By default, bpflock only allows container managers, systemd, and similar security and audit tools that run in the host PID or network namespace to use the full set of Linux features; containers and programs that run in their own namespaces are restricted. If bpflock is started with a restricted configuration file, all programs and containers, including privileged ones, are denied access.
In addition, bpflock protects Linux machines through other kernel security features, such as Linux security modules combined with BPF (BPF LSM).
Features
1. Memory protection: Kernel image locking, kernel module protection, BPF protection;
2. Process protection: Fileless memory execution, namespace protection;
3. Hardware attack protection: USB protection;
4. System and application tracing: Trace application execution, trace privileged system operations;
5. File system protection: Read-only Root file system protection, sysfs protection;
6. Network protection;
Tool development
Dependencies
bpflock requires the following:
1. Linux kernel version >= 5.13, built with the following configuration options:
CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_KPROBES=y
CONFIG_LSM="...,bpf"
CONFIG_BPF_LSM=y
2. A kernel with BTF (BPF Type Format) enabled
Enable BPF LSM support
1. Open the /etc/default/grub file with root privileges;
2. Add the following to the GRUB_CMDLINE_LINUX variable and save the file:
"lsm=lockdown,capability,yama,apparmor,bpf"
For example:
GRUB_CMDLINE_LINUX="lsm=lockdown,capability,yama,apparmor,bpf"
3. Update the grub configuration:
sudo update-grub2
4. Reboot the machine
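The following pre-flight script is an added example, not bpflock's own code: it checks the prerequisites listed above (kernel >= 5.13, the CONFIG_* options, BTF, and "bpf" in the active LSM list) and whether the GRUB_CMDLINE_LINUX change took effect. The function names and all sample inputs are constructed for this illustration; the file paths /boot/config-$(uname -r), /sys/kernel/btf/vmlinux and /sys/kernel/security/lsm are the usual locations on a Linux host.

```shell
#!/bin/sh
# Added example (not bpflock's own code): pre-flight check for the bpflock
# prerequisites. Function names are constructed for this illustration.

REQUIRED_KCONFIG="CONFIG_BPF_SYSCALL CONFIG_DEBUG_INFO CONFIG_DEBUG_INFO_BTF CONFIG_KPROBES CONFIG_BPF_LSM"

# kernel_version_ok VERSION: succeeds when a "uname -r" style VERSION is >= 5.13.
kernel_version_ok() {
    major=${1%%.*}
    minor=$(printf '%s' "${1#*.}" | sed 's/[^0-9].*//')
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "${minor:-0}" -ge 13 ]; }
}

# kconfig_missing FILE: prints one line per required option that is not "=y" in
# the kernel config FILE, plus "CONFIG_LSM(bpf)" if CONFIG_LSM does not list bpf.
kconfig_missing() {
    for opt in $REQUIRED_KCONFIG; do
        grep -q "^$opt=y\$" "$1" || printf '%s\n' "$opt"
    done
    grep -Eq '^CONFIG_LSM="([^"]*,)?bpf(,[^"]*)?"$' "$1" || printf '%s\n' "CONFIG_LSM(bpf)"
}

# lsm_has_bpf LIST: succeeds when LIST (the comma-separated content of
# /sys/kernel/security/lsm) contains the bpf LSM, i.e. the boot parameter worked.
lsm_has_bpf() {
    printf ',%s,' "$1" | grep -q ',bpf,'
}

# grub_cmdline_has_bpf_lsm FILE: succeeds when GRUB_CMDLINE_LINUX in FILE
# (normally /etc/default/grub) carries an lsm= list that includes bpf.
grub_cmdline_has_bpf_lsm() {
    grep -Eq '^GRUB_CMDLINE_LINUX=".*lsm=([^" ]*,)?bpf(,[^" ]*)?([" ]|$)' "$1"
}

# Run against the live host with: sh bpflock-preflight.sh --host
if [ "${1:-}" = "--host" ]; then
    rc=0
    kernel_version_ok "$(uname -r)" || { echo "kernel $(uname -r) is older than 5.13"; rc=1; }
    cfg="/boot/config-$(uname -r)"
    [ -r "$cfg" ] && kconfig_missing "$cfg" | sed 's/^/missing kconfig: /'
    [ -r /sys/kernel/btf/vmlinux ] || { echo "no BTF at /sys/kernel/btf/vmlinux"; rc=1; }
    lsm_has_bpf "$(cat /sys/kernel/security/lsm 2>/dev/null)" || { echo "bpf LSM not active"; rc=1; }
    grub_cmdline_has_bpf_lsm /etc/default/grub 2>/dev/null || echo "lsm=...,bpf not set in /etc/default/grub"
    exit "$rc"
fi
```

A kernel that has CONFIG_BPF_LSM=y but no "bpf" in /sys/kernel/security/lsm is the common failure: the build supports BPF LSM, but the lsm= boot parameter above was not applied or the machine was not rebooted.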
Docker usage
The following command runs the tool with the default configuration:
docker run --name bpflock -it --rm --cgroupns=host \
    --pid=host --privileged \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
Fileless memory execution protection
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -e "BPFLOCK_FILELESSLOCK_PROFILE=restricted" \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
Kernel module protection
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -e "BPFLOCK_KMODLOCK_PROFILE=restricted" \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
Usage example:
$ sudo unshare -p -n -f
# modprobe xfs
modprobe: ERROR: could not insert 'xfs': Operation not permitted
Output result:
time="2022-02-07T06:50:25+01:00" level=info msg="event=syscall_execve tgid=52323 pid=52323 ppid=52288 uid=0 cgroupid=7014 comm=modprobe pcomm=bash filename=/usr/sbin/modprobe retval=0" bpfprog=execsnoop subsys=bpf
time="2022-02-07T06:50:25+01:00" level=info msg="event=lsm_kernel_read_file operation=loading module tgid=52323 pid=52323 ppid=52288 uid=0 cgroupid=7014 comm=modprobe pcomm=bash filename=xfs.ko retval=-1 reason=denied (restricted)" bpfprog=kmodlock subsys=bpf
Kernel image locking
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -e "BPFLOCK_KIMGLOCK_PROFILE=baseline" \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
Usage example:
$ sudo unshare -f -p -n bash
# head -c 1 /dev/mem
head: cannot open '/dev/mem' for reading: Operation not permitted
Output result:
time="2022-02-07T06:57:22+01:00" level=info msg="event=syscall_execve tgid=52428 pid=52428 ppid=52288 uid=0 cgroupid=7014 comm=head pcomm=bash filename=/usr/bin/head retval=0" bpfprog=execsnoop subsys=bpf
time="2022-02-07T06:57:22+01:00" level=info msg="event=lsm_locked_down operation=/dev/mem,kmem,port tgid=52428 pid=52428 ppid=52288 uid=0 cgroupid=7014 comm=head pcomm=bash retval=-1 reason=denied (baseline)" bpfprog=kimglock subsys=bpf
BPF Protection
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -e "BPFLOCK_BPFRESTRICT_PROFILE=baseline" \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
Usage example:
$ sudo unshare -f -p -n bash
# bpftool prog
Error: can't get next program: Operation not permitted
Output result:
time="2022-02-04T15:40:56Z" level=info msg="event=lsm_bpf tgid=2378 pid=2378 ppid=2364 uid=0 cgroupid=9458 comm=bpftool pcomm=bash filename= retval=-1 reason=baseline" bpfprog=bpfrestrict subsys=bpf
time="2022-02-04T15:40:56Z" level=info msg="event=lsm_bpf tgid=2378 pid=2378 ppid=2364 uid=0 cgroupid=9458 comm=bpftool pcomm=bash filename= retval=-1 reason=baseline" bpfprog=bpfrestrict subsys=bpf
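The log lines in the three outputs above all follow the same key=value layout, with retval=-1 and a reason field marking a denied operation. The script below is an added example, not part of bpflock: it extracts the denials from such log lines and counts them per BPF program and command, the way a detection rule consuming the container's output would. SAMPLE_LOG is copied from the log lines on this page; the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not part of bpflock): extract denied operations from bpflock
# log lines and count them per bpfprog and command. SAMPLE_LOG is copied from
# the outputs shown on this page; function names are constructed here.

SAMPLE_LOG=$(cat <<'EOF'
time="2022-02-07T06:50:25+01:00" level=info msg="event=syscall_execve tgid=52323 pid=52323 ppid=52288 uid=0 cgroupid=7014 comm=modprobe pcomm=bash filename=/usr/sbin/modprobe retval=0" bpfprog=execsnoop subsys=bpf
time="2022-02-07T06:50:25+01:00" level=info msg="event=lsm_kernel_read_file operation=loading module tgid=52323 pid=52323 ppid=52288 uid=0 cgroupid=7014 comm=modprobe pcomm=bash filename=xfs.ko retval=-1 reason=denied (restricted)" bpfprog=kmodlock subsys=bpf
time="2022-02-07T06:57:22+01:00" level=info msg="event=lsm_locked_down operation=/dev/mem,kmem,port tgid=52428 pid=52428 ppid=52288 uid=0 cgroupid=7014 comm=head pcomm=bash retval=-1 reason=denied (baseline)" bpfprog=kimglock subsys=bpf
time="2022-02-04T15:40:56Z" level=info msg="event=lsm_bpf tgid=2378 pid=2378 ppid=2364 uid=0 cgroupid=9458 comm=bpftool pcomm=bash filename= retval=-1 reason=baseline" bpfprog=bpfrestrict subsys=bpf
time="2022-02-04T15:40:56Z" level=info msg="event=lsm_bpf tgid=2378 pid=2378 ppid=2364 uid=0 cgroupid=9458 comm=bpftool pcomm=bash filename= retval=-1 reason=baseline" bpfprog=bpfrestrict subsys=bpf
EOF
)

# bpflock_denials: read bpflock log lines on stdin and print one tab-separated
# record per denied operation (retval=-1): bpfprog, event, comm, tgid, reason.
bpflock_denials() {
    awk '
    # field(key, cls): value of key=... in the current line. The key must be
    # preceded by a space or by the opening quote of msg="...", so "comm="
    # is never matched inside "pcomm=". cls is the regex for the value.
    function field(key, cls,   n) {
        if (match($0, "[ \"]" key "=" cls)) {
            n = length(key) + 2
            return substr($0, RSTART + n, RLENGTH - n)
        }
        return ""
    }
    field("retval", "[^ \"]*") == "-1" {
        printf "%s\t%s\t%s\t%s\t%s\n", field("bpfprog", "[^ ]*"), field("event", "[^ ]*"),
               field("comm", "[^ ]*"), field("tgid", "[^ ]*"), field("reason", "[^\"]*")
    }'
}

# bpflock_denial_counts: denials per (bpfprog, comm) from stdin, most frequent first.
bpflock_denial_counts() {
    bpflock_denials | awk -F '\t' '{ c[$1 "\t" $3]++ } END { for (k in c) print c[k] "\t" k }' | sort -rn
}

# Stand-alone demo on the sample log. On a live host feed the container's
# output in instead: docker logs bpflock | bpflock_denial_counts
printf '%s\n' "$SAMPLE_LOG" | bpflock_denial_counts
```

The execsnoop line with retval=0 is kept out of the denial list, so the same filter separates plain execution tracing from enforcement events when both profiles are active.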
Tool configuration & environment configuration
Assuming that the bpflock directory of your project already contains the bpflock.yaml and bpf.d configuration files, mount it into the container as /etc/bpflock:
$ ls bpflock/
bpf.d  bpflock.d  bpflock.yaml
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    -v $(pwd)/bpflock/:/etc/bpflock \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
Environment variables can also be passed with the "--env-file" option:
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
    --env-file bpflock.env.list \
    -v /sys/kernel/:/sys/kernel/ \
    -v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock
License
This project is developed and released under the Apache-2.0 open source license.
Project address
bpflock:【GitHub link】
Reference materials
https://man7.org/linux/man-pages/man7/namespaces.7.html
https://docs.kernel.org/bpf/prog_lsm.html
https://github.com/linux-lock/bpflock/tree/main/deploy/configs/
https://github.com/linux-lock/bpflock/tree/main/docs/
https://github.com/linux-lock/bpflock/tree/main/docs/memory-protections.md#3-bpf-protection
https://github.com/libbpf/bpftool
https://docs.docker.com/develop/develop-images/build_enhancements/