Fix metadata service block #178

sargun · 2018-09-24T11:49:12Z

Description of the Change

This fixes a potential bypass allowing users to get to the real AWS metadata service.

codecov · 2018-09-24T12:14:46Z

Codecov Report

Merging #178 into master will increase coverage by 10.48%.
The diff coverage is 0%.

@@             Coverage Diff             @@
##           master     #178       +/-   ##
===========================================
+ Coverage   22.87%   33.36%   +10.48%     
===========================================
  Files          66       66               
  Lines        7876     7876               
===========================================
+ Hits         1802     2628      +826     
+ Misses       5861     4928      -933     
- Partials      213      320      +107

Impacted Files	Coverage Δ
vpc/bpf/filter/filter.go	`0% <0%> (ø)`	⬆️
vpc/setup/setup_linux.go	`0% <0%> (ø)`	⬆️
filesystems/watcher.go	`62% <0%> (+3.71%)`	⬆️
config/config.go	`97% <0%> (+4.5%)`	⬆️
uploader/copy.go	`50% <0%> (+5%)`	⬆️
api/netflix/titus/agent.pb.go	`29.31% <0%> (+7.56%)`	⬆️
executor/runtime/docker/capabilities.go	`88.88% <0%> (+11.11%)`	⬆️
executor/runner/runner.go	`60.62% <0%> (+11.87%)`	⬆️
executor/runtime/container.go	`91.3% <0%> (+13.04%)`	⬆️
filesystems/xattr/degrading_utils.go	`75% <0%> (+13.63%)`	⬆️
... and 9 more

coveralls · 2018-09-24T12:17:09Z

Pull Request Test Coverage Report for Build 2128

0 of 8 (0.0%) changed or added relevant lines in 2 files are covered.
No unchanged relevant lines lost coverage.
Overall coverage remained the same at 24.509%

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
vpc/bpf/filter/filter.go	0	1	0.0%
vpc/setup/setup_linux.go	0	7	0.0%

Totals
Change from base Build 2123:	0.0%
Covered Lines:	2433
Relevant Lines:	9927

💛 - Coveralls

sargun · 2018-09-24T13:02:26Z

Waiting on @rgulewich's changes before this will be merged / pass.

fabiokung · 2018-09-24T22:42:03Z

vpc/bpf/filter.c

@@ -36,8 +36,10 @@ int classifier_egress_filter(struct __sk_buff *skb) {

 	if (eth->h_proto == __constant_htons(ETH_P_IP) && iph->daddr == __constant_htonl(METADATA_SERVICE_IP))
 		return TC_ACT_SHOT;
+
 	/* See the explanation behind this in allocation_network_linux.go */


that file does not exist anymore

fabiokung · 2018-09-24T22:51:55Z

vpc/setup/setup_linux.go

 	if err != nil {
 		return err
 	}

-	return setupIFB(ctx, vpc.EgressIFB, "classifier_egress")
+	return setupIFB(ctx, vpc.EgressIFB, "classifier_egress", unix.ETH_P_ALL)


it seems that for !unix.ETH_P_ALL, the bpf filter is a noop and will always do TC_ACT_OK, or are you relying on it to validate the L2 and L3 header lengths and formats?

That should never happen (we should never get non-ethernet traffic on the interface veth that goes into the ifb).

my bad, I meant !unix.ETH_P_IP

Yes, except for the block rule, it passes through all IP traffic. The amount of non-IP traffic we receive should be minimal, but it is on my long-term TODO list (there's a JIRA for it), to make this capture and classify all container traffic, not just IPv4 traffic.

sargun force-pushed the fix-metadata-service-block branch from ede6e9a to af7c72e Compare September 24, 2018 12:14

sargun force-pushed the fix-metadata-service-block branch from af7c72e to da94e83 Compare September 24, 2018 12:49

sargun requested review from andrew-leung and fabiokung September 24, 2018 13:02

fabiokung reviewed Sep 24, 2018

View reviewed changes

fabiokung approved these changes Sep 24, 2018

View reviewed changes

sargun force-pushed the fix-metadata-service-block branch from da94e83 to e858243 Compare September 24, 2018 22:57

Sargun Dhillon added 3 commits September 26, 2018 18:01

Configure the BPF filter to only catch IPv4 traffic

f6e6110

Bump filter.go with data from filter.c

c5eb77b

Install BPF Filter for protocol all, instead of just protocol IP(v4)

183e427

sargun force-pushed the fix-metadata-service-block branch from e858243 to 183e427 Compare September 26, 2018 16:07

sargun merged commit 93c7ea8 into master Sep 26, 2018

sargun deleted the fix-metadata-service-block branch September 26, 2018 16:20

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix metadata service block #178

Fix metadata service block #178

sargun commented Sep 24, 2018

codecov bot commented Sep 24, 2018 •

edited

Loading

coveralls commented Sep 24, 2018 •

edited

Loading

sargun commented Sep 24, 2018

fabiokung Sep 24, 2018

fabiokung Sep 24, 2018

sargun Sep 24, 2018

fabiokung Sep 24, 2018

sargun Sep 24, 2018

Fix metadata service block #178

Fix metadata service block #178

Conversation

sargun commented Sep 24, 2018

Description of the Change

codecov bot commented Sep 24, 2018 • edited Loading

Codecov Report

coveralls commented Sep 24, 2018 • edited Loading

Pull Request Test Coverage Report for Build 2128

💛 - Coveralls

sargun commented Sep 24, 2018

fabiokung Sep 24, 2018

Choose a reason for hiding this comment

fabiokung Sep 24, 2018

Choose a reason for hiding this comment

sargun Sep 24, 2018

Choose a reason for hiding this comment

fabiokung Sep 24, 2018

Choose a reason for hiding this comment

sargun Sep 24, 2018

Choose a reason for hiding this comment

codecov bot commented Sep 24, 2018 •

edited

Loading

coveralls commented Sep 24, 2018 •

edited

Loading