IMA hashes in LSM events #2818
Commits on Oct 3, 2024
bpf: return flag from generic_actions if event is to be posted
Before: if the event is to be posted, a tail call from generic_action occurs. Otherwise the function returns 0.
Now: Previous logic is saved. But now the value (true/false) is returned from generic_action in case the tail call fails.

Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
Commit 06ee614

bpf: Add lsm.s/* bpf programs for IMA hash collection
Due to restrictions of bpf sleepable programs (no tailcalls, no perf buffer and per_cpu maps, etc.), we need to split generic LSM sensor into three parts (collections) and load them in this order:
- bpf_generic_output sends event using perf buffer
- bpf_generic_lsm_ima_* calculates hash using IMA helpers
- bpf_generic_lsm_core does everything else

Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
Commit e215409

tetragon: Support IMA hash collection for LSM sensor
Adding support for IMA hash collection in Post Action.
Adding IMA hashes in LSM events. Hash is represented by a string algorithm:value.
Support loading lsm.s/generic_lsm_ima_* programs.

Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
Commit 04e7de5

tetra: add IMA hashes human output to compact mode
The output looks similar to this:

    🔒 LSM user-nix /usr/bin/zsh bprm_check_security /usr/bin/git sha256:29aa689f38158d2e8941fa54e436f0260890af31cecad1e8799e5c2df7bc1ecc
    🔒 LSM user-nix /usr/bin/zsh bprm_check_security /usr/bin/ls sha256:8696974df4fc39af88ee23e307139afc533064f976da82172de823c3ad66f444
    🔒 LSM user-nix /usr/bin/zsh bprm_check_security /usr/bin/wc sha256:5a91d203948e44a538e8e5179e712f37fa3264593748e5ce0f888b600447d004

Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
Commit 2f4aa53

Adding test for ImaHash Post action.

Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
Commit d2890ab

Update LSM tracingPolicy examples
Add imaHash post action to lsm_bprm_check.yaml

Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
Commit 40a4f86

docs: imaHash flag for Post Action selector
Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
Commit 3ee96a1