tetragon:process_exec: display uids/gids credentials and detect privileged execution

[tixxdz]

Print process_credentials and detect privileged setuid and setgid execution during process_exec events.

    {
      "process_exec": {
        "process": {
          "exec_id": "OjU0NTE4NTE3MzEwMzg5OjQ0ODUwNw==",
          "pid": 448507,
          "uid": 1000,
          "cwd": "/home/tixxdz/work/station/code/src/github.com/tixxdz/tetragon",
          "binary": "/usr/bin/sudo",
          "arguments": "id",
          "flags": "execve clone",
          "start_time": "2023-09-12T22:19:37.574413120Z",
          "auid": 1000,
          "parent_exec_id": "OjMyMjU3OTgwMDAwMDAwOjQ4NjMy",
          "tid": 448507,
          "process_credentials": {
            "uid": 1000,
            "gid": 1000,
            "euid": 0,
            "egid": 1000,
            "suid": 0,
            "sgid": 1000,
            "fsuid": 0,
            "fsgid": 1000
          },
          "binary_properties": {
            "setuid": 0
          }
        }
    }

Still tasks todo:

• apply the --enable-process-creds flag on it, if set do not display it.
• Do we need to show this information in process_exit?
• During other events process_kprobe, etc?
• Mask parent.binary_properties by default during process_exec

[netlify]

✅ Deploy Preview for tetragon ready!

Name	Link
🔨 Latest commit	8508837
🔍 Latest deploy log	https://app.netlify.com/sites/tetragon/deploys/6519e7cbb1e87000081da4cc
😎 Deploy Preview	https://deploy-preview-1296--tetragon.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[kkourt]

Maybe something like:

 "binary_properties" : {
     "setuid": 0, /* if it's not setuid -> nil */
     "memfd": true,
 }

[tixxdz]

Maybe something like:

 "binary_properties" : {
     "setuid": 0, /* if it's not setuid -> nil */
     "memfd": true,
 }

Great, so I'll add in this PR:

1. process_credentials and for now only the uids/gids without caps into the process
2. binary_properties as you suggested so we correlate the setuid data.
3. for all the rest I will track it separately, better we do this incrementally in regards to the other threading work

[tpapagian]

Thanks! Some initial comments, I will have another look shortly.

[tpapagian]

It doesn't seem that you use struct msg_process *p somewhere. Maybe remove that?

[tixxdz]

Yes, I was planning to cache errors on p->flags, but then we can't predict really errors and since these are multiple stages of hooking execve, the proper way to catch all those errors is to have a map per entier pid (pid and tid) so we can transfert the errors happing at stage X of execve to the last execve_send() event per pid... which means we need a bigger map and more memory to reflect if lot of pids are doing execve at same time...

So I opted now with:

• tg_execve_joined_info_map with less entries and not really core information , just extra enhanced info and if the LRU map is full between all the execve then so be it, we won't have that info , but the metrics on the map will show it.
• stats tg_execve_joined_info_map_stats() map with 2 entries counter of entries for metrics and errors counter there... and we see in the future... @jrfastab in case for metrics on error maps.

[tixxdz]

and yes I removed the extra p argument, thank you ;-)

[kkourt]

Thanks!

Overall, looks good to me, but I have some comments / suggestions.

[kkourt]

Is the bool argument really needed here? There is only one caller.

[tixxdz]

yes so reader knows get() could also delete

[kkourt]

Please use a different function name then. If the argument has always the same value, there is no need for it. execve_joined_info_map_get_clear for example.

[tixxdz]

thanks @kkourt @tpapagian @jrfastab for the review ;-), all fixed

[tpapagian]

Thanks!

[kkourt]

Thanks! I think it's in great shape. Just have a couple minor comments.

[kkourt]

Please use a different function name then. If the argument has always the same value, there is no need for it. execve_joined_info_map_get_clear for example.

[tixxdz]

@kkourt fixed last bits, if it's green I will merge it thank you ;-)

[mtardy]

@tixxdz
would have it been possible to use an array [4]uint32 instead of a slice and indicate which UIDS correspond to what in the doc? Same for GetGids

Because reading on the user side we need to add a length check to make sure the slice is not empty to not panic and maybe an array would have been more appropriate.

[mtardy]

I think the best here would have been to have 5 named return parameters (so that we get doc for free), I think the slice/array part makes the function less nice to use. Let's use Golang return capabilities, they are free.

[tixxdz]

AFAICT it can't return an empty, as all fields are explicitly initialized to invalid uids, so no need for a length check unless I'm missing something? plus we need to explicitly initialize this otherwise we may endup with uid 0, IIRC slices are generic so I don't think this is a real issue?

for doc https://github.com/cilium/tetragon/blob/main/pkg/reader/proc/proc.go#L17 , unless you are referring to function godoc? then there is too much work and issues to fix that I didn't think about the godoc to be honest, for me as long as the code is covered with e2e tests then I'm good ;-)

[mtardy]

AFAICT it can't return an empty, as all fields are explicitly initialized to invalid uids, so no need for a length check unless I'm missing something?

sure! So why use a slice (since you know the size in advance) instead of an array or just return the values flat? I don't say it's wrong but it's just a bit weird interface, I would say if you use such a function, you have to trust it to not crash your program (if you don't check the length of the slice) while if you return an array or a flat 5 values return, it will guarantee by design that it cannot crash your program.

No, exactly I was searching for this kind of doc, because if you just read the function you don't know what is inside the slice.

[mtardy]

but anyway, it's just a small function that's no big deal but I just wondered why you chose a slice here.

[tixxdz]

let's say due to background returning a reference to memory is perfectly fine! it is initialized and have its length set, so no issue here... in the other hand returning multiple vars even if ok with Go is weird interface, it means you are returning too much context in one single function and you probably have to split the logic there...

[mtardy]

Ok we are going in circles 😁

it is initialized and have its length set, so no issue here...

Let me show you what I mean, it's not that it doesn't work, something is not initialized or whatever, it's just using the benefits of the Go language: https://go.dev/play/p/ov0JGylWXup

returning multiple vars even if ok with Go is weird interface, it means you are returning too much context in one single function and you probably have to split the logic there...

I strongly disagree, hiding it in an array doesn't change anything from returning directly flat. And bundling this tuple of uids here totally make sense.

[kkourt]

@kkourt fixed last bits, if it's green I will merge it thank you ;-)

@tixxdz In this case is fine, but in the future please give people that have been involved in the PR some time to ✅ before merging.