added added capability enforcement mode; added mapping syscalls-cap

chains-project · Jan 6, 2025 · 2c4bce7 · 2c4bce7
1 parent 593b33b
commit 2c4bce7
Show file tree

Hide file tree

Showing 4 changed files with 588 additions and 62 deletions.
diff --git a/eBPFleash/Makefile b/eBPFleash/Makefile
@@ -1,11 +1,20 @@
-.PHONY: all clean
+.PHONY: all clean build cap-enforce sys-enforce
 
 all: bpf_loader
 
 bpf_loader: main.go
 	go generate
 	go build -o bpf_loader
 
+build:
+	sudo ./bpf_loader -binary ../../testCGO/testCGO -manifest ../../testCGO/go.mod -mode build
+
+cap-enforce:
+	sudo ./bpf_loader -binary ../../testCGO/testCGO -manifest ../../testCGO/go.mod -mode cap-enforce
+
+sys-enforce:
+	sudo ./bpf_loader -binary ../../testCGO/testCGO -manifest ../../testCGO/go.mod -mode sys-enforce
+
 clean:
 	rm -f bpf_loader
 	rm -r *.o

diff --git a/eBPFleash/backend.c b/eBPFleash/backend.c
@@ -8,7 +8,7 @@
 
 char __license[] SEC("license") = "Dual MIT/GPL";
 
-static char target_comm[10] = "coredns";
+static char target_comm[10] = "testCGO";
 
 struct event {
     u32 pid;

diff --git a/eBPFleash/main.go b/eBPFleash/main.go
@@ -24,32 +24,43 @@ func main() {
 
 	var args Args
 	flag.StringVar(&args.BinaryPath, "binary", "", "Path to the binary for syscall tracking")
-	flag.StringVar(&args.Mode, "mode", "enforce", "Execution mode: 'build', 'enforce' or 'trace'")
-	flag.StringVar(&args.ModManifest, "mod-manifest", "", "Path to the go.mod manifest file")
-
+	flag.StringVar(&args.Mode, "mode", "enforce", "Execution mode: 'build', 'sys-enforce', 'cap-enforce' or 'trace'")
+	flag.StringVar(&args.ModManifest, "manifest", "", "Path to the go.mod manifest file")
 	flag.Parse()
 
-	if args.BinaryPath == "" {
-		log.Fatal("Please provide a binary path using the -binary flag")
+	if args.BinaryPath == "" || args.ModManifest == "" {
+		log.Fatal("Both -binary and -manifest flags are required")
 	}
 
-	if args.ModManifest == "" {
-		log.Fatal("Please provide a go.mod manifest file path using the -mod-manifest flag. This is required to determine the caller package of a syscall.")
+	modes := map[string]func(Args){
+		"build":       runBuildMode,
+		"sys-enforce": runSysEnforceMode,
+		"cap-enforce": runCapabilityEnforceMode,
+		"trace":       runTraceMode,
 	}
 
-	switch args.Mode {
-	case "build":
-		runBuildMode(args)
-	case "enforce":
-		runEnforceMode(args)
-	case "trace":
-		runTraceMode(args)
-	default:
-		log.Fatalf("Invalid mode: %s. Use 'build', 'enforce' or 'trace'", args.Mode)
+	if fn, exists := modes[args.Mode]; exists {
+		fn(args)
+	} else {
+		log.Fatalf("Invalid mode: %s. Use 'build', 'sys-enforce', 'cap-enforce' or 'trace'", args.Mode)
 	}
 
 }
 
+func createLogFile(filename string) *os.File {
+	f, err := os.Create(filename)
+	if err != nil {
+		log.Fatalf("creating %s: %v", filename, err)
+	}
+	return f
+}
+
+func handleUnauthorized(pid uint32, msg string, f *os.File) {
+	log.Print(msg)
+	fmt.Fprintln(f, msg)
+	syscall.Kill(int(pid), syscall.SIGKILL)
+}
+
 func runBuildMode(args Args) {
 	syscalls := make(map[string]map[int]bool)
 	setupAndRun(args.BinaryPath, args.ModManifest, func(event ebpfEvent, stackTrace []uint64, objs *ebpfObjects) {
@@ -69,11 +80,17 @@ func runBuildMode(args Args) {
 
