summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/seccheck
diff options
context:
space:
mode:
authorgVisor bot <gvisor-bot@google.com>2021-09-23 01:16:29 +0000
committergVisor bot <gvisor-bot@google.com>2021-09-23 01:16:29 +0000
commit827f5afc4abe3bf3f3e65e5bf9f2cba4b181bdc1 (patch)
tree5c169872416372c5db9dff377fe0e97f4beaac8a /pkg/sentry/seccheck
parentcb622a5dede506f187da67ba184ac09f8be95097 (diff)
parentde750eb1d3ef2c8c60274c62c4463392b29b45c7 (diff)
Merge release-20210921.0-13-gde750eb1d (automated)
Diffstat (limited to 'pkg/sentry/seccheck')
-rw-r--r--pkg/sentry/seccheck/execve.go65
-rw-r--r--pkg/sentry/seccheck/exit.go57
-rw-r--r--pkg/sentry/seccheck/seccheck.go26
-rw-r--r--pkg/sentry/seccheck/seccheck_fieldenum.go133
4 files changed, 279 insertions, 2 deletions
diff --git a/pkg/sentry/seccheck/execve.go b/pkg/sentry/seccheck/execve.go
new file mode 100644
index 000000000..f36e0730e
--- /dev/null
+++ b/pkg/sentry/seccheck/execve.go
@@ -0,0 +1,65 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package seccheck
+
+import (
+ "gvisor.dev/gvisor/pkg/context"
+ "gvisor.dev/gvisor/pkg/sentry/kernel/auth"
+)
+
+// ExecveInfo contains information used by the Execve checkpoint.
+//
+// +fieldenum Execve
+type ExecveInfo struct {
+ // Invoker identifies the invoking thread.
+ Invoker TaskInfo
+
+ // Credentials are the invoking thread's credentials.
+ Credentials *auth.Credentials
+
+ // BinaryPath is a path to the executable binary file being switched to in
+ // the mount namespace in which it was opened.
+ BinaryPath string
+
+ // Argv is the new process image's argument vector.
+ Argv []string
+
+ // Env is the new process image's environment variables.
+ Env []string
+
+ // BinaryMode is the executable binary file's mode.
+ BinaryMode uint16
+
+ // BinarySHA256 is the SHA-256 hash of the executable binary file.
+ //
+ // Note that this requires reading the entire file into memory, which is
+ // likely to be extremely slow.
+ BinarySHA256 [32]byte
+}
+
+// ExecveReq returns fields required by the Execve checkpoint.
+func (s *state) ExecveReq() ExecveFieldSet {
+ return s.execveReq.Load()
+}
+
+// Execve is called at the Execve checkpoint.
+func (s *state) Execve(ctx context.Context, mask ExecveFieldSet, info *ExecveInfo) error {
+ for _, c := range s.getCheckers() {
+ if err := c.Execve(ctx, mask, *info); err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/pkg/sentry/seccheck/exit.go b/pkg/sentry/seccheck/exit.go
new file mode 100644
index 000000000..69cb6911c
--- /dev/null
+++ b/pkg/sentry/seccheck/exit.go
@@ -0,0 +1,57 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package seccheck
+
+import (
+ "gvisor.dev/gvisor/pkg/abi/linux"
+ "gvisor.dev/gvisor/pkg/context"
+)
+
+// ExitNotifyParentInfo contains information used by the ExitNotifyParent
+// checkpoint.
+//
+// +fieldenum ExitNotifyParent
+type ExitNotifyParentInfo struct {
+ // Exiter identifies the exiting thread. Note that by the checkpoint's
+ // definition, Exiter.ThreadID == Exiter.ThreadGroupID and
+ // Exiter.ThreadStartTime == Exiter.ThreadGroupStartTime, so requesting
+ // ThreadGroup* fields is redundant.
+ Exiter TaskInfo
+
+ // ExitStatus is the exiting thread group's exit status, as reported
+ // by wait*().
+ ExitStatus linux.WaitStatus
+}
+
+// ExitNotifyParentReq returns fields required by the ExitNotifyParent
+// checkpoint.
+func (s *state) ExitNotifyParentReq() ExitNotifyParentFieldSet {
+ return s.exitNotifyParentReq.Load()
+}
+
+// ExitNotifyParent is called at the ExitNotifyParent checkpoint.
+//
+// The ExitNotifyParent checkpoint occurs when a zombied thread group leader,
+// not waiting for exit acknowledgement from a non-parent ptracer, becomes the
+// last non-dead thread in its thread group and notifies its parent of its
+// exiting.
