
tetragon: Support IMA hash collection for LSM sensor
Adding support for IMA hash collection in Post Action.
Adding IMA hashes to LSM events. The hash is represented as a
string of the form algorithm:value. Support loading the lsm.s/ima_* program
for one of the LSM hooks (file_open, mmap_file, bprm_check_security).

Signed-off-by: Andrei Fedotov <[email protected]>
anfedotoff committed Aug 29, 2024
1 parent e38e738 commit f9e5ac0
Showing 22 changed files with 646 additions and 292 deletions.
1 change: 1 addition & 0 deletions api/v1/README.md


13 changes: 13 additions & 0 deletions api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go


283 changes: 147 additions & 136 deletions api/v1/tetragon/tetragon.pb.go


2 changes: 2 additions & 0 deletions api/v1/tetragon/tetragon.proto
Expand Up @@ -546,6 +546,8 @@ message ProcessLsm {
KprobeAction action = 8;
// Tags of the Tracing Policy to categorize the event.
repeated string tags = 9;
// IMA file hash. Format algorithm:value.
string ima_hash = 11;
}

message KernelModule {
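Review bot: The comment on the new `ima_hash` field of `ProcessLsm` gives the format but not the absent case, and the field number jumps from 9 to 11 with no `reserved 10;` to explain the gap. The Go converter leaves the string empty when no hash was collected, so I would extend the comment to `// IMA file hash. Format algorithm:value (md5, sha1, sha224, sha256, sha384 or sha512); empty when no hash was collected.` Unless 10 is already used earlier in the message, a `reserved 10;` line would keep the number from being reused by a later field with a different meaning.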
1 change: 1 addition & 0 deletions docs/content/en/docs/reference/grpc-api.md


1 change: 1 addition & 0 deletions pkg/api/processapi/processapi.go
Expand Up @@ -43,6 +43,7 @@ const (
MSG_COMMON_FLAG_RETURN = 0x1
MSG_COMMON_FLAG_KERNEL_STACKTRACE = 0x2
MSG_COMMON_FLAG_USER_STACKTRACE = 0x4
MSG_COMMON_FLAG_IMA_HASH = 0x8

BINARY_PATH_MAX_LEN = 256

26 changes: 26 additions & 0 deletions pkg/grpc/tracing/tracing.go
Expand Up @@ -4,6 +4,7 @@
package tracing

import (
"encoding/hex"
"fmt"

"github.com/cilium/tetragon/pkg/metrics/eventcachemetrics"
Expand Down Expand Up @@ -815,13 +816,19 @@ func (msg *MsgGenericUprobeUnix) Cast(o interface{}) notify.Message {
return &t
}

type MsgImaHash struct {
Algo int32 `align:"algo"`
Hash [64]uint8 `align:"hash"`
}

type MsgGenericLsmUnix struct {
Msg *tracingapi.MsgGenericKprobe
Hook string
Args []tracingapi.MsgGenericKprobeArg
PolicyName string
Message string
Tags []string
ImaHash MsgImaHash
}

func (msg *MsgGenericLsmUnix) Notify() bool {
Expand Down Expand Up @@ -896,6 +903,25 @@ func GetProcessLsm(event *MsgGenericLsmUnix) *tetragon.ProcessLsm {
Tags: event.Tags,
}

switch event.ImaHash.Algo {
case 1: // MD5
tetragonEvent.ImaHash = fmt.Sprintf("md5:%s", hex.EncodeToString(event.ImaHash.Hash[:16]))
case 2: // SHA1
tetragonEvent.ImaHash = fmt.Sprintf("sha1:%s", hex.EncodeToString(event.ImaHash.Hash[:20]))
case 4: // SHA256
tetragonEvent.ImaHash = fmt.Sprintf("sha256:%s", hex.EncodeToString(event.ImaHash.Hash[:32]))
case 5: // SHA384
tetragonEvent.ImaHash = fmt.Sprintf("sha384:%s", hex.EncodeToString(event.ImaHash.Hash[:48]))
case 6: // SHA512
tetragonEvent.ImaHash = fmt.Sprintf("sha512:%s", hex.EncodeToString(event.ImaHash.Hash[:]))
case 7: // SHA224
tetragonEvent.ImaHash = fmt.Sprintf("sha224:%s", hex.EncodeToString(event.ImaHash.Hash[:28]))
case -1: // No hash in the map
break
default:
logger.GetLogger().Debugf("bpf_ima_inode_hash/bpf_ima_file_hash returned code: %d", event.ImaHash.Algo)
}

if tetragonProcess.Pid == nil {
eventcachemetrics.EventCacheError(eventcachemetrics.NilProcessPid, notify.EventType(tetragonEvent)).Inc()
return nil
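Review bot: The `switch event.ImaHash.Algo` added to `GetProcessLsm` keys on bare integers that are the kernel's `enum hash_algo` ids (HASH_ALGO_MD5 = 1 … HASH_ALGO_SHA224 = 7) and repeats the same `fmt.Sprintf`/`hex.EncodeToString` line six times with a per-algorithm digest length, which is easy to get wrong when another algorithm is added; a small table keyed by the id keeps the name and digest length together and collapses the rest to one lookup. The `-1` sentinel for "no hash in the map" has the same value as `-EPERM`, so if the BPF side stores the helper's raw return value a real permission error would be indistinguishable from "not collected" — worth confirming against the loader. Failed lookups are only logged at Debug level, so operators get no signal when integrity evidence is silently missing from events; a counter on the default branch would be cheaper than a log line and visible in production. `MsgImaHash` is exported without a doc comment; I would add `// MsgImaHash is the IMA digest copied from the BPF event: Algo is the kernel hash_algo id (-1 when none was recorded) and Hash holds the digest in its leading bytes.` `GetProcessLsm` starts and ends outside this hunk.
```go
// imaHashAlgos maps the kernel's enum hash_algo ids to the name emitted in
// ProcessLsm.ima_hash and to the digest length in bytes.
var imaHashAlgos = map[int32]struct {
	name string
	size int
}{
	1: {"md5", 16},
	2: {"sha1", 20},
	4: {"sha256", 32},
	5: {"sha384", 48},
	6: {"sha512", 64},
	7: {"sha224", 28},
}

// … unchanged: MsgImaHash, MsgGenericLsmUnix, start of GetProcessLsm …

	if algo, ok := imaHashAlgos[event.ImaHash.Algo]; ok {
		tetragonEvent.ImaHash = algo.name + ":" + hex.EncodeToString(event.ImaHash.Hash[:algo.size])
	} else if event.ImaHash.Algo != -1 { // -1: no hash in the map
		logger.GetLogger().Debugf("bpf_ima_inode_hash/bpf_ima_file_hash returned code: %d", event.ImaHash.Algo)
	}

	// … unchanged: nil-pid check …
```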
Expand Up @@ -383,6 +383,11 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
type: boolean
required:
- action
type: object
Expand Down Expand Up @@ -994,6 +999,11 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
type: boolean
required:
- action
type: object
Expand Down Expand Up @@ -1313,6 +1323,11 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
type: boolean
required:
- action
type: object
Expand Down Expand Up @@ -1636,6 +1651,11 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
type: boolean
required:
- action
type: object
Expand Down Expand Up @@ -1955,6 +1975,11 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
type: boolean
required:
- action
type: object
Expand Down Expand Up @@ -2215,6 +2240,11 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
type: boolean
required:
- action
type: object
Expand Down Expand Up @@ -2534,6 +2564,11 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
type: boolean
required:
- action
type: object
Expand Up @@ -383,6 +383,10 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
required:
- action
type: object
Expand Down Expand Up @@ -702,6 +706,10 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
required:
- action
type: object
Expand Down Expand Up @@ -994,6 +1002,10 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
required:
- action
type: object
Expand Down Expand Up @@ -1313,6 +1325,10 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
required:
- action
type: object
Expand Down Expand Up @@ -1636,6 +1652,10 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
required:
- action
type: object
Expand Down Expand Up @@ -1955,6 +1975,10 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
required:
- action
type: object
Expand Down Expand Up @@ -2215,6 +2239,10 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
required:
- action
type: object
Expand Down Expand Up @@ -2534,6 +2562,10 @@ spec:
description: Enable user stack trace export. Only
valid with the post action.
type: boolean
imaHash:
description: Enable collection of file hashes
from integrity subsystem. Only valid with the
post action.
required:
- action
type: object
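Review bot: Every `imaHash` property added in this file section is missing its `type: boolean` line (all eight hunks, 383 through 2534), while the matching hunks in the preceding file section carry `type: boolean` after the description. A property with no type breaks the structural-schema requirement of apiextensions.k8s.io/v1, so the CRD is either rejected by the API server or, at best, accepts any value for the field; each block should read `imaHash:` / `description: …` / `type: boolean`, as in the other file. The file header for this section is not shown, so I cannot tell whether it is generated output; if it is, the file should be regenerated rather than hand-patched so the two CRDs stay in sync.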
4 changes: 4 additions & 0 deletions pkg/k8s/apis/cilium.io/v1alpha1/types.go
Expand Up @@ -243,6 +243,10 @@ type ActionSelector struct {
// +kubebuilder:validation:Optional
// Enable user stack trace export. Only valid with the post action.
UserStackTrace bool `json:"userStackTrace"`
// +kubebuilder:validation:Optional
// Enable collection of file hashes from integrity subsystem.
// Only valid with the post action.
ImaHash bool `json:"imaHash"`
}

type TracepointSpec struct {
2 changes: 1 addition & 1 deletion pkg/k8s/apis/cilium.io/v1alpha1/version.go
Expand Up @@ -7,4 +7,4 @@ package v1alpha1
// Used to determine if CRD needs to be updated in cluster
//
// Developers: Bump patch for each change in the CRD schema.
const CustomResourceDefinitionSchemaVersion = "1.2.4"
const CustomResourceDefinitionSchemaVersion = "1.2.5"
17 changes: 17 additions & 0 deletions pkg/kernels/kernels.go
Expand Up @@ -9,6 +9,7 @@ import (
"strings"

"github.com/cilium/tetragon/pkg/bpf"
"github.com/cilium/tetragon/pkg/logger"
"github.com/cilium/tetragon/pkg/option"

"golang.org/x/sys/unix"
Expand Down Expand Up @@ -162,3 +163,19 @@ func GenericKprobeObjs() (string, string) {
}
return "bpf_generic_kprobe.o", "bpf_generic_retkprobe.o"
}

func EnableIMA() bool {
_, err := os.Stat("/sys/kernel/security/integrity/ima")
if err != nil {
return false
}
b, err := os.ReadFile("/proc/cmdline")
if err != nil {
logger.GetLogger().WithError(err).Error("failed to read /proc/cmdline")
return false
}
if !strings.Contains(string(b), "ima_policy=") {
return false
}
return true
}
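Review bot: `EnableIMA` reports hash collection as unavailable whenever `ima_policy=` is absent from `/proc/cmdline`, but an IMA policy can also be loaded at runtime by writing to the securityfs `ima/policy` file, so on such hosts the sensor would be disabled without any message; the `os.Stat` failure on the first check is likewise silent while the `/proc/cmdline` read failure is logged as an error. I would log at Info level which of the checks failed so an operator can see why events carry no hash, and consider probing the securityfs `ima` directory or its `policy` file instead of the boot parameter — to be confirmed against what the `lsm.s/ima_*` program actually needs. The name reads as an action although the function only probes; `IMAEnabled` (or an unexported `imaAvailable`) would describe it better if the callers can be updated, and it needs a doc comment starting with its name. The tail can be a single line: `return strings.Contains(string(b), "ima_policy=")`.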
5 changes: 5 additions & 0 deletions pkg/selectors/kernel.go
Expand Up @@ -963,6 +963,11 @@ func ParseMatchAction(k *KernelSelectorState, action *v1alpha1.ActionSelector, a
userStackTrace = 1
}
WriteSelectorUint32(&k.data, userStackTrace)
imaHash := uint32(0)
if action.ImaHash {
imaHash = 1
}
WriteSelectorUint32(&k.data, imaHash)
case ActionTypeNoPost:
// no arguments
case ActionTypeSigKill:
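Review bot: The bool-to-uint32 conversion added for `imaHash` is a copy of the `userStackTrace` block just above it; a one-line helper such as `func boolToU32(b bool) uint32` would remove the duplication, though that is mostly style. More substantively, the CRD describes `imaHash` as only valid with the post action, yet this hunk (presumably inside the `ActionTypePost` case, since `ActionTypeNoPost` follows) just writes the flag and nothing visible rejects `imaHash: true` on other actions — unless that is validated elsewhere, `ParseMatchAction` should return an error for it as the doc string promises. The extra uint32 also extends the selector record the BPF side parses, so the matching BPF-side read must land in the same commit (not shown here). `ParseMatchAction` starts and ends outside this hunk.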