tetragon: detect execve of anonymous binaries

[tixxdz]

Detect execution of anonymous binaries, these are binaries that are not linked on a filesystem, where nlink is zero.

1. An anonymous shared memory file
   https://man7.org/linux/man-pages/man7/shm_overview.7.html.
2. An anonymous file obtained with memfd API
   https://man7.org/linux/man-pages/man2/memfd_create.2.html.
3. Or it was deleted from the file system.

"process_exec": {
   "process": {
      "binary_properties": {
        "file": {
           "inode": {
              "number": "182698",
              "links": 0
            }
         }
      }
   }
}

[jrfastab]

Other than comment about pid for map key. LGTM.

[tixxdz]

Other than comment about pid for map key. LGTM.

Ok updated fixed all, but also removed that empty "info": {} , now entries that don't have: "inode.initialized == 1 && inode.nlinks == 0" will not have any displayed info field.

{
  "process_exec": {
    "process": {
      "exec_id": "OjYwMjQ1NTcxNTg2MDU6MTA5MzY2",
      "pid": 109366,
      "uid": 1000,
      "cwd": "/home/tixxdz/work/station/code/src/github.com/tixxdz/tetragon",
      "binary": "/proc/self/fd/3",
      "flags": "execve",
      "start_time": "2022-10-22T22:22:13.554073460Z",
      "auid": 1000,
      "parent_exec_id": "OjYwMjQ1NTYwNjA2ODI6MTA5MzY2",
      "info": {
        "inode": {
          "deleted": true
        }
      }
    },
    "parent": {
      "exec_id": "OjYwMjQ1NTYwNjA2ODI6MTA5MzY2",
      "pid": 109366,
      "uid": 1000,
      "cwd": "/home/tixxdz/work/station/code/src/github.com/tixxdz/tetragon",
      "binary": "/usr/bin/memfdloader",
      "arguments": "/bin/true",
      "flags": "execve clone",
      "start_time": "2022-10-22T22:22:13.552976581Z",
      "auid": 1000,
      "parent_exec_id": "OjExMjc0MDAwMDAwMDA6MTA0MTU=",
      "refcnt": 2
    }
  },
  "time": "2022-10-22T22:22:13.554073906Z"
}

[tixxdz]

Don't merge yet, I will convert it to follow base execve v6.0 kernel versions

[kkourt]

Don't merge yet, I will convert it to follow base execve v6.0 kernel versions

Moving to draft, then. Thanks!

[tixxdz]

This pr introduces:

"process_exec": {
    "process": {
      "info": {
        "inode": {
          "deleted": true
        }
      }

The info is meant to be generic type that includes extra fields about the process context, and it can be easily filtered out from output by process_exec.process.info so users won't see it; also only set when the inode.delete==true.

However after some thinking and in context of integrity measurement, and also given how we correlate the process_exec to a container/pod by tracking pids<=>cgroups<=>container/pod , it seems we should include more information about the file system information inside the process_exec.
As an example a container could execute a good measurement that belongs to another scope (another container, host). Including more fs information should help users to track back and correlate the necessary fs and mount information. Simply adding an inode won't help here, it is too simplistic...

Better plan this in a long term; so we can include in the process_exec:

• more info about the file system
• mount ids so we correlate the execution against the mounts of host, container => then mark the execution a scope (outside of container)
• File measurement digest
• Appraising the file measurement and mark a boolean field good or bad
• Inode related information , including the information that is being offered by this PR
  This all should be better planned.

[netlify]

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	00701c9
🔍 Latest deploy log	https://app.netlify.com/sites/tetragon/deploys/65b24cb50c8962000864665f
😎 Deploy Preview	https://deploy-preview-499--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[tixxdz]

After we have introduced the binary_properties let's use this to put the new "file" that's FileProperties and its inode information if the executed binary is anonymous.

Update:
Detect execution of anonymous binaries, these are binaries that are not linked on a filesystem, where nlink is zero.

1. An anonymous shared memory file
   https://man7.org/linux/man-pages/man7/shm_overview.7.html.
2. An anonymous file obtained with memfd API
   https://man7.org/linux/man-pages/man2/memfd_create.2.html.
3. Or it was deleted from the file system.

"process_exec": {
   "process": {
      "binary_properties": {
        "file": {
           "inode": {
              "number": "182698",
              "links": 0
            }
         }
      }
   }
}

[tixxdz]

Reviving this

[tpapagian]

Inode would be != 0 here, right? Does it make sense to check that as well? As we have an fd to that, a variant of stat should do that. I haven't tested it but I believe that it should work.

[tixxdz]

Indeed makes sense ;-)

[tpapagian]

Thanks! I have added some comments. Nothing very difficult to change, but good to have these as well before merging.

[tixxdz]

Thanks! I have added some comments. Nothing very difficult to change, but good to have these as well before merging.

@tpapagian much appreciated for the review ;-) ! all comments handled , let's see if green

[tpapagian]

Other than a small comment, this LGTM. Thanks!