bpf: Fix Prefix operator for matchBinaries #2718
Conversation
|
I discovered this issue while working on #2689. @mtardy , @kevsecurity , please, have a look. |
Hey I haven't looked in details but a good way to present this would be:
|
I have Tetragon running and it is armed with this policy: apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "lsm"
spec:
lsmhooks:
- hook: "file_open"
args:
- index: 0
type: "file"
selectors:
- matchBinaries:
- operator: "Prefix"
values:
- "/home/anfedotoff/go/src/github.com/cilium/tetragon/contrib/tester-progs"if I run this binary, the LSM is not triggered, but it seems to me it does. |
anfedotoff
force-pushed
the
matchbinaries-prefix-fix
branch
from
ee68207 to
ac9d609
Compare
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
anfedotoff
force-pushed
the
matchbinaries-prefix-fix
branch
from
f26e8f5 to
a8c593b
Compare
|
@mtardy, Hey! I added a test. It is failed on some VMs. I think, it because it isn't allowed to run binaries from But overall it shows the problem, I think. Maybe you have an idea where to create a large path to test binary? |
yes, do you remember this #2698? tetragon/pkg/sensors/tracing/enforcer_test.go Lines 300 to 304 in b506aa1 |
I once created this thing https://github.com/mtardy/pathgen that could be adapted or copy-pasted in our test base, as the comment below, you could use If you can avoid using the direct write tester I would as it uses a not very user-friendly Linux interface (breaks on tmpfs). |
Ahh, thanks! I think I'll try to look at some other executable from |
anfedotoff
force-pushed
the
matchbinaries-prefix-fix
branch
from
a8c593b to
eeb05e8
Compare
mtardy
added
the
release-note/bug
There was a problem hiding this comment.
Thanks for the test, it seems to highlight the issue nicely, it's a great start! I think this is something I missed because I somehow forgot that the dentry will be walked from end to start and thus this will break the Prefix feature! Thanks!
could you explain more about your patch however? It looks to me that you rewrote the existing <5.4 behavior implem (with the heap, instead of p->args) as a fallback from the read_exe failure. See my comments for more details.
| curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.off); | ||
| if (curr->bin.path_length == 0) | ||
| curr->bin.path_length = event->exe.len; | ||
| } else { | ||
| heap = map_lookup_elem(&execve_heap, &zero); |
There was a problem hiding this comment.
so I'm not sure it's really appropriate as a fix:
- The current implementation is indeed limited to 256 bytes on
exeread, but this could be increased (maybe that's what you want to actually do). This is indeed bad that it's failing open for something as Prefix. - Here you read
execve_heapthat contains the binary only because of the way we read args attracepoint/sys_execve, I don't think there are any guarantees that this heap will actually contain this btw since it's just a heap, we can use it for anything. This rollback to the old situation where we retrieved the filename from that args (which is still in place for <5.4) that could lead to read a relative path or a symlink (we switched to exe for that reason, reading the syscall args wasn't reliable). See:tetragon/bpf/process/bpf_execve_event.c
Lines 248 to 254 in 92a17c2
I agree that there is a limitation on the current implementation which is pretty explicit (with BINARY_PATH_MAX_LEN), but falling back to the way we do things on <5.4 kernels will not help as it's also flawed and can be escaped with relative paths symlinks.
There was a problem hiding this comment.
Thinking a bit more about this, it's indeed not great that we never check for the error at read from #1926 and that fallback to the args' filename could be an idea but it looks flawed. Indeed, we have unit tests on the function that uses read_exe and the error should be filled if the path is too big to enter the buffer of 256 (it seems that the limit is 255) so we should be aware that we could not match properly.
Because as your test highlights, an errored dentry will not work since it's reading from the end to the start, and thus the beginning of the path containing the prefix will not be here. Switching back to the old implem (as it seems you do even though you read from the execve_heap instead of p->args) could work until you don't use any relative path or symlink.
So I see two things:
- support the error more explicitly and return an error to the user so that he knows we might have skipped an event because of path len limitation
- fix the issue by increasing
BINARY_PATH_MAX_LENto 4096.
