From 8a69303e1ff7557585d44d15a20c7949e31e58d0 Mon Sep 17 00:00:00 2001 From: Matthias Glastra Date: Mon, 14 Oct 2024 13:03:47 +0200 Subject: [PATCH] WIP Linux tracing fix Signed-off-by: Matthias Glastra --- attestation/commandrun/commandrun.go | 9 +- attestation/commandrun/tracing_linux.go | 11 ++- attestation/context.go | 2 - attestation/environment/environment.go | 125 ++++++++++++------------ 4 files changed, 75 insertions(+), 72 deletions(-) diff --git a/attestation/commandrun/commandrun.go b/attestation/commandrun/commandrun.go index 007d4e6e..e237db8f 100644 --- a/attestation/commandrun/commandrun.go +++ b/attestation/commandrun/commandrun.go @@ -80,8 +80,7 @@ func WithSilent(silent bool) Option { } func New(opts ...Option) *CommandRun { - cr := &CommandRun{ - } + cr := &CommandRun{} for _, opt := range opts { opt(cr) @@ -110,9 +109,9 @@ type CommandRun struct { ExitCode int `json:"exitcode"` Processes []ProcessInfo `json:"processes,omitempty"` - silent bool - materials map[string]cryptoutil.DigestSet - enableTracing bool + silent bool + materials map[string]cryptoutil.DigestSet + enableTracing bool } func (a *CommandRun) Schema() *jsonschema.Schema { diff --git a/attestation/commandrun/tracing_linux.go b/attestation/commandrun/tracing_linux.go index 40fb3180..c76825a6 100644 --- a/attestation/commandrun/tracing_linux.go +++ b/attestation/commandrun/tracing_linux.go @@ -26,8 +26,8 @@ import ( "strings" "github.com/in-toto/go-witness/attestation" - "github.com/in-toto/go-witness/environment" "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/environment" "github.com/in-toto/go-witness/log" "golang.org/x/sys/unix" ) @@ -200,9 +200,14 @@ func (p *ptraceContext) handleSyscall(pid int, regs unix.PtraceRegs) error { environ, err := os.ReadFile(envinLocation) if err == nil { allVars := strings.Split(string(environ), "\x00") - filteredEnviron := p.environmentCapturer.Capture(allVars) - procInfo.Environ = strings.Join(filteredEnviron, " ") + env := make([]string, 0) + var capturedEnv map[string]string = p.environmentCapturer.Capture(allVars) + for k, v := range capturedEnv { + env = append(env, fmt.Sprintf("%s=%s", k, v)) + } + + procInfo.Environ = strings.Join(env, " ") } cmdline, err := os.ReadFile(cmdlineLocation) diff --git a/attestation/context.go b/attestation/context.go index ae201ddf..e57e792d 100644 --- a/attestation/context.go +++ b/attestation/context.go @@ -231,8 +231,6 @@ func (ctx *AttestationContext) DirHashGlob() []glob.Glob { return ctx.dirHashGlobCompiled } - - func (ctx *AttestationContext) CompletedAttestors() []CompletedAttestor { ctx.mutex.RLock() out := make([]CompletedAttestor, len(ctx.completedAttestors)) diff --git a/attestation/environment/environment.go b/attestation/environment/environment.go index ec954162..a62f20f6 100644 --- a/attestation/environment/environment.go +++ b/attestation/environment/environment.go @@ -32,10 +32,10 @@ const ( // This is a hacky way to create a compile time error in case the attestor // doesn't implement the expected interfaces. var ( - _ attestation.Attestor = &Attestor{} - _ EnvironmentAttestor = &Attestor{} - defaultFilterSensitiveVarsEnabled = false - defaultDisableSensitiveVarsDefault = false + _ attestation.Attestor = &Attestor{} + _ EnvironmentAttestor = &Attestor{} + // defaultFilterSensitiveVarsEnabled = false + // defaultDisableSensitiveVarsDefault = false ) type EnvironmentAttestor interface { @@ -48,64 +48,65 @@ type EnvironmentAttestor interface { } func init() { - // attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor { return New() }, - // registry.BoolConfigOption( - // "filter-sensitive-vars", - // "Switch from obfuscate to filtering variables which removes them from the output completely.", - // defaultFilterSensitiveVarsEnabled, - // func(a attestation.Attestor, filterSensitiveVarsEnabled bool) (attestation.Attestor, error) { - // envAttestor, ok := a.