CN116820668A - Container escape detection method and system based on fanotify - Google Patents


Info

Publication number: CN116820668A
Authority: CN (China)
Prior art keywords: container, file, event, pid, fanotify
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202310712063.9A
Other languages: Chinese (zh)
Inventors: 安竞宇, 袁曙光, 王震
Current assignee: Beijing Xiaoyou Network Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Xiaoyou Network Technology Co ltd
Timeline: application filed by Beijing Xiaoyou Network Technology Co ltd; priority to CN202310712063.9A; publication of CN116820668A; current legal status pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application provides a container escape detection method and system based on fanotify. The method comprises the following steps: monitoring file changes on the host through fanotify; acquiring a file event from the monitored host file changes; acquiring the process pid carried in the file event; monitoring process events through Netlink and constructing a process tree from the process information in those events; judging through the process tree whether the process pid belongs to a container process; if it is a container process, acquiring the container's mount directory; judging whether the file changed by the file event lies in the container mount directory; if not, warning and/or blocking. Host file changes are monitored through fanotify, and if a host file is found to be created, opened, checked, modified or otherwise manipulated by a container process, and the file is not in the container's mount directory or is a special file, a process escape is considered to have occurred.

Description

Container escape detection method and system based on fanotify
Technical Field
One or more embodiments of the present disclosure relate to the field of computer technology, and in particular, to a container escape detection method and system based on fanotify.
Background
In the prior art, whether container escape has occurred is judged mainly by identifying the files, processes and the like generated during the escape as signatures, or by methods such as detecting that the current namespaces of a process are inconsistent with the namespaces pre-associated with it, that the objects a process operates on exceed the whitelist of files associated with it, that a process's system calls exceed its authority, or that the parameters of a process's system calls contain attack content, so that further protective measures can be taken.
However, with the above methods the signatures, such as file and process characteristics, need to be updated in real time: the detection scheme must be updated every time a new escape vulnerability appears, and unknown escape methods are difficult to match.
Disclosure of Invention
In view of this, it is an object of one or more embodiments of the present disclosure to provide a container escape detection method and system based on fanotify for detecting container escape.
In a first aspect, a container escape detection method based on fanotify is provided, which includes the following steps:
monitoring file changes on the host through fanotify;
acquiring a file event from the monitored host file changes; the file event comprises a program opening, writing or closing a file;
acquiring the process pid in the file event;
monitoring process events through Netlink, and constructing a process tree from the process information in the process events;
judging through the process tree whether the process pid is a container process;
if the process pid is a container process, acquiring the container mount directory;
judging whether the file changed by the file event is in the container mount directory; if not, warning and/or blocking.
In the above technical solution, host file changes are monitored by fanotify; if a host file is found to be created, opened, checked, modified or otherwise manipulated by a container process, and the file is not in the container's mount directory or is a certain special file, a process escape is considered to have occurred.
In a specific embodiment, the method further comprises:
judging whether the file changed by the file event is in the container mount directory; if yes, ending.
In a specific embodiment, the blocking is specifically:
preventing the file operation through the access decision (permission) function of fanotify.
In a specific implementation, monitoring process events through Netlink and constructing a process tree from the process information in the process events comprises the following steps:
acquiring the pid of a newly created or deleted process through a process-related event;
reading the /proc directory to obtain the pids of all processes in the system;
obtaining the process name, the process command line and the parent process pid corresponding to each pid by reading the contents of the /proc/pid/status and /proc/pid/cmdline files;
determining the parent-child relationship of the processes through the parent process pid of each process, so that a process tree connected by parent-child relationships and storing the process information is formed.
In a specific implementation, monitoring process events through Netlink and constructing a process tree from the process information in the process events further comprises:
storing the process command line of each process;
determining the container start processes in the process tree through a command-line feature of container start processes,
and constructing a container process tree from the sub-tree below each container start process.
In a specific embodiment, acquiring the container mount directory specifically includes:
acquiring the container start process;
obtaining the container id, and obtaining the container mount directory through the container id.
In a second aspect, there is provided a fanotify-based container escape detection system comprising:
a data acquisition module, which monitors file changes on the host through fanotify; acquires a file event from the monitored host file changes, the file event comprising a program opening, writing or closing a file; and monitors process events through Netlink;
a data processing module, which acquires the process pid in the file event; constructs a process tree from the process information in the process events; judges through the process tree whether the process pid is a container process; if the process pid is a container process, acquires the container mount directory; judges whether the file changed by the file event is in the container mount directory; and if not, warns and/or blocks.
In the above technical solution, host file changes are monitored by fanotify; if a host file is found to be created, opened, checked, modified or otherwise manipulated by a container process, and the file is not in the container's mount directory or is a certain special file, a process escape is considered to have occurred.
In a specific embodiment, the data processing module is further configured to judge whether the file changed by the file event is in the container mount directory; if yes, ending.
In a specific embodiment, the data processing module is further configured to block file operations through the access decision (permission) function of fanotify.
In a third aspect, there is provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the fanotify-based container escape detection method as described in any one of the preceding claims when executing the program.
In a fourth aspect, a non-transitory computer readable storage medium is provided, the non-transitory computer readable storage medium storing computer instructions for causing the computer to perform any of the fantify-based container escape detection methods described above.
In a fifth aspect, there is also provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any one of the first aspect and any one of the possible designs of the first aspect.
In addition, for the technical effects of any of the possible designs in the third to fifth aspects, reference may be made to the effects of the corresponding designs in the method section, which are not repeated here.
Drawings
For a clearer description of one or more embodiments of the present description or of the solutions of the prior art, the drawings that are necessary for the description of the embodiments or of the prior art will be briefly described, it being apparent that the drawings in the description below are only one or more embodiments of the present description, from which other drawings can be obtained, without inventive effort, for a person skilled in the art.
FIG. 1 is a flowchart of a container escape detection method based on fanotify according to an embodiment of the present application;
FIG. 2 is a block diagram of a container escape detection system based on fanotify according to an embodiment of the present application;
fig. 3 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of promoting an understanding of the principles and advantages of the disclosure, reference will now be made to the embodiments illustrated in the drawings and specific language will be used to describe the same.
It is noted that unless otherwise defined, technical or scientific terms used in one or more embodiments of the present disclosure should be taken in a general sense as understood by one of ordinary skill in the art to which the present disclosure pertains. The use of the terms "first," "second," and the like in one or more embodiments of the present description does not denote any order, quantity, or importance, but rather the terms "first," "second," and the like are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
The technical carriers involved in payment in the embodiments of the present disclosure may include, for example, near field communication (Near Field Communication, NFC), WIFI, 3G/4G/5G, POS machine card swiping technology, two-dimensional code scanning technology, bar code scanning technology, bluetooth, infrared, short message (Short Message Service, SMS), multimedia message (Multimedia Message Service, MMS), and the like.
"Container escape" refers to the following process and result: first, an attacker obtains command execution capability under some authority inside a container, by hijacking containerized service logic or through direct control (the scenario in which the container is obtained legitimately, as in CaaS); the attacker then uses this command execution capability to gain, by some means, command execution capability under some authority on the host on which the container directly runs. A process in a container environment is generally limited to modifying files inside the container, so when a file outside the container is modified by an in-container process and that file is not in the mount directory, we can be certain that a container escape has occurred. Our detection scheme is based on this idea. The container escape detection method based on fanotify provided by the embodiment of the application is described in detail below.
Referring to fig. 1, fig. 1 shows a flow chart of the container escape detection method based on fanotify. The method comprises the following steps:
step 001: monitoring file changes on the host through fanotify;
step 002: acquiring a file event from the monitored host file changes; the file event comprises a program opening, writing or closing a file;
step 003: acquiring the process pid in the file event;
step 004: monitoring process events through Netlink, and constructing a process tree from the process information in the process events;
specifically, the pid of a newly created or deleted process is obtained through a process-related event; the /proc directory is read to obtain the pids of all processes in the system; the process name, process command line and parent process pid corresponding to each pid are obtained by reading the contents of the /proc/pid/status and /proc/pid/cmdline files; the parent-child relationship of the processes is determined through the parent process pid of each process; a process tree connected by parent-child relationships and storing the process information is thereby formed.
The process command line can be saved for each process;
the container start processes in the process tree are determined through a command-line feature of container start processes,
and a container process tree is constructed from the sub-tree below each container start process.
step 005: judging through the process tree whether the process pid is a container process;
step 006: if the process pid is a container process, acquiring the container mount directory;
specifically, the container start process is obtained; the container id is obtained, and the container mount directory is obtained through the container id.
step 007: judging whether the file changed by the file event is in the container mount directory; if not, warning and/or blocking.
Specifically, fanotify has an access decision function in addition to file system notification. The monitoring program not only receives the event notification but can also decide whether the operation is allowed, the so-called access decision, made at the time the file is accessed. The file operation can thus be prevented through the access decision (permission) function of fanotify.
step 008: judging whether the file changed by the file event is in the container mount directory; if yes, ending.
According to the method, host file changes are monitored through fanotify; if a host file is found to be created, opened, checked, modified or otherwise manipulated by a container process, and the file is not in the container's mount directory or is a certain special file, a process escape is considered to have occurred.
In order to facilitate understanding of the method provided by the embodiment of the present application, fanotify and Netlink will be described in detail.
Fanotify is a notifier, a mechanism that generates notifications of changes to the file system; as a notifier, its most basic function is to notify the corresponding monitor when the file system changes. A fanotify event is triggered when a process creates, modifies or deletes a file, that is, when a program opens, writes or closes a file, fanotify sends an event telling the listening monitor that the file was opened, written or closed. The event carries both file information and information about the process operating on the file; by monitoring and analysing the events, the monitoring program learns which files in the system are being operated on and can obtain the process file name, process PID, file size, process PID backtracking chain and so on of the process operating on the file.
Fanotify has an access decision function in addition to file system notification. The monitoring program not only receives the event notification but can also decide whether the operation is allowed, the so-called access decision, made at the time the file is accessed.
Using the fanotify event notification function and the access decision function, we can monitor file changes on the host. For most container escapes, success amounts to the ability to manipulate files outside the container, i.e. on the host. That action triggers a fanotify event notification; by analysing the event and the file path in the acquired file information, it can be determined that a file on the host was modified. At this point, if the process information is acquired and the process is judged to be a container process that has no authority to manipulate that file, a container escape can be judged to have occurred.
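As an added example that is not part of the patent, the following Python program (Linux, root required) receives the fanotify notifications and access-decision requests described above through ctypes and answers each permission request with allow or deny; fanotify's access decision function is its permission-event mechanism (FAN_OPEN_PERM, FAN_ACCESS_PERM). The `decide()` hook, the constructed sample event buffer and the mount point /mnt/test are assumptions standing in for the process-tree check the text describes.

```python
import ctypes
import os
import struct

# Constants from <linux/fanotify.h> (stable kernel ABI values).
FAN_CLOEXEC, FAN_CLASS_CONTENT = 0x01, 0x04
FAN_MARK_ADD, FAN_MARK_MOUNT = 0x01, 0x10
FAN_MODIFY, FAN_CLOSE_WRITE = 0x02, 0x08
FAN_OPEN_PERM, FAN_ACCESS_PERM = 0x10000, 0x20000
FAN_ALLOW, FAN_DENY = 0x01, 0x02
FAN_NOFD = -1
AT_FDCWD = -100

# struct fanotify_event_metadata: event_len, vers, reserved, metadata_len, mask, fd, pid
META_FMT = "=IBBHQii"
META_LEN = struct.calcsize(META_FMT)          # 24 bytes
RESP_FMT = "=iI"                               # struct fanotify_response: fd, response


def pack_event(mask, fd, pid):
    """Lay out one metadata record as the kernel does (only used to build the
    constructed sample below; in real use the kernel writes the records)."""
    return struct.pack(META_FMT, META_LEN, 3, 0, META_LEN, mask, fd, pid)


# Constructed sample: a permission request from pid 1220, then a modify notification from pid 950.
SAMPLE_BUF = pack_event(FAN_OPEN_PERM, 7, 1220) + pack_event(FAN_MODIFY, 8, 950)


def parse_events(buf):
    """Split a read() buffer into (mask, fd, pid) tuples; the file information
    the text mentions is recovered from fd through /proc/self/fd."""
    events, off = [], 0
    while off + META_LEN <= len(buf):
        event_len, _vers, _res, _mlen, mask, fd, pid = struct.unpack_from(META_FMT, buf, off)
        if event_len < META_LEN:                  # malformed or truncated record
            break
        events.append((mask, fd, pid))
        off += event_len
    return events


def build_response(fd, allow):
    """Answer a *_PERM request: this is fanotify's access decision."""
    return struct.pack(RESP_FMT, fd, FAN_ALLOW if allow else FAN_DENY)


def fd_path(fd):
    if fd == FAN_NOFD:
        return "?"
    try:
        return os.readlink(f"/proc/self/fd/{fd}")
    except OSError:
        return "?"


def decide(pid, path):
    """Hypothetical hook: the patent's process-tree / mount-directory check
    belongs here. This stand-in allows everything and only reports."""
    print(f"permission request pid={pid} path={path}")
    return True


def monitor(mount_point):
    """Mark a whole mount and loop over its events (needs root and Linux)."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.fanotify_init.argtypes = [ctypes.c_uint, ctypes.c_uint]
    libc.fanotify_mark.argtypes = [ctypes.c_int, ctypes.c_uint, ctypes.c_uint64,
                                   ctypes.c_int, ctypes.c_char_p]
    fan = libc.fanotify_init(FAN_CLOEXEC | FAN_CLASS_CONTENT,
                             os.O_RDONLY | getattr(os, "O_LARGEFILE", 0))
    if fan < 0:
        raise OSError(ctypes.get_errno(), "fanotify_init failed")
    mask = FAN_MODIFY | FAN_CLOSE_WRITE | FAN_OPEN_PERM | FAN_ACCESS_PERM
    if libc.fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, mask,
                          AT_FDCWD, mount_point.encode()) < 0:
        raise OSError(ctypes.get_errno(), "fanotify_mark failed")
    while True:
        for ev_mask, fd, pid in parse_events(os.read(fan, 4 * 4096)):
            path = fd_path(fd)
            if ev_mask & (FAN_OPEN_PERM | FAN_ACCESS_PERM):
                os.write(fan, build_response(fd, decide(pid, path)))   # allow or deny
            else:
                print(f"notification mask={ev_mask:#x} pid={pid} path={path}")
            if fd != FAN_NOFD:
                os.close(fd)                       # each event fd must be closed


if __name__ == "__main__":
    monitor("/mnt/test")                           # constructed mount point
```

Until a permission request is answered the kernel keeps the opening process blocked, so the decision path must stay fast and must not itself open files on the marked mount.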
Netlink is an IPC (Inter-Process Communication) mechanism for kernel-to-user-space communication, and the process connector is a Netlink family with protocol number NETLINK_CONNECTOR.
The process connector reports process-related events including process fork, exec, exit and changes in process user ID and group ID. As with fanotify, these events can be received by creating a monitor. By analysing the events, the pids of newly created or deleted processes can be obtained; reading the /proc directory yields the pids of all processes in the system at that moment, and by reading the contents of files such as /proc/pid/status and /proc/pid/cmdline, the process name, process command line, parent process pid and other information corresponding to each pid can be obtained. The parent-child relationship of each process is known from its parent process pid, so a process tree connected by parent-child relationships and storing the process information is formed.
The complete set of processes currently obtained from the /proc directory initialises the process tree, and the process information in the process events received by the monitoring program keeps the process tree current in real time without consuming much performance.
The cmdline of each process, namely its command line, is stored in the process tree, and the characteristics of the command line used to start a container can be used to judge which processes in the tree are container start processes; the sub-tree below a container start process is naturally a container process tree.
Whether a process pid is a container process can be determined by checking whether the pid is in a container process tree. The id of the started container can be obtained from the command line of the container start process, and then the specific information of the container can be obtained through the official interfaces provided by the various container runtimes, such as the inspect interface of docker. From the specific information of the container, we mainly acquire the container mount directory, because a process within a container can only handle files within the container and files in the mount directory. Since the container directory is known, the path scope of the files a container process may modify is obtained as soon as the container mount directory is obtained. Whenever a file modified by a process within a container is found not to be within the range of files the container may modify, it can be concluded that a container escape has occurred.
In addition to detecting that an escape has occurred, the fanotify access decision function described above can also be used to decide whether to allow the file operation; when it is determined that a container escape has occurred, the progress of the escape can be stopped by disallowing the file operation.
As can be seen from the above description, in the method provided by the embodiment of the application, host file events are monitored through fanotify and the process information of the modified file is obtained. Process events are monitored through Netlink and a process tree is constructed from the process information; if a container start process is found, its container id is acquired and the container mount directory is obtained through the container id. The process pid acquired from fanotify is looked up in the process tree; if it is found to be a container process, the mount directory is acquired and it is judged whether the modified file is in the mount directory; if not, a container escape is judged to have occurred. This improves the accuracy of determining container escape.
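The process tree and mount-directory check of steps 004 to 007, reimplemented as an added example (not the applicant's code): the /proc records, the containerd-shim command-line feature used to recognise a container start process, and the container-id-to-mount-directory table standing in for the runtime's inspect interface are all constructed assumptions; the Netlink fork/exec/exit events are fed in through the on_fork/on_exec/on_exit methods.

```python
import os
import re
from dataclasses import dataclass, field


@dataclass(eq=False)
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str
    children: list = field(default_factory=list)


# Constructed stand-in for the (pid, ppid, name, cmdline) tuples the method
# reads from /proc/<pid>/status and /proc/<pid>/cmdline when it initialises.
SAMPLE_PROCS = [
    (1, 0, "systemd", "/sbin/init"),
    (800, 1, "containerd", "/usr/bin/containerd"),
    (900, 1, "sshd", "/usr/sbin/sshd -D"),
    (950, 900, "bash", "-bash"),
    (1200, 800, "containerd-shim",
     "/usr/bin/containerd-shim-runc-v2 -namespace moby -id 3f2a9c1d7e"),
    (1210, 1200, "nginx", "nginx: master process nginx -g daemon off;"),
    (1220, 1210, "sh", "/bin/sh -c id > /tmp/out"),
]

# Assumed command-line feature of a container start process (a containerd shim
# carrying "-id <container id>"); the patent names no concrete runtime string.
CONTAINER_START_RE = re.compile(r"containerd-shim\S*\s.*-id\s+([0-9a-f]+)")

# Constructed stand-in for the runtime's inspect interface: container id ->
# host directories the container may touch (rootfs merged dir and bind mounts).
MOUNT_DIRS = {
    "3f2a9c1d7e": ["/var/lib/docker/overlay2/abc123/merged", "/srv/www/html"],
}


class ProcessTree:
    """Process tree keyed by pid; container_of maps every pid below a container
    start process to that container's id (the 'container process tree')."""

    def __init__(self, records):
        self.procs = {r[0]: Proc(*r) for r in records}
        self.container_of = {}
        for p in self.procs.values():
            parent = self.procs.get(p.ppid)
            if parent is not None:
                parent.children.append(p)
        for p in self.procs.values():
            self._check_start(p)

    def _check_start(self, proc):
        """If proc's command line marks a container start, tag its whole subtree."""
        m = CONTAINER_START_RE.search(proc.cmdline)
        if not m:
            return
        stack = [proc]
        while stack:
            p = stack.pop()
            self.container_of[p.pid] = m.group(1)
            stack.extend(p.children)

    # The three handlers below consume the Netlink process connector events.
    def on_fork(self, pid, ppid):
        parent = self.procs[ppid]
        child = Proc(pid, ppid, parent.name, parent.cmdline)   # exec may rename it
        self.procs[pid] = child
        parent.children.append(child)
        if ppid in self.container_of:
            self.container_of[pid] = self.container_of[ppid]

    def on_exec(self, pid, name, cmdline):
        proc = self.procs[pid]
        proc.name, proc.cmdline = name, cmdline
        self._check_start(proc)

    def on_exit(self, pid):
        proc = self.procs.pop(pid, None)
        if proc is None:
            return
        self.container_of.pop(pid, None)
        parent = self.procs.get(proc.ppid)
        if parent is not None:
            parent.children.remove(proc)

    def container_id(self, pid):
        return self.container_of.get(pid)


def evaluate_file_event(tree, pid, path):
    """Steps 005-007 for one fanotify event: 'ignore' for a host process,
    'allow' if the host path lies inside the container's mount directories,
    'escape' otherwise (the point at which the method warns and/or blocks)."""
    cid = tree.container_id(pid)
    if cid is None:
        return "ignore"
    norm = os.path.normpath(path)       # so "/srv/www/html/../../etc" cannot pass
    for d in MOUNT_DIRS.get(cid, []):
        d = os.path.normpath(d)
        if norm == d or norm.startswith(d + "/"):
            return "allow"
    return "escape"


if __name__ == "__main__":
    t = ProcessTree(SAMPLE_PROCS)
    for pid, path in [(1220, "/var/lib/docker/overlay2/abc123/merged/tmp/out"),
                      (1220, "/etc/crontab"), (950, "/etc/crontab")]:
        print(pid, path, "->", evaluate_file_event(t, pid, path))
```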
The embodiment of the application also provides a container escape detection system based on fanotify, which comprises a data acquisition module and a data processing module.
Referring to fig. 2, the data acquisition module is configured to monitor file changes on the host through fanotify; to acquire a file event from the monitored host file changes, the file event comprising a program opening, writing or closing a file; and to monitor process events through Netlink. It specifically comprises a fanotify file monitoring module and a Netlink process monitoring module. The fanotify file monitoring module sends file events and the corresponding process information to the data processing module; meanwhile, the Netlink process monitoring module sends the process event structures to the process tree module.
The data processing module acquires the process pid in the file event; constructs a process tree from the process information in the process events; judges through the process tree whether the process pid is a container process; if the process pid is a container process, acquires the container mount directory; judges whether the file changed by the file event is in the container mount directory; and if not, warns and/or blocks. The data processing module comprises an escape detection module and a process tree module; the process tree module builds the process tree from the process events.
In addition, the data processing module is also configured to judge whether the file changed by the file event is in the container mount directory; if yes, ending. The data processing module is also configured to prevent file operations through the access decision (permission) function of fanotify.
For the data acquisition module and the data processing module, reference may be made to the related description of the method of fig. 1, which is not repeated here.
In the above technical solution, host file changes are monitored by fanotify; if a host file is found to be created, opened, checked, modified or otherwise manipulated by a container process, and the file is not in the container's mount directory or is a certain special file, a process escape is considered to have occurred.
The embodiment of the application also provides electronic equipment, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, and is characterized in that the processor realizes the container escape detection method based on fanotify according to any one of the above when executing the program.
The embodiment of the application also provides a non-transitory computer readable storage medium, which stores computer instructions for causing the computer to execute any of the container escape detection methods based on fanotify.
Embodiments of the present application also provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any one of the above possible designs of the present application.
It should be noted that the methods of one or more embodiments of the present description may be performed by a single device, such as a computer or server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the methods of one or more embodiments of the present description, the devices interacting with each other to accomplish the methods.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in one or more pieces of software and/or hardware when implementing one or more embodiments of the present description.
The device of the foregoing embodiment is configured to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Fig. 3 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit ), microprocessor, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory ), static storage device, dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs, and when the embodiments of the present disclosure are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present description, and not all the components shown in the drawings.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the disclosure, including the claims, is limited to these examples; combinations of features of the above embodiments or in different embodiments are also possible within the spirit of the present disclosure, steps may be implemented in any order, and there are many other variations of the different aspects of one or more embodiments described above which are not provided in detail for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure one or more embodiments of the present description. Furthermore, the apparatus may be shown in block diagram form in order to avoid obscuring the one or more embodiments of the present description, and also in view of the fact that specifics with respect to implementation of such block diagram apparatus are highly dependent upon the platform within which the one or more embodiments of the present description are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the disclosure, it should be apparent to one skilled in the art that one or more embodiments of the disclosure can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the present disclosure has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The present disclosure is intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Any omissions, modifications, equivalents, improvements, and the like, which are within the spirit and principles of the one or more embodiments of the disclosure, are therefore intended to be included within the scope of the disclosure.

Claims (11)

1. A fanotify-based container escape detection method, characterized by comprising the following steps:
monitoring file changes on a host through fanotify;
acquiring a file event from the monitored host file changes, the file event comprising a program opening, writing or closing a file;
acquiring the process pid from the file event;
monitoring process events through Netlink, and constructing a process tree from the process information of the process events;
judging, through the process tree, whether the process pid belongs to a container process;
if the process pid belongs to a container process, acquiring the container mount directory;
judging whether the file changed by the file event is in the container mount directory; if not, alerting and/or blocking.
2. The fanotify-based container escape detection method of claim 1, further comprising:
judging whether the file changed by the file event is in the container mount directory; if yes, ending.
3. The fanotify-based container escape detection method according to claim 1, wherein the blocking is specifically:
preventing the file operation through the access permission function of fanotify.
4. The fanotify-based container escape detection method according to claim 3, wherein monitoring process events through Netlink and constructing a process tree from the process information of the process events comprises:
acquiring the pid of a newly created or deleted process through a process-related event;
reading the /proc directory to obtain all process pids in the system;
obtaining the process name, process command line and parent process pid corresponding to each pid by reading the contents of the /proc/pid/status and /proc/pid/cmdline files;
determining the parent-child relationship of the processes through the parent process pid of each process, and forming a process tree in which the processes are connected by parent-child relationship and the process information is stored.
5. The fanotify-based container escape detection method according to claim 4, wherein monitoring process events through Netlink and constructing a process tree from the process information of the process events further comprises:
storing the process command line of each process;
determining the container start process in the process tree through a command-line feature of the container start process,
and constructing a container process tree from the sub-tree below the container start process.
6. The fanotify-based container escape detection method of claim 5, wherein acquiring the container mount directory specifically comprises:
acquiring the container start process;
obtaining the container id, and obtaining the container mount directory through the container id.
7. A fanotify-based container escape detection system, comprising:
a data acquisition module that monitors file changes on the host through fanotify; acquires a file event from the monitored host file changes, the file event comprising a program opening, writing or closing a file; and monitors process events through Netlink;
a data processing module that acquires the process pid from the file event; constructs a process tree from the process information of the process events; judges, through the process tree, whether the process pid belongs to a container process; if the process pid belongs to a container process, acquires the container mount directory; judges whether the file changed by the file event is in the container mount directory; and if not, alerts and/or blocks.
8. The fanotify-based container escape detection system of claim 7, wherein said data processing module is further configured to judge whether the file changed by the file event is in the container mount directory; if yes, ending.
9. The fanotify-based container escape detection system of claim 8, wherein said data processing module is further configured to block file operations through the access permission function of fanotify.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the fanotify-based container escape detection method of any one of claims 1 to 6 when executing the program.
11. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the fanotify-based container escape detection method of any one of claims 1 to 6.
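The decision pipeline of claims 1, 4, 5 and 6, as an added Python example that is not code from the patent: it builds the process tree from a constructed /proc-style snapshot, walks a pid's ancestors to the container start process, and judges whether the path of a file event lies inside that container's mount directory. The containerd-shim command-line pattern with its "-id" argument, the sample pids and the container-id-to-mount-directory map are assumptions, not details from the page.

```python
"""Added example (not the patent's code) of the claimed escape decision."""
import os
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid cmdline")  # /proc/<pid>/status PPid + cmdline

# Constructed /proc snapshot. The container start process is recognised by a
# command-line feature; the containerd-shim "-id <cid>" pattern is an assumption.
SNAPSHOT = [
    Proc(1, 0, "/sbin/init"),
    Proc(700, 1, "/usr/bin/containerd"),
    Proc(800, 700, "containerd-shim-runc-v2 -namespace moby -id c0ffee"),
    Proc(801, 800, "/bin/sh -c sleep infinity"),
    Proc(802, 801, "sleep infinity"),
    Proc(900, 1, "/usr/sbin/sshd -D"),
]
# Constructed container id -> mount directory map (claim 6's lookup by id).
MOUNTS = {"c0ffee": "/var/lib/docker/overlay2/c0ffee/merged"}

def build_tree(procs):
    """Claim 4: index by pid; the parent pid of each node links the tree."""
    return {p.pid: p for p in procs}

def container_of(tree, pid):
    """Claim 5: walk parents to the nearest container start process and return
    its container id; None when the pid is not below one."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)  # guards against an inconsistent snapshot
        argv = tree[pid].cmdline.split()
        i = argv.index("-id") if "-id" in argv else -1
        if argv and argv[0].startswith("containerd-shim") and 0 <= i < len(argv) - 1:
            return argv[i + 1]
        pid = tree[pid].ppid
    return None

def inside(path, root):
    """True iff the normalised path lies under root; a sibling such as
    root + 'x' is not accepted as a prefix match."""
    return os.path.commonpath([os.path.normpath(path), root]) == root

def judge(tree, pid, path):
    """Claim 1: 'skip' for host processes, 'ok' inside the mount directory,
    'alert' for a container process touching anything else (unknown id too)."""
    cid = container_of(tree, pid)
    if cid is None:
        return "skip"
    root = MOUNTS.get(cid)
    return "ok" if root and inside(path, root) else "alert"
```

In a live agent the pid is read from the fanotify event metadata and the path is resolved from the event's file descriptor; here both arrive as constructed inputs to judge().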
CN202310712063.9A 2023-06-15 2023-06-15 Container escape detection method and system based on fanotify Pending CN116820668A (en)

Publications (1)

Publication Number Publication Date
CN116820668A true CN116820668A (en) 2023-09-29

Family

ID=88123463

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113886835A (en) * 2021-10-14 2022-01-04 苏州浪潮智能科技有限公司 Method and device for preventing container from escaping, computer equipment and storage medium
CN114968494A (en) * 2022-06-23 2022-08-30 杭州默安科技有限公司 Container escape detection method and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117056030A (en) * 2023-10-10 2023-11-14 苏州元脑智能科技有限公司 Method and device for determining escape of container
CN117056030B (en) * 2023-10-10 2024-02-09 苏州元脑智能科技有限公司 Method and device for determining escape of container

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination