ze-BPF ezisebenza kumodi ye-SECCOMP_MODE_FILTER, futhi ukuhlunga ikholi yesistimu kwenziwa ngendlela efanayo neyamaphakethe.

Izihlungi ze-Seccomp zilayishwa kusetshenziswa i-prctl ngokusebenza kwe-PR_SET_SECCOMP. Lezi zihlungi zithatha uhlobo lohlelo lwe-BPF olusetshenziswa kuphakethe le-Seccomp ngalinye elimelwe ukwakheka kwedatha ye-seccomp. Lesi sakhiwo siqukethe ukwakheka kwereferensi, isikhombi semiyalo yokucubungula ngesikhathi socingo lwesistimu, kanye nezimpikiswano zezingcingo zesistimu, ezivezwe njenge-uint64.

Yilokhu okubukeka kwesakhiwo se-seccomp_data kusuka kukhodi yomthombo we-kernel kufayela le-linux/seccomp.h:

struct seccomp_data {
int nr;
      __u32 arch;
      __u64 instruction_pointer;
      __u64 args[6];
};

Njengoba ubona kulesi sakhiwo, singahlunga ngekholi yesistimu, izimpikiswano zayo, noma inhlanganisela yakho kokubili.

Ngemva kokuthola iphakethe le-Seccomp ngalinye, isihlungi kufanele senza ukucubungula ukuze senze isinqumo sokugcina futhi sitshele i-kernel ukuthi yenzeni ngokulandelayo. Isinqumo sokugcina sivezwa elinye lamanani okubuyisela (amakhodi wesimo).

- SECCOMP_RET_KILL_PROCESS - ibulala yonke inqubo ngokushesha ngemva kokuhlunga ikholi yesistimu engenziwanga ngenxa yalokhu.

- SECCOMP_RET_KILL_THREAD - inqamula uchungechunge lwamanje ngokushesha ngemva kokuhlunga ikholi yesistimu engenziwanga ngenxa yalokhu.

— SECCOMP_RET_KILL — isibizo se-SECCOMP_RET_KILL_THREAD, esisele ukuze kuhambisane nokubuyela emuva.

- SECCOMP_RET_TRAP - ucingo lwesistimu aluvunyelwe, futhi isignali ye-SIGSYS (I-Bad System Call) ithunyelwa kumsebenzi oyibizayo.

- SECCOMP_RET_ERRNO - Ucingo lwesistimu alwenziwa, futhi ingxenye yenani lokubuyisela lesihlungi se-SECCOMP_RET_DATA idluliselwa esikhaleni somsebenzisi njengevelu ye-errno. Ngokuya ngembangela yephutha, amanani e-errno ahlukile abuyiselwa. Uhlu lwezinombolo zamaphutha lunikeziwe esigabeni esilandelayo.

- I-SECCOMP_RET_TRACE - Isetshenziselwa ukwazisa i-ptrace tracer isebenzisa - PTRACE_O_TRACESECCOMP ukuze ibambe lapho ikholi yesistimu yenzelwa ukubona nokulawula leyo nqubo. Uma i-tracer ingaxhumekile, iphutha liyabuyiswa, i-errno isethwe kokuthi -ENOSYS, futhi ikholi yesistimu ayenziwa.

- SECCOMP_RET_LOG - ikholi yesistimu ixazululiwe futhi ingeniwe.

- SECCOMP_RET_ALLOW - ucingo lwesistimu luvunyelwe kalula.

I-ptrace iwucingo lohlelo lokusebenzisa izindlela zokulandelela enqubweni ebizwa ngokuthi i-tracee, enekhono lokuqapha nokulawula ukwenziwa kwenqubo. Uhlelo lokulandelela lungaba nomthelela ngempumelelo ekusebenzeni futhi luguqule amarejista enkumbulo ye-tracee. Kumongo we-Seccomp, i-ptrace isetshenziswa uma icushwa ikhodi yesimo ye-SECCOMP_RET_TRACE, ukuze umkhondo uvimbele ikholi yesistimu ekwenzeni nokusebenzisa ingqondo yayo.

Seccomp amaphutha

Ngezikhathi ezithile, ngenkathi usebenza ne-Seccomp, uzohlangabezana namaphutha ahlukahlukene, abonakala ngenani lokubuyisela lohlobo SECCOMP_RET_ERRNO. Ukuze ubike iphutha, ikholi yesistimu ye-seccomp izobuya -1 esikhundleni sika-0.