(*Attestor) - // if !ok { - // return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a) - // } - - // envCapture.WithFilterVarsEnabled()(envAttestor.capture) - // return envAttestor, nil - // }, - // ), - // registry.BoolConfigOption( - // "disable-default-sensitive-vars", - // "Disable the default list of sensitive vars and only use the items mentioned by --attestor-environment-sensitive-key.", - // defaultDisableSensitiveVarsDefault, - // func(a attestation.Attestor, disableSensitiveVarsDefault bool) (attestation.Attestor, error) { - // envAttestor, ok := a.(*Attestor) - // if !ok { - // return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a) - // } - - // envCapture.WithDisableDefaultSensitiveList()(envAttestor.capture) - // return envAttestor, nil - // }, - // ), - // registry.StringSliceConfigOption( - // "add-sensitive-key", - // "Add keys or globs (e.g. '*TEXT') to the list of sensitive environment keys.", - // []string{}, - // func(a attestation.Attestor, additionalKeys []string) (attestation.Attestor, error) { - // envAttestor, ok := a.(*Attestor) - // if !ok { - // return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a) - // } - - // envCapture.WithAdditionalKeys(additionalKeys)(envAttestor.capture) - // return envAttestor, nil - // }, - // ), - // registry.StringSliceConfigOption( - // "exclude-sensitive-key", - // "Exclude specific keys from the list of sensitive environment keys. Note: This does not support globs.", - // []string{}, - // func(a attestation.Attestor, excludeKeys []string) (attestation.Attestor, error) { - // envAttestor, ok := a.(*Attestor) - // if !ok { - // return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a) - // } - - // envCapture.WithExcludeKeys(excludeKeys)(envAttestor.capture) - // return envAttestor, nil - // }, - // ), - // ) + attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor { return New() }) + + // registry.BoolConfigOption( + // "filter-sensitive-vars", + // "Switch from obfuscate to filtering variables which removes them from the output completely.", + // defaultFilterSensitiveVarsEnabled, + // func(a attestation.Attestor, filterSensitiveVarsEnabled bool) (attestation.Attestor, error) { + // envAttestor, ok := a.(*Attestor) + // if !ok { + // return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a) + // } + + // envCapture.WithFilterVarsEnabled()(envAttestor.capture) + // return envAttestor, nil + // }, + // ), + // registry.BoolConfigOption( + // "disable-default-sensitive-vars", + // "Disable the default list of sensitive vars and only use the items mentioned by --attestor-environment-sensitive-key.", + // defaultDisableSensitiveVarsDefault, + // func(a attestation.Attestor, disableSensitiveVarsDefault bool) (attestation.Attestor, error) { + // envAttestor, ok := a.(*Attestor) + // if !ok { + // return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a) + // } + + // envCapture.WithDisableDefaultSensitiveList()(envAttestor.capture) + // return envAttestor, nil + // }, + // ), + // registry.StringSliceConfigOption( + // "add-sensitive-key", + // "Add keys or globs (e.g. '*TEXT') to the list of sensitive environment keys.", + // []string{}, + // func(a attestation.Attestor, additionalKeys []string) (attestation.Attestor, error) { + // envAttestor, ok := a.(*Attestor) + // if !ok { + // return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a) + // } + + // envCapture.WithAdditionalKeys(additionalKeys)(envAttestor.capture) + // return envAttestor, nil + // }, + // ), + // registry.StringSliceConfigOption( + // "exclude-sensitive-key", + // "Exclude specific keys from the list of sensitive environment keys. Note: This does not support globs.", + // []string{}, + // func(a attestation.Attestor, excludeKeys []string) (attestation.Attestor, error) { + // envAttestor, ok := a.(*Attestor) + // if !ok { + // return a, fmt.Errorf("unexpected attestor type: %T is not a environment attestor", a) + // } + + // envCapture.WithExcludeKeys(excludeKeys)(envAttestor.capture) + // return envAttestor, nil + // }, + // ), + } type Attestor struct {