secanomalyd/daemon.cc - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright 2021 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "secanomalyd/daemon.h"

 #include <string>
 #include <vector>

 #include <base/command_line.h>
 #include <base/files/file_util.h>
 #include <base/files/file_path.h>
 #include <base/logging.h>
 #include <base/strings/string_piece.h>
 #include <base/strings/string_split.h>
 #include <base/strings/string_util.h>
 #include <base/time/time.h>

 #include <brillo/process/process.h>
 #include <brillo/message_loops/message_loop.h>

 #include <vboot/crossystem.h>

 #include "secanomalyd/metrics.h"
 #include "secanomalyd/mount_entry.h"

 namespace {

 constexpr base::TimeDelta kCheckInterval = base::TimeDelta::FromSeconds(30);
 // Per Platform.DailyUseTime histogram this interval should ensure that enough
 // users run the reporting.
 constexpr base::TimeDelta kReportWXMountCountInterval =
     base::TimeDelta::FromHours(2);

 constexpr char kProcSelfMountsPath[] = "/proc/self/mounts";

 constexpr char kCrashReporterPath[] = "/sbin/crash_reporter";
 constexpr char kSecurityAnomalyFlag[] = "--security_anomaly";

 bool ShouldReport(bool report_in_dev_mode) {
   // Reporting should only happen when booted in Verified mode and not running
   // a developer image, unless explicitly instructed otherwise.
   return ::VbGetSystemPropertyInt("cros_debug") == 0 || report_in_dev_mode;
 }

 bool ReportMount(const MountEntry& e, bool report_in_dev_mode) {
   if (!ShouldReport(report_in_dev_mode)) {
     VLOG(1) << "Not in Verified mode, not reporting " << e.dest();
     return true;
   }

   VLOG(1) << "secanomalyd invoking crash_reporter";

   brillo::ProcessImpl crash_reporter;
   crash_reporter.AddArg(kCrashReporterPath);
   crash_reporter.AddArg(kSecurityAnomalyFlag);

   crash_reporter.RedirectUsingPipe(STDIN_FILENO, true);
   CHECK(crash_reporter.Start());
   int stdin_fd = crash_reporter.GetPipe(STDIN_FILENO);
   CHECK(base::WriteFileDescriptor(stdin_fd, e.src().value()));
   std::string newline = "\n";
   CHECK(base::WriteFileDescriptor(stdin_fd, newline));
   CHECK(base::WriteFileDescriptor(stdin_fd, e.dest().value()));
   CHECK_GE(IGNORE_EINTR(close(stdin_fd)), 0);
   CHECK_EQ(0, crash_reporter.Wait());

   return true;
 }

 }  // namespace

 int Daemon::OnEventLoopStarted() {
   CheckWXMounts();
   ReportWXMountCount();

   return 0;
 }

 void Daemon::CheckWXMounts() {
   VLOG(1) << "Checking for W+X mounts";

   DoWXMountCheck();

   brillo::MessageLoop::current()->PostDelayedTask(
       FROM_HERE, base::BindOnce(&Daemon::CheckWXMounts, base::Unretained(this)),
       kCheckInterval);
 }

 void Daemon::ReportWXMountCount() {
   VLOG(1) << "Reporting W+X mount count";

   DoWXMountCountReporting();

   brillo::MessageLoop::current()->PostDelayedTask(
       FROM_HERE,
       base::BindOnce(&Daemon::ReportWXMountCount, base::Unretained(this)),
       kReportWXMountCountInterval);
 }

 void Daemon::DoWXMountCheck() {
   std::string proc_mounts;
   if (!base::ReadFileToStringNonBlocking(base::FilePath(kProcSelfMountsPath),
                                          &proc_mounts)) {
     PLOG(ERROR) << "Failed to read " << kProcSelfMountsPath;
     return;
   }

   std::vector<base::StringPiece> mounts = base::SplitStringPiece(
       proc_mounts, "\n", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);