There was a problem hiding this comment.
Thanks for detailed review! Yes you are right, relative paths and symlinks might be a problem. It is good to find a better solution that I proposed. Let me explain what I've done.
IIUC, we read the first argument here.
tetragon/bpf/process/bpf_execve_event.c
Lines 59 to 69 in 1a7b15a
Here we think that p->args contains the first argument, but it seems to me that p->args contains arguments starting from the second one. So that's why I changed the logic for old kernels.
tetragon/bpf/process/bpf_execve_event.c
Line 338 in 1a7b15a
There was a problem hiding this comment.
So I see two things:
support the error more explicitly and return an error to the user so that he knows we might have skipped an event because of path len limitation
fix the issue by increasing BINARY_PATH_MAX_LEN to 4096.
I think it's a good idea to increase BINARY_PATH_MAX_LEN to 4096. If so we don't need file_copy_reverse here. And also, we don't need to have extra variables to hold postfix path.
Do you see any limitations that can stop us to increase the BINARY_PATH_MAX_LEN?
IIUC, limitations with prefix/postfix matching we can avoid by copying exact amount of data (STRING_PREFIX_MAX_LENGTH / STRING_POSTFIX_MAX_LENGTH).
There was a problem hiding this comment.
We can have problems here, if __LARGE_MAP_KEYS is not defined, I think:
tetragon/bpf/process/types/basic.h
Lines 1581 to 1587 in 1a7b15a
But we can have a check for this case.
There was a problem hiding this comment.
Here we think that p->args contains the first argument, but it seems to me that p->args contains arguments starting from the second one. So that's why I changed the logic for old kernels.
It's not the case, event->process.args is read in function read_path and the first string separated by \0 is the first args, thus the (relative/symlink/etc) binary given to sys_execve:
tetragon/bpf/process/bpf_execve_event.c
Lines 102 to 111 in 8e07d6c
There was a problem hiding this comment.
read_args, reads the args (hear the args of the execve binary not the args of the syscall), and thus use probe_read_str to remove the first part of the args, but does not touch it.
There was a problem hiding this comment.
Hmm... I see, thanks making it clear!
There was a problem hiding this comment.
Do you see any limitations that can stop us to increase the BINARY_PATH_MAX_LEN?
It all boils down to make prepend_name support more than 256 bytes. I'm looking into it at the moment as it's the only function I've written BPF unit tests so that might be helpful here.
| curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.off); | ||
| if (curr->bin.path_length == 0) | ||
| curr->bin.path_length = event->exe.len; | ||
| } else { | ||
| heap = map_lookup_elem(&execve_heap, &zero); |
There was a problem hiding this comment.
Thinking a bit more about this, it's indeed not great that we never check for the error at read from #1926 and that fallback to the args' filename could be an idea but it looks flawed. Indeed, we have unit tests on the function that uses read_exe and the error should be filled if the path is too big to enter the buffer of 256 (it seems that the limit is 255) so we should be aware that we could not match properly.
Because as your test highlights, an errored dentry will not work since it's reading from the end to the start, and thus the beginning of the path containing the prefix will not be here. Switching back to the old implem (as it seems you do even though you read from the execve_heap instead of p->args) could work until you don't use any relative path or symlink.
So I see two things:
- support the error more explicitly and return an error to the user so that he knows we might have skipped an event because of path len limitation
- fix the issue by increasing
BINARY_PATH_MAX_LENto 4096.
anfedotoff
force-pushed
the
matchbinaries-prefix-fix
branch
from
eeb05e8 to
09bd635
Compare
If path larger than 256 bytes need to copy prefix from args. Signed-off-by: Andrei Fedotov <[email protected]>
Adding test that has Prefix operator in matchBinaries selector. The file path of test binary (direct-write-tester) being executed is larger than 256 bytes. Signed-off-by: Andrei Fedotov <[email protected]>
anfedotoff
force-pushed
the
matchbinaries-prefix-fix
branch
from
09bd635 to
ec359d8
Compare
|
The Fix: #2764 |
It seems to me, that Prefix operator for matchBinaries selector is not applied if executable path length is greater than 256 bytes.