
define kernel_parameters in conf
Gui774ume committed Jul 31, 2022
1 parent 0c8a520 commit 880d590
Showing 13 changed files with 162 additions and 103 deletions.
67 changes: 65 additions & 2 deletions cmd/krie/run/config/default_config.yaml
Expand Up @@ -52,5 +52,68 @@ events:
## kernel_parameter event configuration
kernel_parameter:
action: nop
periodic_action: nop
ticker: 1 # sends at most one event every [ticker] second(s)
periodic_action: log
ticker: 1 # sends at most one event every [ticker] second(s)
list:
- symbol: system/kprobes_all_disarmed
expected_value: 0
size: 4

# sysctl
- symbol: system/ftrace_dump_on_oops
expected_value: 0
size: 4
- symbol: system/kptr_restrict
expected_value: 0
size: 4
- symbol: system/randomize_va_space
expected_value: 2
size: 4
- symbol: system/stack_tracer_enabled
expected_value: 0
size: 4
- symbol: system/unprivileged_userns_clone
expected_value: 0
size: 4
- symbol: system/unprivileged_userns_apparmor_policy
expected_value: 1
size: 4
- symbol: system/sysctl_unprivileged_bpf_disabled
expected_value: 1
size: 4
- symbol: system/ptrace_scope
expected_value: 2
size: 4
- symbol: system/sysctl_perf_event_paranoid
expected_value: 2
size: 4
- symbol: system/kexec_load_disabled
expected_value: 1
size: 4
- symbol: system/dmesg_restrict
expected_value: 1
size: 4
- symbol: system/modules_disabled
expected_value: 0
size: 4
- symbol: system/ftrace_enabled
expected_value: 1
size: 4
- symbol: system/ftrace_disabled
expected_value: 0
size: 4
- symbol: system/sysctl_protected_fifos
expected_value: 1
size: 4
- symbol: system/sysctl_protected_hardlinks
expected_value: 1
size: 4
- symbol: system/sysctl_protected_regular
expected_value: 2
size: 4
- symbol: system/sysctl_protected_symlinks
expected_value: 1
size: 4
- symbol: system/sysctl_unprivileged_userfaultfd
expected_value: 0
size: 4
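Review bot: The new `list` block carries no comment explaining its fields, although their meaning is not obvious from the values alone: `expected_value` appears to be the baseline the live kernel value is compared against, `size` the byte width of the read, and — judging by `ParameterOption` in pkg/krie/events/kernel_parameter.go in this commit — an `address` key may replace `symbol`, which none of the defaults show. A header comment above `list:` such as `# kernel parameters to check: each entry needs a symbol (resolved from the kernel symbol table) or an address, the expected_value the live value is compared against, and the size of the read in bytes` would make the file self-describing. The switch of `periodic_action` from `nop` to `log` also changes the default behavior to emit periodic events, which deserves a mention in the comment beside it.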
1 change: 1 addition & 0 deletions cmd/krie/run/options.go
Expand Up @@ -61,6 +61,7 @@ func (kos *KRIEOptionsSanitizer) Set(val string) error {
if err != nil {
return fmt.Errorf("couldn't find config file %s: %w", val, err)
}
kos.options.Config = val
return nil
default:
return nil
6 changes: 6 additions & 0 deletions ebpf/krie/constants.h
Expand Up @@ -49,4 +49,10 @@ __attribute__((always_inline)) u64 get_kernel_parameter_ticker() {
return kernel_parameter_ticker;
};

__attribute__((always_inline)) u64 get_kernel_parameter_count() {
u64 kernel_parameter_count;
LOAD_CONSTANT("kernel_parameter_count", kernel_parameter_count);
return kernel_parameter_count;
};

#endif
54 changes: 0 additions & 54 deletions ebpf/krie/events.h
Expand Up @@ -58,79 +58,25 @@ struct {
kernel_event->event.type = event_type; \
kernel_event->event.cpu = bpf_get_smp_processor_id(); \
kernel_event->event.timestamp = bpf_ktime_get_ns(); \
\
perf_ret = bpf_perf_event_output(ctx, &events, kernel_event->event.cpu, kernel_event, kernel_event_size); \
\
if (kernel_event->event.type < EVENT_MAX) { \
u64 lookup_type = event_type; \
struct perf_map_stats_t *stats = bpf_map_lookup_elem(&events_stats, &lookup_type); \
if (stats != NULL) { \
if (!perf_ret) { \
__sync_fetch_and_add(&stats->bytes, kernel_event_size + 4); \
__sync_fetch_and_add(&stats->count, 1); \
} else { \
__sync_fetch_and_add(&stats->lost, 1); \
} \
} \
} \

#define send_event_with_size_ptr_ringbuf(ctx, event_type, kernel_event, kernel_event_size) \
kernel_event->event.type = event_type; \
kernel_event->event.cpu = bpf_get_smp_processor_id(); \
kernel_event->event.timestamp = bpf_ktime_get_ns(); \
\
perf_ret = bpf_ringbuf_output(&events, kernel_event, kernel_event_size, 0); \
\
if (kernel_event->event.type < EVENT_MAX) { \
u64 lookup_type = event_type; \
struct perf_map_stats_t *stats = bpf_map_lookup_elem(&events_stats, &lookup_type); \
if (stats != NULL) { \
if (!perf_ret) { \
__sync_fetch_and_add(&stats->bytes, kernel_event_size + 4); \
__sync_fetch_and_add(&stats->count, 1); \
} else { \
__sync_fetch_and_add(&stats->lost, 1); \
} \
} \
} \

#define send_event_with_size_perf(ctx, event_type, kernel_event, kernel_event_size) \
kernel_event.event.type = event_type; \
kernel_event.event.cpu = bpf_get_smp_processor_id(); \
kernel_event.event.timestamp = bpf_ktime_get_ns(); \
\
perf_ret = bpf_perf_event_output(ctx, &events, kernel_event.event.cpu, &kernel_event, kernel_event_size); \
\
if (kernel_event.event.type < EVENT_MAX) { \
struct perf_map_stats_t *stats = bpf_map_lookup_elem(&events_stats, &kernel_event.event.type); \
if (stats != NULL) { \
if (!perf_ret) { \
__sync_fetch_and_add(&stats->bytes, kernel_event_size + 4); \
__sync_fetch_and_add(&stats->count, 1); \
} else { \
__sync_fetch_and_add(&stats->lost, 1); \
} \
} \
} \

#define send_event_with_size_ringbuf(ctx, event_type, kernel_event, kernel_event_size) \
kernel_event.event.type = event_type; \
kernel_event.event.cpu = bpf_get_smp_processor_id(); \
kernel_event.event.timestamp = bpf_ktime_get_ns(); \
\
perf_ret = bpf_ringbuf_output(&events, &kernel_event, kernel_event_size, 0); \
\
if (kernel_event.event.type < EVENT_MAX) { \
struct perf_map_stats_t *stats = bpf_map_lookup_elem(&events_stats, &kernel_event.event.type); \
if (stats != NULL) { \
if (!perf_ret) { \
__sync_fetch_and_add(&stats->bytes, kernel_event_size + 4); \
__sync_fetch_and_add(&stats->count, 1); \
} else { \
__sync_fetch_and_add(&stats->lost, 1); \
} \
} \
} \

#define send_event(ctx, event_type, kernel_event) \
u64 size = sizeof(kernel_event); \
21 changes: 10 additions & 11 deletions ebpf/krie/krie/kernel_parameter.h
Expand Up @@ -26,20 +26,15 @@ struct kernel_parameter_event_t {

memory_factory(kernel_parameter_event)

#define KERNEL_PARAMETER_MAX 50

struct {
__uint(type, BPF_MAP_TYPE_HASH);
__type(key, u32);
__type(value, struct kernel_parameter_t);
__uint(max_entries, 1000);
__uint(max_entries, KERNEL_PARAMETER_MAX);
} kernel_parameters SEC(".maps");

enum kernel_parameter_key {
KERNEL_PARAMETER_MIN = 0,
KERNEL_PARAMETER_FTRACE_ENABLED = KERNEL_PARAMETER_MIN,
KERNEL_PARAMETER_KPROBES_ALL_DISAMED = 1,
KERNEL_PARAMETER_MAX = KERNEL_PARAMETER_KPROBES_ALL_DISAMED,
};

__attribute__((always_inline)) u32 run_kernel_parameter_check(void *ctx, struct process_context_t *process_ctx, u8 is_periodic) {
u32 kernel_parameter_key = 0;
struct kernel_parameter_t *param = NULL;
Expand All @@ -62,14 +57,17 @@ __attribute__((always_inline)) u32 run_kernel_parameter_check(void *ctx, struct
event->event.action = policy->action;

#pragma unroll
for(int i = KERNEL_PARAMETER_MIN; i <= KERNEL_PARAMETER_MAX; i++) {
for(int i = 0; i < KERNEL_PARAMETER_MAX; i++) {
if (i >= get_kernel_parameter_count()){
goto out;
}
kernel_parameter_key = i;
param = bpf_map_lookup_elem(&kernel_parameters, &kernel_parameter_key);
if (param == NULL) {
continue;
goto out;
}
if (param->addr == 0) {
continue;
goto out;
}
bpf_probe_read_kernel(&event->actual_value, (param->size & 7), (void *)param->addr);

Expand All @@ -84,6 +82,7 @@ __attribute__((always_inline)) u32 run_kernel_parameter_check(void *ctx, struct
}
}

out:
if (triggered) {
return policy->action;
}
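Review bot: `KERNEL_PARAMETER_MAX` is defined as 50 here, while the validation added in pkg/krie/events/kernel_parameter.go in the same commit allows `MaxKernelParameterCount = 1000` and pkg/krie/manager.go passes `len(List)` as `kernel_parameter_count` without clamping. A configuration with between 51 and 1000 entries therefore passes `IsValid` and presumably fails only later when `kernelParametersMap.Put` runs out of slots in the 50-entry hash map; and even if loading succeeded, the unrolled loop bounded by `KERNEL_PARAMETER_MAX` would never check entries beyond index 49. The two limits should be one value; defining `MaxKernelParameterCount = 50` on the Go side with a comment `// must match KERNEL_PARAMETER_MAX in ebpf/krie/krie/kernel_parameter.h` is the minimal fix. Separately, `get_kernel_parameter_count()` is re-read inside every unrolled iteration; hoisting `u64 count = get_kernel_parameter_count();` above the loop and testing `if (i >= count)` avoids that. `run_kernel_parameter_check` continues past the end of the hunk.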
5 changes: 5 additions & 0 deletions ebpf/main.c
Expand Up @@ -6,6 +6,9 @@
* License as published by the Free Software Foundation.
*/

#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wunused-but-set-variable"

// Custom eBPF helpers
#include "include/all.h"

Expand All @@ -24,5 +27,7 @@
// events
#include "krie/hooks/all_hooks.h"

#pragma clang diagnostic pop

char _license[] SEC("license") = "GPL";
__u32 _version SEC("version") = 0xFFFFFFFE;
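Review bot: Wrapping every include in `#pragma clang diagnostic ignored "-Wunused-but-set-variable"` silences that warning for the whole eBPF program, so any future genuinely unused variable in any header goes unnoticed. The trigger is presumably `perf_ret`, which the `send_event_*` macros in ebpf/krie/events.h still assign after this commit removed the stats block that read it; dropping the assignment, or adding `(void)perf_ret;` to the macros, keeps the warning useful elsewhere. If the pragma has to stay, a comment naming what it is for, e.g. `// perf_ret is assigned by the send_event macros but no longer read`, would at least document why it is there.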
12 changes: 6 additions & 6 deletions pkg/assets/probe.go


11 changes: 11 additions & 0 deletions pkg/krie/events/events.go
Expand Up @@ -82,6 +82,17 @@ func (o *Options) ActivatedEventTypes() EventTypeList {
return o.activatedEvents
}

func (o *Options) IsValid() error {
if err := o.KernelParameterEvent.IsValid(); err != nil {
return fmt.Errorf("invalid kernel_parameter section: %w", err)
}

if o.HookedSyscallTableEvent == BlockAction || o.HookedSyscallTableEvent == KillAction {
return fmt.Errorf("hooked_syscall_table cannot be set to \"block\" or \"kill\"")
}
return nil
}

// NewEventsOptions returns a new initialized instance of EventsOptions
func NewEventsOptions() *Options {
return &Options{
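Review bot: The exported `IsValid` method has no doc comment, unlike its neighbour `NewEventsOptions` in the same hunk; add `// IsValid returns an error when the event options are inconsistent or unsupported.` above it. The second error is built with `fmt.Errorf` and no format verb; `errors.New`, or a package-level sentinel that callers can test with `errors.Is`, would be the idiomatic form, though this is cosmetic.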
33 changes: 30 additions & 3 deletions pkg/krie/events/kernel_parameter.go
Expand Up @@ -22,6 +22,9 @@ import (
"fmt"
)

// MaxKernelParameterCount is the hardcoded maximum count of kernel parameters that KRIE can check
const MaxKernelParameterCount = 1000

// KernelParameterEvent represents a kernel_parameter event
type KernelParameterEvent struct {
Parameter KernelSymbol `json:"parameter,omitempty"`
Expand Down Expand Up @@ -53,11 +56,35 @@ func NewKernelParameterEventSerializer(e *KernelParameterEvent) *KernelParameter
}
}

// ParameterOption is used to configure a kernel parameter that KRIE should check
type ParameterOption struct {
Symbol string `yaml:"symbol"`
Address uint64 `yaml:"address"`
ExpectedValue uint64 `yaml:"expected_value"`
Size uint64 `yaml:"size"`
}

// KernelParameterOptions is used to configure the kernel_parameter events
type KernelParameterOptions struct {
Action Action `yaml:"action"`
PeriodicAction Action `yaml:"periodic_action"`
Ticker int64 `yaml:"ticker"`
Action Action `yaml:"action"`
PeriodicAction Action `yaml:"periodic_action"`
Ticker int64 `yaml:"ticker"`
List []ParameterOption `yaml:"list"`
}

func (o KernelParameterOptions) IsValid() error {
if len(o.List) > MaxKernelParameterCount {
return fmt.Errorf("too many kernel parameters to check: %d > %d", len(o.List), MaxKernelParameterCount)
}
for _, param := range o.List {
if len(param.Symbol) == 0 && param.Address == 0 {
return fmt.Errorf("each parameter should have at least a symbol or an address: %+v", param)
}
}
if o.PeriodicAction == BlockAction || o.PeriodicAction == KillAction {
return fmt.Errorf("kernel_parameter.periodic_action cannot be set to \"block\" or \"kill\"")
}
return nil
}

// NewKernelParameterOptions returns a new instance of KernelParameterOptions
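Review bot: `IsValid` does not check `Size`, yet the eBPF reader in ebpf/krie/krie/kernel_parameter.h masks the read length with `param->size & 7`, so a `size` of 0 or 8 becomes a zero-length read and larger values are silently truncated, presumably leaving `actual_value` unset or partial; reject such values at validation time with `if param.Size == 0 || param.Size > 7 {` / `return fmt.Errorf("invalid size %d for kernel parameter %+v: expected 1 to 7 bytes", param.Size, param)` / `}` inside the loop. The exported `IsValid` also lacks a doc comment; `// IsValid returns an error when the kernel_parameter options cannot be loaded into the eBPF program.` would do. Once this method is authoritative, the duplicate symbol-or-address check in pkg/krie/kernel_parameters.go could be dropped.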
46 changes: 20 additions & 26 deletions pkg/krie/kernel_parameters.go
Expand Up @@ -18,6 +18,8 @@ package krie

import (
"fmt"

"github.com/Gui774ume/krie/pkg/krie/events"
)

type KernelParameter struct {
Expand All @@ -27,36 +29,28 @@ type KernelParameter struct {
Size uint64
}

var (
kernerlParameters = []struct {
Symbol string
Parameter *KernelParameter
}{
{
Symbol: "system/ftrace_enabled",
Parameter: &KernelParameter{
ExpectedValue: 1,
Size: 4,
},
},
{
Symbol: "system/kprobes_all_disarmed",
Parameter: &KernelParameter{
ExpectedValue: 0,
Size: 4,
},
},
func kernelParameterFromParameterOption(po events.ParameterOption) *KernelParameter {
return &KernelParameter{
Address: po.Address,
ExpectedValue: po.ExpectedValue,
Size: po.Size,
}
)
}

func (e *KRIE) loadKernelParameters() error {
for key, param := range kernerlParameters {
address, ok := e.kernelSymbols[param.Symbol]
if !ok {
return fmt.Errorf("couldn't find %s kernel parameter", param.Symbol)
for key, param := range e.options.Events.KernelParameterEvent.List {
if param.Address == 0 {
if len(param.Symbol) == 0 {
return fmt.Errorf("couldn't load kernel parameters: an address or a symbol must be provided for each parameter: %+v", param)
}
address, ok := e.kernelSymbols[param.Symbol]
if !ok {
return fmt.Errorf("couldn't find %s kernel parameter", param.Symbol)
}
param.Address = address.Value
}
param.Parameter.Address = address.Value
if err := e.kernelParametersMap.Put(uint32(key), param.Parameter); err != nil {

if err := e.kernelParametersMap.Put(uint32(key), kernelParameterFromParameterOption(param)); err != nil {
return fmt.Errorf("couldn't push %s kernel parameter: %w", param.Symbol, err)
}
}
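Review bot: In `loadKernelParameters`, a non-zero `Address` from the configuration is written straight into the eBPF map and the `Symbol`, if also given, is neither resolved nor cross-checked, so a mistyped address silently replaces the symbol lookup; at minimum log when both are set, or resolve the symbol and compare it with the configured address. The message `couldn't push %s kernel parameter` prints an empty name for address-only entries; `%q` and the address (`couldn't push kernel parameter %q at 0x%x`) would keep it meaningful. Note that `param` is a copy of the slice element, so `param.Address = address.Value` does not alter `e.options`; that looks intended but merits a one-line comment. The function's body ends outside the hunk.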
2 changes: 1 addition & 1 deletion pkg/krie/krie.go
Expand Up @@ -61,7 +61,7 @@ func NewKRIE(options *Options) (*KRIE, error) {
var err error

if err = options.IsValid(); err != nil {
return nil, err
return nil, fmt.Errorf("invalid configuration: %w", err)
}

e := &KRIE{
4 changes: 4 additions & 0 deletions pkg/krie/manager.go
Expand Up @@ -147,6 +147,10 @@ func (e *KRIE) prepareManager() {
Name: "kernel_parameter_ticker",
Value: uint64(e.options.Events.KernelParameterEvent.Ticker * time.Second.Nanoseconds()),
},
{
Name: "kernel_parameter_count",
Value: uint64(len(e.options.Events.KernelParameterEvent.List)),
},
},
ActivatedProbes: events.AllProbesSelectors(e.options.Events.ActivatedEventTypes()),
}
