IMA hashes in LSM events #2818

Merged 7 commits on Oct 4, 2024

Commits on Oct 3, 2024

  1. bpf: return flag from generic_actions if event is to be posted

    Before:
    if the event is to be posted, a tail call from generic_action occurs.
    Otherwise the function returns 0.
    Now:
    The previous logic is preserved. But now the value (true/false) is returned
    from generic_action in case the tail call fails.
    
    Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
    anfedotoff committed Oct 3, 2024
    Commit 06ee614
  2. bpf: Add lsm.s/* bpf programs for IMA hash collection

    Due to restrictions of bpf sleepable programs (no tailcalls,
    no perf buffer and per_cpu maps, etc.), we need to split
    the generic LSM sensor into three parts (collections)
    and load them in this order:
    
    - bpf_generic_output sends event using perf buffer
    - bpf_generic_lsm_ima_* calculates hash using IMA helpers
    - bpf_generic_lsm_core does everything else
    
    Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
    anfedotoff committed Oct 3, 2024
    Commit e215409
  3. tetragon: Support IMA hash collection for LSM sensor

    Adding support for IMA hash collection in Post Action.
    Adding IMA hashes in LSM events. Hash is represented by
    a string algorithm:value. Support loading lsm.s/generic_lsm_ima_* programs.
    
    Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
    anfedotoff committed Oct 3, 2024
    Commit 04e7de5
  4. tetra: add IMA hashes human output to compact mode

    The output looks similar to this:
    
    🔒 LSM     user-nix /usr/bin/zsh bprm_check_security
       /usr/bin/git sha256:29aa689f38158d2e8941fa54e436f0260890af31cecad1e8799e5c2df7bc1ecc
    🔒 LSM     user-nix /usr/bin/zsh bprm_check_security
       /usr/bin/ls sha256:8696974df4fc39af88ee23e307139afc533064f976da82172de823c3ad66f444
    🔒 LSM     user-nix /usr/bin/zsh bprm_check_security
       /usr/bin/wc sha256:5a91d203948e44a538e8e5179e712f37fa3264593748e5ce0f888b600447d004
    
    Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
    anfedotoff committed Oct 3, 2024
    Commit 2f4aa53
  5. tetragon: Add TestLSMIMAHash

    Adding test for ImaHash Post action.
    
    Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
    anfedotoff committed Oct 3, 2024
    Configuration menu
    Copy the full SHA
    d2890ab View commit details
    Browse the repository at this point in the history
  6. Update LSM tracingPolicy examples

    Add imaHash post action to lsm_bprm_check.yaml
    
    Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
    anfedotoff committed Oct 3, 2024
    Commit 40a4f86
  7. docs: imaHash flag for Post Action selector

    Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
    anfedotoff committed Oct 3, 2024
    Commit 3ee96a1
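
Added example (not code from this pull request or from the Tetragon project): a small Go checker that reads compact output in the format shown in commit 4, validates each `algorithm:value` hash string described in commit 3, and reports executions whose hash is malformed or not the allowlisted one. The allowlist, the set of accepted algorithms, the assumption that a detail line is exactly "path hash" with no spaces in the path, and the names `ParseIMA`, `Unexpected` and `sampleAllow` are all assumptions; the sample input is constructed from lines printed in commit 4.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed input: event lines in the compact format shown in commit 4.
const sample = `🔒 LSM     user-nix /usr/bin/zsh bprm_check_security
   /usr/bin/git sha256:29aa689f38158d2e8941fa54e436f0260890af31cecad1e8799e5c2df7bc1ecc
🔒 LSM     user-nix /usr/bin/zsh bprm_check_security
   /usr/bin/wc sha256:5a91d203948e44a538e8e5179e712f37fa3264593748e5ce0f888b600447d004`

// Hypothetical allowlist (path -> expected "algorithm:value"); wc is deliberately absent.
var sampleAllow = map[string]string{"/usr/bin/git": "sha256:29aa689f38158d2e8941fa54e436f0260890af31cecad1e8799e5c2df7bc1ecc"}

// Assumption: the algorithms this checker accepts, with their hex digest lengths.
var hexLen = map[string]int{"sha1": 40, "sha256": 64, "sha512": 128}

// Exec is one executed path with the IMA digest reported for it.
type Exec struct{ Path, Algo, Digest string }

// ParseIMA splits "algorithm:value" and rejects unknown algorithms or malformed digests.
func ParseIMA(s string) (string, string, error) {
	algo, digest, ok := strings.Cut(s, ":")
	n, known := hexLen[algo]
	if _, err := hex.DecodeString(digest); !ok || !known || len(digest) != n || err != nil {
		return "", "", fmt.Errorf("malformed IMA hash %q", s)
	}
	return algo, strings.ToLower(digest), nil
}

// Unexpected returns detail lines whose hash is malformed or not the allowlisted one.
func Unexpected(out string, allow map[string]string) []Exec {
	var bad []Exec
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || !strings.HasPrefix(f[0], "/") {
			continue // event header line, not a "path hash" detail line
		}
		algo, digest, err := ParseIMA(f[1])
		if err != nil || allow[f[0]] != algo+":"+digest {
			bad = append(bad, Exec{f[0], algo, digest})
		}
	}
	return bad
}

func main() { fmt.Println(Unexpected(sample, sampleAllow)) }
```

A malformed hash is reported with empty `Algo` and `Digest` fields rather than silently skipped, so a truncated or tampered line is still flagged.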