+func (s *state) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info *ExitNotifyParentInfo) error {
+ for _, c := range s.getCheckers() {
+ if err := c.ExitNotifyParent(ctx, mask, *info); err != nil {
+ return err
+ }
+ }
+ return nil
+}
diff --git a/pkg/sentry/seccheck/seccheck.go b/pkg/sentry/seccheck/seccheck.go
index b6c9d44ce..e13274096 100644
--- a/pkg/sentry/seccheck/seccheck.go
+++ b/pkg/sentry/seccheck/seccheck.go
@@ -29,6 +29,8 @@ type Point uint
// PointX represents the checkpoint X.
const (
PointClone Point = iota
+ PointExecve
+ PointExitNotifyParent
// Add new Points above this line.
pointLength
@@ -47,6 +49,8 @@ const (
// registered concurrently with invocations of checkpoints).
type Checker interface {
Clone(ctx context.Context, mask CloneFieldSet, info CloneInfo) error
+ Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error
+ ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info ExitNotifyParentInfo) error
}
// CheckerDefaults may be embedded by implementations of Checker to obtain
@@ -58,6 +62,16 @@ func (CheckerDefaults) Clone(ctx context.Context, mask CloneFieldSet, info Clone
return nil
}
+// Execve implements Checker.Execve.
+func (CheckerDefaults) Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error {
+ return nil
+}
+
+// ExitNotifyParent implements Checker.ExitNotifyParent.
+func (CheckerDefaults) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info ExitNotifyParentInfo) error {
+ return nil
+}
+
// CheckerReq indicates what checkpoints a corresponding Checker runs at, and
// what information it requires at those checkpoints.
type CheckerReq struct {
@@ -69,7 +83,9 @@ type CheckerReq struct {
// All of the following fields indicate what fields in the corresponding
// XInfo struct will be requested at the corresponding checkpoint.
- Clone CloneFields
+ Clone CloneFields
+ Execve ExecveFields
+ ExitNotifyParent ExitNotifyParentFields
}
// Global is the method receiver of all seccheck functions.
@@ -101,7 +117,9 @@ type state struct {
// corresponding XInfo struct have been requested by any registered
// checker, are accessed using atomic memory operations, and are mutated
// with registrationMu locked.
- cloneReq CloneFieldSet
+ cloneReq CloneFieldSet
+ execveReq ExecveFieldSet
+ exitNotifyParentReq ExitNotifyParentFieldSet
}
// AppendChecker registers the given Checker to execute at checkpoints. The
@@ -110,7 +128,11 @@ type state struct {
func (s *state) AppendChecker(c Checker, req *CheckerReq) {
s.registrationMu.Lock()
defer s.registrationMu.Unlock()
+
s.cloneReq.AddFieldsLoadable(req.Clone)
+ s.execveReq.AddFieldsLoadable(req.Execve)
+ s.exitNotifyParentReq.AddFieldsLoadable(req.ExitNotifyParent)
+
s.appendCheckerLocked(c)
for _, p := range req.Points {
word, bit := p/32, p%32
diff --git a/pkg/sentry/seccheck/seccheck_fieldenum.go b/pkg/sentry/seccheck/seccheck_fieldenum.go
index b193b2973..4e2f691e8 100644
--- a/pkg/sentry/seccheck/seccheck_fieldenum.go
+++ b/pkg/sentry/seccheck/seccheck_fieldenum.go
@@ -67,6 +67,139 @@ func (fs *CloneFieldSet) AddFieldsLoadable(fields CloneFields) {
}
}
+// A ExecveField represents a field in ExecveInfo.
+type ExecveField uint
+
+// ExecveFieldX represents ExecveInfo field X.
+const (
+ ExecveFieldCredentials ExecveField = iota
+ ExecveFieldBinaryPath
+ ExecveFieldArgv
+ ExecveFieldEnv
+ ExecveFieldBinaryMode
+ ExecveFieldBinarySHA256
+)
+
+// ExecveFields represents a set of fields in ExecveInfo in a literal-friendly form.
+// The zero value of ExecveFields represents an empty set.
+type ExecveFields struct {
+ Invoker TaskFields
+ Credentials bool
+ BinaryPath bool
+ Argv bool
+ Env bool
+ BinaryMode bool
+ BinarySHA256 bool
+}
+
+// ExecveFieldSet represents a set of fields in ExecveInfo in a compact form.
+// The zero value of ExecveFieldSet represents an empty set.
+type ExecveFieldSet struct {
+ Invoker TaskFieldSet
+ fields [1]uint32
+}
+
+// Contains returns true if f is present in the ExecveFieldSet.
