policylibrary: consolidate privileges raising operations into privileges-raise.yaml single policy #1957
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tixxdz
added
the
release-note/minor
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
tixxdz
force-pushed
the
pr/tixxdz/privileges-raise-by-userns
branch
from
2769e72
to
819c515
Compare
tixxdz
force-pushed
the
pr/tixxdz/privileges-raise-by-userns
branch
2 times, most recently
from
3b77982
to
3fff5d2
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
tixxdz
force-pushed
the
pr/tixxdz/privileges-raise-by-userns
branch
from
3fff5d2
to
a3aad8e
Compare
tixxdz
force-pushed
the
pr/tixxdz/privileges-raise-by-userns
branch
from
a3aad8e
to
0f74264
Compare
jrfastab
reviewed
Jan 26, 2024
pkg/sensors/tracing/generickprobe.go
Outdated
| @@ -1561,6 +1561,62 @@ func handleMsgGenericKprobe(m *api.MsgGenericKprobe, gk *genericKprobe, r *bytes | |||
| } | |||
| arg.Label = a.label | |||
| unix.Args = append(unix.Args, arg) | |||
| case gt.GenericKernelCap: | |||
| var output uint64 | |||
| var arg api.MsgGenericKprobeArgKernelCapType | |||
There was a problem hiding this comment.
the push 64-bit arg is a bit redundant it would be nice if we could extract that somehow to a helper. But I think the typing is a bit awkward in golang/here for that to work.
jrfastab
approved these changes
Jan 26, 2024
|
needs a rebase but otherwise lgtm. |
kkourt
reviewed
Jan 31, 2024
| case kernel_cap_ty: | ||
| case cap_inh_ty: | ||
| case cap_prm_ty: | ||
| case cap_eff_ty: |
There was a problem hiding this comment.
Why do we need a different type from the bpf side, can we just treat it as u64?
There was a problem hiding this comment.
But how we will be able to remap it into userspace to one of these?
"kernel_cap_arg": "00ff..."
"cap_effective_arg:" "00ff..."
so you pretty print which caps we are talking about effective, permitted etc
If there is a better solution I will convert to it
This adds 'privileges-raise' tracing policy that will include most operations that will raise privileges. We could rename privileges-setuid-root.yaml and add on top of it, but it seems there are users that started to reference and use that one, so let's be nice add new one to not break their links, also things are still in example directory. We definitly need a better plan in the future like how to organize tracing policies into directories and how to name the files. Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
kernel_cap_t: default type in kernel for uint64 caps cap_inheritable: for inheritable capabilities cap_permitted: for permitted set cap_effective: for the current effective set. Signed-off-by: Djalal Harouni <[email protected]>
Internally kernel handles capabilities as uint64 in kernel_cap_t, so let's add the corresponding capabilities types in order to use them in calls like security_capset. The aim is to print the arguments in hex. Signed-off-by: Djalal Harouni <[email protected]>
Support kernel_cap_t uint64 capabilities. Usually these are the ones passed to capset() to security_capset(). Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Produced event:
...
"function_name": "security_capset",
"args": [
{
"process_credentials_arg": {
{
"cap_effective_arg": "000001ffffffffff"
},
{
"cap_inheritable_arg": "0000000000000000"
},
{
"cap_permitted_arg": "000001ffffffffff"
}
],
"return": {
"int_arg": 0
},
"action": "KPROBE_ACTION_POST",
"policy_name": "privileges-raise",
"return_action": "KPROBE_ACTION_POST",
"message": "Process changed its capabilities using capset system call"
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
tixxdz
force-pushed
the
pr/tixxdz/privileges-raise-by-userns
branch
from
0f74264
to
6b6b309
Compare
|
ci failure about validate crd is tracked here: #2063. The version is updated so merging. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds kernel capability types (uint64) and consolidates some operations into single privileges-raise.yaml Tracing Policy.
Produced kprobe event:
For further details, please see patches. Doc use case will follow later.