Merge pull request #1 from bytedance/ptrace-confine

support ptrace enforcement

Author: Danny-Wei

pkg/bpfenforcer/bpf/enforcer.c

@@ -10,9 +10,13 @@
 #include "file.h"
 #include "process.h"
 #include "network.h"
+#include "ptrace.h"
 
 char __license[] SEC("license") = "GPL";
 
+// Save the mnt ns id of init task
+volatile const u32 init_mnt_ns;
+
 // Tail call map (program array) initialized with program pointers.
 struct {
 	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
@@ -269,3 +273,30 @@ int BPF_PROG(varmor_socket_connect, struct socket *sock, struct sockaddr *addres
   // Iterate all rules in the inner map
   return iterate_net_inner_map(vnet_inner, address);
 }
+
+SEC("lsm/ptrace_access_check")
+int BPF_PROG(varmor_ptrace_access_check, struct task_struct *child, unsigned int mode) {
+  // Retrieve the current task
+  struct task_struct *current = (struct task_struct *)bpf_get_current_task();
+  u32 current_mnt_ns = get_task_mnt_ns_id(current);
+  u32 child_mnt_ns = get_task_mnt_ns_id(child);
+  
+  // Whether the current task has ptrace access control rule
+  u64 *rule = get_ptrace_rule(current_mnt_ns);
+  if (rule != 0) {
+    DEBUG_PRINT("================ lsm/ptrace_access_check ================");
+    if (!ptrace_permission_check(current_mnt_ns, child_mnt_ns, *rule, (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ : AA_PTRACE_TRACE))
+      return -EPERM;
+  }
+
+  // Whether the child task has ptrace access control rule
+  // We allow tasks from the init mnt ns by default
+  rule = get_ptrace_rule(child_mnt_ns);
+  if (current_mnt_ns != init_mnt_ns && rule != 0) {
+    DEBUG_PRINT("================ lsm/ptrace_access_check ================");
+    if (!ptrace_permission_check(current_mnt_ns, child_mnt_ns, *rule, (mode & PTRACE_MODE_READ) ? AA_MAY_BE_READ : AA_MAY_BE_TRACED))
+      return -EPERM;
+  }
+
+  return 0;
+}

pkg/bpfenforcer/bpf/enforcer.h

@@ -15,14 +15,14 @@
 #define FILE_PATH_PATTERN_SIZE_MAX 64
 #define BUFFER_MAX 4096*3
 
-#define PRECISE_MATCH 0x1
-#define GREEDY_MATCH 0x2
-#define PREFIX_MATCH 0x4
-#define SUFFIX_MATCH 0x8
-#define CIDR_MATCH 0x00000020
-#define IPV4_MATCH 0x00000040
-#define IPV6_MATCH 0x00000080
-#define PORT_MATCH 0x00000100
+#define PRECISE_MATCH 0x00000001
+#define GREEDY_MATCH  0x00000002
+#define PREFIX_MATCH  0x00000004
+#define SUFFIX_MATCH  0x00000008
+#define CIDR_MATCH    0x00000020
+#define IPV4_MATCH    0x00000040
+#define IPV6_MATCH    0x00000080
+#define PORT_MATCH    0x00000100
 
 #undef container_of
 #define container_of(ptr, type, member)                                        \

pkg/bpfenforcer/bpf/perms.h

@@ -5,36 +5,44 @@
 
 // https://elixir.bootlin.com/linux/v5.10.178/source/tools/include/nolibc/nolibc.h#L446
 /* fcntl / open */
-#define O_RDONLY            0
-#define O_WRONLY            1
-#define O_RDWR              2
-#define O_CREAT          0x40
-#define O_EXCL           0x80
-#define O_NOCTTY        0x100
-#define O_TRUNC         0x200
-#define O_APPEND        0x400
-#define O_NONBLOCK      0x800
-#define O_DIRECTORY   0x10000
+#define O_RDONLY      0x00000000
+#define O_WRONLY      0x00000001
+#define O_RDWR        0x00000002
+#define O_CREAT       0x00000040
+#define O_EXCL        0x00000080
+#define O_NOCTTY      0x00000100
+#define O_TRUNC       0x00000200
+#define O_APPEND      0x00000400
+#define O_NONBLOCK    0x00000800
+#define O_DIRECTORY   0x00010000
 
