Add dynamic parameter extraction for specific use cases #3142

Open
2 tasks done
ScriptSathi opened this issue Nov 19, 2024 · 0 comments · May be fixed by #3143
Labels
kind/enhancement This improves or streamlines existing functionality

Comments

@ScriptSathi
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem?

Hello! I have not found any related topics, so I am opening it.

For some CVE mitigations, it is necessary to have access to certain hooks, but if you can't reach the data, you won't be able to do anything.
So this feature should allow extracting any parameter from a structure argument such as linux_binprm or struct file and gathering any data inside.

Describe the feature you would like

The feature could look like this

# ...
spec:
  lsmhooks:
  - hook: "bprm_check_security"
    args:
      - index: 0                 # first hook argument: struct linux_binprm *
        type: "linux_binprm"
        extractParam: "file.f_path.dentry.d_name.name"   # dotted member path resolved via BTF
# Or    extractParam: "argc"
# ...

After this, we could match the data with the normal Tetragon behavior, like Equal or Postfix.

Describe your proposed solution

To do such a feature, it is possible to search for a specific type in the BTF file and extract the offsets of the required data. Then, those offsets could be given to the BPF program, which would use them to reach the data.

To make it simpler to understand, let's take an example using the above config

- Split the extractParam string in order to have an array of children
- Search the parent, `linux_binprm`, and look for any child called `file`.
  If found, we store the offset
- If the `file` parameter is found in `linux_binprm`, search inside `file` to reach the child `f_path`
- And so on, until the end of the array.
- After all the offsets have been found, we give them to the BPF program and loop on the argument buffer to search for the required data.
- Then we read the data and it should work

Code of Conduct

  • I agree to follow this project's Code of Conduct
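The offset walk sketched in the proposal above, as an added worked example that is not part of this issue, of PR #3143, or of Tetragon's code base: a small Go program that resolves a dotted extractParam path against a hand-built, BTF-like type model. The type model, every member offset and size in it, and the names ResolvePath, Step and constructedTypes are assumptions made for the example; real offsets must come from the running kernel's BTF (/sys/kernel/btf/vmlinux) and differ between kernel builds. It also makes one point explicit that the bullet list leaves implicit: file in linux_binprm and dentry in struct path are pointers, so a single flat offset cannot reach the name. Each pointer member ends the current read, the pointer value becomes the base for the next read, and only by-value members (f_path, d_name) add to a running offset; the example encodes each pointer hop as a Step with Deref set.

```go
package main

import (
	"fmt"
	"strings"
)

// Kind is the subset of BTF kinds needed here; unions resolve like structs.
type Kind int
const (
	KindInt Kind = iota
	KindPointer
	KindStruct
)
const ptrSize = 8 // assumption: 64-bit kernel

// Type mirrors the parts of a BTF type used here. Real code decodes them from
// /sys/kernel/btf/vmlinux; this example constructs them by hand.
type Type struct {
	Name    string
	Kind    Kind
	Size    uint32   // byte size of ints/structs; pointers use ptrSize
	Members []Member // struct members
	Target  *Type    // pointee for KindPointer
}

// Member offsets are bytes (BTF stores bits); Bits != 0 marks a bitfield, which is rejected.
type Member struct {
	Name         string
	Offset, Bits uint32
	Type         *Type
}

// Step is one bounded kernel read for the BPF side: Size bytes at Offset from
// the current base. If Deref is set the bytes are a pointer that becomes the next base.
type Step struct {
	Offset, Size uint32
	Deref        bool
}

// ResolvePath walks a dotted path like "file.f_path.dentry.d_name.name" from
// root. Members embedded by value only grow the running offset; a pointer
// member ends the current read and starts a new base after a dereference.
func ResolvePath(root *Type, path string) ([]Step, error) {
	cur, off := root, uint32(0)
	var steps []Step
	parts := strings.Split(path, ".")
	for i, name := range parts {
		if cur.Kind != KindStruct {
			return nil, fmt.Errorf("%q: %q is not a struct, cannot select %q", path, cur.Name, name)
		}
		var m *Member
		for j := range cur.Members {
			if cur.Members[j].Name == name {
				m = &cur.Members[j]
			}
		}
		if m == nil || m.Bits != 0 {
			return nil, fmt.Errorf("%q: %q has no plain (non-bitfield) member %q", path, cur.Name, name)
		}
		off += m.Offset
		switch {
		case i == len(parts)-1: // leaf; a pointer leaf (e.g. char *) still needs a string read
			size := m.Type.Size
			if m.Type.Kind == KindPointer {
				size = ptrSize
			}
			steps = append(steps, Step{Offset: off, Size: size})
		case m.Type.Kind == KindPointer:
			steps = append(steps, Step{Offset: off, Size: ptrSize, Deref: true})
			cur, off = m.Type.Target, 0
		default:
			cur = m.Type // by-value struct, or an int that the next iteration rejects
		}
	}
	return steps, nil
}

// constructedTypes builds a made-up linux_binprm. Offsets are illustrative
// only; a real implementation must take them from the running kernel's BTF.
func constructedTypes() *Type {
	qstr := &Type{Name: "qstr", Kind: KindStruct, Size: 16, Members: []Member{
		{Name: "name", Offset: 8, Type: &Type{Kind: KindPointer, Target: &Type{Name: "unsigned char", Kind: KindInt, Size: 1}}}}}
	dentry := &Type{Name: "dentry", Kind: KindStruct, Size: 192, Members: []Member{
		{Name: "d_name", Offset: 32, Type: qstr}}}
	pth := &Type{Name: "path", Kind: KindStruct, Size: 16, Members: []Member{
		{Name: "dentry", Offset: 8, Type: &Type{Kind: KindPointer, Target: dentry}}}}
	file := &Type{Name: "file", Kind: KindStruct, Size: 232, Members: []Member{
		{Name: "f_path", Offset: 16, Type: pth}}}
	return &Type{Name: "linux_binprm", Kind: KindStruct, Size: 136, Members: []Member{
		{Name: "file", Offset: 64, Type: &Type{Kind: KindPointer, Target: file}},
		{Name: "argc", Offset: 88, Type: &Type{Name: "int", Kind: KindInt, Size: 4}}}}
}

func main() {
	for _, p := range []string{"file.f_path.dentry.d_name.name", "argc", "argc.x"} {
		steps, err := ResolvePath(constructedTypes(), p)
		fmt.Printf("%-32s steps=%v err=%v\n", p, steps, err)
	}
}
```

With the made-up offsets, the sample path resolves to three reads: two pointer hops (file, then dentry) and a final 8-byte read that yields the name pointer, which the BPF program would then follow with a bounded string read before an Equal or Postfix match can be applied. Unknown members, paths that try to descend through a scalar (argc.x), and bitfield members are rejected in user space, so a bad policy fails at load time rather than producing a garbage read in the kernel.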
@ScriptSathi ScriptSathi added the kind/enhancement This improves or streamlines existing functionality label Nov 19, 2024
@ScriptSathi ScriptSathi linked a pull request Nov 19, 2024 that will close this issue
5 tasks
@mtardy mtardy linked a pull request Nov 21, 2024 that will close this issue
5 tasks