-
Notifications
You must be signed in to change notification settings - Fork 4
ROX-30296: track POSIX ACL changes via inode_set_acl LSM hook #878
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
60ab038
19a175a
3e30921
ffcdc1d
fff48a3
5a64ed2
198156f
be7fb22
1dc7ae0
fc73ed7
516433e
4be488a
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -160,3 +160,45 @@ __always_inline static void submit_xattr_event(struct submit_event_args_t* args, | |
|
|
||
| __submit_event(args, false); | ||
| } | ||
|
|
||
| __always_inline static void submit_acl_event(struct submit_event_args_t* args, | ||
| const char* acl_name, | ||
| struct posix_acl* kacl) { | ||
| if (!reserve_event(args)) { | ||
| return; | ||
| } | ||
|
|
||
| args->event->type = FILE_ACTIVITY_ACL_SET; | ||
|
|
||
| // Determine ACL type from the xattr name. | ||
| // "system.posix_acl_access" vs "system.posix_acl_default" | ||
| char name_buf[32] = {0}; | ||
| long name_len = bpf_probe_read_kernel_str(name_buf, sizeof(name_buf), acl_name); | ||
| if (name_len == 25 && __builtin_memcmp(name_buf, "system.posix_acl_default", 24) == 0) { | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could there be a situation where we want to keep the full name of the ACL as opposed to just a generic marker? (I apologize if this is a dumb question, I'm not super familiar with ACLs).
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So ACLs can only be the xattrs |
||
| args->event->acl.acl_type = FACT_ACL_TYPE_DEFAULT; | ||
| } else { | ||
| args->event->acl.acl_type = FACT_ACL_TYPE_ACCESS; | ||
| } | ||
|
|
||
| if (kacl == NULL) { | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. [ultra-nit] Can we negate this condition so the largest block is the one for the true condition and not the else? |
||
| args->event->acl.count = 0; | ||
| } else { | ||
| unsigned int count = 0; | ||
| bpf_probe_read_kernel(&count, sizeof(count), &kacl->a_count); | ||
| if (count > FACT_MAX_ACL_ENTRIES) { | ||
| count = FACT_MAX_ACL_ENTRIES; | ||
| } | ||
| args->event->acl.count = count; | ||
|
|
||
| for (unsigned int i = 0; i < FACT_MAX_ACL_ENTRIES && i < count; i++) { | ||
| struct posix_acl_entry entry = {0}; | ||
| bpf_probe_read_kernel(&entry, sizeof(entry), &kacl->a_entries[i]); | ||
| args->event->acl.entries[i].e_tag = entry.e_tag; | ||
| args->event->acl.entries[i].e_perm = entry.e_perm; | ||
| args->event->acl.entries[i].e_id = entry.e_uid.val; | ||
| } | ||
|
Comment on lines
+193
to
+199
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win 🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
git ls-files 'fact-ebpf/src/bpf/events.h' 'fact-ebpf/src/lib.rs'
wc -l fact-ebpf/src/bpf/events.h fact-ebpf/src/lib.rs
ast-grep outline fact-ebpf/src/bpf/events.h --view expanded
ast-grep outline fact-ebpf/src/lib.rs --view expandedRepository: stackrox/fact Length of output: 1670 🏁 Script executed: #!/bin/bash
set -euo pipefail
sed -n '1,240p' fact-ebpf/src/bpf/events.h
printf '\n---- lib.rs ----\n'
sed -n '1,220p' fact-ebpf/src/lib.rsRepository: stackrox/fact Length of output: 11141 Avoid copying
🤖 Prompt for AI Agents |
||
| } | ||
|
|
||
| // inode_set_acl does not support bpf_d_path (no struct path available) | ||
| __submit_event(args, false); | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -58,6 +58,18 @@ typedef enum monitored_t { | |
| // For the time being we just keep a char. | ||
| typedef char inode_value_t; | ||
|
|
||
| #define FACT_MAX_ACL_ENTRIES 32 | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Out of curiosity, is there a max number of ACLs in the kernel? For our implementation, 32 is probably fine as is.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The max is based on the xattr limit, which appears to be about 65k (total memory) which I think means it's about ~8k theoretical possible ACL entries. In practice at the file system level the limit is lower, though probably still in the hundreds. It's hard to tell what the numbers will be "in the wild" but we can raise this limit if we hit issues with it |
||
|
|
||
| // ACL type constants matching the xattr names | ||
