Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update(userspace/libsinsp): rely on proc root for user and group container lookup #803

Merged
merged 3 commits into from
Dec 20, 2022
Merged

update(userspace/libsinsp): rely on proc root for user and group container lookup #803

merged 3 commits into from
Dec 20, 2022

Conversation

deepskyblue86
Copy link
Contributor

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?
/area libsinsp

Does this PR require a change in the driver versions?

What this PR does / why we need it:
Instead of checking /proc//ns/mnt, just check /proc//root inode. The mount namespace gets created before the process actually gets into that namespace, so it was flaky and we also had a workaround getting it to work only for containers being created with non-root user.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

update(userspace/libsinsp): rely on proc root for user and group container lookup

@deepskyblue86
update(userspace/libsinsp): rely on proc root for user and group cont…
b9f481d 
…ainer lookup

Instead of checking /proc/<pid>/ns/mnt, just check /proc/<pid>/root
inode. The mount namespace gets created before the process actually
gets into that namespace, so it was flaky and we also had a workaround
getting it to work only for containers being created with non-root user.

Signed-off-by: Angelo Puglisi <[email protected]>
@poiana poiana added the size/M label Dec 19, 2022
@deepskyblue86
Copy link
Contributor Author

@FedeDP cf35391 and 54e19b5 should address the issue you've been encountering from time to time on test_non_sudo_setuid 🙂

@FedeDP
Copy link
Contributor

FedeDP commented Dec 20, 2022

I saw that, thank you very much!
/cc @gnosek care to take a look?

FedeDP
FedeDP approved these changes Dec 20, 2022
View reviewed changes
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work and simplification!
/approve

@poiana poiana added the lgtm label Dec 20, 2022
@poiana
Copy link
Contributor

poiana commented Dec 20, 2022

LGTM label has been added.

Git tree hash: 5aeb70c7ebe6c16b76c36c56a8d3fd8a496966df

@FedeDP
Copy link
Contributor

FedeDP commented Dec 20, 2022

/milestone 0.11.0

@poiana poiana added this to the 0.11.0 milestone Dec 20, 2022
Andreagit97
Andreagit97 approved these changes Dec 20, 2022
View reviewed changes
Copy link
Member

@Andreagit97 Andreagit97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@gnosek
Copy link
Contributor

gnosek commented Dec 20, 2022

LGTM, but I have a few questions:

  1. Why do we need the new -E option in that test? I assume something we did was unreliable but isn't this PR supposed to address that?

  2. How is /proc/pid/root more reliable than /proc/pid/ns/mnt? The only scenarios I can imagine where the two are inconsistent are:

  • unshare(CLONE_NEWNS) changes ns/mnt but not root
  • we're catching the thread after the switch to the new ns but before pivot_root; it feels like the window is tiny here but 🤷

@poiana
Copy link
Contributor

poiana commented Dec 20, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, deepskyblue86, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Andreagit97
Copy link
Member

/hold

@Andreagit97
Copy link
Member

hold this until all doubts are solved

@deepskyblue86
Copy link
Contributor Author

LGTM, but I have a few questions:

  1. Why do we need the new -E option in that test? I assume something we did was unreliable but isn't this PR supposed to address that?

That test was already failing from time to time (e.g. https://github.com/falcosecurity/libs/actions/runs/3563324665/jobs/5985981759).
I checked it a few weeks ago, but this time I didn't spend much time on it, I just thought the user/group name resolution wasn't relevant for that test and I decided to remove the noise.

  1. How is /proc/pid/root more reliable than /proc/pid/ns/mnt? The only scenarios I can imagine where the two are inconsistent are:
  • unshare(CLONE_NEWNS) changes ns/mnt but not root
  • we're catching the thread after the switch to the new ns but before pivot_root; it feels like the window is tiny here but 🤷

From my tests /proc/pid/ns/mnt exists before the process actually changes root, that's why I originally added the workaround on the uid/gid. I suppose the handle gets created before actually changing the root. I gave it a try with /proc/pid/root, thinking that if that one changes, maybe the process finally was in its own root.
I didn't know pivot_root, and I based my changes on where sinsp_threadinfo::set_user was already called from. Actually I also tried to put it only where PPME_SYSCALL_UNSHARE_X is handled but that didn't work. I also did several other attempts in these months 😅


Specifically about this:

  • we're catching the thread after the switch to the new ns but before pivot_root; it feels like the window is tiny here but 🤷

