Documentation
Overview
Package seccheck defines a structure for dynamically-configured security checks in the sentry.
Index
- type Checker
- type CheckerDefaults
- func (CheckerDefaults) Clone(ctx context.Context, mask CloneFieldSet, info CloneInfo) error
- func (CheckerDefaults) Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error
- func (CheckerDefaults) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info ExitNotifyParentInfo) error
- type CheckerReq
- type CloneInfo
- type ExecveInfo
- type ExitNotifyParentInfo
- type Point
- type State
- func (s *State) AppendChecker(c Checker, req *CheckerReq)
- func (s *State) Clone(ctx context.Context, mask CloneFieldSet, info *CloneInfo) error
- func (s *State) CloneReq() CloneFieldSet
- func (s *State) Enabled(p Point) bool
- func (s *State) Execve(ctx context.Context, mask ExecveFieldSet, info *ExecveInfo) error
- func (s *State) ExecveReq() ExecveFieldSet
- func (s *State) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info *ExitNotifyParentInfo) error
- func (s *State) ExitNotifyParentReq() ExitNotifyParentFieldSet
- type TaskInfo
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Checker
type Checker interface {
	Clone(ctx context.Context, mask CloneFieldSet, info CloneInfo) error
	Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error
	ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info ExitNotifyParentInfo) error
}
A Checker performs security checks at checkpoints.
Each Checker method X is called at checkpoint X; if the method may return a non-nil error and does so, it causes the checked operation to fail immediately (without calling subsequent Checkers) and return the error. The info argument contains information relevant to the check. The mask argument indicates what fields in info are valid; the mask should usually be a superset of fields requested by the Checker's corresponding CheckerReq, but may be missing requested fields in some cases (e.g. if the Checker is registered concurrently with invocations of checkpoints).
type CheckerDefaults
type CheckerDefaults struct{}
CheckerDefaults may be embedded by implementations of Checker to obtain no-op implementations of Checker methods that may be explicitly overridden.
func (CheckerDefaults) Clone
func (CheckerDefaults) Clone(ctx context.Context, mask CloneFieldSet, info CloneInfo) error
Clone implements Checker.Clone.
func (CheckerDefaults) Execve
func (CheckerDefaults) Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error
Execve implements Checker.Execve.
func (CheckerDefaults) ExitNotifyParent
func (CheckerDefaults) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info ExitNotifyParentInfo) error
ExitNotifyParent implements Checker.ExitNotifyParent.
type CheckerReq
type CheckerReq struct {
	// Points are the set of checkpoints for which the corresponding Checker
	// must be called. Note that methods not specified in Points may still be
	// called; implementations of Checker may embed CheckerDefaults to obtain
	// no-op implementations of Checker methods.
	Points []Point

	// All of the following fields indicate what fields in the corresponding
	// XInfo struct will be requested at the corresponding checkpoint.
	Clone            CloneFields
	Execve           ExecveFields
	ExitNotifyParent ExitNotifyParentFields
}
CheckerReq indicates what checkpoints a corresponding Checker runs at, and what information it requires at those checkpoints.
type CloneInfo
type CloneInfo struct {
	// Invoker identifies the invoking thread.
	Invoker TaskInfo

	// Credentials are the invoking thread's credentials.
	Credentials *auth.Credentials

	// Args contains the arguments to kernel.Task.Clone().
	Args linux.CloneArgs

	// Created identifies the created thread.
	Created TaskInfo
}
CloneInfo contains information used by the Clone checkpoint.
+fieldenum Clone
type ExecveInfo
type ExecveInfo struct {
	// Invoker identifies the invoking thread.
	Invoker TaskInfo

	// Credentials are the invoking thread's credentials.
	Credentials *auth.Credentials

	// BinaryPath is a path to the executable binary file being switched to in
	// the mount namespace in which it was opened.
	BinaryPath string

	// Argv is the new process image's argument vector.
	Argv []string

	// Env is the new process image's environment variables.
	Env []string

	// BinaryMode is the executable binary file's mode.
	BinaryMode uint16

	// BinarySHA256 is the SHA-256 hash of the executable binary file.
	//
	// Note that this requires reading the entire file into memory, which is
	// likely to be extremely slow.
	BinarySHA256 [32]byte
}
ExecveInfo contains information used by the Execve checkpoint.
+fieldenum Execve
type ExitNotifyParentInfo
type ExitNotifyParentInfo struct {
	// Exiter identifies the exiting thread. Note that by the checkpoint's
	// definition, Exiter.ThreadID == Exiter.ThreadGroupID and
	// Exiter.ThreadStartTime == Exiter.ThreadGroupStartTime, so requesting
	// ThreadGroup* fields is redundant.
	Exiter TaskInfo

	// ExitStatus is the exiting thread group's exit status, as reported
	// by wait*().
	ExitStatus linux.WaitStatus
}
ExitNotifyParentInfo contains information used by the ExitNotifyParent checkpoint.
+fieldenum ExitNotifyParent
type Point
type Point uint
A Point represents a checkpoint, a point at which a security check occurs.
type State
type State struct {
// contains filtered or unexported fields
}
State is the type of Global, and is separated out for testing.
var Global State
Global is the method receiver of all seccheck functions.
func (*State) AppendChecker
func (s *State) AppendChecker(c Checker, req *CheckerReq)
AppendChecker registers the given Checker to execute at checkpoints. The Checker will execute after all previously-registered Checkers, and only if those Checkers return a nil error.
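The following is an added, self-contained Go example, not code from the seccheck package. It mirrors only the Execve slice of the API described above with local stand-in types (ExecveFieldSet is hand-written in place of the +fieldenum output; Clone and ExitNotifyParent are omitted) and shows the semantics a Checker author must get right: embedding CheckerDefaults and overriding one method, declaring field requests through CheckerReq, honouring the mask rather than assuming every requested field is present, and the AppendChecker ordering rule that a non-nil error from an earlier Checker stops the chain. DenyPathPrefixChecker, AuditChecker, NewDemoState, ErrPathDenied and the /tmp and /dev/shm policy are all constructed for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// ExecveFieldSet is a bitmask over ExecveInfo fields; it stands in for the
// type the real package generates from its +fieldenum directive.
type ExecveFieldSet uint32

const (
	ExecveFieldBinaryPath ExecveFieldSet = 1 << iota
	ExecveFieldArgv
)

// ExecveInfo, Checker, CheckerDefaults and CheckerReq mirror only the Execve
// slice of the seccheck API; Clone and ExitNotifyParent are omitted.
type ExecveInfo struct {
	BinaryPath string
	Argv       []string
}
type Checker interface {
	Execve(ctx context.Context, mask ExecveFieldSet, info ExecveInfo) error
}
type CheckerDefaults struct{}

func (CheckerDefaults) Execve(context.Context, ExecveFieldSet, ExecveInfo) error { return nil }

type CheckerReq struct{ Execve ExecveFieldSet }

// State keeps Checkers in registration order plus the union of their requests.
type State struct {
	checkers  []Checker
	execveReq ExecveFieldSet
}

// AppendChecker registers c after all earlier Checkers.
func (s *State) AppendChecker(c Checker, req *CheckerReq) {
	s.execveReq |= req.Execve
	s.checkers = append(s.checkers, c)
}

// ExecveReq returns the fields the checkpoint caller should populate.
func (s *State) ExecveReq() ExecveFieldSet { return s.execveReq }

// Execve runs the chain: the first non-nil error is returned at once and the
// remaining Checkers are not called.
func (s *State) Execve(ctx context.Context, mask ExecveFieldSet, info *ExecveInfo) error {
	for _, c := range s.checkers {
		if err := c.Execve(ctx, mask, *info); err != nil {
			return err
		}
	}
	return nil
}

// ErrPathDenied is a hypothetical sentinel error for this example.
var ErrPathDenied = errors.New("execve denied by path policy")

// DenyPathPrefixChecker refuses binaries under Prefixes. When the mask lacks
// BinaryPath (possible if a Checker is registered concurrently with a
// checkpoint) it has nothing to judge and lets the exec through.
type DenyPathPrefixChecker struct {
	CheckerDefaults
	Prefixes []string
}

func (c DenyPathPrefixChecker) Execve(_ context.Context, mask ExecveFieldSet, info ExecveInfo) error {
	if mask&ExecveFieldBinaryPath == 0 {
		return nil
	}
	for _, p := range c.Prefixes {
		if strings.HasPrefix(info.BinaryPath, p) {
			return fmt.Errorf("%w: %s", ErrPathDenied, info.BinaryPath)
		}
	}
	return nil
}

// AuditChecker records each execve that reaches it, reading only masked fields.
type AuditChecker struct {
	CheckerDefaults
	Log *[]string
}

func (c AuditChecker) Execve(_ context.Context, mask ExecveFieldSet, info ExecveInfo) error {
	path, argv := "<not in mask>", []string{"<not in mask>"}
	if mask&ExecveFieldBinaryPath != 0 {
		path = info.BinaryPath
	}
	if mask&ExecveFieldArgv != 0 {
		argv = info.Argv
	}
	*c.Log = append(*c.Log, fmt.Sprintf("execve path=%q argv=%q", path, argv))
	return nil
}

// NewDemoState registers the policy Checker ahead of the audit Checker, so a
// denied exec never reaches the log; the prefixes are a constructed policy.
func NewDemoState(log *[]string) *State {
	s := &State{}
	s.AppendChecker(DenyPathPrefixChecker{Prefixes: []string{"/tmp/", "/dev/shm/"}},
		&CheckerReq{Execve: ExecveFieldBinaryPath})
	s.AppendChecker(AuditChecker{Log: log}, &CheckerReq{Execve: ExecveFieldBinaryPath | ExecveFieldArgv})
	return s
}
```

Two design choices are worth noticing. Registration order is a policy decision: because a denying Checker returns before later Checkers run, an audit Checker registered after it never sees the denied attempt; register it first if denied attempts must be logged. And the missing-field branch is deliberately fail-open here because the documented cause is a benign registration race; a deployment that would rather refuse an exec it cannot classify returns an error from that branch instead.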
func (*State) CloneReq
func (s *State) CloneReq() CloneFieldSet
CloneReq returns fields required by the Clone checkpoint.
func (*State) Execve
func (s *State) Execve(ctx context.Context, mask ExecveFieldSet, info *ExecveInfo) error
Execve is called at the Execve checkpoint.
func (*State) ExecveReq
func (s *State) ExecveReq() ExecveFieldSet
ExecveReq returns fields required by the Execve checkpoint.
func (*State) ExitNotifyParent
func (s *State) ExitNotifyParent(ctx context.Context, mask ExitNotifyParentFieldSet, info *ExitNotifyParentInfo) error
ExitNotifyParent is called at the ExitNotifyParent checkpoint.
The ExitNotifyParent checkpoint occurs when a zombied thread group leader, not waiting for exit acknowledgement from a non-parent ptracer, becomes the last non-dead thread in its thread group and notifies its parent of its exiting.
func (*State) ExitNotifyParentReq
func (s *State) ExitNotifyParentReq() ExitNotifyParentFieldSet
ExitNotifyParentReq returns fields required by the ExitNotifyParent checkpoint.
type TaskInfo
type TaskInfo struct {
	// ThreadID is the thread's ID in the root PID namespace.
	ThreadID int32

	// ThreadStartTime is the thread's CLOCK_REALTIME start time.
	ThreadStartTime ktime.Time

	// ThreadGroupID is the thread's group leader's ID in the root PID
	// namespace.
	ThreadGroupID int32

	// ThreadGroupStartTime is the thread's group leader's CLOCK_REALTIME start
	// time.
	ThreadGroupStartTime ktime.Time
}
TaskInfo contains information unambiguously identifying a single thread and/or its containing process.
+fieldenum Task