deepfence/ebpfguard

fix example policies program with correct permissions

sangam14 opened this issue · 11 comments

Hi Sangam. This folder contains multiple examples. A few questions, as the task description is quite vague.

  • what environment are you using?

In particular distribution and kernel version. If those differ between compilation and runtime please add both.

  • which example this issue is for?

  • what commands did you execute?

  • what outcome did you expect?

  • what kind of permissions need to be corrected?

  • is this an enhancement as labelled or a bug?

As a side note: when linking code in issues, please point to a particular commit instead of tree/main.

Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1025-aws x86_64)

file open

 RUST_LOG=info cargo xtask run --example file_open -- --path-to-deny /tmp/test
   Compiling file_open v0.1.0 (/home/ubuntu/ebpfguard/examples/file_open)
    Finished dev [unoptimized + debuginfo] target(s) in 4.24s
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }', ebpfguard/src/policy/mod.rs:56:53
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Failed to run `sudo -E target/x86_64-unknown-linux-musl/debug/examples/file_open --path-to-deny /tmp/test`

mount

RUST_LOG=info cargo xtask run --example mount

:~$ mkdir /tmp/test1
:~$ mkdir /tmp/test2
:~$ sudo mount --bind /tmp/test1 /tmp/test2

task fix setuid

RUST_LOG=info cargo xtask run --example task_fix_setuid
   Finished dev [unoptimized + debuginfo] target(s) in 5.03s
[2023-05-18T20:31:04Z INFO  task_fix_setuid] Waiting for Ctrl-C...
:~$ sudo -i 
:~# exit 
logout

etc ...

What's the output of

  • cat /sys/kernel/security/lsm
  • zgrep CONFIG_DEBUG_INFO_BTF /boot/config-"$(uname -r)"

Does the file /tmp/test exist when the file_open example is executed?

$ cat /sys/kernel/security/lsm
lockdown,capability,landlock,yama,apparmor

$ zgrep CONFIG_DEBUG_INFO_BTF /boot/config-"$(uname -r)"
CONFIG_DEBUG_INFO_BTF=y
CONFIG_DEBUG_INFO_BTF_MODULES=y


RUST_LOG=info cargo xtask run --example file_open -- --path-to-deny /tmp/test
:~$ ls  /tmp/test
test
$ cat /sys/kernel/security/lsm
lockdown,capability,landlock,yama,apparmor

You don't have the bpf LSM module enabled in the kernel. The prerequisites.md kernel capabilities section has instructions on how to do it. This involves changing the grub configuration, so be rather cautious. Backing up the old files is strongly advised.

Solved, now it's working perfectly. Thanks @tomaszjonak and @noboruma

#!/bin/bash

# Update the system
sudo apt update

# Install the necessary packages
sudo apt install -y libbpfcc

# Load the required kernel modules
sudo modprobe bpfilter
sudo modprobe bpf

# Configure the system to enable BPF LSM
echo "lsm=bpf" | sudo tee -a /etc/default/grub > /dev/null
sudo update-grub

# Reboot the system to apply the changes
sudo reboot
sudo modprobe bpfilter
sudo modprobe bpf

This will not stick after a reboot. If you want to persist their loading, use /etc/modules or /etc/modules-load.d. You shouldn't need to load those by hand on Ubuntu 22.04, though.

libbpfcc provides

/usr/lib/x86_64-linux-gnu/libbcc.so.0
/usr/lib/x86_64-linux-gnu/libbcc.so.0.18.0
/usr/lib/x86_64-linux-gnu/libbcc_bpf.so.0
/usr/lib/x86_64-linux-gnu/libbcc_bpf.so.0.18.0
/usr/share/doc/libbpfcc/FAQ.txt
/usr/share/doc/libbpfcc/NEWS.Debian.gz
/usr/share/doc/libbpfcc/README.Debian
/usr/share/doc/libbpfcc/README.md.gz
/usr/share/doc/libbpfcc/changelog.Debian.gz
/usr/share/doc/libbpfcc/copyright

AFAIR it's for writing eBPF code in the C language. We use aya-rs instead.

All that you need is

# Configure the system to enable BPF LSM
echo "lsm=bpf" | sudo tee -a /etc/default/grub > /dev/null
sudo update-grub

# Reboot the system to apply the changes
sudo reboot

It's not quite right, though. You should also add all the other security modules. Since you had the following content before enabling bpf:

$ cat /sys/kernel/security/lsm
lockdown,capability,landlock,yama,apparmor

It should be:

$ echo "lsm=lockdown,capability,landlock,yama,apparmor,bpf" | sudo tee -a /etc/default/grub > /dev/null

And that wouldn't be quite right either, as it affects every grub-based boot option. Some setups will kernel panic when bpf is added, as it implies additional dependencies. E.g. my ThinkPad requires the integrity module or it won't boot.

To recover, I needed to modify the kernel options by hand via the grub console to get my setup back to booting properly. There's no point in making other people experience similar problems.

That's why the most reasonable option is to append whatever lsm line you end up with to GRUB_CMDLINE_LINUX_DEFAULT, as it doesn't affect the recovery grub items. This way you always get a fallback mechanism in case of unforeseen problems, like the integrity module being required but missing.

On my ThinkPad (Ubuntu 22.04) this results in

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash lsm=lockdown,capability,landlock,yama,apparmor,bpf,integrity"

in /etc/default/grub.

I took a look at https://blog.cloudnativefolks.org/ebpf-for-cybersecurity-part-4#heading-introducing-ebpfguard, which is apparently a result of this discussion.

The dependency section of that blog post contains some unnecessary stuff, in particular the installation of multiple llvm packages. All the dependencies you need outside of the grub dance are outlined in the Dockerfile for Ubuntu 22.04.
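The procedure the thread converges on (keep the LSMs already listed in /sys/kernel/security/lsm, append bpf plus anything your machine additionally needs such as integrity, and put the lsm= token into GRUB_CMDLINE_LINUX_DEFAULT only, so recovery entries still boot) as an added, runnable example. This is not code from the ebpfguard project or from any commenter; it assumes the Ubuntu 22.04 layout used in the thread (/etc/default/grub, update-grub, a plain-text /boot/config-$(uname -r)), and EXTRA_LSM is a hypothetical environment variable for extra modules to append.

```shell
#!/bin/bash
# Added example for this thread (not ebpfguard project code): a preflight check
# for the BPF LSM plus a non-destructive edit of /etc/default/grub that keeps the
# currently active LSMs, appends bpf (and any extras such as integrity) and puts
# the lsm= token into GRUB_CMDLINE_LINUX_DEFAULT only, so recovery entries stay
# untouched. Paths assume Ubuntu 22.04 (/etc/default/grub, update-grub,
# /boot/config-$(uname -r)); EXTRA_LSM is a hypothetical env var for extra modules.
set -u

# has_lsm LIST NAME: succeed if NAME is an element of the comma-separated LIST.
has_lsm() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# build_lsm_value ACTIVE_LIST [EXTRA...]: the active list with bpf and each
# EXTRA appended when not already present (order of existing entries preserved).
build_lsm_value() {
  local list="$1" m; shift
  for m in bpf "$@"; do
    [ -n "$m" ] || continue
    has_lsm "$list" "$m" || list="$list,$m"
  done
  printf '%s' "$list"
}

# check_btf CONFIG_FILE: succeed if the kernel was built with CONFIG_DEBUG_INFO_BTF=y
# (ebpfguard needs BTF; on Ubuntu the config file is plain text, so grep is enough).
check_btf() {
  grep -q '^CONFIG_DEBUG_INFO_BTF=y' "$1"
}

# patch_grub_default LSM_VALUE < grub-defaults: rewrite GRUB_CMDLINE_LINUX_DEFAULT
# so it carries exactly one lsm=LSM_VALUE token; other lines, including
# GRUB_CMDLINE_LINUX (used by recovery entries), are left alone. Adds the
# variable if the file does not have it.
patch_grub_default() {
  awk -v lsm="$1" '
    /^GRUB_CMDLINE_LINUX_DEFAULT=/ {
      line = $0
      sub(/^GRUB_CMDLINE_LINUX_DEFAULT="?/, "", line)
      sub(/"$/, "", line)
      n = split(line, parts, " "); out = ""
      for (i = 1; i <= n; i++) {
        if (parts[i] ~ /^lsm=/) continue          # drop any stale lsm= token
        out = out (out == "" ? "" : " ") parts[i]
      }
      out = out (out == "" ? "" : " ") "lsm=" lsm
      print "GRUB_CMDLINE_LINUX_DEFAULT=\"" out "\""
      found = 1; next
    }
    { print }
    END { if (!found) print "GRUB_CMDLINE_LINUX_DEFAULT=\"lsm=" lsm "\"" }
  '
}

# main --check|--apply: --check prints the diagnosis and the diff it would make;
# --apply backs up /etc/default/grub, writes the patched file and runs update-grub.
main() {
  local grub=/etc/default/grub cfg="/boot/config-$(uname -r)" active want
  active="$(cat /sys/kernel/security/lsm)"
  if has_lsm "$active" bpf; then
    echo "bpf LSM already active: $active"
    return 0
  fi
  if check_btf "$cfg"; then echo "BTF: CONFIG_DEBUG_INFO_BTF=y"; else echo "warning: BTF not enabled in $cfg"; fi
  # EXTRA_LSM is left unquoted on purpose: it is a space-separated list of extras.
  want="$(build_lsm_value "$active" ${EXTRA_LSM:-})"
  echo "active lsm: $active"
  echo "proposed  : lsm=$want"
  if [ "${1:-}" = "--apply" ]; then
    sudo cp "$grub" "$grub.bak.$(date +%Y%m%d%H%M%S)"
    patch_grub_default "$want" < "$grub" | sudo tee "$grub.new" > /dev/null
    sudo mv "$grub.new" "$grub"
    sudo update-grub
    echo "reboot, then verify with: cat /sys/kernel/security/lsm"
  else
    patch_grub_default "$want" < "$grub" | diff "$grub" - || true
  fi
}

case "${1:-}" in --check|--apply) main "$1" ;; esac
```

Run it as `./bpf-lsm-preflight.sh --check` first and read the diff; `EXTRA_LSM=integrity ./bpf-lsm-preflight.sh --apply` reproduces the ThinkPad line from the thread. Because only GRUB_CMDLINE_LINUX_DEFAULT is touched, the recovery entry keeps the kernel's default LSM list, which is the fallback the thread recommends if the new line turns out to need a module that is not built in.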

I tried, but unfortunately it did not work for me on Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1025-aws x86_64). Everything pointed out above totally makes sense, though.

I will try the Dockerfile more in the next blog post! Thanks @tomaszjonak!
https://github.com/deepfence/ebpfguard/blob/4a744204b257008e837b129970ee1bc30ee78396/docker/ubuntu/Dockerfile.

If something is not working or you need additional deps, ping me on Slack. I'd like to know what went wrong and can assist in finding the missing ones. I will likely extend the readme with the findings. I can't really set up all distros/kernels/envs myself, so stuff might be missing.

Indeed! Totally agree with you @tomaszjonak. I will ping you on Slack for any help!