| #define FACT_ACL_TYPE_ACCESS 0 | ||
| #define FACT_ACL_TYPE_DEFAULT 1 | ||
|
|
||
| struct acl_entry_t { | ||
| short e_tag; | ||
| unsigned short e_perm; | ||
| unsigned int e_id; | ||
| }; | ||
|
|
||
| typedef enum file_activity_type_t { | ||
| FILE_ACTIVITY_INIT = -1, | ||
| FILE_ACTIVITY_OPEN = 0, | ||
|
|
@@ -70,6 +82,7 @@ typedef enum file_activity_type_t { | |
| DIR_ACTIVITY_UNLINK, | ||
| FILE_ACTIVITY_SETXATTR, | ||
| FILE_ACTIVITY_REMOVEXATTR, | ||
| FILE_ACTIVITY_ACL_SET, | ||
| } file_activity_type_t; | ||
|
|
||
| struct event_t { | ||
|
|
@@ -99,6 +112,11 @@ struct event_t { | |
| struct { | ||
| char name[XATTR_NAME_MAX_LEN]; | ||
| } xattr; | ||
| struct { | ||
| unsigned int count; | ||
| unsigned int acl_type; | ||
| struct acl_entry_t entries[FACT_MAX_ACL_ENTRIES]; | ||
| } acl; | ||
| }; | ||
| }; | ||
|
|
||
|
|
@@ -143,4 +161,5 @@ struct metrics_t { | |
| struct metrics_by_hook_t path_rmdir; | ||
| struct metrics_by_hook_t inode_setxattr; | ||
| struct metrics_by_hook_t inode_removexattr; | ||
| struct metrics_by_hook_t inode_set_acl; | ||
| }; | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,6 +26,7 @@ const RINGBUFFER_NAME: &str = "rb"; | |
|
|
||
| pub struct Bpf { | ||
| obj: Ebpf, | ||
| checks: Checks, | ||
|
|
||
| tx: mpsc::Sender<Event>, | ||
|
|
||
|
|
@@ -64,6 +65,7 @@ impl Bpf { | |
| let paths = Vec::new(); | ||
| let mut bpf = Bpf { | ||
| obj, | ||
| checks, | ||
| tx, | ||
| paths, | ||
| paths_config, | ||
|
|
@@ -178,28 +180,38 @@ impl Bpf { | |
| let Some(hook) = name.strip_prefix("trace_") else { | ||
| bail!("Invalid hook name: {name}"); | ||
| }; | ||
|
|
||
| // Skip hooks that the kernel doesn't support | ||
| if hook == "inode_set_acl" && !self.checks.supports_inode_set_acl { | ||
| info!("Skipping {hook}: not supported on this kernel"); | ||
| continue; | ||
| } | ||
|
|
||
| match prog { | ||
| Program::Lsm(prog) => prog.load(hook, btf)?, | ||
| u => unimplemented!("{u:?}"), | ||
| } | ||
| }; | ||
| } | ||
| Ok(()) | ||
| } | ||
|
|
||
| /// Attaches all BPF programs. If any attach fails, all previously | ||
| /// attached programs are automatically detached via drop. | ||
| /// Attaches all loaded BPF programs. Programs that were not loaded | ||
| /// (e.g. optional hooks on unsupported kernels) are skipped. | ||
| /// If any attach fails, all previously attached programs are | ||
| /// automatically detached via drop. | ||
| fn attach_progs(&mut self) -> anyhow::Result<()> { | ||
| self.links = self | ||
| .obj | ||
| .programs_mut() | ||
| .map(|(_, prog)| match prog { | ||
| for (_, prog) in self.obj.programs_mut() { | ||
| match prog { | ||
| Program::Lsm(prog) => { | ||
| if prog.fd().is_err() { | ||
| continue; | ||
| } | ||
| let link_id = prog.attach()?; | ||
| prog.take_link(link_id) | ||
| self.links.push(prog.take_link(link_id)?); | ||
| } | ||
| u => unimplemented!("{u:?}"), | ||
| }) | ||
| .collect::<Result<_, _>>()?; | ||
| } | ||
| } | ||
|
Comment on lines
+203
to
+214
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The new approach is fine, but if you wanted to keep the functional one you could do so using self.links = self
.obj
.programs_mut()
.filter_map(|(_, prog)| match prog {
Program::Lsm(prog) => {
if prog.fd().is_err() {
return None;
}
let link_id = match prog.attach() {
Ok(link_id) => link_id,
Err(e) => return Some(Err(e)),
};
Some(prog.take_link(link_id))
}
u => unimplemented!("{u:?}"),
})
.collect::<Result<_, _>>()?;There is also one small change that I think won't matter, but the new approach does not drop any existing links from the vector before pushing the new ones, we might want to clear the vector just in case if we want to keep this new approach. |
||
| Ok(()) | ||
| } | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the length here random or does it come from some kernel constant somehwere?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It only needs to store
"system.posix_acl_{access,default}", max 25 chars, but rounded up to nearest power of 2 to be a little neater for alignment etc. I can adjust the comment for clarity