Kernel Proc Connector and Containers
•Als PPTX, PDF herunterladen•
7 gefällt mir•2,551 views
Elad Wexler talks about the Proc Connector with regards to containers, shows it isn't supported inside a docker container and how it can be supported.
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Kernel Proc Connector and Containers
Ähnlich wie Kernel Proc Connector and Containers (20)
Mehr von Kernel TLV
Mehr von Kernel TLV (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Kernel Proc Connector and Containers
- 1. 1 Security Technologies Feb 2018 Nadav Markus, Elad Wexler
- 2. Kernel Proc Connector and Containers 2
- 3. Agenda • How to get process events? Such as: fork(), exec(), exit(), setuid(), ptrace()? From user space in nearly real time? seamlessly? • Can we do that inside a docker container? 3 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 4. Options: • Polling /proc file-system • Not efficient, wasteful CPU cycles • Not deterministic • Inotify? – can’t monitor /proc file-system by design • strace? – possibility - but for each process in the system? • Audit framework – Good possibility, but reserved for auditd 4 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 5. Another Option: • Use: process-connector kernel primitive • Provides: • Flexible socket based API • Get real, valid kernel data to user-space • Can be used for: • Monitoring system activity • Resource Management • Security 5 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 6. Kernel Connector 6 | © 2015, Palo Alto Networks. Confidential and Proprietary. netlink Connector Process Connector Dallas 1-wire bus Microsoft Hyper-V Client driver VBE 2.0 Video Cards
- 7. 7 | © 2015, Palo Alto Networks. Confidential and Proprietary. PROCESS CONNECTOR CONNECTOR AF_NETLINK Socket API sys_fork() sys_exec() sys_exit() sys_setuid() sys_ptrace() ….. Socket API User Listener KERNEL USER /drivers/connector/cn_proc.c /drivers/connector/connector.c /net/netlink/af_netlink.c /net/socket.c Process Connector: System Architecture
- 8. Connector • Built on netlink infra, as easy kernel user-space IPC • Added netlink protocol – NETLINK_CONNECTOR • Netlink Connector callback will be called on recv from a netlink socket • Driver API 8 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 9. Process Connector • Initially added by IBM kernel 2.6.14 (CONFIG_PROC_EVENTS) • Built on the connector driver • Register mcast callback & connector identifiers • Send process events via the netlink connector socket Example 9 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 10. Netlink • Kernel User space IPC (A flexible ioctl replacement) • Kernel Kernel • (User space User space) • Address Users PIDs • Socket Family AF_NETLINK – Connectionless Service 10 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 11. Demo – Host namespaces 11 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 12. Demo – Host namespaces 12 | © 2015, Palo Alto Networks. Confidential and Proprietary. struct nlmsghdr struct cn_msg User Data enum proc_cn_mcst_op Netlink layer Connector User space Send message definition
- 13. Demo – Host namespaces 13 | © 2015, Palo Alto Networks. Confidential and Proprietary. struct proc_event User space Recv message struct nlmsghdr struct cn_msg User DataNetlink layer Connector
- 14. Demo in Container • Flow of ECONNREFUSED 14 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 15. [PATCH]: Supporting proc-connector in a container 15 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 16. Demo 16 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 17. More Issues • Mcast design is broken PROC_CN_MCAST_IGNORE • Host namespace information disclosure 17 | © 2015, Palo Alto Networks. Confidential and Proprietary.
- 18. Questions? 18
Hinweis der Redaktion
- As opposed to unix which is based on files,
- Dallas 1-wire bus is useful to connect slow 1-pin devices such as iButtons and thremal sensors The connector allows communication with userspace: such as events that generated upon each new master or slave device discovery Or userspace commands such as read/write through the bus and also replies to userspace commands Hyper-V for example the host can initiate a guest snapshot through the connector, the connector will respond to the daemon on the host Once the operation is complete The VSS daemon (hv_vss_daemon) implements the hypervvssd service, which allows you to create snapshots and backups of volumes from the host without preventing processes that are running in a guest from writing to or reading from those volumes. https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/integration-services
- For registration and for sending messages via the netlink socket
- 1534 – copy_process do_fork
- As opposed to unix which is based on files,
- Show a connection refused at netlink_sendmsg netlink_unicast netlink_getsockbyportid netlink_lookup (and there isn’t a net on which this netlink socket has ever created)
- Show a connection refused at netlink_sendmsg netlink_unicast netlink_getsockbyportid netlink_lookup (and there isn’t a net on which this netlink socket has ever created)
- Show that when deriving the host net namespace you see the host pids docker run -tid --cap-add=NET_ADMIN --net=host ubuntu