linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

version 1.3.1 still finding subject "/" on AWS AL2 Kubernetes worker node image #266

Closed ehousey closed 9 months ago

ehousey commented 1 year ago

I built the 1.3.1 source version of fapolicyd on an AWS AL2 Kubernetes worker node running the 5.4 kernel. Using the default set of sample rules (replacing deny_audit with deny_syslog), I am seeing these errors:

Aug 18 23:02:42 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28874 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:42 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28874 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:02:42 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28874 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:45 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28922 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:45 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28922 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:02:45 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28922 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:47 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28955 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:47 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28955 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:02:47 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28955 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:51 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29019 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:51 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29019 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:02:51 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29019 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:52 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29061 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:52 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29061 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:02:52 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29061 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:55 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29108 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:55 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29108 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:02:55 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29108 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:57 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29141 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:57 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29141 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:02:57 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29141 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:03:01 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29205 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:03:01 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29205 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:03:01 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29205 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:03:02 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29251 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:03:02 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29251 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:03:02 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29251 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:03:05 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29299 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:03:05 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29299 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:03:05 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29299 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:03:07 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29333 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:03:07 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29333 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:03:07 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=29333 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1

Rule 5 looks like this:

deny_syslog perm=any pattern=ld_so : all

What does a subject with "exe=/" mean? I was previously using version 1.0.4 and saw the same problem. It was suggested to try version 1.1.7 or later, but that does not seem to have solved the problem.

For 1.0.4, I added these rules to steer around the issue:

:::Prevent execution/open by ld.so
allow perm=open exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib
allow perm=open exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib
allow perm=open exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib
allow perm=execute all : path=/usr/lib64/ld-2.26.so ftype=application/x-sharedlib
allow perm=open all : path=/usr/lib64/ld-2.26.so ftype=application/x-sharedlib
allow perm=open all : path=/usr/lib64/libnm.so.0.1.0 ftype=application/x-sharedlib
allow perm=open all : path=/usr/lib64/libclamav.so.9.0.5 ftype=application/x-sharedlib
allow perm=open all : path=/usr/lib64/libfreshclam.so.2.0.1 ftype=application/x-sharedlib
deny_syslog perm=any pattern=ld_so : all

but this seems more of a work-around than a fix.

Can someone suggest what is going on with "exe=/" and is the above solution actually acceptable?

Thank you

stevegrubb commented 1 year ago

The option that 1.3 brings that may be helpful is allow_filesystem_mark. If that is a 1, it can see files that are on bind mounted directories. However, if the process is in a new pid namespace, we cannot directly resolve the pid and wind up with "/". The FANOTIFY interface is not namespace aware. Also, in a container environment, we do not have any source of trust information for the containers themselves. Typically it's a hash for the whole image.

If the kernel's FANOTIFY API were made namespace aware, we could probably do a better job. The information is in the system somewhere since "oc" can introspect processes in containers. But with this fundamental limitation, fapolicyd and container environments do not mix.
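As an added example (not code from this thread or from the fapolicyd project), a small Python triage script that parses deny_syslog lines in the format quoted in the report and separates denials whose subject came back as exe=/ (a pid fapolicyd could not resolve, per the explanation above) from denials against a resolvable host executable. The sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log, in the shape of the deny_syslog lines quoted in the
# issue: two pids that resolve to exe=/ plus one ordinary host process.
SAMPLE_LOG = """\
Aug 18 23:02:42 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28874 exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:42 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28874 exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib trust=1
Aug 18 23:02:45 ip-10-0-74-38 fapolicyd[6558]: rule=5 dec=deny_syslog perm=open auid=-1 pid=28922 exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib trust=1
Aug 18 23:02:50 ip-10-0-74-38 fapolicyd[6558]: rule=9 dec=deny_syslog perm=execute auid=1000 pid=31000 exe=/usr/bin/bash : path=/tmp/build.sh ftype=text/x-shellscript trust=0
"""

# The decision record is "<subject key=values> : <object key=values>".
LINE_RE = re.compile(r"fapolicyd\[\d+\]: (?P<subject>.*?) : (?P<object>.*)$")


def parse_decision(line):
    """Split one fapolicyd decision line into subject and object dicts.

    Returns None for lines that are not fapolicyd decision records."""
    m = LINE_RE.search(line)
    if not m:
        return None

    def kv(part):
        return dict(tok.split("=", 1) for tok in part.split() if "=" in tok)

    return {"subject": kv(m.group("subject")), "object": kv(m.group("object"))}


def triage(log_text):
    """Separate denials with an unresolved subject (exe=/) from the rest.

    exe=/ means the pid lives in another pid namespace, so the line does not
    tell you which host binary was blocked; grouping by pid at least shows
    which objects each unresolved subject tried to open.
    Returns (unresolved, resolved): unresolved maps pid -> sorted object
    paths, resolved is a list of (exe, path) tuples in log order."""
    unresolved = defaultdict(set)
    resolved = []
    for line in log_text.splitlines():
        rec = parse_decision(line)
        if rec is None or rec["subject"].get("dec") != "deny_syslog":
            continue
        exe = rec["subject"].get("exe", "")
        path = rec["object"].get("path", "")
        if exe == "/":
            unresolved[rec["subject"]["pid"]].add(path)
        else:
            resolved.append((exe, path))
    return {pid: sorted(paths) for pid, paths in unresolved.items()}, resolved
```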

ehousey commented 1 year ago

Thank you for the detailed response. So, we were hoping to have fapolicyd running on the Kubernetes worker nodes HOST OS, not in the container OS(es). Given this information, and the rules that I added above for the worker node HOST OS, namely:

allow perm=open exe=/ : path=/usr/lib64/libpthread-2.26.so ftype=application/x-sharedlib
allow perm=open exe=/ : path=/usr/lib64/libseccomp.so.2.4.1 ftype=application/x-sharedlib
allow perm=open exe=/ : path=/usr/lib64/libc-2.26.so ftype=application/x-sharedlib
allow perm=execute all : path=/usr/lib64/ld-2.26.so ftype=application/x-sharedlib
allow perm=open all : path=/usr/lib64/ld-2.26.so ftype=application/x-sharedlib
allow perm=open all : path=/usr/lib64/libnm.so.0.1.0 ftype=application/x-sharedlib
allow perm=open all : path=/usr/lib64/libclamav.so.9.0.5 ftype=application/x-sharedlib
allow perm=open all : path=/usr/lib64/libfreshclam.so.2.0.1 ftype=application/x-sharedlib
deny_syslog perm=any pattern=ld_so : all

we seem to have "plugged" any holes. Do you have any comment on the rules that we added (above)?

Thanks again, Ed

stevegrubb commented 1 year ago

The pattern=ld_so cannot really be ordered at the end with the expectation it allows loopholes and then triggers. All pattern rules are kind of like a boolean. It detects the pattern or not. And patterns are evaluated without any ordering.

Aside from that, I don't know if you can use "exe=/". You may have to revert to "all".

stevegrubb commented 9 months ago

I think this issue can be closed. If there is anything else to discuss, please feel free to reopen it.