diff options
author | gVisor bot <gvisor-bot@google.com> | 2021-09-23 01:16:29 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-09-23 01:16:29 +0000 |
commit | 827f5afc4abe3bf3f3e65e5bf9f2cba4b181bdc1 (patch) | |
tree | 5c169872416372c5db9dff377fe0e97f4beaac8a /pkg/sentry/seccheck | |
parent | cb622a5dede506f187da67ba184ac09f8be95097 (diff) | |
parent | de750eb1d3ef2c8c60274c62c4463392b29b45c7 (diff) |
Merge release-20210921.0-13-gde750eb1d (automated)
Diffstat (limited to 'pkg/sentry/seccheck')
-rw-r--r-- | pkg/sentry/seccheck/execve.go | 65 | ||||
-rw-r--r-- | pkg/sentry/seccheck/exit.go | 57 | ||||
-rw-r--r-- | pkg/sentry/seccheck/seccheck.go | 26 | ||||
-rw-r--r-- | pkg/sentry/seccheck/seccheck_fieldenum.go | 133 |
4 files changed, 279 insertions, 2 deletions
diff --git a/pkg/sentry/seccheck/execve.go b/pkg/sentry/seccheck/execve.go new file mode 100644 index 000000000..f36e0730e --- /dev/null +++ b/pkg/sentry/seccheck/execve.go @@ -0,0 +1,65 @@ +// Copyright 2021 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package seccheck + +import ( + "gvisor.dev/gvisor/pkg/context" + "gvisor.dev/gvisor/pkg/sentry/kernel/auth" +) + +// ExecveInfo contains information used by the Execve checkpoint. +// +// +fieldenum Execve +type ExecveInfo struct { + // Invoker identifies the invoking thread. + Invoker TaskInfo + + // Credentials are the invoking thread's credentials. + Credentials *auth.Credentials + + // BinaryPath is a path to the executable binary file being switched to in + // the mount namespace in which it was opened. + BinaryPath string + + // Argv is the new process image's argument vector. + Argv []string + + // Env is the new process image's environment variables. + Env []string + + // BinaryMode is the executable binary file's mode. + BinaryMode uint16 + + // BinarySHA256 is the SHA-256 hash of the executable binary file. + // + // Note that this requires reading the entire file into memory, which is + // likely to be extremely slow. + BinarySHA256 [32]byte +} + +// ExecveReq returns fields required by the Execve checkpoint. +func (s *state) ExecveReq() ExecveFieldSet { + return s.execveReq.Load() +} + +// Execve is called at the Execve checkpoint. +func (s *state) Execve(ctx context.Context, mask ExecveFieldSet, info *ExecveInfo) error { + for _, c := range s.getCheckers() { + if err := c.Execve(ctx, mask, *info); err != nil { + return err + } + } + return nil +} diff --git a/pkg/sentry/seccheck/exit.go b/pkg/sentry/seccheck/exit.go new file mode 100644 index 000000000..69cb6911c --- /dev/null +++ b/pkg/sentry/seccheck/exit.go @@ -0,0 +1,57 @@ +// Copyright 2021 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package seccheck + +import ( + "gvisor.dev/gvisor/pkg/abi/linux" + "gvisor.dev/gvisor/pkg/context" +) + +// ExitNotifyParentInfo contains information used by the ExitNotifyParent +// checkpoint. +// +// +fieldenum ExitNotifyParent +type ExitNotifyParentInfo struct { + // Exiter identifies the exiting thread. Note that by the checkpoint's + // definition, Exiter.ThreadID == Exiter.ThreadGroupID and + // Exiter.ThreadStartTime == Exiter.ThreadGroupStartTime, so requesting + // ThreadGroup* fields is redundant. + Exiter TaskInfo + + // ExitStatus is the exiting thread group's exit status, as reported + // by wait*(). + ExitStatus linux.WaitStatus +} + +// ExitNotifyParentReq returns fields required by the ExitNotifyParent +// checkpoint. +func (s *state) ExitNotifyParentReq() ExitNotifyParentFieldSet { + return s.exitNotifyParentReq.Load() +} + +// ExitNotifyParent is called at the ExitNotifyParent checkpoint. +// +// The ExitNotifyParent checkpoint occurs when a zombied thread group leader, +// not waiting for exit acknowledgement from a non-parent ptracer, becomes the +// last non-dead thread in its thread group and notifies its parent of its +// exiting. +func (s *state) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info *ExitNotifyParentInfo) error { + for _, c := range s.getCheckers() { + if err := c.ExitNotifyParent(ctx, mask, *info); err != nil { + return err + } + } + return nil +} diff --git a/pkg/sentry/seccheck/seccheck.go b/pkg/sentry/seccheck/seccheck.go index b6c9d44ce..e13274096 100644 --- a/pkg/sentry/seccheck/seccheck.go +++ b/pkg/sentry/seccheck/seccheck.go @@ -29,6 +29,8 @@ type Point uint // PointX represents the checkpoint X. const ( PointClone Point = iota + PointExecve + PointExitNotifyParent // Add new Points above this line. pointLength @@ -47,6 +49,8 @@ const ( // registered concurrently with invocations of checkpoints). type Checker interface { Clone(ctx context.Context, mask CloneFieldSet, info CloneInfo) error + Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error + ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info ExitNotifyParentInfo) error } // CheckerDefaults may be embedded by implementations of Checker to obtain @@ -58,6 +62,16 @@ func (CheckerDefaults) Clone(ctx context.Context, mask CloneFieldSet, info Clone return nil } +// Execve implements Checker.Execve. +func (CheckerDefaults) Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error { + return nil +} + +// ExitNotifyParent implements Checker.ExitNotifyParent. +func (CheckerDefaults) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info ExitNotifyParentInfo) error { + return nil +} + // CheckerReq indicates what checkpoints a corresponding Checker runs at, and // what information it requires at those checkpoints. type CheckerReq struct { @@ -69,7 +83,9 @@ type CheckerReq struct { // All of the following fields indicate what fields in the corresponding // XInfo struct will be requested at the corresponding checkpoint. - Clone CloneFields + Clone CloneFields + Execve ExecveFields + ExitNotifyParent ExitNotifyParentFields } // Global is the method receiver of all seccheck functions. @@ -101,7 +117,9 @@ type state struct { // corresponding XInfo struct have been requested by any registered // checker, are accessed using atomic memory operations, and are mutated // with registrationMu locked. - cloneReq CloneFieldSet + cloneReq CloneFieldSet + execveReq ExecveFieldSet + exitNotifyParentReq ExitNotifyParentFieldSet } // AppendChecker registers the given Checker to execute at checkpoints. The @@ -110,7 +128,11 @@ type state struct { func (s *state) AppendChecker(c Checker, req *CheckerReq) { s.registrationMu.Lock() defer s.registrationMu.Unlock() + s.cloneReq.AddFieldsLoadable(req.Clone) + s.execveReq.AddFieldsLoadable(req.Execve) + s.exitNotifyParentReq.AddFieldsLoadable(req.ExitNotifyParent) + s.appendCheckerLocked(c) for _, p := range req.Points { word, bit := p/32, p%32 diff --git a/pkg/sentry/seccheck/seccheck_fieldenum.go b/pkg/sentry/seccheck/seccheck_fieldenum.go index b193b2973..4e2f691e8 100644 --- a/pkg/sentry/seccheck/seccheck_fieldenum.go +++ b/pkg/sentry/seccheck/seccheck_fieldenum.go @@ -67,6 +67,139 @@ func (fs *CloneFieldSet) AddFieldsLoadable(fields CloneFields) { } } +// A ExecveField represents a field in ExecveInfo. +type ExecveField uint + +// ExecveFieldX represents ExecveInfo field X. +const ( + ExecveFieldCredentials ExecveField = iota + ExecveFieldBinaryPath + ExecveFieldArgv + ExecveFieldEnv + ExecveFieldBinaryMode + ExecveFieldBinarySHA256 +) + +// ExecveFields represents a set of fields in ExecveInfo in a literal-friendly form. +// The zero value of ExecveFields represents an empty set. +type ExecveFields struct { + Invoker TaskFields + Credentials bool + BinaryPath bool + Argv bool + Env bool + BinaryMode bool + BinarySHA256 bool +} + +// ExecveFieldSet represents a set of fields in ExecveInfo in a compact form. +// The zero value of ExecveFieldSet represents an empty set. +type ExecveFieldSet struct { + Invoker