
[RASP] mount script is no longer run as a script #499

Closed
AlkenePan opened this issue May 23, 2023 · 4 comments
Comments

@AlkenePan
Member

Thanks to @dark-lbp for reporting the problem.

The mount script uses binaries from inside the container; that container and the binaries in it are not under our control.

Fix:

  • Stop using the mount script; write a separate binary that does this job.
@AlkenePan AlkenePan self-assigned this May 23, 2023
@Hackerl
Collaborator

Hackerl commented Jul 14, 2023

The original approach mounted the host's root filesystem device inside the container, which leaves a risky window during which a malicious program can successfully read and write the host's root filesystem.
After investigation, a better approach is to create a loop device and put all the resources the RASP plugin needs (probes, unix socket) into the loop device's filesystem:

dd if=/dev/zero of=loopbackfile.img bs=100M count=10   # 1 GiB image file
sudo mkfs.ext4 loopbackfile.img                        # format the image as ext4
sudo losetup -fP loopbackfile.img                      # attach it to the first free loop device
sudo losetup -a                                        # confirm which /dev/loopN was used
sudo mkdir -p /loopfs
sudo mount /dev/loop0 /loopfs                          # /dev/loop0 is already a loop device; no -o loop needed

Switch into the mount namespace through the glibc interface, create /dev/loop0 inside the target container, then mount the /loopfs filesystem there; this way all containers share the resources.

Take care with read/write permissions: the unix socket is opened read-write, the other probe binaries are read-only.

@Hackerl
Collaborator

Hackerl commented Jul 14, 2023

  1. At packaging time, create rasp-fs.img and put the probe binaries into it.
  2. After the RASP plugin starts, attach rasp-fs.img as a loop device and mount the filesystem at /elkeid-rasp.
  3. When injecting into the target pid, check whether /elkeid-rasp exists; if it does not, mount the loop device into it.
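
The loop-device scheme from the two comments above, written out from the host side as an added example (this is not Elkeid's own code). The image name rasp-fs.img, the mountpoint /elkeid-rasp and all helper names are this example's own assumptions. It does steps 2 and 3: attach the image with the loop-control ioctls, check whether the target already has the mount, and if not enter the target's mount namespace in a forked child, create the /dev/loopN node, mount it, and remove the node again. Two caveats a practitioner should note: the "does /elkeid-rasp exist" check must test for a real mount point, not just a directory, otherwise a process in the container can pre-create the directory and stop the mount or plant its own files there; and the loop device is shared by every container, so the device node must not stay reachable inside the container, or one container could write to the backing image that all the others execute probes from.

```c
/* Added example, not Elkeid code. Assumed names: rasp-fs.img, /elkeid-rasp,
 * and the helper functions below. Needs root (CAP_SYS_ADMIN, CAP_MKNOD). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <linux/loop.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>

#define LOOP_MAJOR 7            /* fixed major number of loop block devices */
#define RASP_MNT   "/elkeid-rasp"

/* Step 3's check, done through /proc/<pid>/root so we never enter the
 * namespace just to look. Only a real mount point counts: a plain directory
 * created inside the container has the same st_dev as its parent. */
int target_has_mount(pid_t pid, const char *dir)
{
    char path[PATH_MAX], parent[PATH_MAX];
    struct stat st, pst;

    snprintf(path, sizeof path, "/proc/%d/root%s", (int)pid, dir);
    if (stat(path, &st) < 0 || !S_ISDIR(st.st_mode))
        return 0;
    snprintf(parent, sizeof parent, "%s", path);
    char *slash = strrchr(parent, '/');
    if (slash) slash[1] = '\0';          /* keep trailing '/', e.g. "/proc/N/root/" */
    if (stat(parent, &pst) < 0)
        return 0;
    return st.st_dev != pst.st_dev;
}

/* Step 2: attach img to the first free loop device; returns N of /dev/loopN. */
int attach_loop(const char *img)
{
    int ctl = open("/dev/loop-control", O_RDWR);
    if (ctl < 0) return -1;
    int n = ioctl(ctl, LOOP_CTL_GET_FREE);
    close(ctl);
    if (n < 0) return -1;

    char dev[32];
    snprintf(dev, sizeof dev, "/dev/loop%d", n);
    int lfd = open(dev, O_RDWR);
    int ifd = open(img, O_RDWR);         /* rw: the unix socket lives on this fs */
    if (lfd < 0 || ifd < 0 || ioctl(lfd, LOOP_SET_FD, ifd) < 0) n = -1;
    if (ifd >= 0) close(ifd);            /* the loop driver holds its own reference */
    if (lfd >= 0) close(lfd);
    return n;
}

/* Enter the target's mount namespace in a child (the plugin's own namespace is
 * untouched), create /dev/loopN there, mount it, then unlink the node so the
 * container cannot open the shared block device and rewrite the image. */
int mount_in_container(pid_t pid, int loopn)
{
    char ns[64], dev[32];
    snprintf(ns, sizeof ns, "/proc/%d/ns/mnt", (int)pid);
    snprintf(dev, sizeof dev, "/dev/loop%d", loopn);

    int nsfd = open(ns, O_RDONLY);
    if (nsfd < 0) return -1;
    pid_t child = fork();
    if (child < 0) { close(nsfd); return -1; }
    if (child == 0) {
        if (setns(nsfd, CLONE_NEWNS) < 0) _exit(1);   /* root/cwd are now the container's */
        if (mkdir(RASP_MNT, 0755) < 0 && errno != EEXIST) _exit(2);
        if (mknod(dev, S_IFBLK | 0600, makedev(LOOP_MAJOR, loopn)) < 0 && errno != EEXIST) _exit(3);
        if (mount(dev, RASP_MNT, "ext4", MS_NOSUID | MS_NODEV, NULL) < 0) _exit(4);
        unlink(dev);                     /* the mount keeps the device open */
        _exit(0);
    }
    close(nsfd);
    int status = 0;
    waitpid(child, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <container-pid> <rasp-fs.img>\n", argv[0]); return 2; }
    pid_t pid = (pid_t)atoi(argv[1]);
    if (target_has_mount(pid, RASP_MNT)) { puts("already mounted"); return 0; }
    int n = attach_loop(argv[2]);        /* a real plugin attaches once and reuses n */
    if (n < 0) { perror("attach_loop"); return 1; }
    if (mount_in_container(pid, n) < 0) { fprintf(stderr, "mount into pid %d failed\n", (int)pid); return 1; }
    printf("/dev/loop%d mounted at %s in pid %d\n", n, RASP_MNT, (int)pid);
    return 0;
}
```

Usage: `sudo ./rasp-mount <pid-of-a-process-in-the-container> rasp-fs.img`. The child does the namespace switch because setns(CLONE_NEWNS) changes the caller's root and cwd; the plugin process itself keeps its host view. Permissions inside the image are set at packaging time (probe binaries 0555, the socket directory writable), as the comment above calls for.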

@Hackerl
Collaborator

Hackerl commented Jul 18, 2023

Another solution: find where the container's overlay filesystem lives on the host:

$ cat /proc/1148105/mounts
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/22PJ2J22FIZK67PN6ZR27K7PGJ:/var/lib/docker/overlay2/l/CHH4CEL2OWGN6SA3GMGLI2KHLG,upperdir=/var/lib/docker/overlay2/7fbefa7dec129a4d70df7d02279f0d2872a1dc2c54171a8766c2878219ed4621/diff,workdir=/var/lib/docker/overlay2/7fbefa7dec129a4d70df7d02279f0d2872a1dc2c54171a8766c2878219ed4621/work,index=off,nfs_export=off 0 0

Use the work dir to find merged

sudo mkdir /var/lib/docker/overlay2/cbb1b1c9c46c096fc7ba75f9ebef1846e2a62f30067d1021c0c0779c10ea40b2/merged/mount-test
sudo mount -t ext4 -o bind /tmp/mount-test /var/lib/docker/overlay2/cbb1b1c9c46c096fc7ba75f9ebef1846e2a62f30067d1021c0c0779c10ea40b2/merged/mount-test   # -t is ignored for a bind mount
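
The overlay-based alternative above, as an added example done from the host side (not Elkeid's own code): parse the root overlay entry of /proc/<pid>/mounts, derive the merged directory from the workdir's parent, create a subdirectory there and bind-mount a host directory onto it. The sample mounts line is the one quoted in the comment; the helper names are this example's own. One caveat: mkdir under merged writes to the overlay's upperdir and is always visible in the container, but the bind mount itself only becomes visible if mount propagation allows it (the host-side overlay mount shared, the container root shared or slave); with private propagation the container sees only an empty directory, so verify with /proc/<pid>/mountinfo after mounting.

```c
/* Added example, not Elkeid code. Assumed names: merged_dir_from_line,
 * merged_dir_for_pid, bind_into_merged. Needs root for the mount step. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>

/* Constructed input: the root overlay entry quoted in the comment above. */
const char *SAMPLE_MOUNTS_LINE =
    "overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/22PJ2J22FIZK67PN6ZR27K7PGJ:"
    "/var/lib/docker/overlay2/l/CHH4CEL2OWGN6SA3GMGLI2KHLG,"
    "upperdir=/var/lib/docker/overlay2/7fbefa7dec129a4d70df7d02279f0d2872a1dc2c54171a8766c2878219ed4621/diff,"
    "workdir=/var/lib/docker/overlay2/7fbefa7dec129a4d70df7d02279f0d2872a1dc2c54171a8766c2878219ed4621/work,"
    "index=off,nfs_export=off 0 0";

/* If `line` is the overlay mounted at "/", return "<parent of workdir>/merged"
 * (static buffer, not thread-safe); otherwise NULL. */
const char *merged_dir_from_line(const char *line)
{
    static char out[4096];
    char src[256], mnt[4096], type[64], opts[8192];

    if (sscanf(line, "%255s %4095s %63s %8191s", src, mnt, type, opts) != 4)
        return NULL;
    if (strcmp(mnt, "/") != 0 || strcmp(type, "overlay") != 0)
        return NULL;

    const char *w = strstr(opts, "workdir=");
    if (!w) return NULL;
    w += strlen("workdir=");
    size_t len = strcspn(w, ",");        /* the value ends at the next ',' */

    /* drop the last component ("work"); what remains is the overlay id directory */
    const char *last = NULL;
    for (const char *p = w; p < w + len; p++)
        if (*p == '/') last = p;
    if (!last || last == w) return NULL;

    int n = snprintf(out, sizeof out, "%.*s/merged", (int)(last - w), w);
    return (n > 0 && (size_t)n < sizeof out) ? out : NULL;
}

/* Scan /proc/<pid>/mounts for the container's root overlay. */
const char *merged_dir_for_pid(pid_t pid)
{
    char path[64], line[16384];
    const char *res = NULL;
    snprintf(path, sizeof path, "/proc/%d/mounts", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    while (!res && fgets(line, sizeof line, f))
        res = merged_dir_from_line(line);
    fclose(f);
    return res;
}

/* Create <merged>/<name>, bind-mount hostdir onto it, then remount the bind
 * with nosuid,nodev. The fs type argument is ignored for MS_BIND. */
int bind_into_merged(const char *merged, const char *name, const char *hostdir)
{
    char target[4096];
    snprintf(target, sizeof target, "%s/%s", merged, name);
    if (mkdir(target, 0755) < 0 && errno != EEXIST) return -1;
    if (mount(hostdir, target, NULL, MS_BIND, NULL) < 0) return -1;
    return mount(NULL, target, NULL, MS_BIND | MS_REMOUNT | MS_NOSUID | MS_NODEV, NULL);
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <container-pid> <host-dir> <name>\n", argv[0]);
        return 2;
    }
    const char *merged = merged_dir_for_pid((pid_t)atoi(argv[1]));
    if (!merged) { fprintf(stderr, "no root overlay found for that pid\n"); return 1; }
    if (bind_into_merged(merged, argv[3], argv[2]) < 0) { perror("bind mount"); return 1; }
    printf("%s bound at %s/%s\n", argv[2], merged, argv[3]);
    return 0;
}
```

Usage: `sudo ./overlay-bind <pid> /tmp/mount-test mount-test` reproduces the two shell commands above for whichever container the pid belongs to. The parser keys on the mountpoint being "/" and the type being overlay, so a process that is not a container's init (or a container with a different root filesystem driver) yields no result rather than a wrong path.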

@Hackerl
Collaborator

Hackerl commented Jul 19, 2023

#518

@Hackerl Hackerl closed this as completed Mar 14, 2024