   for (const auto& m : mounts) {
     MountEntry e(m);
     if (e.IsWX()) {
       // Have we seen the mount yet?
       if (wx_mounts_.count(e.dest()) == 0) {
         if (e.IsUsbDriveOrArchive()) {
           // Figure out what to log in this case.
           // We could log the fact that the mount exists without logging
           // |src| or |dest|.
           continue;
         }
         // If we haven't seen the mount, save it.
         wx_mounts_[e.dest()] = e;
         VLOG(1) << "Found W+X mount at '" << e.dest() << "', type " << e.type();

         if (e.type() == "nsfs" || e.type() == "proc") {
           // "nsfs" mounts happen when a namespace file in /proc/<pid>/ns/ gets
           // bind-mounted somewhere else. These mounts can be W+X but are not
           // concerning since they are single files and these files cannot be
           // executed.
           // On 3.18 kernels these mounts show up as type "proc" rather than
           // type "nsfs".
           // TODO(crbug.com/1204604): Remove the "proc" exception after 3.18
           // kernels go away.
           VLOG(1) << "Not reporting '" << e.dest() << "', mount type "
                   << e.type();
           continue;
         }

         // Report metrics on it, if not running in dev mode.
         if (ShouldReport(dev_)) {
           // Report /usr/local mounts separately because those can indicate
           // systems where |cros_debug == 0| but the system is still a dev
           // system.
           SecurityAnomaly mount_anomaly =
               e.IsDestInUsrLocal()
                   ? SecurityAnomaly::kMount_InitNs_WxInUsrLocal
                   : SecurityAnomaly::kMount_InitNs_WxNotInUsrLocal;
           if (!SendSecurityAnomalyToUMA(mount_anomaly)) {
             LOG(WARNING) << "Could not upload metrics";
           }
         }

         // And report the actual anomalous mount, when required to.
         if (generate_reports_) {
           ReportMount(e, dev_);
         }
       }
     }
   }
 }

 void Daemon::DoWXMountCountReporting() {
   if (ShouldReport(dev_)) {
     if (!SendWXMountCountToUMA(wx_mounts_.size())) {
       LOG(WARNING) << "Could not upload W+X mount count";
     }
   }
 }
	// Copyright 2021 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "secanomalyd/daemon.h"

	#include <string>
	#include <vector>

	#include <base/command_line.h>
	#include <base/files/file_util.h>
	#include <base/files/file_path.h>
	#include <base/logging.h>
	#include <base/strings/string_piece.h>
	#include <base/strings/string_split.h>
	#include <base/strings/string_util.h>
	#include <base/time/time.h>

	#include <brillo/process/process.h>
	#include <brillo/message_loops/message_loop.h>

	#include <vboot/crossystem.h>

	#include "secanomalyd/metrics.h"
	#include "secanomalyd/mount_entry.h"

	namespace {

	constexpr base::TimeDelta kCheckInterval = base::TimeDelta::FromSeconds(30);
	// Per Platform.DailyUseTime histogram this interval should ensure that enough
	// users run the reporting.
	constexpr base::TimeDelta kReportWXMountCountInterval =
	base::TimeDelta::FromHours(2);

	constexpr char kProcSelfMountsPath[] = "/proc/self/mounts";

	constexpr char kCrashReporterPath[] = "/sbin/crash_reporter";
	constexpr char kSecurityAnomalyFlag[] = "--security_anomaly";

	bool ShouldReport(bool report_in_dev_mode) {
	// Reporting should only happen when booted in Verified mode and not running
	// a developer image, unless explicitly instructed otherwise.
	return ::VbGetSystemPropertyInt("cros_debug") == 0 \|\| report_in_dev_mode;
	}

	bool ReportMount(const MountEntry& e, bool report_in_dev_mode) {
	if (!ShouldReport(report_in_dev_mode)) {
	VLOG(1) << "Not in Verified mode, not reporting " << e.dest();
	return true;
	}

