From 6e369c9e855ecee01d8f378daf45182f1c0be24b Mon Sep 17 00:00:00 2001
From: Djalal Harouni
Date: Sun, 25 Feb 2024 22:29:36 +0100
Subject: [PATCH] tetragon: log current security context if any at startup

Signed-off-by: Djalal Harouni
---
 cmd/tetragon/main.go | 4 ++++
 pkg/reader/proc/proc.go | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/cmd/tetragon/main.go b/cmd/tetragon/main.go
index 6a4ca854ca0..f754e7ea506 100644
--- a/cmd/tetragon/main.go
+++ b/cmd/tetragon/main.go
@@ -44,6 +44,7 @@ import (
 "github.com/cilium/tetragon/pkg/process"
 "github.com/cilium/tetragon/pkg/ratelimit"
 "github.com/cilium/tetragon/pkg/reader/namespace"
+ "github.com/cilium/tetragon/pkg/reader/proc"
 "github.com/cilium/tetragon/pkg/rthooks"
 "github.com/cilium/tetragon/pkg/sensors/base"
 "github.com/cilium/tetragon/pkg/sensors/program"
@@ -173,6 +174,9 @@ func tetragonExecute() error {
 log.WithField("version", version.Version).Info("Starting tetragon")
 log.WithField("config", viper.AllSettings()).Info("config settings")
 
+ // Log early security context in case something fails
+ proc.LogCurrentSecurityContext()
+
 // When an instance terminates or restarts it may cleanup bpf programs,
 // having a check here to see if another instance is already running, can
 // help debug errors.
diff --git a/pkg/reader/proc/proc.go b/pkg/reader/proc/proc.go
index 42d49b3e7fd..cc8a5030d91 100644
--- a/pkg/reader/proc/proc.go
+++ b/pkg/reader/proc/proc.go
@@ -10,6 +10,10 @@ import (
 "path/filepath"
 "strconv"
 "strings"
+
+ "github.com/cilium/tetragon/pkg/logger"
+ "github.com/cilium/tetragon/pkg/option"
+ "github.com/sirupsen/logrus"
 )

 // Status reflects fields of `/proc/[pid]/status` and other
@@ -249,3 +253,35 @@ func PrependPath(s string, b []byte) []byte {
 fullCmd := strings.Join(split[0:], "\u0000")
 return []byte(fullCmd)
 }
+
+// LogCurrentLSMContext() Logs the current LSM security context.
+func LogCurrentSecurityContext() {
+ lsms := map[string]string{
+ "selinux": "",
+ "apparmor": "",
+ "smack": "",
+ }
+
+ logLSM := false
+ for k := range lsms {
+ path := ""
+ if k == "selinux" {
+ path = filepath.Join(option.Config.ProcFS, "/self/attr/current")
+ } else {
+ path = filepath.Join(option.Config.ProcFS, fmt.Sprintf("/self/attr/%s/current", k))
+ }
+ data, err := os.ReadFile(path)
+ if err == nil && len(data) > 0 {
+ lsms[k] = strings.TrimSpace(string(data))
+ logLSM = true
+ }
+ }
+
+ if logLSM {
+ logger.GetLogger().WithFields(logrus.Fields{
+ "SELinux": lsms["selinux"],
+ "AppArmor": lsms["apparmor"],
+ "Smack": lsms["smack"],
+ }).Info("Tetragon current Security context")
+ }
+}
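Review bot: Reading the generic `/self/attr/current` under the `selinux` key (the `if k == "selinux"` branch) mislabels the result wherever another major LSM is active: that file is served by whichever LSM is enforcing, so on an AppArmor host the startup log would show the AppArmor label (e.g. `unconfined`) as both `SELinux` and `AppArmor`, a misleading signal for the very diagnostic this is meant to support. Since `attr/apparmor/current` and `attr/smack/current` are LSM-specific, I would read those first and treat the generic file as SELinux only when neither answered, which also removes the dependency on map iteration order; a sketch follows. Separately, the doc comment names a function that does not exist, and Go convention wants it to start with the real name: `// LogCurrentSecurityContext logs the LSM security context (SELinux, AppArmor or Smack) of the current process as read from procfs, if any is present.`. Lastly, `strings.TrimSpace` does not strip a trailing NUL, which I believe SELinux appends to this attribute, so trimming `"\x00"` as well would keep the logged value clean.

```go
func LogCurrentSecurityContext() {
	// … unchanged: lsms map declaration …

	// readAttr returns the trimmed content of /proc/self/attr/<rel>, or false
	// when the file is absent, unreadable or empty.
	readAttr := func(rel string) (string, bool) {
		data, err := os.ReadFile(filepath.Join(option.Config.ProcFS, "self", "attr", rel))
		if err != nil || len(data) == 0 {
			return "", false
		}
		// A trailing NUL (SELinux is believed to append one) would survive TrimSpace.
		return strings.TrimSpace(strings.TrimRight(string(data), "\x00")), true
	}

	logLSM := false
	for _, k := range []string{"apparmor", "smack"} {
		if v, ok := readAttr(k + "/current"); ok {
			lsms[k] = v
			logLSM = true
		}
	}
	// The generic attr/current is served by whichever major LSM is active, so it
	// only identifies SELinux when no LSM-specific file answered above.
	if !logLSM {
		if v, ok := readAttr("current"); ok {
			lsms["selinux"] = v
			logLSM = true
		}
	}

	// … unchanged: WithFields(...).Info("Tetragon current Security context") …
}
```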