
chore: sample memfd_create rule #484

Merged
merged 2 commits into from
Nov 2, 2022

Conversation

krol3
Contributor

@krol3 krol3 commented Oct 18, 2022

Hi! I would like to validate how to detect memfd_call and use the file descriptor to execute.

More notes about the output of this policy and the image test, here

@krol3 krol3 requested a review from a team as a code owner October 18, 2022 18:32
@krol3 krol3 requested a review from tixxdz October 18, 2022 18:32
@tixxdz
Member

tixxdz commented Oct 19, 2022

Hi @krol3 thank you for providing this example.

Something like this may work:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "demo-memfd"
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: int
    - index: 1
      type: "file"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: true
        isNamespacePID: true
        values:
        - 0
        - 1
      matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "memfd:"
      matchActions:
      - action: FollowFD
        argFd: 0
        argName: 1
  - call: "__x64_sys_close"
    syscall: true
    args:
    - index: 0
      type: "int"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: true
        isNamespacePID: true
        values:
        - 0
        - 1
      matchActions:
      - action: UnfollowFD
        argFd: 0
        argName: 0
  # int memfd_create(const char *name, unsigned int flags);
  - call: "__x64_sys_memfd_create"
    syscall: true
    args:
    - index: 0
      type: "string"
    - index: 1
      type: "int"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: true
        isNamespacePID: true
        values:
        - 0
        - 1
  - call: "__x64_sys_execve"
    syscall: true
    args:
    - index: 0
      type: "string"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: true
        isNamespacePID: true
        values:
        - 0
        - 1
      matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/proc/self/fd/"
      matchActions:
      - action: Sigkill

Detection is not that hard; it may even give you the binary name that started this, to track it. You may tune up that followForks depending on your environment: https://github.com/cilium/tetragon/blob/main/pkg/k8s/apis/cilium.io/client/crds/v1alpha1/cilium.io_tracingpolicies.yaml#L376

For killing, it works, but please do test it; I will try to test this on a k8s deployment tomorrow.

IIRC runc self-execs through memfd, so I hope this won't kill it; otherwise we can improve our matchBinaries to use the NotIn operator to exclude runc and other legitimate binaries... ah, also this is just execve()...

BTW, as said, I didn't finish, but we are going to make this detected by default as part of the execve() events.

Output running with that CRD:

# /usr/bin/memfdloader /bin/true
Killed
{
  "process_exec": {
    "process": {
      "exec_id": "OjIyNjY5MzYyODY1NjE2OjkzOTIw",
      "pid": 93920,
      "uid": 0,
      "cwd": "/home/tixxdz",
      "binary": "/usr/bin/memfdloader",
      "arguments": "/bin/true",
      "flags": "execve clone",
      "start_time": "2022-10-19T22:14:08.935541040Z",
      "auid": 1000,
      "parent_exec_id": "OjIyNjU2NjIxOTEwMzQwOjkzODkx"
    },
    "parent": {
      "exec_id": "OjIyNjU2NjIxOTEwMzQwOjkzODkx",
      "pid": 93891,
      "uid": 0,
      "cwd": "/home/tixxdz",
      "binary": "/bin/bash",
      "flags": "execve clone",
      "start_time": "2022-10-19T22:13:56.194585073Z",
      "auid": 1000,
      "parent_exec_id": "OjIyNjU2NjIxNDgzNzQxOjkzODkw",
      "refcnt": 3
    }
  },
  "time": "2022-10-19T22:14:08.935551676Z"
}
{
  "process_kprobe": {
    "process": {
      "exec_id": "OjIyNjY5MzYyODY1NjE2OjkzOTIw",
      "pid": 93920,
      "uid": 0,
      "cwd": "/home/tixxdz",
      "binary": "/usr/bin/memfdloader",
      "arguments": "/bin/true",
      "flags": "execve clone",
      "start_time": "2022-10-19T22:14:08.935541040Z",
      "auid": 1000,
      "parent_exec_id": "OjIyNjU2NjIxOTEwMzQwOjkzODkx",
      "refcnt": 1
    },
    "parent": {
      "exec_id": "OjIyNjU2NjIxOTEwMzQwOjkzODkx",
      "pid": 93891,
      "uid": 0,
      "cwd": "/home/tixxdz",
      "binary": "/bin/bash",
      "flags": "execve clone",
      "start_time": "2022-10-19T22:13:56.194585073Z",
      "auid": 1000,
      "parent_exec_id": "OjIyNjU2NjIxNDgzNzQxOjkzODkw",
      "refcnt": 2
    },
    "function_name": "__x64_sys_memfd_create",
    "args": [
      {
        "string_arg": ""
      },
      {
        "int_arg": 0
      }
    ],
    "action": "KPROBE_ACTION_POST"
  },
  "time": "2022-10-19T22:14:08.937854039Z"
}
{
  "process_kprobe": {
    "process": {
      "exec_id": "OjIyNjY5MzYyODY1NjE2OjkzOTIw",
      "pid": 93920,
      "uid": 0,
      "cwd": "/home/tixxdz",
      "binary": "/usr/bin/memfdloader",
      "arguments": "/bin/true",
      "flags": "execve clone",
      "start_time": "2022-10-19T22:14:08.935541040Z",
      "auid": 1000,
      "parent_exec_id": "OjIyNjU2NjIxOTEwMzQwOjkzODkx",
      "refcnt": 1
    },
    "parent": {
      "exec_id": "OjIyNjU2NjIxOTEwMzQwOjkzODkx",
      "pid": 93891,
      "uid": 0,
      "cwd": "/home/tixxdz",
      "binary": "/bin/bash",
      "flags": "execve clone",
      "start_time": "2022-10-19T22:13:56.194585073Z",
      "auid": 1000,
      "parent_exec_id": "OjIyNjU2NjIxNDgzNzQxOjkzODkw",
      "refcnt": 2
    },
    "function_name": "__x64_sys_execve",
    "args": [
      {
        "string_arg": "/proc/self/fd/3"
      }
    ],
    "action": "KPROBE_ACTION_SIGKILL"
  },
  "time": "2022-10-19T22:14:08.938357602Z"
}
{
  "process_exit": {
    "process": {
      "exec_id": "OjIyNjY5MzYyODY1NjE2OjkzOTIw",
      "pid": 93920,
      "uid": 0,
      "cwd": "/home/tixxdz",
      "binary": "/usr/bin/memfdloader",
      "arguments": "/bin/true",
      "flags": "execve clone",
      "start_time": "2022-10-19T22:14:08.935541040Z",
      "auid": 1000,
      "parent_exec_id": "OjIyNjU2NjIxOTEwMzQwOjkzODkx"
    },
    "parent": {
      "exec_id": "OjIyNjU2NjIxOTEwMzQwOjkzODkx",
      "pid": 93891,
      "uid": 0,
      "cwd": "/home/tixxdz",
      "binary": "/bin/bash",
      "flags": "execve clone",
      "start_time": "2022-10-19T22:13:56.194585073Z",
      "auid": 1000,
      "parent_exec_id": "OjIyNjU2NjIxNDgzNzQxOjkzODkw",
      "refcnt": 1
    },
    "signal": "SIGKILL"
  },
  "time": "2022-10-19T22:14:08.938919410Z"
}
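The event stream above already contains everything needed to pair the memfd_create call with the later execve of /proc/self/fd/3 from the same process. The script below is an added example, not Tetragon's own code or anything from this PR: it reads newline-delimited Tetragon JSON events (the format quoted above), keys them by exec_id so that events from different processes are never cross-matched, records which processes called memfd_create, flags any later execve whose path starts with /proc/self/fd/, and marks the finding as enforced when a process_exit with SIGKILL follows. The sample events are constructed from the output quoted above, trimmed to the fields the script reads; the helper names (_event, correlate, FD_EXEC_PREFIX) are this example's own.

```python
"""Correlate Tetragon JSON events into a memfd-then-execve finding.

Added example (not Tetragon's own code). Input is the newline-delimited
JSON that Tetragon prints, as quoted in the PR thread above.
"""
import json
from typing import Dict, Iterable, List

# Prefix the policy's execve selector matches on (from the TracingPolicy above).
FD_EXEC_PREFIX = "/proc/self/fd/"

# Constructed sample process/parent records, modelled on the PR output and
# trimmed to the fields this script reads.
PROC = {"exec_id": "OjIyNjY5MzYyODY1NjE2OjkzOTIw", "pid": 93920, "uid": 0,
        "binary": "/usr/bin/memfdloader", "arguments": "/bin/true"}
PARENT = {"exec_id": "OjIyNjU2NjIxOTEwMzQwOjkzODkx", "pid": 93891, "uid": 0,
          "binary": "/bin/bash"}


def _event(kind: str, body: dict, time: str) -> str:
    """Build one JSON event line of the given kind (constructed test data)."""
    body = dict(body, process=PROC, parent=PARENT)
    return json.dumps({kind: body, "time": time})


# Four constructed events in the order Tetragon emitted them above:
# exec, memfd_create kprobe, execve kprobe (SIGKILL action), exit.
SAMPLE_EVENTS = "\n".join([
    _event("process_exec", {}, "2022-10-19T22:14:08.935551676Z"),
    _event("process_kprobe", {"function_name": "__x64_sys_memfd_create",
                              "args": [{"string_arg": ""}, {"int_arg": 0}],
                              "action": "KPROBE_ACTION_POST"},
           "2022-10-19T22:14:08.937854039Z"),
    _event("process_kprobe", {"function_name": "__x64_sys_execve",
                              "args": [{"string_arg": "/proc/self/fd/3"}],
                              "action": "KPROBE_ACTION_SIGKILL"},
           "2022-10-19T22:14:08.938357602Z"),
    _event("process_exit", {"signal": "SIGKILL"},
           "2022-10-19T22:14:08.938919410Z"),
])


def correlate(lines: Iterable[str]) -> List[dict]:
    """Return one finding per process that execve'd a /proc/self/fd/ path.

    memfd_seen_first tells whether the same exec_id called memfd_create
    earlier in the stream; killed tells whether a SIGKILL exit followed.
    """
    memfd_calls: Dict[str, dict] = {}
    findings: Dict[str, dict] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if "process_kprobe" in ev:
            kp = ev["process_kprobe"]
            proc = kp["process"]
            fn = kp.get("function_name", "")
            args = kp.get("args", [])
            first = args[0].get("string_arg", "") if args else ""
            if fn.endswith("sys_memfd_create"):
                # arg 0 is the memfd name; the kernel exposes the file as
                # "memfd:<name>", so an empty name still carries the "memfd:"
                # prefix the fd_install selector in the policy matches on.
                memfd_calls[proc["exec_id"]] = {"name": first, "time": ev["time"]}
            elif fn.endswith("sys_execve") and first.startswith(FD_EXEC_PREFIX):
                findings[proc["exec_id"]] = {
                    "pid": proc["pid"],
                    "binary": proc["binary"],
                    "parent_binary": kp.get("parent", {}).get("binary"),
                    "exec_path": first,
                    "memfd_seen_first": proc["exec_id"] in memfd_calls,
                    "policy_action": kp.get("action"),
                    "killed": False,
                }
        elif "process_exit" in ev:
            ex = ev["process_exit"]
            eid = ex["process"]["exec_id"]
            if eid in findings and ex.get("signal") == "SIGKILL":
                findings[eid]["killed"] = True
    return list(findings.values())


def summarize(finding: dict) -> str:
    """One-line human-readable rendering of a finding."""
    stage = "memfd_create -> execve" if finding["memfd_seen_first"] else "execve only"
    enforced = "killed" if finding["killed"] else "not killed"
    return (f"pid {finding['pid']} {finding['binary']} (parent {finding['parent_binary']}) "
            f"exec'd {finding['exec_path']}: {stage}, action={finding['policy_action']}, {enforced}")


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS.splitlines()):
        print(summarize(f))
```

Feeding a live stream is a matter of replacing SAMPLE_EVENTS.splitlines() with the lines read from Tetragon's JSON output; the correlation keys on exec_id rather than pid so that pid reuse on a busy host does not pair unrelated events.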

@jrfastab
Contributor

jrfastab commented Nov 2, 2022

I like the example, let's merge it. Please push any fixes if it needs some improvements.

@jrfastab jrfastab merged commit f5f7f1b into cilium:main Nov 2, 2022
@krol3
Contributor Author

krol3 commented Nov 9, 2022

> I like the example, let's merge it. Please push any fixes if it needs some improvements.

Thank you so much @jrfastab, it was with the help of the Tetragon team. Any update, please notify me so I can update my sample about this too: https://github.com/krol3/demo-fileless/blob/main/tetragon.md
