exein-io / pulsar

A modular and blazing fast runtime security tool for the IoT, powered by eBPF.
https://pulsar.sh

fix: Handle containers which were running before Pulsar #236

Closed vadorovsky closed 9 months ago

vadorovsky commented 10 months ago

Always check whether a detected process belongs to a container-related cgroup. This way we ensure that we are adding container info even when the container was created before Pulsar was launched.

banditopazzo commented 10 months ago

Testing this I noticed something weird.

To reproduce, open pulsar in one terminal and in another start an ubuntu container:

docker run --rm -it ubuntu

Then in the container run for example:

cat /etc/shadow

to trigger a rule and you get something like:

[2024-01-08T11:28:09Z THREAT ubuntu sha256:174c8c134b2a94b5bb0b37d9a2b6ba0663d82d23ebf62bd51f74a2fd457333da /usr/bin/cat (15893)] [rules-engine - Read sensitive file] File Opened { filename: /etc/shadow, flags:(O_RDONLY) }

The container is detected, cool!! Now exit the container and in the same shell start a different container, for example fedora:

docker run --rm -it fedora

and same as before trigger the rule with the previous command. The output is:

[2024-01-08T11:34:44Z THREAT ubuntu sha256:174c8c134b2a94b5bb0b37d9a2b6ba0663d82d23ebf62bd51f74a2fd457333da /usr/bin/cat (16357)] [rules-engine - Read sensitive file] File Opened { filename: /etc/shadow, flags:(O_RDONLY) }

So the process is detected as running in the ubuntu container instead of fedora.

And also if you exit the container and in your host machine try to trigger a rule, even the host process is detected as running in the ubuntu container.

You have to restart pulsar to reset from this state.

vadorovsky commented 10 months ago

@banditopazzo Thanks for spotting the issue! The last commit should fix it.

banditopazzo commented 9 months ago

> @banditopazzo Thanks for spotting the issue! The last commit should fix it.

I confirm that now it's working correctly.

Before merging, can we get rid of these warnings/errors on pid 0 namespaces?

[2024-01-08T16:45:37Z WARN  bpf_filtering::process_tree] Failed to determine uts namespace for process Pid(0): failed to get the uts namespace for process 0
[2024-01-08T16:45:37Z WARN  bpf_filtering::process_tree] Failed to determine ipc namespace for process Pid(0): failed to get the ipc namespace for process 0
[2024-01-08T16:45:37Z WARN  bpf_filtering::process_tree] Failed to determine mnt namespace for process Pid(0): failed to get the mnt namespace for process 0
[2024-01-08T16:45:37Z WARN  bpf_filtering::process_tree] Failed to determine net namespace for process Pid(0): failed to get the net namespace for process 0
[2024-01-08T16:45:37Z WARN  bpf_filtering::process_tree] Failed to determine pid namespace for process Pid(0): failed to get the pid namespace for process 0
[2024-01-08T16:45:37Z WARN  bpf_filtering::process_tree] Failed to determine time namespace for process Pid(0): failed to get the time namespace for process 0
[2024-01-08T16:45:37Z WARN  bpf_filtering::process_tree] Failed to determine cgroup namespace for process Pid(0): failed to get the cgroup namespace for process 0
[2024-01-08T16:45:37Z ERROR pulsar_core::pdk::process_tracker] reading link failed /proc/0/cgroup
[2024-01-08T16:45:37Z ERROR pulsar_core::pdk::process_tracker] reading link failed /proc/0/cgroup
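The two technical points in this thread are the cgroup-based container check from the PR description and the pid 0 lookups that produce the warnings above. The following is an added example, not pulsar's own code: it parses the text of `/proc/<pid>/cgroup`, recognises container membership from the path, keeps the result per pid so that one process's container info never leaks to another (or to the host), and skips pid 0, which is the kernel's idle task and has no `/proc` entry. The path shapes it recognises (`docker-<id>.scope`, `/docker/<id>`, `libpod-<id>.scope`), the `ContainerTracker` type and the sample cgroup contents are assumptions constructed for the example; the thread does not state them or the root cause of the stale-container symptom.

```rust
// Added example (not pulsar's code): container detection from /proc/<pid>/cgroup.
// Path shapes below are assumed common Docker/Podman layouts.
use std::collections::HashMap;
use std::fs;
use std::io;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Engine {
    Docker,
    Podman,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ContainerInfo {
    pub engine: Engine,
    pub id: String,
}

/// Full Docker/Podman container ids are 64 lowercase hex characters.
fn is_container_id(s: &str) -> bool {
    s.len() == 64 && s.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'))
}

/// Decide whether one cgroup path component names a container.
fn classify_component(prev: Option<&str>, comp: &str) -> Option<ContainerInfo> {
    // systemd cgroup driver: .../docker-<id>.scope or .../libpod-<id>.scope
    if let Some(rest) = comp.strip_suffix(".scope") {
        for (prefix, engine) in [("docker-", Engine::Docker), ("libpod-", Engine::Podman)] {
            if let Some(id) = rest.strip_prefix(prefix) {
                if is_container_id(id) {
                    return Some(ContainerInfo { engine, id: id.to_string() });
                }
            }
        }
    }
    // cgroupfs driver: /docker/<id>
    if prev == Some("docker") && is_container_id(comp) {
        return Some(ContainerInfo { engine: Engine::Docker, id: comp.to_string() });
    }
    None
}

/// Parse /proc/<pid>/cgroup text. Each line is `<hierarchy>:<controllers>:<path>`;
/// cgroup v1 has one line per controller, cgroup v2 a single `0::<path>` line.
pub fn container_from_cgroup(content: &str) -> Option<ContainerInfo> {
    for line in content.lines() {
        let parts: Vec<&str> = line.splitn(3, ':').collect();
        if parts.len() != 3 {
            continue; // malformed line, ignore it
        }
        let mut prev = None;
        for comp in parts[2].split('/').filter(|c| !c.is_empty()) {
            if let Some(info) = classify_component(prev, comp) {
                return Some(info);
            }
            prev = Some(comp);
        }
    }
    None
}

/// Per-process container membership. Every pid is resolved on its own and
/// dropped on exit, so a later container or a host process never inherits
/// an earlier container's info.
#[derive(Default)]
pub struct ContainerTracker {
    by_pid: HashMap<u32, Option<ContainerInfo>>,
}

impl ContainerTracker {
    /// Record a process from the text of its cgroup file.
    pub fn track(&mut self, pid: u32, cgroup_content: &str) {
        self.by_pid.insert(pid, container_from_cgroup(cgroup_content));
    }
    pub fn forget(&mut self, pid: u32) {
        self.by_pid.remove(&pid);
    }
    pub fn container_of(&self, pid: u32) -> Option<&ContainerInfo> {
        self.by_pid.get(&pid).and_then(|c| c.as_ref())
    }
}

/// Live procfs lookup. pid 0 (the idle task) has no /proc entry, so it is
/// skipped instead of being reported as a read failure.
pub fn container_for_pid(pid: u32) -> io::Result<Option<ContainerInfo>> {
    if pid == 0 {
        return Ok(None);
    }
    let content = fs::read_to_string(format!("/proc/{pid}/cgroup"))?;
    Ok(container_from_cgroup(&content))
}

// Constructed sample cgroup files (placeholder ids, not real containers).
pub const UBUNTU_CGROUP: &str =
    "0::/system.slice/docker-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.scope\n";
pub const FEDORA_CGROUP: &str =
    "12:memory:/docker/fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210\n\
     1:name=systemd:/docker/fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210\n";
pub const HOST_CGROUP: &str = "0::/user.slice/user-1000.slice/session-2.scope\n";

fn main() {
    let mut tracker = ContainerTracker::default();
    tracker.track(15893, UBUNTU_CGROUP);
    tracker.forget(15893); // first container exits
    tracker.track(16357, FEDORA_CGROUP);
    tracker.track(17000, HOST_CGROUP);
    println!("16357 -> {:?}", tracker.container_of(16357));
    println!("17000 -> {:?}", tracker.container_of(17000));
    println!("pid 0 -> {:?}", container_for_pid(0));
}
```

The `main` replays the scenario from the thread with constructed pids: after the first container's process is forgotten, the second container resolves to its own id and the host process to `None`, and `container_for_pid(0)` returns `Ok(None)` without touching `/proc/0`.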