
new: add container.host_pid container.host_network and container.host_ipc fields #2047

Merged
merged 7 commits into from
Oct 18, 2024

Conversation

loresuso
Member

@loresuso loresuso commented Sep 6, 2024

What this PR does / why we need it:

This PR introduces the container.host_pid, container.host_network and container.host_ipc fields. Namespaces are the way the Linux kernel enforces isolation for containers. Sometimes, developers might want to turn off bits of this isolation by sharing the pid, network or IPC namespaces with the host. This introduces several risks from a security perspective, and it might be worth monitoring it and offering users the possibility to understand if a container was started with some namespaces shared with the host. This PR was tested against Docker and CRI-compatible runtimes (CRI-O, in particular).
Some examples of how this can be (mis)used: https://bishopfox.com/blog/kubernetes-pod-privilege-escalation

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new: add `container.host_pid` `container.host_network` and `container.host_ipc` fields

github-actions bot commented Sep 6, 2024

Perf diff from master - unit tests


Heap diff from master - unit tests

peak heap memory consumption: -369B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: -369B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master


codecov bot commented Sep 6, 2024

Codecov Report

Attention: Patch coverage is 76.66667% with 14 lines in your changes missing coverage. Please review.

Project coverage is 73.70%. Comparing base (3b80aa0) to head (aa264ca).
Report is 14 commits behind head on master.

Files with missing lines                                  Patch %   Lines
.../libsinsp/container_engine/docker/async_source.cpp      0.00%   9 Missing ⚠️
userspace/libsinsp/cri.hpp                                58.33%   5 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2047   +/-   ##
=======================================
  Coverage   73.69%   73.70%           
=======================================
  Files         253      253           
  Lines       31914    31974   +60     
  Branches     5627     5656   +29     
=======================================
+ Hits        23519    23566   +47     
- Misses       8375     8408   +33     
+ Partials       20        0   -20     
Flag       Coverage Δ
libsinsp   73.70% <76.66%> (+<0.01%) ⬆️


@FedeDP
Contributor

FedeDP commented Sep 8, 2024

/milestone 0.19.0

@poiana poiana added this to the 0.19.0 milestone Sep 8, 2024
… to container_info

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
…ation from docker socket

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
…ation from CRI runtimes

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
    case TYPE_CONTAINER_HOST_PID:
    case TYPE_CONTAINER_HOST_NETWORK:
    case TYPE_CONTAINER_HOST_IPC:
    if(tinfo->m_container_id.empty()) {
Contributor

Can't we use is_host here?

Member Author

@loresuso loresuso Oct 15, 2024

Done! As a side note, I initially skipped using this because it uses the pid namespace:

    bool is_host = tinfo->m_container_id.empty() && !tinfo->is_in_pid_namespace();

That part is not 100% true in my opinion, but I think it's there for a reason (skipped execve events where we miss the container_id coming from the cgroup?). When we miss that, the pid namespace check is not enough to say whether we are in the host or not, since containers can be started sharing the host pid namespace.

Member Author

This is when that check was last modified: #1604
@jasondellaluce I agree with your fix, but at the same time I'm not feeling 100% convinced, since containers can be started sharing namespaces with the host.
Namespaces are shared, but cgroups should always be there, and so should our extraction of the container id, IMO.
Otherwise, something that would work in 99% of the cases would be to also check for the other shareable namespaces here (it will not work when all three of them are shared, which is rare but possible).
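An added example, not code from this PR or from libs, covering both the three fields described in the PR body and the is_host discussion in this thread: it derives host_pid/host_network/host_ipc from constructed Docker `inspect` and CRI `PodSandboxStatus` fragments, then shows the pid-namespace-only is_host heuristic misclassifying a --pid=host container whose container id was missed, and the "check all three namespaces" variant still failing when all three are shared. The JSON fragments, namespace inode numbers and thread records are constructed; the field names are Docker's HostConfig *Mode strings and CRI's NamespaceMode values.

```python
"""Derive container.host_* fields from runtime metadata and probe is_host."""
import json

# Constructed `docker inspect` fragment for a container run with
# --pid=host and --network=host; Docker spells a host-shared namespace "host".
DOCKER_INSPECT = json.dumps({"Id": "0123456789abcdef" * 4, "HostConfig": {
    "PidMode": "host", "NetworkMode": "host", "IpcMode": "private"}})

# Constructed CRI PodSandboxStatus fragment (crictl-style JSON): NamespaceMode
# NODE means the sandbox shares that namespace with the node.
CRI_STATUS = json.dumps({"status": {"linux": {"namespaces": {"options": {
    "network": "POD", "pid": "NODE", "ipc": "NODE"}}}}})

NS_KEYS = ("pid", "network", "ipc")

def docker_host_ns(inspect_json: str) -> dict:
    hc = json.loads(inspect_json).get("HostConfig", {})
    modes = {"pid": hc.get("PidMode"), "network": hc.get("NetworkMode"),
             "ipc": hc.get("IpcMode")}
    return {f"host_{k}": modes[k] == "host" for k in NS_KEYS}

def cri_host_ns(status_json: str) -> dict:
    opts = json.loads(status_json)["status"]["linux"]["namespaces"]["options"]
    return {f"host_{k}": opts.get(k) == "NODE" for k in NS_KEYS}

# Constructed namespace inodes as read from /proc/<pid>/ns/{pid,net,ipc}; a
# thread is "in" a namespace when its inode differs from init's (pid 1).
INIT_NS = {"pid": 4026531836, "net": 4026531840, "ipc": 4026531839}

def in_namespaces(thread_ns: dict) -> dict:
    return {k: thread_ns[k] != INIT_NS[k] for k in INIT_NS}

def is_host_pidns_only(container_id: str, thread_ns: dict) -> bool:
    """Heuristic quoted in the thread: no container id and root pid ns."""
    return container_id == "" and not in_namespaces(thread_ns)["pid"]

def is_host_any_ns(container_id: str, thread_ns: dict) -> bool:
    """Variant from the thread: also require net and ipc to be the host's.
    Still fooled when all three namespaces are shared with the host."""
    return container_id == "" and not any(in_namespaces(thread_ns).values())

# Constructed threads whose container-id extraction was missed (empty id):
# one from a --pid=host container, one from a container sharing all three.
HOSTPID_CONTAINER = {"pid": INIT_NS["pid"], "net": 4026532400, "ipc": 4026532401}
ALL_SHARED_CONTAINER = dict(INIT_NS)
```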

Contributor

/hold for @jasondellaluce response

Member

/hold for @jasondellaluce response

👍

anyway, I believe any further fix regarding is_host should be addressed by a new PR.

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Contributor

@FedeDP FedeDP left a comment

/approve

@poiana
Contributor

poiana commented Oct 16, 2024

LGTM label has been added.

Git tree hash: 5699feaf2ee19bcc674eed81ed9990f42b822fc6

Contributor

@jasondellaluce jasondellaluce left a comment

/unhold

/approve

@poiana
Contributor

poiana commented Oct 18, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, jasondellaluce, loresuso

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [FedeDP,jasondellaluce]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 4403a84 into falcosecurity:master Oct 18, 2024
49 checks passed
FedeDP added a commit to falcosecurity/falco that referenced this pull request Oct 21, 2024
See falcosecurity/libs#2047.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
poiana pushed a commit to falcosecurity/falco that referenced this pull request Oct 21, 2024
See falcosecurity/libs#2047.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>