 	// Convert syscalls map to the format expected by syscallfilter.Write
 	convertedSyscalls := syscallfilter.ConvertSyscallsMap(syscalls)
-
 	if err := syscallfilter.Write(convertedSyscalls); err != nil {
 		log.Fatalf("Writing allowlist JSON: %v", err)
 	}
-	log.Println("Build mode completed. Allowlist JSON file created.")
+
+	// Generate and write capability allowlist
+	capAllowlist := syscallfilter.GenerateCapabilityMap(convertedSyscalls)
+	if err := syscallfilter.WriteCapabilities(capAllowlist); err != nil {
+		log.Fatalf("Writing capabilities JSON: %v", err)
+	}
+
+	log.Println("Build mode completed. Allowlist and capabilities JSON files created.")
 }
 
 func runTraceMode(args Args) {
@@ -84,16 +101,37 @@ func runTraceMode(args Args) {
 	log.Println("Trace mode completed.")
 }
 
-func runEnforceMode(args Args) {
-	allowlist, err := syscallfilter.Load()
+func runSysEnforceMode(args Args) {
+	sysAllowlist, err := syscallfilter.LoadSyscalls()
 	if err != nil {
-		log.Fatalf("loading allowlist: %v", err)
+		log.Fatalf("loading syscall allowlist: %v", err)
 	}
 
-	f, err := os.Create("unauthorized.log")
+	f := createLogFile("unauthorized_syscalls.log")
+	defer f.Close()
+
+	setupAndRun(args.BinaryPath, args.ModManifest, func(event ebpfEvent, stackTrace []uint64, objs *ebpfObjects) {
+		callerPackage, _, err := stackanalyzer.GetCallerPackageAndFunction(stackTrace)
+		if err != nil {
+			log.Printf("Error getting caller package: %v", err)
+			return
+		}
+		logEvent(event, stackTrace)
+		if callerPackage != "" && !sysAllowlist.SyscallAllowed(callerPackage, int(event.Syscall)) {
+			handleUnauthorized(event.Pid,
+				fmt.Sprintf("Unauthorized syscall %d from package %s", event.Syscall, callerPackage),
+				f)
+		}
+	})
+}
+
+func runCapabilityEnforceMode(args Args) {
+	capAllowlist, err := syscallfilter.LoadCapabilities()
 	if err != nil {
-		log.Fatalf("creating unauthorized.log: %v", err)
+		log.Fatalf("loading capability allowlist: %v", err)
 	}
+
+	f := createLogFile("unauthorized_capabilities.log")
 	defer f.Close()
 
 	setupAndRun(args.BinaryPath, args.ModManifest, func(event ebpfEvent, stackTrace []uint64, objs *ebpfObjects) {
@@ -102,12 +140,16 @@ func runEnforceMode(args Args) {
 			log.Printf("Error getting caller package: %v", err)
 			return
 		}
-		logEvent(event, stackTrace)
-		if callerPackage != "" && !allowlist.SyscallAllowed(callerPackage, int(event.Syscall)) {
-			log.Printf("Unauthorized syscall %d from package %s", event.Syscall, callerPackage)
-			fmt.Fprintf(f, "Unauthorized syscall %d from package %s\n", event.Syscall, callerPackage)
 
-			syscall.Kill(int(event.Pid), syscall.SIGKILL)
+		capability, exists := syscallfilter.GetCapabilityForSyscall(int(event.Syscall))
+		if exists && callerPackage != "" {
+			if !capAllowlist.CapabilityAllowed(callerPackage, capability) {
+				handleUnauthorized(event.Pid,
+					fmt.Sprintf("Unauthorized capability %s (syscall %d) from package %s",
+						capability, event.Syscall, callerPackage),
+					f)
+			}
 		}
+		logEvent(event, stackTrace)
 	})
 }