security: Container Monitoring LSM
The container monitoring LSM collects information about containerized
processes and relays it to a VMM backend through vsock or to user-mode
through a shared pipe. It can be enabled and configured directly from
the VMM backend or from user-mode.
Information captured:
- Process arguments.
- Environment variables.
- File layer for overlayfs.
- stdin, stdout and stderr modes.
- Unique identifier for processes.
- Relay container information and link it to existing instances.
- Process exit.
Enhancements included from the original implementation:
- Use workqueue to dispatch events to pipe or vsock.
- Optimize memory usage to match target events in 99% cases.
- Identify kubectl/docker exec session by using new pid_namespace field.
- Fix process unique identifier to use the task group leader start time.
- Fetch more information on files. For example, on socket files fetch the
family and full IP.
- Track the first process writing a file on the upper overlayfs layer
(ephemeral), using security extended attributes (security.csm).
- Track clone events.
- Track mapping of files as executable (libraries).
- When enabled, enumerate all existing processes.
- Clean the pipe and all data when the LSM is disabled.
- Add option to fully enable the LSM at boot (used for testing only).
- Disable vsock by default.
- Expose stats through sysfs to identify dropped events or issues.
- Add dependencies to MMU and x86_64.
- Optimizations to nanopb build.
Include contributions from:
- John Davis <kyuzo@google.com>
- Peter Martincic <martincic@chromium.org>
- Leo Linsky
- Chi-fan Chu
- Ming Zou
Messages are encoded using protobuf and nanopb. GitHub repository for
nanopb: https://github.com/nanopb/nanopb
BUG=b:148390640
TEST=Build, boot and GCP internal testing.
SOURCE=KTD
Signed-off-by: Thomas Garnier <thgarnie@chromium.org>
Tested-by: Thomas Garnier <thgarnie@chromium.org>
Change-Id: I15b97b6ad45edc2b5cec5b50a52a60cd4880024e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/lakitu-kernel/+/2062511
Commit-Queue: Vaibhav Rustagi <vaibhavrustagi@google.com>
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Tested-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
29 files changed