Skip to content

avery-blanchard/container-ima

Repository files navigation

Container IMA using eBPF

Overview

The goal of this project is to extend the Linux Integrity Measurement Architecture to Linux containers without changes to the host operating system.

It uses the eBPF mmap_file LSM hook to add namespace support to IMA.

Usage

Note: Machine must run a new kernel (v6+)

Fedora

Update
sudo dnf update
Install dependencies
sudo dnf install kernel-devel kernel-headers git libbpf libbpf-devel bpftool clang openssl dwarves glibc-devel.i686
Install developement tools
sudo dnf groupinstall "Development Tools" "Development Libraries"
Reboot
sudo reboot
Clone repository
git clone https://github.com/avery-blanchard/container-ima/
Initialize submodule
git submodule update --init --recursive
Build container IMA kernel module
make
Insert module
sudo insmod container_ima.ko
Insert eBPF probe
sudo ./probe

Ubuntu

Prerequisite: Upgrade the kernel to 6.2.x (or newer) and enable bpf in CONFIG_LSM.
Disclaimer: Be aware that packages from universe or multiverse will be installed along with linux-image-unsigned-6.2.0-*'s build dependencies. Those packages do not receive any reviews or updates from the Ubuntu security team. Alternatively, you may compile a kernel from source, which does not require any dependencies from universe or multiverse.
For Ubuntu 22.04LTS:
apt-get update
Note: make sure deb-src sources are not commented out in /etc/apt/sources.list.
apt-cache search linux-image-unsigned-6.2.0 generic
apt-get build-dep linux-image-unsigned-6.2.0-31-generic
Note: -31 is the latest unsigned-6.2.0 generic at the time of writing.
apt-get source linux-image-unsigned-6.2.0-31-generic
cd /usr/src/linux-hwe-6.2-6.2.0
make olddefconfig
grep -e "^CONFIG_LSM=.*bpf.*" .config || sed -i 's/^CONFIG_LSM="\(.*\)"/CONFIG_LSM="\1,bpf"/' .config
sed -i 's/^EXTRAVERSION.*/EXTRAVERSION = -containerima/' Makefile
make -j`nproc` && make modules_install && make install
sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT=""/GRUB_CMDLINE_LINUX_DEFAULT="lsm=apparmor,integrity,bpf ima_apparise=log ima_hash=sha256"/' /etc/default/grub
Note: integrity and bpf LSMs should be initialized at boot. Note that this overrides CONFIG_LSM.
update-grub
Optional: since 6.0.3 the i_version counter is always enabled on ext4.
sed -i 's/\(\/ ext4 defaults\)/\/ ext4 noatime,iversion/' /etc/fstab
shutdown -r now

Debian

Debian 12 (bookworm) follows the same logic as Ubuntu (see above):
apt-get update
cd /usr/src
apt-get source linux-image-6.4.0-0.deb12.2-amd64-unsigned
cd /usr/src/linux-6.4.4
make olddefconfig
sed -i 's/^CONFIG_LSM="\(.*\)"/CONFIG_LSM="\1,bpf"/' .config
make -j`nproc` && make modules_install && make install
sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT=""/GRUB_CMDLINE_LINUX_DEFAULT="lsm=apparmor,integrity,bpf ima_apparise=log ima_hash=sha256"/' /etc/default/grub
update-grub
Note: Debian kernels still define void security_current_getsecid_subj(u32 *secid) so you don't need to modify EXTRAVERSION.

Continue with the installation of container-ima:
sudo apt update
Install dependencies
sudo apt install llvm libelf-dev libssl-dev gcc-12 git clang dwarves libc6-dev-i386
Install kernel headers (you may skip this section if you have just installed a new kernel)
sudo apt install linux-headers-$(uname -r)
Clone repository
git clone https://github.com/avery-blanchard/container-ima/
Initialize submodule
git submodule update --init --recursive
Build bpftool from scratch
git clone --recurse-submodules https://github.com/libbpf/bpftool.git
cd bpftool/src
make && make install
Build container IMA kernel module
make
Insert module
sudo insmod container_ima.ko
Insert eBPF probe
sudo ./probe

About

Container IMA using eBPF

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •