STRLCPY/ebpfguard

■ ■ ■ ■ ■ ■

README.md

		skipped 52 lines
53	53
54	54		### Defining single policies
55	55
	56	+	#### `file_open`
	57	+
56	58		The [file_open](https://github.com/deepfence/guardity/tree/main/examples/file_open)
57	59		example shows how to define a policy for `file_open` LSM hook as Rust code.
58	60		It denies the given binary (or all processes, if none defined) from opening
		skipped 27 lines
86	88		```bash
87	89		[2023-04-22T20:51:01Z INFO file_open] file_open: pid=3001 subject=980333 path=9632
88	90		[2023-04-22T20:51:03Z INFO file_open] file_open: pid=3010 subject=980298 path=9633
	91	+	```
	92	+
	93	+	#### `task_fix_setuid`
	94	+
	95	+	The [task_fix_setuid](https://github.com/deepfence/guardity/tree/main/examples/task_fix_setuid)
	96	+	example shows how to define a policy for `task_fix_setuid` LSM hook as Rust
	97	+	code. It denies the `setuid` operation for all processes except for the
	98	+	optionally given one.
	99	+
	100	+	To try it out, run our example policy program, first without providing any
	101	+	binary to allow `setuid` for (so it's denied for all processes):
	102	+
	103	+	```bash
	104	+	$ RUST_LOG=info cargo xtask run --example task_fix_setuid
	105	+	```
	106	+
	107	+	Then try to use `sudo`. It should fail with the following error:
	108	+
	109	+	```bash
	110	+	sudo -i
	111	+	sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
	112	+	sudo: error initializing audit plugin sudoers_audit
	113	+	```
	114	+
	115	+	And the policy program should show log like:
	116	+
	117	+	```bash
	118	+	[2023-04-23T15:15:00Z INFO task_fix_setuid] file_open: pid=25604 subject=674642 old_uid=1000 old_gid=1000 new_uid=0 new_gid=1000
	119	+	```
	120	+
	121	+	Now, let's try to allow `setuid` for a specific binary. Let's use `sudo`:
	122	+
	123	+	```bash
	124	+	$ RUST_LOG=info cargo xtask run --example task_fix_setuid -- --allow /usr/bin/sudo
	125	+	```
	126	+
	127	+	Then try to use `sudo` again. It should work this time:
	128	+
	129	+	```bash
	130	+	$ sudo -i
	131	+	# whoami
	132	+	root
89	133		```
90	134
91	135		### Daemon with CLI and YAML engine
		skipped 27 lines

■ ■ ■ ■ ■ ■

examples/file_open/examples/file_open.rs

1		-	use std::{fs::create_dir_all, path::PathBuf};
	1	+	use std::{
	2	+	fs::{create_dir_all, remove_dir_all},
	3	+	path::PathBuf,
	4	+	};
2	5
3	6		use clap::Parser;
4	7		use guardity::{
		skipped 29 lines
34	37		create_dir_all(&bpf_path)?;
35	38
36	39		// Create a policy manager.
37		-	let mut policy_manager = PolicyManager::new(bpf_path)?;
	40	+	let mut policy_manager = PolicyManager::new(&bpf_path)?;
38	41
39	42		// Attach the policy manager to the `file_open` LSM hook.
40	43		let mut file_open = policy_manager.attach_file_open()?;
		skipped 32 lines
73	76		}
74	77		}
75	78		}
	79	+
	80	+	info!("Exiting...");
	81	+	remove_dir_all(&bpf_path)?;
76	82
77	83		Ok(())
78	84		}
		skipped 1 lines

■ ■ ■ ■ ■ ■

examples/task_fix_setuid/Cargo.toml

1	+	[package]
2	+	name = "task_fix_set_uid"
3	+	version = "0.1.0"
4	+	edition = "2021"
5	+
6	+	[dependencies]
7	+	anyhow = { version = "1", features = ["backtrace"] }
8	+	clap = { version = "4.2", features = ["derive"] }
9	+	env_logger = "0.10"
10	+	guardity = { path = "../../guardity" }
11	+	log = "0.4"
12	+	tokio = { version = "1.25", features = ["macros", "rt", "rt-multi-thread", "net", "signal", "sync"] }
13	+

