tetragon: log current security context if any at startup

Signed-off-by: Djalal Harouni <[email protected]>
cilium · Feb 25, 2024 · 4ae0e3f · 4ae0e3f
1 parent 1a8e6f6
commit 4ae0e3f
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/cmd/tetragon/main.go b/cmd/tetragon/main.go
@@ -44,6 +44,7 @@ import (
 	"github.com/cilium/tetragon/pkg/process"
 	"github.com/cilium/tetragon/pkg/ratelimit"
 	"github.com/cilium/tetragon/pkg/reader/namespace"
+	"github.com/cilium/tetragon/pkg/reader/proc"
 	"github.com/cilium/tetragon/pkg/rthooks"
 	"github.com/cilium/tetragon/pkg/sensors/base"
 	"github.com/cilium/tetragon/pkg/sensors/program"
@@ -173,6 +174,9 @@ func tetragonExecute() error {
 	log.WithField("version", version.Version).Info("Starting tetragon")
 	log.WithField("config", viper.AllSettings()).Info("config settings")
 
+	// Log early security context in case something fails
+	proc.LogCurrentSecurityContext()
+
 	// When an instance terminates or restarts it may cleanup bpf programs,
 	// having a check here to see if another instance is already running, can
 	// help debug errors.

diff --git a/pkg/reader/proc/proc.go b/pkg/reader/proc/proc.go
@@ -10,6 +10,10 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+
+	"github.com/cilium/tetragon/pkg/logger"
+	"github.com/cilium/tetragon/pkg/option"
+	"github.com/sirupsen/logrus"
 )
 
 // Status reflects fields of `/proc/[pid]/status` and other
@@ -249,3 +253,35 @@ func PrependPath(s string, b []byte) []byte {
 	fullCmd := strings.Join(split[0:], "\u0000")
 	return []byte(fullCmd)
 }
+
+// LogCurrentLSMContext() Logs the current LSM security context.
+func LogCurrentSecurityContext() {
+	lsms := map[string]string{
+		"selinux":  "",
+		"apparmor": "",
+		"smack":    "",
+	}
+
+	logLSM := false
+	for k := range lsms {
+		path := ""
+		if k == "selinux" {
+			path = filepath.Join(option.Config.ProcFS, "/self/attr/current")
+		} else {
+			path = filepath.Join(option.Config.ProcFS, fmt.Sprintf("/self/attr/%s/current", k))
+		}
+		data, err := os.ReadFile(path)
+		if err == nil && len(data) > 0 {
+			lsms[k] = strings.TrimRight(string(data), "\n")
+			logLSM = true
+		}
+	}
+
+	if logLSM {
+		logger.GetLogger().WithFields(logrus.Fields{
+			"SELinux":  lsms["selinux"],
+			"AppArmor": lsms["apparmor"],
+			"Smack":    lsms["smack"],
+		}).Info("Tetragon current Security context")
+	}
+}