main.go: fix missing security lockdown sysfs file #1402

Merged
merged 1 commit into from
Jan 27, 2022

@rafaeldtinoco (Contributor) commented Jan 25, 2022

After commit a5bc030, tracee-make stopped being able to run tracee-ebpf because of the lack of the '/sys/kernel/security' dir inside the container. That also happened to any other system not providing that file.

Exit only if lockdown mode is explicitly set to CONFIDENTIALITY, otherwise ignore it.

Fix: #1396
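
The policy stated in the description above (exit only on an explicit confidentiality lockdown, ignore a missing or unreadable file), as an added Go example that is not code from this PR, tracee or libbpfgo. It assumes the kernel's lockdown file format, in which the active mode is the bracketed token; all function and constant names are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Modes the kernel lists in /sys/kernel/security/lockdown.
const (
	modeNone            = "none"
	modeIntegrity       = "integrity"
	modeConfidentiality = "confidentiality"
	modeUnknown         = "unknown" // hypothetical label: file absent or unparsable
)

// lockdownMode returns the bracketed (active) mode, e.g. "none [integrity] confidentiality".
func lockdownMode(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return modeUnknown, err // e.g. securityfs not mounted inside the container
	}
	for _, tok := range strings.Fields(string(data)) {
		if len(tok) > 2 && tok[0] == '[' && tok[len(tok)-1] == ']' {
			switch m := tok[1 : len(tok)-1]; m {
			case modeNone, modeIntegrity, modeConfidentiality:
				return m, nil
			}
		}
	}
	return modeUnknown, fmt.Errorf("%s: no active lockdown mode found", path)
}

// shouldExit applies the policy from the PR description: stop only when
// lockdown is explicitly confidentiality; any read or parse failure is ignored.
func shouldExit(path string) bool {
	mode, _ := lockdownMode(path)
	return mode == modeConfidentiality
}

func main() {
	dir, _ := os.MkdirTemp("", "lockdown") // constructed sample file, not real sysfs
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "lockdown")
	fmt.Println("missing file:", shouldExit(p))
	os.WriteFile(p, []byte("none integrity [confidentiality]\n"), 0o600)
	fmt.Println("confidentiality:", shouldExit(p))
}
```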

@rafaeldtinoco (Contributor, Author)

@simar7 would you mind checking this PR (to see if it solves your issue) and +1'ing it so it can be merged? Thanks!

@simar7 (Member) commented Jan 26, 2022

As discussed offline, we would need to add some unit tests for libbpfgo where this logic is present: https://github.com/aquasecurity/libbpfgo/blob/main/helpers/osinfo.go. This would make it easier for the downstream users of libbpfgo to be able to safely use and guard themselves against regressions.

@rafaeldtinoco (Contributor, Author) commented Jan 26, 2022

> As discussed offline, we would need to add some unit tests for libbpfgo where this logic is present: https://github.com/aquasecurity/libbpfgo/blob/main/helpers/osinfo.go. This would make it easier for the downstream users of libbpfgo to be able to safely use and guard themselves against regressions.

I'm adding this as a TODO of aquasecurity/libbpfgo#123 (because we're using that PR to stabilize the next libbpfgo release).

Let me know if you agree to my arguments on the comments you've made. I'll add the unit test to that PR so we're covered for it.

[Edit]
I see you opened aquasecurity/libbpfgo#124 for the osinfo tests (which I agree would be a good initial case to someone wanting to contribute).

@simar7 (Member) commented Jan 26, 2022

> > As discussed offline, we would need to add some unit tests for libbpfgo where this logic is present: https://github.com/aquasecurity/libbpfgo/blob/main/helpers/osinfo.go. This would make it easier for the downstream users of libbpfgo to be able to safely use and guard themselves against regressions.
>
> I'm adding this as a TODO of aquasecurity/libbpfgo#123 (because we're using that PR to stabilize the next libbpfgo release).
>
> Let me know if you agree to my arguments on the comments you've made. I'll add the unit test to that PR so we're covered for it.
>
> [Edit]
>
> I see you opened aquasecurity/libbpfgo#124 for the osinfo tests (which I agree would be a good initial case to someone wanting to contribute).

Yeah sounds good to me. I like to write the tests with the code but it is just one way to go about them.

@rafaeldtinoco (Contributor, Author)

@grantseltzer not sure if I need another approval (from you, for example) to get this merged. Could you +1 this based on Simar's review? Thanks!

@grantseltzer (Contributor) left a comment

LGTM! @rafaeldtinoco

@grantseltzer merged commit 337a93e into aquasecurity:main on Jan 27, 2022

@rafaeldtinoco deleted the lockdown-fix branch on March 14, 2023 00:56

Successfully merging this pull request may close these issues.

/sys/kernel/security/lockdown has to be bind mounted to container so tracee-ebpf is executed