■ ■ ■ ■ ■ ■

examples/task_fix_setuid/examples/task_fix_setuid.rs

1	+	use std::{
2	+	fs::{create_dir_all, remove_dir_all},
3	+	path::PathBuf,
4	+	};
5	+
6	+	use clap::Parser;
7	+	use guardity::{
8	+	policy::{PolicySubject, TaskFixSetuid},
9	+	PolicyManager,
10	+	};
11	+	use log::info;
12	+
13	+	#[derive(Debug, Parser)]
14	+	struct Opt {
15	+	#[clap(long, default_value = "/sys/fs/bpf")]
16	+	bpffs_path: PathBuf,
17	+	#[clap(long, default_value = "example_task_fix_setuid")]
18	+	bpffs_dir: PathBuf,
19	+	/// Binary which should be allowed to change UID.
20	+	#[clap(long)]
21	+	allow: Option<PathBuf>,
22	+	}
23	+
24	+	#[tokio::main]
25	+	async fn main() -> anyhow::Result<()> {
26	+	let opt = Opt::parse();
27	+
28	+	env_logger::init();
29	+
30	+	// Create a directory where guardity policy manager can store its BPF
31	+	// objects (maps).
32	+	let bpf_path = opt.bpffs_path.join(opt.bpffs_dir);
33	+	create_dir_all(&bpf_path)?;
34	+
35	+	// Create a policy manager.
36	+	let mut policy_manager = PolicyManager::new(&bpf_path)?;
37	+
38	+	// Attach the policy manager to the `task_fix_setuid` LSM hook.
39	+	let mut task_fix_setuid = policy_manager.attach_task_fix_setuid()?;
40	+
41	+	// Get the receiver end of the alerts channel (for the `file_open` LSM
42	+	// hook).
43	+	let mut rx = task_fix_setuid.alerts().await?;
44	+
45	+	// Define policies which deny setuid for all processes (except for the
46	+	// specified subject, if defined).
47	+	let wildcard_deny_policy = TaskFixSetuid {
48	+	subject: PolicySubject::All,
49	+	allow: false,
50	+	};
51	+	task_fix_setuid.add_policy(wildcard_deny_policy).await?;
52	+	if let Some(subject) = opt.allow {
53	+	let subject_allow_policy = TaskFixSetuid {
54	+	subject: PolicySubject::Binary(subject),
55	+	allow: true,
56	+	};
57	+	task_fix_setuid.add_policy(subject_allow_policy).await?;
58	+	}
59	+
60	+	info!("Waiting for Ctrl-C...");
61	+
62	+	// Wait for policy violation alerts (or for CTRL+C).
63	+	loop {
64	+	tokio::select! {
65	+	Some(alert) = rx.recv() => {
66	+	info!(
67	+	"file_open: pid={} subject={} old_uid={} old_gid={} new_uid={} new_gid={}",
68	+	alert.pid,
69	+	alert.subject,
70	+	alert.old_uid,
71	+	alert.old_gid,
72	+	alert.new_uid,
73	+	alert.new_gid
74	+	);
75	+	}
76	+	_ = tokio::signal::ctrl_c() => {
77	+	break;
78	+	}
79	+	}
80	+	}
81	+
82	+	info!("Exiting...");
83	+	remove_dir_all(&bpf_path)?;
84	+
85	+	Ok(())
86	+	}
87	+