TaskFieldSet + fields [1]uint32 +} + +// Contains returns true if f is present in the ExecveFieldSet. +func (fs ExecveFieldSet) Contains(f ExecveField) bool { + return fs.fields[0] & (uint32(1) << uint(f)) != 0 +} + +// Add adds f to the ExecveFieldSet. +func (fs *ExecveFieldSet) Add(f ExecveField) { + fs.fields[0] |= uint32(1) << uint(f) +} + +// Remove removes f from the ExecveFieldSet. +func (fs *ExecveFieldSet) Remove(f ExecveField) { + fs.fields[0] &^= uint32(1) << uint(f) +} + +// Load returns a copy of the ExecveFieldSet. +// Load is safe to call concurrently with AddFieldsLoadable, but not Add or Remove. +func (fs *ExecveFieldSet) Load() (copied ExecveFieldSet) { + copied.Invoker = fs.Invoker.Load() + copied.fields[0] = atomic.LoadUint32(&fs.fields[0]) + return +} + +// AddFieldsLoadable adds the given fields to the ExecveFieldSet. +// AddFieldsLoadable is safe to call concurrently with Load, but not other methods (including other calls to AddFieldsLoadable). +func (fs *ExecveFieldSet) AddFieldsLoadable(fields ExecveFields) { + fs.Invoker.AddFieldsLoadable(fields.Invoker) + if fields.Credentials { + atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldCredentials))) + } + if fields.BinaryPath { + atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldBinaryPath))) + } + if fields.Argv { + atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldArgv))) + } + if fields.Env { + atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldEnv))) + } + if fields.BinaryMode { + atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldBinaryMode))) + } + if fields.BinarySHA256 { + atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldBinarySHA256))) + } +} + +// A ExitNotifyParentField represents a field in ExitNotifyParentInfo. +type ExitNotifyParentField uint + +// ExitNotifyParentFieldX represents ExitNotifyParentInfo field X. +const ( + ExitNotifyParentFieldExitStatus ExitNotifyParentField = iota +) + +// ExitNotifyParentFields represents a set of fields in ExitNotifyParentInfo in a literal-friendly form. +// The zero value of ExitNotifyParentFields represents an empty set. +type ExitNotifyParentFields struct { + Exiter TaskFields + ExitStatus bool +} + +// ExitNotifyParentFieldSet represents a set of fields in ExitNotifyParentInfo in a compact form. +// The zero value of ExitNotifyParentFieldSet represents an empty set. +type ExitNotifyParentFieldSet struct { + Exiter TaskFieldSet + fields [1]uint32 +} + +// Contains returns true if f is present in the ExitNotifyParentFieldSet. +func (fs ExitNotifyParentFieldSet) Contains(f ExitNotifyParentField) bool { + return fs.fields[0] & (uint32(1) << uint(f)) != 0 +} + +// Add adds f to the ExitNotifyParentFieldSet. +func (fs *ExitNotifyParentFieldSet) Add(f ExitNotifyParentField) { + fs.fields[0] |= uint32(1) << uint(f) +} + +// Remove removes f from the ExitNotifyParentFieldSet. +func (fs *ExitNotifyParentFieldSet) Remove(f ExitNotifyParentField) { + fs.fields[0] &^= uint32(1) << uint(f) +} + +// Load returns a copy of the ExitNotifyParentFieldSet. +// Load is safe to call concurrently with AddFieldsLoadable, but not Add or Remove. +func (fs *ExitNotifyParentFieldSet) Load() (copied ExitNotifyParentFieldSet) { + copied.Exiter = fs.Exiter.Load() + copied.fields[0] = atomic.LoadUint32(&fs.fields[0]) + return +} + +// AddFieldsLoadable adds the given fields to the ExitNotifyParentFieldSet. +// AddFieldsLoadable is safe to call concurrently with Load, but not other methods (including other calls to AddFieldsLoadable). +func (fs *ExitNotifyParentFieldSet) AddFieldsLoadable(fields ExitNotifyParentFields) { + fs.Exiter.AddFieldsLoadable(fields.Exiter) + if fields.ExitStatus { + atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExitNotifyParentFieldExitStatus))) + } +} + // A TaskField represents a field in TaskInfo. type TaskField uint |