Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BPF LSM Meta Tracker #795

Open
6 of 13 tasks
daemon1024 opened this issue Aug 3, 2022 · 4 comments
Open
6 of 13 tasks

BPF LSM Meta Tracker #795

daemon1024 opened this issue Aug 3, 2022 · 4 comments
Assignees
@daemon1024
Labels
bug Something isn't working enhancement New feature or request roadmap Roadmap feature for KubeArmor

Comments

@daemon1024
Copy link
Member

daemon1024 commented Aug 3, 2022
edited

We introduced BPF LSM enforcement in v0.5, which has an initial implementation and has bugs and lacks some features. This issue thread is a tracker for all these pending work items and bug reports.
@daemon1024 daemon1024 added bug Something isn't working enhancement New feature or request roadmap Roadmap feature for KubeArmor labels Aug 3, 2022
@daemon1024 daemon1024 self-assigned this Aug 3, 2022
This was referenced Aug 4, 2022
Merged
Closed
@daemon1024 daemon1024 mentioned this issue Oct 5, 2022
Merged
@daemon1024 daemon1024 mentioned this issue Nov 1, 2022
Closed
@daemon1024 daemon1024 mentioned this issue Nov 8, 2022
Merged
5 tasks
@daemon1024
Copy link
Member Author

daemon1024 commented Nov 10, 2022
edited

To secure file operations with BPF LSM we need to expand on the hooks we use.
Like we don't restrict touch (file create) or rm (unlink).
AppArmor relies on SECURITY_PATH hooks to enforce file rules.
SECURITY_PATH hooks helps us enforce path based access control. They need the same flag enabled in the Kernel. It would be quickl to implement them since we already have the path struct. Issue is RHEL for some reason doesn't enable it by default ( why do they choose to be different always ;). AppArmor being a kernel module can add a dependency on this flag but we can't.
The alternate is to use inode based hooks. Based on this answer, Tomoyo maintainers added path hooks because they couldn't construct absolute paths from inode hooks. because inodes don't provide vfsmount but need both vfsmount and dentry to construct full path.

I found this https://stackoverflow.com/a/33078711 but will have to experiment and check. Or should we just enforce rules using PATH hooks and mark it a requirement? for full enforcement.

@nyrahul
Copy link
Contributor

nyrahul commented Nov 11, 2022

To secure file operations with BPF LSM we need to expand on the hooks we use. Like we don't restrict touch (file create) or rm (unlink). AppArmor relies on SECURITY_PATH hooks to enforce file rules. SECURITY_PATH hooks helps us enforce path based access control. They need the same flag enabled in the Kernel. It would be quickl to implement them since we already have the path struct. Issue is RHEL for some reason doesn't enable it by default ( why do they choose to be different always ;). AppArmor being a kernel module can add a dependency on this flag but we can't. The alternate is to use inode based hooks. Based on this answer, Tomoyo maintainers added path hooks because they couldn't construct absolute paths from inode hooks. because inodes don't provide vfsmount but need both vfsmount and dentry to construct full path.

I found this https://stackoverflow.com/a/33078711 but will have to experiment and check. Or should we just enforce rules using PATH hooks and mark it a requirement? for full enforcement.

So as I understand:
If we use PATH hooks, we cannot support RHEL. But the other option of using inode based hooks is still not fully clear.
I feel we can take a decision only once it is clear whether inode based hooks approach works.

Btw, taking a step back, is it possible to block unlink/file create access using seccomp-bpf? If it is possible then we can think of an alt strategy.

@daemon1024
Copy link
Member Author

If we use PATH hooks, we cannot support RHEL. But the other option of using inode based hooks is still not fully clear.

Right

I feel we can take a decision only once it is clear whether inode based hooks approach works.

Makes sense. I will look into it and try to execute things.

Btw, taking a step back, is it possible to block unlink/file create access using seccomp-bpf? If it is possible then we can think of an alt strategy.

I was under the assumption that we can only have seccomp filters per container but not entity specific inside the container? Like we have the capability list, we have a syscall list as seccomp profile. That would mean we will enforce create/unlink per container not based on directories inside container. Is it not the case 🤔

@daemon1024
Copy link
Member Author

Inode hooks should work fine,
Need some work but this commit showcases how it can be possibly achieved daemon1024/bpf-scratchpad@bbf5cd1. Basically taking mount point from task struct and combining it with the dentry from LSM hook args.

Parking the implementation and further research for later.

This was referenced Feb 16, 2023
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@daemon1024 daemon1024

Labels
bug Something isn't working enhancement New feature or request roadmap Roadmap feature for KubeArmor
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nyrahul @daemon1024