feat/socket family restrict #128
Signed-off-by: Dor Serero <[email protected]>
Pull request overview
Expands the socket-restrict gadget from blocking only AF_ALG sockets to a baked-in deny-list of high-risk socket families (e.g. AF_VSOCK, AF_PACKET, AF_TIPC, AF_RDS, AF_SMC, AF_CAN, AF_NFC, AF_BLUETOOTH, etc.) and selected AF_NETLINK protocols (NETLINK_NETFILTER, NETLINK_XFRM, NETLINK_AUDIT, NETLINK_KOBJECT_UEVENT) used in container-escape and LPE chains. Adds new event types, a protocol field, and output formatting for them, while preserving the existing AF_ALG visibility path.
Changes:
- BPF program now applies a switch-based family/protocol deny-list at `lsm/socket_create` and `lsm/socket_bind`, reading `sk->sk_protocol` via CO-RE on bind to determine the netlink protocol.
- New `EVENT_TYPE_SOCKET_FAMILY_DENIED_{CREATE,BIND}` events (14, 15) plumbed through the C header, Go operator constants, and output formatter (with `family`/`protocol` field decoding).
- Documentation (root `README.md`, gadget `README.md`, `gadget.yaml`) updated to describe the new scope and the default deny-list.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Updates the socket-restrict bullet to cover the broader family/netlink deny-list and additional CVEs. |
| include/micromize/event_types.h | Adds EVENT_TYPE_SOCKET_FAMILY_DENIED_{CREATE,BIND} = 14/15. |
| gadgets/socket-restrict/program.bpf.h | Adds AF_* and NETLINK_* fallback macros and a protocol field on struct event. |
| gadgets/socket-restrict/program.bpf.c | Introduces is_denied_family, generalizes both LSM hooks, reads sk_protocol via CO-RE in bind, preserves AF_ALG details. |
| gadgets/socket-restrict/gadget.yaml | Documents the new protocol data field. |
| gadgets/socket-restrict/README.md | Rewrites scope, adds default deny-list table and updated hook descriptions. |
| internal/operators/operators.go | Adds new event-type constants and name mappings (14/15). |
| internal/operators/output.go | Adds family/netlink-protocol decode tables and output helpers for the new events. |
| internal/gadget/registry_test.go | Adds a registration test covering all default gadgets including socket-restrict. |
| cmd/micromize/root_test.go | Adds a case asserting socket-restrict can be disabled via --disable-gadgets. |
Summary
Evolves `socket-restrict` from an `AF_ALG`-only block into a runtime-configurable socket-family / `AF_NETLINK`-protocol deny-list, populated from BPF maps. Defaults are intentionally conservative to avoid breaking common cloud-native workloads — anything that could regress Kubernetes networking (`NETLINK_NETFILTER`, `AF_PACKET`, IPsec sidecars, etc.) is opt-in.
Behavior change
The new defaults preserve the original `AF_ALG` / CVE-2026-31431 mitigation (existing event-type IDs `EVENT_TYPE_SOCKET_AF_ALG_{CREATE,BIND}` are kept) and additionally deny only niche/legacy families with no realistic cloud-native use.
Default deny-list (out of the box)
- `AF_ALG`
- `AF_TIPC`
- `AF_RDS`
- `AF_SMC`
- `AF_CAN`
- `AF_NFC`
- `AF_BLUETOOTH`
- `AF_AX25`
- `AF_ATMPVC`
- `AF_ATMSVC`
- `AF_X25`
- `AF_KCM`
- `AF_CAIF`
Opt-in (set via flags)
| Family / protocol | Flag | Notes |
|---|---|---|
| `AF_PACKET` | `--socket-deny-families=AF_PACKET,…` | |
| `AF_VSOCK` | `--socket-deny-families=AF_VSOCK,…` | |
| `NETLINK_NETFILTER` | `--socket-deny-netlink-protocols=NETLINK_NETFILTER,…` | nf_tables LPE family: CVE-2022-32250, CVE-2022-34918, CVE-2023-32233, CVE-2024-1086, CVE-2024-26925, CVE-2024-26581, CVE-2024-26809 |
| `NETLINK_XFRM` | `--socket-deny-netlink-protocols=NETLINK_XFRM,…` | |
| `NETLINK_AUDIT` | `--socket-deny-netlink-protocols=NETLINK_AUDIT,…` | |
| `NETLINK_KOBJECT_UEVENT` | `--socket-deny-netlink-protocols=NETLINK_KOBJECT_UEVENT,…` | |
Recommended rollout (audit → enforce)
1. `--enforce=false` and the default `--socket-deny-families`. Watch for `socket_family_denied_create`/`_bind` events. The defaults should produce ~zero events on a normal Kubernetes data plane.
2. `--socket-deny-families=AF_ALG,…,AF_VSOCK` for clusters with no vsock workloads, or `--socket-deny-netlink-protocols=NETLINK_NETFILTER` for clusters using iptables-legacy / pure IPVS. Keep `--enforce=false`. Validate against your specific data plane (CNI, kube-proxy mode, service-mesh CNI, MetalLB, IPsec sidecars).
3. `--enforce=true`.
What's in this PR
BPF
- `gadgets/socket-restrict/program.bpf.c` — replaces the hard-coded switch with two BPF maps (`denied_families` keyed by `__u16`, `denied_netlink_protocols` keyed by `__u32`). Lookups happen in `lsm/socket_create` and `lsm/socket_bind`. `sk_protocol` is only read via `BPF_CORE_READ_BITFIELD_PROBED` when `family == AF_NETLINK` and the family is not already denied. Non-netlink binds skip the field-read entirely.
Userspace / wiring
- `internal/operators/socket_restrict.go` — operator that populates `map/denied_families` and `map/denied_netlink_protocols` on each gadget's init (no-op when those maps are absent, i.e. for the other 4 gadgets).
- Socket families (`AF_*`) and netlink protocols (`NETLINK_*`): flags accept symbolic names or decimal numbers, case-insensitive, with whitespace-trimming and dedup.
- `--socket-deny-families` (conservative default above) and `--socket-deny-netlink-protocols` (empty default).
- Event-type IDs (`EVENT_TYPE_SOCKET_AF_ALG_{CREATE,BIND}` = 11/12 and `EVENT_TYPE_SOCKET_FAMILY_DENIED_{CREATE,BIND}` = 14/15) and the `family`/`protocol` event fields are preserved.
Tests
- `internal/operators/socket_restrict_test.go` — covers parsing (mixed names/numbers, case insensitivity, dedup, errors).
- `cmd/micromize/root_test.go` — extended `TestBuildDisabledSet` with `socket-restrict`.
- `internal/gadget/registry_test.go` — registry coverage for all 5 gadgets.
- `tests/integration/probes/af_vsock/main.go` + `tests/integration/cases/11_af_vsock_audit_mode.sh` — opt-in `AF_VSOCK` + `--enforce=false` exercise (probe must observe `socket()` succeeding while the gadget emits an event).
Docs
- `gadgets/socket-restrict/README.md` rewritten with the new defaults, per-flag compatibility caveats, and the audit → enforce rollout.
- `README.md` updated: bullet reflects conservative defaults and points at the gadget README; new CLI flags added to the flags table.
Out of scope (future PRs)
- audit vs enforce modes (today `--enforce` is global).
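The flag grammar and the two-stage deny decision described in the PR, as an added illustration in Go that is not the project's own code: `parseList`, `denied`, the name tables and the `defaultFamilies` string are assumptions modelled on the description, and the AF_*/NETLINK_* numbers are the Linux UAPI values. In the real gadget the resulting sets would be written into the `denied_families` / `denied_netlink_protocols` BPF maps; here the lookup order (family map first, netlink map only for `AF_NETLINK`) is modelled in userspace.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Linux AF_* and NETLINK_* numbers from <linux/socket.h> and <linux/netlink.h>.
var familyNames = map[string]uint16{
	"AF_AX25": 3, "AF_ATMPVC": 8, "AF_X25": 9, "AF_NETLINK": 16, "AF_PACKET": 17,
	"AF_ATMSVC": 20, "AF_RDS": 21, "AF_CAN": 29, "AF_TIPC": 30, "AF_BLUETOOTH": 31,
	"AF_CAIF": 37, "AF_ALG": 38, "AF_NFC": 39, "AF_VSOCK": 40, "AF_KCM": 41, "AF_SMC": 43,
}
var netlinkNames = map[string]uint32{
	"NETLINK_XFRM": 6, "NETLINK_AUDIT": 9, "NETLINK_NETFILTER": 12, "NETLINK_KOBJECT_UEVENT": 15,
}

// The PR's out-of-the-box --socket-deny-families value (hypothetical constant name).
const defaultFamilies = "AF_ALG,AF_TIPC,AF_RDS,AF_SMC,AF_CAN,AF_NFC,AF_BLUETOOTH," +
	"AF_AX25,AF_ATMPVC,AF_ATMSVC,AF_X25,AF_KCM,AF_CAIF"

// parseList: comma-separated symbolic names or decimal numbers, case-insensitive,
// whitespace-trimmed, deduplicated by collecting into a set; unknown tokens are errors.
func parseList[T ~uint16 | ~uint32](raw string, bits int, names map[string]T) (map[T]bool, error) {
	set := map[T]bool{}
	for _, tok := range strings.Split(raw, ",") {
		tok = strings.ToUpper(strings.TrimSpace(tok))
		if tok == "" {
			continue // tolerate trailing or doubled commas
		}
		if v, ok := names[tok]; ok {
			set[v] = true
			continue
		}
		n, err := strconv.ParseUint(tok, 10, bits) // bits bounds the BPF map key width
		if err != nil {
			return nil, fmt.Errorf("unknown socket family/protocol %q", tok)
		}
		set[T(n)] = true
	}
	return set, nil
}

// denied models the hook order: the family map decides first; the netlink-protocol
// map is consulted only when family == AF_NETLINK and the family was not denied.
func denied(family uint16, proto uint32, fams map[uint16]bool, nl map[uint32]bool) bool {
	if fams[family] {
		return true
	}
	return family == familyNames["AF_NETLINK"] && nl[proto]
}
```

With `--enforce=false` the same decision would only emit a `socket_family_denied_*` event instead of returning `-EPERM` from the hook.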