Amaphutha alandelayo angenzeka:

- UKUFINYELELA - Oshaya ucingo akavunyelwe ukuthi ashaye ucingo lwesistimu. Lokhu kuvame ukwenzeka ngoba ayinawo amalungelo we-CAP_SYS_ADMIN noma okuthi no_new_privs akumiswanga kusetshenziswa i-prctl (sizokhuluma ngalokhu kamuva);

— EFAULT — izimpikiswano eziphasisiwe (ama-args esakhiweni se-seccomp_data) azinalo ikheli elivumelekile;

- EINVAL - kungaba nezizathu ezine lapha:

-ukusebenza okuceliwe akwaziwa noma akusekelwe yi-kernel ekucushweni kwamanje;

-amafulegi ashiwo awavumelekile ekusebenzeni okuceliwe;

-ukusebenza kuhlanganisa i-BPF_ABS, kodwa kunezinkinga nge-offset ecacisiwe, engase idlule usayizi wesakhiwo se-seccomp_data;

-inani lemiyalelo edluliselwe kusihlungi lidlula inani eliphezulu;

- ENOMEM - ayikho inkumbulo eyanele yokwenza uhlelo;

- EOPNOTSUPP - umsebenzi ubonise ukuthi nge-SECCOMP_GET_ACTION_AVAIL isenzo sasitholakala, kodwa i-kernel ayikusekeli ukubuyiselwa kwezimpikiswano;

- ESRCH - kube nenkinga lapho kuvumelanisa omunye ukusakaza;

- ENOSYS - Ayikho i-tracer enamathiselwe esenzweni se-SECCOMP_RET_TRACE.

I-prctl ikholi yesistimu evumela uhlelo lwesikhala somsebenzisi ukuthi lusebenzise (ukusetha nokuthola) izici ezithile zenqubo, ezifana ne-byte endianness, amagama entambo, imodi evikelekile yokubala (i-Seccomp), amalungelo, imicimbi ye-Perf, njll.

I-Seccomp ingase ibonakale njengobuchwepheshe be-sandbox kuwe, kodwa akunjalo. I-Seccomp iyinsiza evumela abasebenzisi ukuthi bakhe indlela ye-sandbox. Manje ake sibheke ukuthi izinhlelo zokusebenzisana nabasebenzisi zidalwa kanjani kusetshenziswa isihlungi esibizwa ngokuqondile ngocingo lwesistimu ye-Seccomp.

Isibonelo Sesihlungi Se-BPF Seccomp

Lapha sizobonisa indlela yokuhlanganisa izenzo ezimbili okukhulunywe ngazo ngaphambili, okuyilezi:

— sizobhala uhlelo lwe-Seccomp BPF, oluzosetshenziswa njengesihlungi esinamakhodi ahlukene okubuyisela kuye ngezinqumo ezenziwe;

— layisha isihlungi usebenzisa i-prctl.

Okokuqala udinga izihloko ezivela kulabhulali ejwayelekile kanye ne-Linux kernel:

#include <errno.h>
#include <linux/audit.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>

Ngaphambi kokuzama lesi sibonelo, kufanele siqinisekise ukuthi i-kernel ihlanganiswe ne-CONFIG_SECCOMP kanye ne-CONFIG_SECCOMP_FILTER isethwe ukuze ithi y. Emshinini osebenzayo ungabheka lokhu kanje:

cat /proc/config.gz| zcat | grep -i CONFIG_SECCOMP

Ikhodi esele iwumsebenzi wokuhlunga_wezingxenye ezimbili. Ingxenye yokuqala iqukethe uhlu lwethu lwemiyalo yokuhlunga ye-BPF:

static int install_filter(int nr, int arch, int error) {
  struct sock_filter filter[] = {
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3),
    BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
    BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (error & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
  };

Imiyalo isethwe kusetshenziswa amamakhro e-BPF_STMT kanye ne-BPF_JUMP achazwe kufayela le-linux/filter.h.
Ake sidlule imiyalelo.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS (offsetof(struct seccomp_data, arch))) - isistimu ilayisha futhi inqwabelana isuka ku-BPF_LD ngesimo segama elithi BPF_W, idatha yephakethe itholakala endaweni engaguquki BPF_ABS.

- BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, arch, 0, 3) - ihlola kusetshenziswa i-BPF_JEQ ukuthi inani lezakhiwo ku-accumulator engaguquki ye-BPF_K liyalingana yini ne-arch. Uma kunjalo, yeqela ku-offset 0 ukuya emyalezweni olandelayo, kungenjalo yeqa ku-offset 3 (kulokhu) ukuze uphonsa iphutha ngoba i-arch ayifani.

- BPF_STMT(BPF_LD + BPF_W + BPF_ABS (offsetof(struct seccomp_data, nr))) - Ilayisha futhi iqongelele isuka ku-BPF_LD ngesimo segama elithi BPF_W, okuyinombolo yocingo yesistimu equkethwe ku-fixed offset ye-BPF_ABS.

— BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, nr, 0, 1) — iqhathanisa inombolo yekholi yesistimu nevelu ye-nr variable. Uma zilingana, idlulela emyalelweni olandelayo futhi ikhubaze ikholi yesistimu, ngaphandle kwalokho ivumela ikholi yesistimu nge-SECCOMP_RET_ALLOW.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (iphutha & SECCOMP_RET_DATA)) - inqamula uhlelo nge-BPF_RET futhi ngenxa yalokho ikhiqiza iphutha elingu-SECCOMP_RET_ERRNO ngenombolo evela kokuguquguqukayo kwephutha.

- BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW) - inqamula uhlelo nge-BPF_RET futhi ivumela ikholi yesistimu ukuthi yenziwe kusetshenziswa i-SECCOMP_RET_ALLOW.

I-SECCOMP I-CBPF
Ungase uzibuze ukuthi kungani kusetshenziswa uhlu lwemiyalo esikhundleni sento ehlanganisiwe ye-ELF noma uhlelo oluhlanganisiwe lwe-JIT.

Kunezizathu ezimbili zalokhu.

• Okokuqala, i-Seccomp isebenzisa i-cBPF (i-BPF yakudala) hhayi i-eBPF, okusho ukuthi: ayinawo amarejista, kodwa kuphela i-accumulator yokugcina umphumela wokubala wokugcina, njengoba kubonakala esibonelweni.

• Okwesibili, i-Seccomp yamukela inkomba yemiyalelo ye-BPF ngokuqondile hhayi okunye. Amamakhro esiwasebenzisile asiza nje ukucacisa le miyalo ngendlela elungele umhleli.

Uma udinga usizo olwengeziwe lokuqonda lo mhlangano, cabangela i-pseudocode eyenza into efanayo:

if (arch != AUDIT_ARCH_X86_64) {
    return SECCOMP_RET_ALLOW;
}
if (nr == __NR_write) {
    return SECCOMP_RET_ERRNO;
}
return SECCOMP_RET_ALLOW;

Ngemva kokuchaza ikhodi yokuhlunga esakhiweni se-socket_filter, udinga ukuchaza i-sock_fprog equkethe ikhodi nobude obubaliwe besihlungi. Lesi sakhiwo sedatha siyadingeka njengempikiswano yokumemezela inqubo ezoqalisa kamuva:

struct sock_fprog prog = {
   .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
   .filter = filter,
};

Kunento eyodwa kuphela esele okufanele yenziwe ku-install_filter - layisha uhlelo ngokwalo! Ukwenza lokhu, sisebenzisa i-prctl, sithatha i-PR_SET_SECCOMP njengenketho yokufaka imodi yekhompyutha evikelekile. Bese sitshela imodi ukuthi ilayishe isihlungi isebenzisa i-SECCOMP_MODE_FILTER, equkethwe ekuguquguqukeni kwe-prog yohlobo lwe-sock_fprog:

  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
    perror("prctl(PR_SET_SECCOMP)");
    return 1;
  }
  return 0;
}

Okokugcina, singasebenzisa umsebenzi wethu we-install_filter, kodwa ngaphambi kwalokho sidinga ukusebenzisa i-prctl ukusetha i-PR_SET_NO_NEW_PRIVS yokwenza kwamanje futhi ngaleyo ndlela sigweme isimo lapho izinqubo zezingane zithola amalungelo amaningi kunabazali bazo. Ngalokhu, singenza amakholi we-prctl alandelayo ku-install_filter umsebenzi ngaphandle kokuba namalungelo ezimpande.

