tetragon: Support IMA hash collection for LSM sensor
Add support for IMA hash collection in the Post action.
Add IMA hashes to LSM events; the hash is represented as
a string in the form algorithm:value. Support loading lsm.s/generic_lsm_ima_* programs.

Signed-off-by: Andrei Fedotov <[email protected]>
anfedotoff committed Oct 3, 2024
1 parent e215409 commit f774f25
Showing 25 changed files with 886 additions and 427 deletions.
1 change: 1 addition & 0 deletions api/v1/README.md


13 changes: 13 additions & 0 deletions api/v1/tetragon/codegen/eventchecker/eventchecker.pb.go


287 changes: 149 additions & 138 deletions api/v1/tetragon/tetragon.pb.go


2 changes: 2 additions & 0 deletions api/v1/tetragon/tetragon.proto
Expand Up @@ -548,6 +548,8 @@ message ProcessLsm {
KprobeAction action = 8;
// Tags of the Tracing Policy to categorize the event.
repeated string tags = 9;
// IMA file hash. Format algorithm:value.
string ima_hash = 11;
}

message KernelModule {
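Review bot: The comment on the new `ima_hash` field says only `Format algorithm:value`, which leaves the consumer guessing about the encoding; the producer in pkg/grpc/tracing emits a lowercase algorithm name followed by a hex-encoded digest and leaves the field empty when no hash was produced. I'd write `// IMA file hash as algorithm:hex-digest (e.g. sha256:<hex>). Empty when IMA did not return a hash.` Field number 10 is skipped between `tags = 9` and `ima_hash = 11`; if it is not reserved elsewhere in the message, a `reserved 10;` line would keep the gap from being reused by accident.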



1 change: 1 addition & 0 deletions docs/content/en/docs/reference/grpc-api.md


Expand Up @@ -363,6 +363,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -679,6 +684,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -968,6 +978,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1284,6 +1299,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1606,6 +1626,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1922,6 +1947,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2179,6 +2209,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2495,6 +2530,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Up @@ -363,6 +363,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -679,6 +684,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -968,6 +978,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1284,6 +1299,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1606,6 +1626,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -1922,6 +1947,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2179,6 +2209,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
Expand Down Expand Up @@ -2495,6 +2530,11 @@ spec:
argUrl:
description: A URL for the getUrl action
type: string
imaHash:
description: Enable collection of file hashes from
integrity subsystem. Only valid with the post
action.
type: boolean
kernelStackTrace:
description: Enable kernel stack trace export. Only
valid with the post action.
1 change: 1 addition & 0 deletions pkg/api/processapi/processapi.go
Expand Up @@ -43,6 +43,7 @@ const (
MSG_COMMON_FLAG_RETURN = 0x1
MSG_COMMON_FLAG_KERNEL_STACKTRACE = 0x2
MSG_COMMON_FLAG_USER_STACKTRACE = 0x4
MSG_COMMON_FLAG_IMA_HASH = 0x8

BINARY_PATH_MAX_LEN = 256

25 changes: 25 additions & 0 deletions pkg/grpc/tracing/tracing.go
Expand Up @@ -4,6 +4,7 @@
package tracing

import (
"encoding/hex"
"fmt"

"github.com/cilium/tetragon/pkg/reader/kernel"
Expand Down Expand Up @@ -823,13 +824,19 @@ func (msg *MsgGenericUprobeUnix) Cast(o interface{}) notify.Message {
return &t
}

type MsgImaHash struct {
Algo int32 `align:"algo"`
Hash [64]uint8 `align:"hash"`
}

type MsgGenericLsmUnix struct {
Msg *tracingapi.MsgGenericKprobe
Hook string
Args []tracingapi.MsgGenericKprobeArg
PolicyName string
Message string
Tags []string
ImaHash MsgImaHash
}

func (msg *MsgGenericLsmUnix) Notify() bool {
Expand Down Expand Up @@ -904,6 +911,24 @@ func GetProcessLsm(event *MsgGenericLsmUnix) *tetragon.ProcessLsm {
Tags: event.Tags,
}

switch event.ImaHash.Algo {
case 1: // MD5
tetragonEvent.ImaHash = fmt.Sprintf("md5:%s", hex.EncodeToString(event.ImaHash.Hash[:16]))
case 2: // SHA1
tetragonEvent.ImaHash = fmt.Sprintf("sha1:%s", hex.EncodeToString(event.ImaHash.Hash[:20]))
case 4: // SHA256
tetragonEvent.ImaHash = fmt.Sprintf("sha256:%s", hex.EncodeToString(event.ImaHash.Hash[:32]))
case 6: // SHA512
tetragonEvent.ImaHash = fmt.Sprintf("sha512:%s", hex.EncodeToString(event.ImaHash.Hash[:]))
case 13: // WP512
tetragonEvent.ImaHash = fmt.Sprintf("wp512:%s", hex.EncodeToString(event.ImaHash.Hash[:]))
case 17: // SM3
tetragonEvent.ImaHash = fmt.Sprintf("sm3:%s", hex.EncodeToString(event.ImaHash.Hash[:32]))

default:
logger.GetLogger().Debugf("bpf_ima_inode_hash/bpf_ima_file_hash returned code: %d", event.ImaHash.Algo)
}

if tetragonProcess.Pid == nil {
eventcache.CacheErrors(eventcache.NilProcessPid, notify.EventType(tetragonEvent)).Inc()
return nil
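Review bot: The `default` branch of the new `switch event.ImaHash.Algo` in GetProcessLsm conflates two different outcomes — a negative value, which is the errno returned by bpf_ima_inode_hash/bpf_ima_file_hash (for instance when IMA is not available on the host), and a positive id for an algorithm this switch does not handle (sha384, for example) — and both are dropped with the same "returned code" debug line, so an operator cannot tell a failed measurement from an unsupported one. The case labels are bare numbers that mirror the kernel's enum hash_algo; naming them keeps the mapping auditable, and the exported `MsgImaHash` type should carry a doc comment saying that `Algo` is that enum value or an errno. If `ImaHash` is zero-valued when the post action did not request a hash (I cannot tell from this hunk), Algo 0 also reaches the default branch and logs on every LSM event, so gating the switch on the request flag or adding an explicit `case 0:` is worth checking. GetProcessLsm starts and ends outside the hunk. The rewrite below names the ids and separates the error case from the unsupported-algorithm case.
```go
// IMA hash algorithm ids as returned by bpf_ima_inode_hash/bpf_ima_file_hash
// (the kernel's enum hash_algo); a negative return value is an errno.
const (
	imaHashAlgoMD5    = 1
	imaHashAlgoSHA1   = 2
	imaHashAlgoSHA256 = 4
	imaHashAlgoSHA512 = 6
	imaHashAlgoWP512  = 13
	imaHashAlgoSM3    = 17
)

// … unchanged: MsgImaHash, MsgGenericLsmUnix, start of GetProcessLsm …

	switch event.ImaHash.Algo {
	case imaHashAlgoMD5:
		tetragonEvent.ImaHash = "md5:" + hex.EncodeToString(event.ImaHash.Hash[:16])
	case imaHashAlgoSHA1:
		tetragonEvent.ImaHash = "sha1:" + hex.EncodeToString(event.ImaHash.Hash[:20])
	case imaHashAlgoSHA256:
		tetragonEvent.ImaHash = "sha256:" + hex.EncodeToString(event.ImaHash.Hash[:32])
	case imaHashAlgoSHA512:
		tetragonEvent.ImaHash = "sha512:" + hex.EncodeToString(event.ImaHash.Hash[:])
	case imaHashAlgoWP512:
		tetragonEvent.ImaHash = "wp512:" + hex.EncodeToString(event.ImaHash.Hash[:])
	case imaHashAlgoSM3:
		tetragonEvent.ImaHash = "sm3:" + hex.EncodeToString(event.ImaHash.Hash[:32])
	default:
		if event.ImaHash.Algo < 0 {
			// errno from the BPF helper: the hash could not be collected
			logger.GetLogger().Debugf("bpf_ima_inode_hash/bpf_ima_file_hash failed: %d", event.ImaHash.Algo)
		} else {
			logger.GetLogger().Debugf("unsupported IMA hash algorithm id: %d", event.ImaHash.Algo)
		}
	}

// … unchanged: nil-pid check and the rest of GetProcessLsm …
```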
