
SELinux prevents usage of execsnoop in enforcing mode #509

Closed
tormath1 opened this issue Sep 15, 2021 · 3 comments
Labels
area/selinux Issues related to SELinux kind/bug Something isn't working

Comments

@tormath1
Contributor

Description

Observed in flatcar/mantle#233: SELinux in enforcing mode (default test behavior) prevents execsnoop (and certainly other related BPF tools) from running correctly:

logs
$ getenforce
Enforcing
$ docker inspect execsnoop | jq '.[] | .Path'
"/usr/share/bcc/tools/execsnoop"
$ docker inspect execsnoop | jq '.[] | .Args'
[
  "-n",
  "docker",
  "-l",
  "ps"
]
$ docker logs execsnoop
bpf: Failed to load program: Invalid argument
Unrecognized arg#0 type PTR
; int syscall__execve(struct pt_regs *ctx)
0: (bf) r6 = r1
; struct pt_regs * __ctx = ctx->di;
1: (79) r7 = *(u64 *)(r6 +112)
; const char __user *filename; bpf_probe_read(&filename, sizeof(filename), &__ctx->di);
2: (bf) r3 = r7
3: (07) r3 += 112
4: (bf) r1 = r10
;
5: (07) r1 += -16
; const char __user *filename; bpf_probe_read(&filename, sizeof(filename), &__ctx->di);
6: (b7) r2 = 8
7: (85) call bpf_probe_read#4
unknown func bpf_probe_read#4
processed 8 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

Traceback (most recent call last):
  File "/usr/share/bcc/tools/execsnoop", line 229, in <module>
    b.attach_kprobe(event=execve_fnname, fn_name="syscall__execve")
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 829, in attach_kprobe
    fn = self.load_func(fn_name, BPF.KPROBE)
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 528, in load_func
    (func_name, errstr))
Exception: Failed to load BPF program syscall__execve: Invalid argument
$ docker inspect execsnoop | jq '.[] | .Mounts'
[
  {
    "Type": "bind",
    "Source": "/sys/fs/cgroup",
    "Destination": "/sys/fs/cgroup",
    "Mode": "",
    "RW": true,
    "Propagation": "rprivate"
  },
  {
    "Type": "bind",
    "Source": "/sys/fs/bpf",
    "Destination": "/sys/fs/bpf",
    "Mode": "",
    "RW": true,
    "Propagation": "rprivate"
  },
  {
    "Type": "bind",
    "Source": "/lib/modules",
    "Destination": "/lib/modules",
    "Mode": "",
    "RW": true,
    "Propagation": "rprivate"
  },
  {
    "Type": "bind",
    "Source": "/sys/kernel/debug",
    "Destination": "/sys/kernel/debug",
    "Mode": "",
    "RW": true,
    "Propagation": "rprivate"
  }
]
[  395.688880] audit: type=1400 audit(1631716436.621:321): avc:  denied  { perfmon } for  pid=1979 comm="runc" capability=38  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
[  395.693540] audit: type=1400 audit(1631716436.621:321): avc:  denied  { bpf } for  pid=1979 comm="runc" capability=39  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0

Impact

It prevents BPF tools from running.

Additional information

We could try to add this patch: SELinuxProject/refpolicy@497cb3c#diff-a4d8dfc6445231bbccad2b1010d93829e7e19637c00be1eabe3f888b20304552R270 to the sec-policy/base-policy we have (or wait for a ::gentoo release to sync with the upstream)
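As an added triage example (not from the issue or the Flatcar project): parse the two AVC records quoted above into structured fields, map the capability bits 38 and 39 to CAP_PERFMON and CAP_BPF, and derive the type-enforcement allow rule the enforced denials imply. The dmesg text is constructed from the lines in the issue plus one extra permissive-mode denial so that filtering and grouping are both exercised.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the issue, plus one unrelated
# denial logged in permissive mode, so grouping and filtering both get exercised.
SAMPLE_DMESG = """\
[  395.688880] audit: type=1400 audit(1631716436.621:321): avc:  denied  { perfmon } for  pid=1979 comm="runc" capability=38  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
[  395.693540] audit: type=1400 audit(1631716436.621:321): avc:  denied  { bpf } for  pid=1979 comm="runc" capability=39  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
[  401.000000] audit: type=1400 audit(1631716441.000:330): avc:  denied  { read } for  pid=2100 comm="cat" name="shadow" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""
# capability2 bit numbers seen in the log: 38 is CAP_PERFMON, 39 is CAP_BPF.
CAP_NAMES = {38: "CAP_PERFMON", 39: "CAP_BPF"}
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \} for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC record: decision, perms and the key=value fields."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # ordinary dmesg line, not an AVC record
        decision, perms, fields = m.groups()
        rec = {k: v.strip('"') for k, v in KV_RE.findall(fields)}
        rec["decision"] = decision
        rec["perms"] = set(perms.split())
        if "capability" in rec:
            rec["capability_name"] = CAP_NAMES.get(int(rec["capability"]), "unknown")
        records.append(rec)
    return records

def suggest_rules(records, enforced_only=True):
    """Group enforced denials by (source type, target type, class) and emit TE
    allow rules in the shape audit2allow prints (`self` when both types match)."""
    grouped = defaultdict(set)
    for rec in records:
        if rec["decision"] != "denied":
            continue
        if enforced_only and rec.get("permissive") != "0":
            continue  # permissive=1: logged only, the access was not blocked
        stype, ttype = (c.split(":")[2] for c in (rec["scontext"], rec["tcontext"]))
        grouped[(stype, ttype, rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(parse_avc(SAMPLE_DMESG))))
```

For the issue's two records this yields a single rule granting kernel_t the bpf and perfmon capability2 permissions on itself, which is what the referenced refpolicy change has to permit for runc to load the program under enforcing mode.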

@tormath1 tormath1 added the kind/bug Something isn't working label Sep 15, 2021
@tormath1
Contributor Author

tormath1 commented Sep 16, 2021

NOTE: sec-policy/base-policy is released with the patch. (see: https://gitweb.gentoo.org/repo/gentoo.git/tree/sec-policy/selinux-base-policy/selinux-base-policy-2.20210908-r1.ebuild)

tormath1 added a commit to flatcar-archive/coreos-overlay that referenced this issue Dec 2, 2021
This release pulls some modification that we need regarding eBPF on
Flatcar.

Closes: flatcar/Flatcar#509

Signed-off-by: Mathieu Tortuyaux <[email protected]>
@tormath1 tormath1 added the area/selinux Issues related to SELinux label Mar 29, 2022
@krishjainx

Since sec-policy/base-policy is released with the patch, I believe this issue should be closed, as we just sync with upstream.

@tormath1
Contributor Author

Fixed in: flatcar/scripts#917
