KRSI – Kernel Runtime Security Instrumentation


KRSI (appeared in kernel v5.7) stands for Kernel Runtime Security Instrumentation; the goal of this patch set is to let users implement LSM hooks with BPF-compiled code. This is interesting for a couple of reasons:

  • Kernel function call flow mutation: the first application of eBPF where injected code can actually reject / block the execution of some kernel logic
  • Flexibility: eBPF programs can be attached / removed on the fly

LSM

  • Before, Linux was limited to Discretionary Access Control (DAC).
  • Now, MAC extensions in Linux are implemented as LSMs; this includes KRSI, SELinux, etc.

ENABLE KRSI

BOOT PARAMETER

Check the current boot parameters: cat /proc/cmdline

Edit the boot parameters: sudo vim /etc/default/grub

Example:

 GRUB_CMDLINE_LINUX_DEFAULT="quiet splash foo=bar"

Check the LSM config parameters (the built-in CONFIG_LSM order of your running kernel):

zgrep CONFIG_LSM= /boot/config-5.12.0-051200-lowlatency
sudo update-grub

Modify /etc/default/grub so that the lsm= list includes bpf:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash lsm=yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf"
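The steps above are string edits to a boot parameter, so here is an added example (not code from the page or from the KRSI project) that performs them as pure shell functions: extract the lsm= list from a command line, read the CONFIG_LSM default from a kernel .config, and produce a GRUB_CMDLINE_LINUX_DEFAULT value with bpf appended. All function names are my own; the inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the page: pure string helpers for the "enable KRSI"
# procedure above. They take file contents as arguments, so they can be tried
# on a pasted /proc/cmdline, kernel .config or GRUB line without root.

# Print the value of the last lsm= entry in a kernel command line (or nothing).
lsm_list() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lsm=//p' | tail -n 1
}

# Succeed when "bpf" is an element of a comma-separated LSM list.
list_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the command line's lsm= list contains bpf.
lsm_has_bpf() {
    list_has_bpf "$(lsm_list "$1")"
}

# Print the CONFIG_LSM default list from kernel .config text (the zgrep step).
config_lsm_default() {
    printf '%s\n' "$1" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' | tail -n 1
}

# Print a GRUB_CMDLINE_LINUX_DEFAULT value with the BPF LSM enabled:
# append bpf to an existing lsm= list, or create one from the kernel's
# CONFIG_LSM default ($2). bpf goes last, matching the kernel's default order.
grub_enable_bpf_lsm() {
    out=""; found=0
    for word in $1; do
        case "$word" in
            lsm=*)
                found=1
                lsm_has_bpf "$word" || word="$word,bpf" ;;
        esac
        out="${out:+$out }$word"
    done
    if [ "$found" -eq 0 ]; then
        word="lsm=$2"
        list_has_bpf "$2" || word="$word,bpf"
        out="${out:+$out }$word"
    fi
    printf '%s\n' "$out"
}
```

After rebooting, list_has_bpf "$(cat /sys/kernel/security/lsm)" confirms that the BPF LSM is actually active, which is the check that matters before attaching any program to an LSM hook.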

KRSI is an LSM

Figure: Security Enforcement by KRSI & eBPF

“Kernel Runtime Security Instrumentation,” or KRSI (Google: Singh, September 2019).

It allowed an administrator to attach BPF programs to the various LSM hooks, and a program could also inject an error to block the operation in question. This gave administrators the ability to define their own MAC policies with arbitrary code.

Scenario: pre-defined malicious operations are monitored by Falco and enforced (blocked) by the KRSI module.

How KRSI interoperates with eBPF: an eBPF program is attached to LSM hooks.

Data is transferred to userspace through a ring buffer.

Background

KRSI vs Landlock

KRSI is a tool for system administrators who are interested in monitoring the behavior of the system as a whole; attaching a BPF program requires the CAP_SYS_ADMIN capability.

Landlock, instead, is intended to allow unprivileged users to sandbox programs that they are running, so no privilege is needed to attach a BPF program to a hook via Landlock (which is more limited in scope).

PROJECTS

KubeArmor (AccuNox) [6]

  • Policy based on LSMs (SELinux, AppArmor, KRSI)
  • pod security policy?

Teleport (former RackSpace employees) [7]

  • Access control management: RBAC, ACLs, server access, database access, certificates with expiry

REFERENCES

[1] KRSI. https://lwn.net/Articles/808048/

[2] SANS: Mitigating attacks on a supercomputer with KRSI, Billy Wilson. https://www.sans.org/white-papers/40010/ and https://sansorg.egnyte.com/dl/GX95bRNP5t/?

[3] CODE: https://github.com/wilsonwr/bcc-lsm-scripts

[4] A brief tour of Linux Security Modules. https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules

[5] CODE: lsmtrace. https://github.com/lumontec/lsmtrace

[6] CODE: KubeArmor. https://github.com/kubearmor/KubeArmor

[7] CODE: Teleport. https://goteleport.com/docs/access-controls/introduction/