Manje singabiza umsebenzi we-install_filter. Masivimbe zonke izingcingo zesistimu zokubhala ezihlobene nezakhiwo ze-X86-64 futhi simane sinikeze imvume evimba yonke imizamo. Ngemva kokufaka isihlungi, siqhubeka nokwenza sisebenzisa impikiswano yokuqala:

int main(int argc, char const *argv[]) {
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
   perror("prctl(NO_NEW_PRIVS)");
   return 1;
  }
   install_filter(__NR_write, AUDIT_ARCH_X86_64, EPERM);
  return system(argv[1]);
 }

Ake siqale. Ukuze sihlanganise uhlelo lwethu singasebenzisa i-clang noma i-gcc, noma iyiphi indlela ihlanganisa ifayela le-main.c ngaphandle kwezinketho ezikhethekile:

clang main.c -o filter-write

Njengoba kuphawuliwe, sivimbe konke okufakiwe ohlelweni. Ukuze uhlole lokhu udinga uhlelo olukhipha okuthile - ls libukeka njengekhandidethi elihle. Ngale ndlela ngokuvamile aziphatha ngayo:

ls -la
total 36
drwxr-xr-x 2 fntlnz users 4096 Apr 28 21:09 .
drwxr-xr-x 4 fntlnz users 4096 Apr 26 13:01 ..
-rwxr-xr-x 1 fntlnz users 16800 Apr 28 21:09 filter-write
-rw-r--r-- 1 fntlnz users 19 Apr 28 21:09 .gitignore
-rw-r--r-- 1 fntlnz users 1282 Apr 28 21:08 main.c

Kuhle! Nakhu ukuthi ukusebenzisa uhlelo lwethu lokugoqa kubukeka kanjani: Simane siphumelele uhlelo esifuna ukuluhlola njengengxabano yokuqala:

./filter-write "ls -la"

Uma lwenziwa, lolu hlelo lukhiqiza okukhiphayo okungenalutho ngokuphelele. Nokho, singasebenzisa i-strace ukuze sibone ukuthi kwenzekani:

strace -f ./filter-write "ls -la"

Umphumela womsebenzi ufushaniswe kakhulu, kodwa ingxenye yawo ehambisanayo ibonisa ukuthi amarekhodi avinjwe ngephutha le-EPERM - lona elifanayo esilimisile. Lokhu kusho ukuthi uhlelo alukhiphi lutho ngoba alukwazi ukufinyelela ikholi yesistimu yokubhala:

[pid 25099] write(2, "ls: ", 4) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "write error", 11) = -1 EPERM (Operation not permitted)
[pid 25099] write(2, "n", 1) = -1 EPERM (Operation not permitted)

Manje usuyaqonda ukuthi i-Seccomp BPF isebenza kanjani futhi unombono omuhle wokuthi yini ongayenza ngayo. Kodwa ubungeke yini uthande ukuzuza into efanayo nge-eBPF esikhundleni se-cBPF ukusebenzisa amandla ayo aphelele?

Uma becabanga ngezinhlelo ze-eBPF, abantu abaningi bacabanga ukuthi bamane bazibhale futhi bazilayishe ngamalungelo omlawuli. Nakuba lesi sitatimende ngokuvamile siyiqiniso, i-kernel isebenzisa isethi yezindlela zokuvikela izinto ze-eBPF emazingeni ahlukahlukene. Lezi zindlela zibizwa ngokuthi i-BPF LSM traps.

Izicupho ze-BPF LSM

Ukuhlinzeka ngokuqapha okuzimele kwezakhiwo kwemicimbi yesistimu, i-LSM isebenzisa umqondo wezicupho. Ucingo lwe-hook lufana ngokobuchwepheshe nocingo lwesistimu, kodwa luzimele futhi luhlanganiswe nengqalasizinda. I-LSM ihlinzeka ngomqondo omusha lapho isendlalelo esishubile singasiza ekugwemeni izinkinga okuhlangatshezwana nazo lapho kukhulunywa ngezingcingo zesistimu ezakhiweni ezahlukene.

Ngesikhathi sokubhala, i-kernel inamahhuku ayisikhombisa ahlotshaniswa nezinhlelo ze-BPF, futhi i-SELinux ukuphela kwe-LSM eyakhelwe ngaphakathi ezisebenzisayo.