+func (fs ExecveFieldSet) Contains(f ExecveField) bool {
+ return fs.fields[0] & (uint32(1) << uint(f)) != 0
+}
+
+// Add adds f to the ExecveFieldSet.
+func (fs *ExecveFieldSet) Add(f ExecveField) {
+ fs.fields[0] |= uint32(1) << uint(f)
+}
+
+// Remove removes f from the ExecveFieldSet.
+func (fs *ExecveFieldSet) Remove(f ExecveField) {
+ fs.fields[0] &^= uint32(1) << uint(f)
+}
+
+// Load returns a copy of the ExecveFieldSet.
+// Load is safe to call concurrently with AddFieldsLoadable, but not Add or Remove.
+func (fs *ExecveFieldSet) Load() (copied ExecveFieldSet) {
+ copied.Invoker = fs.Invoker.Load()
+ copied.fields[0] = atomic.LoadUint32(&fs.fields[0])
+ return
+}
+
+// AddFieldsLoadable adds the given fields to the ExecveFieldSet.
+// AddFieldsLoadable is safe to call concurrently with Load, but not other methods (including other calls to AddFieldsLoadable).
+func (fs *ExecveFieldSet) AddFieldsLoadable(fields ExecveFields) {
+ fs.Invoker.AddFieldsLoadable(fields.Invoker)
+ if fields.Credentials {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldCredentials)))
+ }
+ if fields.BinaryPath {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldBinaryPath)))
+ }
+ if fields.Argv {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldArgv)))
+ }
+ if fields.Env {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldEnv)))
+ }
+ if fields.BinaryMode {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldBinaryMode)))
+ }
+ if fields.BinarySHA256 {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExecveFieldBinarySHA256)))
+ }
+}
+
+// A ExitNotifyParentField represents a field in ExitNotifyParentInfo.
+type ExitNotifyParentField uint
+
+// ExitNotifyParentFieldX represents ExitNotifyParentInfo field X.
+const (
+ ExitNotifyParentFieldExitStatus ExitNotifyParentField = iota
+)
+
+// ExitNotifyParentFields represents a set of fields in ExitNotifyParentInfo in a literal-friendly form.
+// The zero value of ExitNotifyParentFields represents an empty set.
+type ExitNotifyParentFields struct {
+ Exiter TaskFields
+ ExitStatus bool
+}
+
+// ExitNotifyParentFieldSet represents a set of fields in ExitNotifyParentInfo in a compact form.
+// The zero value of ExitNotifyParentFieldSet represents an empty set.
+type ExitNotifyParentFieldSet struct {
+ Exiter TaskFieldSet
+ fields [1]uint32
+}
+
+// Contains returns true if f is present in the ExitNotifyParentFieldSet.
+func (fs ExitNotifyParentFieldSet) Contains(f ExitNotifyParentField) bool {
+ return fs.fields[0] & (uint32(1) << uint(f)) != 0
+}
+
+// Add adds f to the ExitNotifyParentFieldSet.
+func (fs *ExitNotifyParentFieldSet) Add(f ExitNotifyParentField) {
+ fs.fields[0] |= uint32(1) << uint(f)
+}
+
+// Remove removes f from the ExitNotifyParentFieldSet.
+func (fs *ExitNotifyParentFieldSet) Remove(f ExitNotifyParentField) {
+ fs.fields[0] &^= uint32(1) << uint(f)
+}
+
+// Load returns a copy of the ExitNotifyParentFieldSet.
+// Load is safe to call concurrently with AddFieldsLoadable, but not Add or Remove.
+func (fs *ExitNotifyParentFieldSet) Load() (copied ExitNotifyParentFieldSet) {
+ copied.Exiter = fs.Exiter.Load()
+ copied.fields[0] = atomic.LoadUint32(&fs.fields[0])
+ return
+}
+
+// AddFieldsLoadable adds the given fields to the ExitNotifyParentFieldSet.
+// AddFieldsLoadable is safe to call concurrently with Load, but not other methods (including other calls to AddFieldsLoadable).
+func (fs *ExitNotifyParentFieldSet) AddFieldsLoadable(fields ExitNotifyParentFields) {
+ fs.Exiter.AddFieldsLoadable(fields.Exiter)
+ if fields.ExitStatus {
+ atomic.StoreUint32(&fs.fields[0], fs.fields[0] | (uint32(1) << uint(ExitNotifyParentFieldExitStatus)))
+ }
+}
+
// A TaskField represents a field in TaskInfo.
type TaskField uint