$ grep -e setuid -e pivot_root -e unshare -e execve docker-run-root.out

{"container.id":"c650ae1b4fd7","evt.args":"res=0 exe=runc args=init. tid=5394(6) pid=5394(6) ptid=5389(runc) cwd= fdlimit=1048576 pgft_maj=0 pgft_min=348 vm_size=9816 vm_rss=4 vm_swap=0 comm=6 cgroups=cpuset=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4.cpu=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4.cpuacct=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4.io=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4.memory=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4. env=GOMAXPROCS=4._LIBCONTAINER_INITPIPE=3._LIBCONTAINER_STATEDIR=/var/run/docker/runtime-runc/moby/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4._LIBCONTAINER_LOGPIPE=4._LIBCONTAINER_LOGLEVEL=4._LIBCONTAINER_FIFOFD=5._LIBCONTAINER_INITTYPE=standard._LIBCONTAINER_CLONED_BINARY=1. tty=0 pgid=5376(containerd-shim) loginuid=-1 flags=1(EXE_WRITABLE) cap_inheritable=0 cap_permitted=3FFFFFFFFF cap_effective=3FFFFFFFFF ","evt.category":"process","evt.type":"execve","group.gid":0,"group.name":"root","proc.cmdline":"6 init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"flags=248(CLONE_NEWIPC|CLONE_NEWNET|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS) ","evt.category":"process","evt.type":"unshare","group.gid":0,"group.name":"root","proc.cmdline":"runc:[0:PARENT] init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"res=0 ","evt.category":"process","evt.type":"unshare","group.gid":0,"group.name":"root","proc.cmdline":"runc:[0:PARENT] init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"uid=0(<NA>) ","evt.category":"user","evt.type":"setuid","group.gid":0,"group.name":"root","proc.cmdline":"runc:[1:CHILD] init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"res=0 ","evt.category":"user","evt.type":"setuid","group.gid":0,"group.name":"root","proc.cmdline":"runc:[1:CHILD] init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"","evt.category":"unknown","evt.type":"pivot_root","group.gid":0,"group.name":"root","proc.cmdline":"runc:[1:CHILD] init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"","evt.category":"unknown","evt.type":"pivot_root","group.gid":0,"group.name":"root","proc.cmdline":"runc:[1:CHILD] init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"uid=0(<NA>) ","evt.category":"user","evt.type":"setuid","group.gid":0,"group.name":"root","proc.cmdline":"runc:[1:CHILD] init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"res=0 ","evt.category":"user","evt.type":"setuid","group.gid":0,"group.name":"root","proc.cmdline":"runc:[1:CHILD] init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"filename=/bin/sh ","evt.category":"process","evt.type":"execve","group.gid":0,"group.name":"root","proc.cmdline":"runc:[1:CHILD] init","user.name":"root","user.uid":0}
{"container.id":"c650ae1b4fd7","evt.args":"res=0 exe=sh args=-c.exit. tid=5396(sh) pid=5396(sh) ptid=5376(containerd-shim) cwd= fdlimit=1048576 pgft_maj=0 pgft_min=483 vm_size=1520 vm_rss=4 vm_swap=0 comm=sh cgroups=cpuset=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4.cpu=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4.cpuacct=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4.io=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4.memory=/docker/c650ae1b4fd7cc661633a8a9535c74cfbab331313f5ff161a92b6c19081195d4. env=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin.HOSTNAME=c650ae1b4fd7.NGINX_VERSION=1.14.2.HOME=/root. tty=0 pgid=1(systemd) loginuid=-1 flags=1(EXE_WRITABLE) cap_inheritable=0 cap_permitted=A80425FB cap_effective=A80425FB ","evt.category":"process","evt.type":"execve","group.gid":0,"group.name":"root","proc.cmdline":"sh -c exit","user.name":"root","user.uid":0}

I think we are.

@gnosek
Copy link
Contributor

gnosek commented Dec 20, 2022

That test was already failing from time to time (e.g. https://github.com/falcosecurity/libs/actions/runs/3563324665/jobs/5985981759). I checked it a few weeks ago, but this time I didn't spend much time on it, I just thought the user/group name resolution wasn't relevant for that test and I decided to remove the noise.

Hmm okay. I wonder if this PR makes it stable though.

  • we're catching the thread after the switch to the new ns but before pivot_root; it feels like the window is tiny here but 🤷

$ grep -e setuid -e pivot_root -e unshare -e execve docker-run-root.out

(...)

I think we are.

Perfect. So we have an explanation and a patch. SHIP IT! ;)

@Andreagit97
Copy link
Member

/unhold

@poiana poiana merged commit 4be3d3c into falcosecurity:master Dec 20, 2022
@deepskyblue86 deepskyblue86 changed the title update(userspace/libsinsp): rely on proc root update(userspace/libsinsp): rely on proc root for user and group container lookup Dec 21, 2022
@poiana poiana mentioned this pull request Apr 17, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Andreagit97 Andreagit97 Andreagit97 approved these changes

@FedeDP FedeDP FedeDP approved these changes

@hbrueckner hbrueckner Awaiting requested review from hbrueckner

Assignees

@FedeDP FedeDP

@Andreagit97 Andreagit97

Labels
approved area/libsinsp dco-signoff: yes kind/feature New feature or request lgtm release-note size/M
Projects
None yet
Milestone
0.11.0
Development

Successfully merging this pull request may close these issues.
5 participants
@deepskyblue86 @FedeDP @poiana @gnosek @Andreagit97