■ ■ ■ ■ ■ ■ ■

guardity/src/lib.rs

		skipped 48 lines
49	49		//!
50	50		//! ## Defining single policies
51	51		//!
	52	+	//! ### `file_open`
	53	+	//!
52	54		//! The [file_open](https://github.com/deepfence/guardity/tree/main/examples/file_open)
53	55		//! example shows how to define a policy for `file_open` LSM hook as Rust code.
54	56		//! It denies the given binary (or all processes, if none defined) from opening
		skipped 29 lines
84	86		//! [2023-04-22T20:51:03Z INFO file_open] file_open: pid=3010 subject=980298 path=9633
85	87		//! ```
86	88		//!
	89	+	//! ### `task_fix_setuid`
	90	+	//!
	91	+	//! The [task_fix_setuid](https://github.com/deepfence/guardity/tree/main/examples/task_fix_setuid)
	92	+	//! example shows how to define a policy for `task_fix_setuid` LSM hook as Rust
	93	+	//! code. It denies the `setuid` operation for all processes except for the
	94	+	//! optionally given one.
	95	+	//!
	96	+	//! To try it out, run our example policy program, first without providing any
	97	+	//! binary to allow `setuid` for (so it's denied for all processes):
	98	+	//!
	99	+	//! ```bash
	100	+	//! $ RUST_LOG=info cargo xtask run --example task_fix_setuid
	101	+	//! ```
	102	+	//!
	103	+	//! Then try to use `sudo`. It should fail with the following error:
	104	+	//!
	105	+	//! ```bash
	106	+	//! sudo -i
	107	+	//! sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
	108	+	//! sudo: error initializing audit plugin sudoers_audit
	109	+	//! ```
	110	+	//!
	111	+	//! And the policy program should show log like:
	112	+	//!
	113	+	//! ```bash
	114	+	//! [2023-04-23T15:15:00Z INFO task_fix_setuid] file_open: pid=25604 subject=674642 old_uid=1000 old_gid=1000 new_uid=0 new_gid=1000
	115	+	//! ```
	116	+	//!
	117	+	//! Now, let's try to allow `setuid` for a specific binary. Let's use `sudo`:
	118	+	//!
	119	+	//! ```bash
	120	+	//! $ RUST_LOG=info cargo xtask run --example task_fix_setuid -- --allow /usr/bin/sudo
	121	+	//! ```
	122	+	//!
	123	+	//! Then try to use `sudo` again. It should work this time:
	124	+	//!
	125	+	//! ```bash
	126	+	//! $ sudo -i
	127	+	//! # whoami
	128	+	//! root
	129	+	//! ```
	130	+	//!
87	131		//! ## Daemon with CLI and YAML engine
88	132		//!
89	133		//! Run the daemon with:
		skipped 22 lines
112	156		programs::{lsm::LsmLink, Lsm},
113	157		Bpf, BpfLoader, Btf,
114	158		};
115		-	use hooks::{All, BprmCheckSecurity, FileOpen, SocketBind, SocketConnect, TaskFixSetuid};
116		-	use policy::inode::InodeSubjectMap;
117	159
118	160		pub mod alerts;
119	161		pub mod error;
120	162		pub mod fs;
121	163		pub mod hooks;
122	164		pub mod policy;
	165	+
	166	+	use hooks::{All, BprmCheckSecurity, FileOpen, SocketBind, SocketConnect, TaskFixSetuid};
	167	+	use policy::inode::InodeSubjectMap;
123	168
124	169		pub struct PolicyManager {
125	170		bpf: Bpf,
		skipped 223 lines

■ ■ ■ ■ ■ ■

guardity-ebpf/src/lib.rs

		skipped 4 lines
5	5		pub mod consts;
6	6		pub mod file_open;
7	7		pub mod maps;
8		-	pub mod setuid;
	8	+	pub mod task_fix_setuid;
9	9		pub mod socket_bind;
10	10		pub mod socket_connect;
11	11		#[allow(non_upper_case_globals)]
		skipped 24 lines

■ ■ ■ ■ ■ ■

guardity-ebpf/src/main.rs

		skipped 3 lines
4	4		use aya_bpf::{macros::lsm, programs::LsmContext};
5	5
6	6		use guardity_ebpf::{
7		-	bprm_check_security::bprm_check_security, file_open::file_open, setuid::task_fix_setuid,
	7	+	bprm_check_security::bprm_check_security, file_open::file_open, task_fix_setuid::task_fix_setuid,
8	8		socket_bind::socket_bind, socket_connect::socket_connect,
9	9		};
10	10
		skipped 42 lines

guardity-ebpf/src/setuid.rs guardity-ebpf/src/task_fix_setuid.rs

Content is identical

examples: Add `task_fix_setuid` example