 // https://elixir.bootlin.com/linux/v5.10.178/source/include/linux/fs.h#L95
-#define MAY_EXEC		0x00000001
-#define MAY_WRITE		0x00000002
-#define MAY_READ		0x00000004
-#define MAY_APPEND	0x00000008
-#define MAY_ACCESS	0x00000010
-#define MAY_OPEN		0x00000020
-#define MAY_CHDIR		0x00000040
-#define FMODE_READ  0x1
-#define FMODE_WRITE 0x2
+#define MAY_EXEC		  0x00000001
+#define MAY_WRITE		  0x00000002
+#define MAY_READ		  0x00000004
+#define MAY_APPEND	  0x00000008
+#define MAY_ACCESS	  0x00000010
+#define MAY_OPEN		  0x00000020
+#define MAY_CHDIR		  0x00000040
+#define FMODE_READ    0x00000001
+#define FMODE_WRITE   0x00000002
 
 // https://elixir.bootlin.com/linux/v5.10.178/source/security/apparmor/include/perms.h#L16
 // https://elixir.bootlin.com/linux/v5.10.178/source/security/apparmor/include/net.h#L72
-#define AA_MAY_EXEC     MAY_EXEC
-#define AA_MAY_WRITE  	MAY_WRITE
-#define AA_MAY_READ     MAY_READ
-#define AA_MAY_APPEND		MAY_APPEND
-#define AA_MAY_CREATE   0x0010
-#define AA_MAY_RENAME   0x0080
-#define AA_MAY_LINK		  0x00040000
+#define AA_MAY_EXEC       MAY_EXEC
+#define AA_MAY_WRITE  	  MAY_WRITE
+#define AA_MAY_READ       MAY_READ
+#define AA_MAY_APPEND		  MAY_APPEND
+#define AA_MAY_CREATE     0x00000010
+#define AA_MAY_RENAME     0x00000080
+#define AA_MAY_LINK		    0x00040000
+#define AA_PTRACE_TRACE   MAY_WRITE
+#define AA_PTRACE_READ    MAY_READ
+#define AA_MAY_BE_TRACED  AA_MAY_APPEND
+#define AA_MAY_BE_READ		AA_MAY_CREATE
+
+// https://elixir.bootlin.com/linux/v5.10.178/source/include/linux/ptrace.h#L62
+#define PTRACE_MODE_READ	  0x01
+#define PTRACE_MODE_ATTACH	0x02
 
 #endif /* __PERMS_H */

pkg/bpfenforcer/bpf/ptrace.h

@@ -0,0 +1,50 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright 2023 vArmor-ebpf Authors
+
+#ifndef __PTRACE_H
+#define __PTRACE_H
+
+#include "vmlinux.h"
+#include "bpf_helpers.h"
+#include "bpf_tracing.h"
+#include "bpf_core_read.h"
+#include "enforcer.h"
+#include "perms.h"
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__type(key, u32);
+	__type(value, u64); // rule: permissions + flags
+	__uint(max_entries, OUTER_MAP_ENTRIES_MAX);
+} v_ptrace SEC(".maps");
+
+static __always_inline u64 *get_ptrace_rule(u32 mnt_ns) {
+    return bpf_map_lookup_elem(&v_ptrace, &mnt_ns);
+}
+
+static __always_inline bool ptrace_permission_check(u32 current_mnt_ns, u32 child_mnt_ns, u64 rule, u32 request_permission) {
+  DEBUG_PRINT("current task(mnt ns: %u) request the vArmor ptrace permission(0x%x) of child task(mnt ns: %u)", 
+          current_mnt_ns, request_permission, child_mnt_ns);
+
+  u32 permissions = rule >> 32;
+  u32 flags = (u32)(rule & 0xffffffff);
+
+  if (permissions & request_permission) {
+    // deny all tasks
+    if (flags & GREEDY_MATCH) {
+      DEBUG_PRINT("access denied");
+      return false;
+    }
+
+    // only deny tasks outside the container
+    if (flags & PRECISE_MATCH && current_mnt_ns != child_mnt_ns) {
+      DEBUG_PRINT("access denied");
+      return false;
+    }
+  }
+
+  DEBUG_PRINT("access allowed");
+  return true;
+}
+
+#endif /* __PTRACE_H */

pkg/bpfenforcer/bpf_bpfel.go

@@ -21,6 +21,8 @@ import "C"
 import (
 	"fmt"
 	"net"
+	"os"
+	"strconv"
 	"strings"
 
