Add //pkg/sentry/seccheck.

This defines common infrastructure for dynamically-configured security checks, including an example usage in the clone(2) path. PiperOrigin-RevId: 394797270
author: Jamie Liu <jamieliu@google.com> 2021-09-03 19:07:12 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-09-03 19:12:54 -0700
commit: 775a321120f09420ef37ba9455371f193380a695 (patch)
tree: cadd1e37b903dcb6b24965ec79787244038831d4 /pkg/sentry/kernel
parent: 2aeab259c4d24f87d7788fed338b64d99e0865ec (diff)
3 files changed, 57 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/BUILD b/pkg/sentry/kernel/BUILD
index 816e60329..c0f13bf52 100644
--- a/pkg/sentry/kernel/BUILD
+++ b/pkg/sentry/kernel/BUILD
@@ -268,6 +268,7 @@ go_library(
         "//pkg/sentry/mm",
         "//pkg/sentry/pgalloc",
         "//pkg/sentry/platform",
+        "//pkg/sentry/seccheck",
         "//pkg/sentry/socket/netlink/port",
         "//pkg/sentry/socket/unix/transport",
         "//pkg/sentry/time",
diff --git a/pkg/sentry/kernel/task.go b/pkg/sentry/kernel/task.go
index 59eeb253d..9a95bf44c 100644
--- a/pkg/sentry/kernel/task.go
+++ b/pkg/sentry/kernel/task.go
@@ -30,6 +30,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/kernel/sched"
 	ktime "gvisor.dev/gvisor/pkg/sentry/kernel/time"
 	"gvisor.dev/gvisor/pkg/sentry/platform"
+	"gvisor.dev/gvisor/pkg/sentry/seccheck"
 	"gvisor.dev/gvisor/pkg/sentry/usage"
 	"gvisor.dev/gvisor/pkg/sentry/vfs"
 	"gvisor.dev/gvisor/pkg/sync"
@@ -874,3 +875,23 @@ func (t *Task) ResetKcov() {
 		t.kcov = nil
 	}
 }
+
+// Preconditions: The TaskSet mutex must be locked.
+func (t *Task) loadSeccheckInfoLocked(req seccheck.TaskFieldSet, mask *seccheck.TaskFieldSet, info *seccheck.TaskInfo) {
+	if req.Contains(seccheck.TaskFieldThreadID) {
+		info.ThreadID = int32(t.k.tasks.Root.tids[t])
+		mask.Add(seccheck.TaskFieldThreadID)
+	}
+	if req.Contains(seccheck.TaskFieldThreadStartTime) {
+		info.ThreadStartTime = t.startTime
+		mask.Add(seccheck.TaskFieldThreadStartTime)
+	}
+	if req.Contains(seccheck.TaskFieldThreadGroupID) {
+		info.ThreadGroupID = int32(t.k.tasks.Root.tgids[t.tg])
+		mask.Add(seccheck.TaskFieldThreadGroupID)
+	}
+	if req.Contains(seccheck.TaskFieldThreadGroupStartTime) {
+		info.ThreadGroupStartTime = t.tg.leader.startTime
+		mask.Add(seccheck.TaskFieldThreadGroupStartTime)
+	}
+}
diff --git a/pkg/sentry/kernel/task_clone.go b/pkg/sentry/kernel/task_clone.go
index da4b77ca2..26a981f36 100644
--- a/pkg/sentry/kernel/task_clone.go
+++ b/pkg/sentry/kernel/task_clone.go
@@ -23,6 +23,7 @@ import (
 	"gvisor.dev/gvisor/pkg/errors/linuxerr"
 	"gvisor.dev/gvisor/pkg/hostarch"
 	"gvisor.dev/gvisor/pkg/sentry/inet"
+	"gvisor.dev/gvisor/pkg/sentry/seccheck"
 	"gvisor.dev/gvisor/pkg/usermem"
 )
 
@@ -235,7 +236,23 @@ func (t *Task) Clone(args *linux.CloneArgs) (ThreadID, *SyscallControl, error) {
 	// nt that it must receive before its task goroutine starts running.
 	tid := nt.k.tasks.Root.IDOfTask(nt)
 	defer nt.Start(tid)
-	t.traceCloneEvent(tid)
+
+	if seccheck.Global.Enabled(seccheck.PointClone) {
+		mask, info := getCloneSeccheckInfo(t, nt, args)
+		if err := seccheck.Global.Clone(t, mask, &info); err != nil {
+			// nt has been visible to the rest of the system since NewTask, so
+			// it may be blocking execve or a group stop, have been notified
+			// for group signal delivery, had children reparented to it, etc.
+			// Thus we can't just drop it on the floor. Instead, instruct the
+			// task goroutine to exit immediately, as quietly as possible.
+			nt.exitTracerNotified = true
+			nt.exitTracerAcked = true
+			nt.exitParentNotified = true
+			nt.exitParentAcked = true
+			nt.runState = (*runExitMain)(nil)
+			return 0, nil, err
+		}
+	}
 
 	// "If fork/clone and execve are allowed by @prog, any child processes will
 	// be constrained to the same filters and system call ABI as the parent." -
@@ -260,6 +277,7 @@ func (t *Task) Clone(args *linux.CloneArgs) (ThreadID, *SyscallControl, error) {
 		ntid.CopyOut(t, hostarch.Addr(args.ParentTID))
 	}
 
+	t.traceCloneEvent(tid)
 	kind := ptraceCloneKindClone
 	if args.Flags&linux.CLONE_VFORK != 0 {
 		kind = ptraceCloneKindVfork
@@ -279,6 +297,22 @@ func (t *Task) Clone(args *linux.CloneArgs) (ThreadID, *SyscallControl, error) {
 	return ntid, nil, nil
 }
 
+func getCloneSeccheckInfo(t, nt *Task, args *linux.CloneArgs) (seccheck.CloneFieldSet, seccheck.CloneInfo) {
+	req := seccheck.Global.CloneReq()
+	info := seccheck.CloneInfo{
+		Credentials: t.Credentials(),
+		Args:        *args,
+	}
+	var mask seccheck.CloneFieldSet
+	mask.Add(seccheck.CloneFieldCredentials)
+	mask.Add(seccheck.CloneFieldArgs)
+	t.k.tasks.mu.RLock()
+	defer t.k.tasks.mu.RUnlock()
+	t.loadSeccheckInfoLocked(req.Invoker, &mask.Invoker, &info.Invoker)
+	nt.loadSeccheckInfoLocked(req.Created, &mask.Created, &info.Created)
+	return mask, info
+}
+
 // maybeBeginVforkStop checks if a previously-started vfork child is still
 // running and has not yet released its MM, such that its parent t should enter
 // a vforkStop.
author	Jamie Liu <jamieliu@google.com>	2021-09-03 19:07:12 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-09-03 19:12:54 -0700
commit	775a321120f09420ef37ba9455371f193380a695 (patch)
tree	cadd1e37b903dcb6b24965ec79787244038831d4 /pkg/sentry/kernel
parent	2aeab259c4d24f87d7788fed338b64d99e0865ec (diff)