Ikhodi yomthombo yezicupho itholakala esihlahleni se-kernel kufayela ihlanganisa/linux/security.h:

extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
extern int security_bpf_prog(struct bpf_prog *prog);
extern int security_bpf_map_alloc(struct bpf_map *map);
extern void security_bpf_map_free(struct bpf_map *map);
extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
extern void security_bpf_prog_free(struct bpf_prog_aux *aux);

Ngamunye wabo uzobizwa ngezigaba ezahlukene zokubulawa:

- security_bpf - yenza isheke lokuqala lezingcingo zesistimu ye-BPF ezenziwe;

- security_bpf_map - ibheka ukuthi i-kernel ibuyisela nini isichazi sefayela semephu;

- security_bpf_prog - ihlola ukuthi i-kernel ibuyisela nini isichazi sefayela sohlelo lwe-eBPF;

— security_bpf_map_alloc — ihlola ukuthi inkambu yokuvikela engaphakathi kwamamephu e-BPF iqaliwe yini;

- security_bpf_map_free - ihlola ukuthi inkambu yezokuphepha isuliwe yini ngaphakathi kwamamephu e-BPF;

— security_bpf_prog_alloc — ihlola ukuthi inkambu yezokuphepha iqalisiwe yini ngaphakathi kwezinhlelo ze-BPF;

- security_bpf_prog_free - ihlola ukuthi inkambu yokuvikela isuliwe yini ngaphakathi kwezinhlelo ze-BPF.

Manje, ngokubona konke lokhu, siyaqonda: umbono ngemuva kwe-LSM BPF interceptors ukuthi banganikeza isivikelo kuyo yonke into ye-eBPF, baqinisekise ukuthi yilabo kuphela abanamalungelo afanelekile abangakwazi ukwenza imisebenzi kumakhadi nezinhlelo.

Isifingqo

Ukuvikeleka akuyona into ongayisebenzisa ngendlela yobukhulu obubodwa kuyo yonke into ofuna ukuyivikela. Kubalulekile ukukwazi ukuvikela izinhlelo emazingeni ahlukene nangezindlela ezahlukene. Ukholwa noma ungakholwa, indlela engcono kakhulu yokuvikela uhlelo ukuhlela amazinga ahlukene okuvikela kusuka ezikhundleni ezahlukene, ukuze ukunciphisa ukuphepha kwezinga elilodwa kungavumeli ukufinyelela kulo lonke uhlelo. Onjiniyela abayinhloko benze umsebenzi omuhle kakhulu wokusinika isethi yezendlalelo ezahlukene kanye nezindawo zokuthinta. Sithemba ukuthi sikunikeze ukuqonda okuhle kokuthi ziyini izendlalelo nokuthi ungazisebenzisa kanjani izinhlelo ze-BPF ukuze usebenze nazo.

Mayelana nababhali

UDavid Calavera yi-CTO kwa-Netlify. Usebenze ekusekeleni i-Docker futhi waba nesandla ekuthuthukisweni kwamathuluzi e-Runc, Go kanye ne-BCC, kanye namanye amaphrojekthi omthombo ovulekile. Waziwa ngomsebenzi wakhe kumaphrojekthi we-Docker kanye nokuthuthukiswa kwe-Docker plugin ecosystem. UDavid unothando olukhulu ngamagrafu omlilo futhi uhlale ebheke ukuthuthukisa ukusebenza kahle.

Lorenzo Fontana usebenza eqenjini lemithombo evulekile e-Sysdig, lapho ngokuyinhloko egxile khona ku-Falco, iphrojekthi ye-Cloud Native Computing Foundation ehlinzeka ngokuvikeleka kwesikhathi sokusebenza kweziqukathi nokutholwa okungaqondakali ngemojula ye-kernel ne-eBPF. Unentshisekelo ngezinhlelo ezisabalalisiwe, isoftware echazwa yinethiwekhi, i-Linux kernel, nokuhlaziywa kokusebenza.

»Imininingwane eyengeziwe mayelana nencwadi ingatholakala kokuthi iwebhusayithi yomshicileli
» Uhlu lokuqukethwe
» Ingcaphuno

Ngesaphulelo esingu-25% se-Khabrozhiteley usebenzisa isigqebhezana - Linux

Ngemva kokukhokhwa kwenguqulo yephepha yencwadi, incwadi ye-elekthronikhi izothunyelwa nge-imeyili.

Source: www.habr.com

Engeza amazwana