 	"github.com/cilium/ebpf"
@@ -47,6 +49,10 @@ const (
 	AA_MAY_WRITE           = 0x00000002
 	AA_MAY_READ            = 0x00000004
 	AA_MAY_APPEND          = 0x00000008
+	AA_PTRACE_TRACE        = 0x00000002
+	AA_PTRACE_READ         = 0x00000004
+	AA_MAY_BE_TRACED       = 0x00000008
+	AA_MAY_BE_READ         = 0x00000010
 )
 
 type bpfPathRule struct {
@@ -72,6 +78,7 @@ type BpfEnforcer struct {
 	pathRenameLink  link.Link
 	bprmLink        link.Link
 	sockConnLink    link.Link
+	ptraceLink      link.Link
 	log             logr.Logger
 }
 
@@ -84,6 +91,27 @@ func NewBpfEnforcer(log logr.Logger) *BpfEnforcer {
 	return &enforcer
 }
 
+func readMntNsID(pid uint32) (uint32, error) {
+	path := fmt.Sprintf("/proc/%d/ns/mnt", pid)
+	realPath, err := os.Readlink(path)
+	if err != nil {
+		return 0, err
+	}
+
+	index := strings.Index(realPath, "[")
+	if index == -1 {
+		return 0, fmt.Errorf(fmt.Sprintf("fatel error: can not parser mnt ns id from: %s", realPath))
+	}
+
+	id := realPath[index+1 : len(realPath)-1]
+	u64, err := strconv.ParseUint(id, 10, 32)
+	if err != nil {
+		return 0, fmt.Errorf(fmt.Sprintf("fatel error: can not transform mnt ns id (%s) to uint64 type", realPath))
+	}
+
+	return uint32(u64), nil
+}
+
 func (enforcer *BpfEnforcer) InitEBPF() error {
 	// Allow the current process to lock memory for eBPF resources.
 	enforcer.log.Info("remove memory lock")
@@ -124,6 +152,16 @@ func (enforcer *BpfEnforcer) InitEBPF() error {
 	}
 	collectionSpec.Maps["v_net_outer"].InnerMap = &netInnerMap
 
+	initMntNsId, err := readMntNsID(1)
+	if err != nil {
+		return err
+	}
+
+	// Set the mnt ns id to the BPF program
+	collectionSpec.RewriteConstants(map[string]interface{}{
+		"init_mnt_ns": initMntNsId,
+	})
+
 	// Load pre-compiled programs and maps into the kernel.
 	enforcer.log.Info("load ebpf program and maps into the kernel")
 	err = collectionSpec.LoadAndAssign(&enforcer.objs, nil)
@@ -202,6 +240,14 @@ func (enforcer *BpfEnforcer) StartEnforcing() error {
 	}
 	enforcer.sockConnLink = sockConnLink
 
+	ptraceLink, err := link.AttachLSM(link.LSMOptions{
+		Program: enforcer.objs.VarmorPtraceAccessCheck,
+	})
+	if err != nil {
+		return err
+	}
+	enforcer.ptraceLink = ptraceLink
+
 	enforcer.log.Info("start enforcing")
 
 	return nil
@@ -237,6 +283,10 @@ func (enforcer *BpfEnforcer) StopEnforcing() {
 	if enforcer.sockConnLink != nil {
 		enforcer.sockConnLink.Close()
 	}
+
+	if enforcer.ptraceLink != nil {
+		enforcer.ptraceLink.Close()
+	}
 }
 
 func (enforcer *BpfEnforcer) SetCapableMap(mntNsID uint32, capability uint64) error {
@@ -481,3 +531,15 @@ func (enforcer *BpfEnforcer) SetNetMap(mntNsID uint32, networkRule *bpfNetworkRu
 func (enforcer *BpfEnforcer) ClearNetMap(mntNsID uint32) error {
 	return enforcer.objs.V_netOuter.Delete(&mntNsID)
 }
+
+func newBpfPtraceRule(permissions uint32, flags uint32) uint64 {
+	return uint64(permissions)<<32 + uint64(flags)
+}
+
+func (enforcer *BpfEnforcer) SetPtraceMap(mntNsID uint32, ptraceRule uint64) error {
+	return enforcer.objs.V_ptrace.Put(&mntNsID, &ptraceRule)
+}
+
+func (enforcer *BpfEnforcer) ClearPtraceMap(mntNsID uint32) error {
+	return enforcer.objs.V_ptrace.Delete(&mntNsID)
+}