	VLOG(1) << "secanomalyd invoking crash_reporter";

	brillo::ProcessImpl crash_reporter;
	crash_reporter.AddArg(kCrashReporterPath);
	crash_reporter.AddArg(kSecurityAnomalyFlag);

	crash_reporter.RedirectUsingPipe(STDIN_FILENO, true);
	CHECK(crash_reporter.Start());
	int stdin_fd = crash_reporter.GetPipe(STDIN_FILENO);
	CHECK(base::WriteFileDescriptor(stdin_fd, e.src().value()));
	std::string newline = "\n";
	CHECK(base::WriteFileDescriptor(stdin_fd, newline));
	CHECK(base::WriteFileDescriptor(stdin_fd, e.dest().value()));
	CHECK_GE(IGNORE_EINTR(close(stdin_fd)), 0);
	CHECK_EQ(0, crash_reporter.Wait());

	return true;
	}

	} // namespace

	int Daemon::OnEventLoopStarted() {
	CheckWXMounts();
	ReportWXMountCount();

	return 0;
	}

	void Daemon::CheckWXMounts() {
	VLOG(1) << "Checking for W+X mounts";

	DoWXMountCheck();

	brillo::MessageLoop::current()->PostDelayedTask(
	FROM_HERE, base::BindOnce(&Daemon::CheckWXMounts, base::Unretained(this)),
	kCheckInterval);
	}

	void Daemon::ReportWXMountCount() {
	VLOG(1) << "Reporting W+X mount count";

	DoWXMountCountReporting();

	brillo::MessageLoop::current()->PostDelayedTask(
	FROM_HERE,
	base::BindOnce(&Daemon::ReportWXMountCount, base::Unretained(this)),
	kReportWXMountCountInterval);
	}

	void Daemon::DoWXMountCheck() {
	std::string proc_mounts;
	if (!base::ReadFileToStringNonBlocking(base::FilePath(kProcSelfMountsPath),
	&proc_mounts)) {
	PLOG(ERROR) << "Failed to read " << kProcSelfMountsPath;
	return;
	}

	std::vector<base::StringPiece> mounts = base::SplitStringPiece(
	proc_mounts, "\n", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);

	for (const auto& m : mounts) {
	MountEntry e(m);
	if (e.IsWX()) {
	// Have we seen the mount yet?
	if (wx_mounts_.count(e.dest()) == 0) {
	if (e.IsUsbDriveOrArchive()) {
	// Figure out what to log in this case.
	// We could log the fact that the mount exists without logging
	// \|src\| or \|dest\|.
	continue;
	}
	// If we haven't seen the mount, save it.
	wx_mounts_[e.dest()] = e;
	VLOG(1) << "Found W+X mount at '" << e.dest() << "', type " << e.type();

	if (e.type() == "nsfs" \|\| e.type() == "proc") {
	// "nsfs" mounts happen when a namespace file in /proc/<pid>/ns/ gets
	// bind-mounted somewhere else. These mounts can be W+X but are not
	// concerning since they are single files and these files cannot be
	// executed.
	// On 3.18 kernels these mounts show up as type "proc" rather than
	// type "nsfs".
	// TODO(crbug.com/1204604): Remove the "proc" exception after 3.18
	// kernels go away.
	VLOG(1) << "Not reporting '" << e.dest() << "', mount type "
	<< e.type();
	continue;
	}

	// Report metrics on it, if not running in dev mode.
	if (ShouldReport(dev_)) {
	// Report /usr/local mounts separately because those can indicate
	// systems where \|cros_debug == 0\| but the system is still a dev
	// system.
	SecurityAnomaly mount_anomaly =
	e.IsDestInUsrLocal()
	? SecurityAnomaly::kMount_InitNs_WxInUsrLocal
	: SecurityAnomaly::kMount_InitNs_WxNotInUsrLocal;
	if (!SendSecurityAnomalyToUMA(mount_anomaly)) {
	LOG(WARNING) << "Could not upload metrics";
	}
	}

	// And report the actual anomalous mount, when required to.
	if (generate_reports_) {
	ReportMount(e, dev_);
	}
	}
	}
	}
	}

	void Daemon::DoWXMountCountReporting() {
	if (ShouldReport(dev_)) {
	if (!SendWXMountCountToUMA(wx_mounts_.size())) {
	LOG(WARNING) << "Could not upload W+X mount count";
	}
	}
	}