Separate sandbox traffic to avoid capturing host packets during analysis. (#275)

- use a virtual bridge to separate sandbox traffic from host traffic.
- switch from pcap to pcapgo to avoid a deadlock (afpacket would be nice, but it segfaults)
- explicitly define the podman network so pcap can be started before podman
- `Close()` now explicitly aborts the packet reading.

Author: calebbrown

cmd/analyze/Dockerfile

@@ -13,7 +13,7 @@ RUN apt-get update && apt-get upgrade -y && \
         ca-certificates \
         curl \
         iptables \
-        libpcap0.8 \
+        iproute2 \
         podman \
         software-properties-common && \
     update-alternatives --set iptables /usr/sbin/iptables-legacy && \
@@ -27,8 +27,10 @@ RUN curl -fsSL https://gvisor.dev/archive.key | apt-key add - && \
 COPY --from=build /src/analyze /usr/local/bin/analyze
 COPY --from=build /src/worker /usr/local/bin/worker
 COPY --from=build /src/tools/gvisor/runsc_compat.sh /usr/local/bin/runsc_compat.sh
-COPY --from=build /src/tools/firewall/iptables.rules /usr/local/etc/iptables.rules
-RUN chmod 755 /usr/local/bin/runsc_compat.sh
+COPY --from=build /src/tools/network/iptables.rules /usr/local/etc/iptables.rules
+COPY --from=build /src/tools/network/podman-analysis.conflist /etc/cni/net.d/podman-analysis.conflist
+RUN chmod 755 /usr/local/bin/runsc_compat.sh && \
+    chmod 644 /usr/local/etc/iptables.rules /etc/cni/net.d/podman-analysis.conflist
 
 ARG SANDBOX_IMAGE_TAG
 ENV OSSF_SANDBOX_IMAGE_TAG=${SANDBOX_IMAGE_TAG}

cmd/analyze/main.go

@@ -35,6 +35,8 @@ func parseBucketPath(path string) (string, string) {
 
 func main() {
 	log.Initalize(os.Getenv("LOGGER_ENV"))
+	sandbox.InitEnv()
+
 	flag.Parse()
 	if *ecosystem == "" {
 		flag.Usage()

cmd/worker/main.go

@@ -229,6 +229,7 @@ func main() {
 	resultsBucket := os.Getenv("OSSF_MALWARE_ANALYSIS_RESULTS")
 	imageTag := os.Getenv("OSSF_SANDBOX_IMAGE_TAG")
 	log.Initalize(os.Getenv("LOGGER_ENV"))
+	sandbox.InitEnv()
 
 	// Log the configuration of the worker at startup so we can observe it.
 	log.Info("Starting worker",

internal/analysis/analysis.go

@@ -102,7 +102,7 @@ func Run(sb sandbox.Sandbox, args []string) (*Result, error) {
 		"args", args)
 
 	log.Debug("Preparing packet capture")
-	pcap := packetcapture.New()
+	pcap := packetcapture.New(sandbox.NetworkInterface)
 
 	dns := dnsanalyzer.New()
 	pcap.RegisterReceiver(dns)
@@ -119,6 +119,7 @@ func Run(sb sandbox.Sandbox, args []string) (*Result, error) {
 		return resultError, fmt.Errorf("sandbox failed (%w)", err)
 	}
 
+	log.Debug("Stop the packet capture")
 	pcap.Close()
 
 	// Grab the log file

internal/packetcapture/packetcapture.go

@@ -2,11 +2,8 @@ package packetcapture
 
 import (
 	"github.com/google/gopacket"
-	"github.com/google/gopacket/pcap"
-)
-
-const (
-	captureDevice = "eth0"
+	"github.com/google/gopacket/layers"
+	"github.com/google/gopacket/pcapgo"
 )
 
 // PacketReceiver implementations can be registered with a PacketCapture to be
@@ -20,18 +17,22 @@ type PacketReceiver interface {
 type Handler func(gopacket.Layer, gopacket.Packet)
 
 type PacketCapture struct {
-	handle          *pcap.Handle
+	netInterface    string
+	handle          *pcapgo.EthernetHandle
 	done            chan bool
+	stop            chan bool
 	packetReceivers map[gopacket.LayerType][]PacketReceiver
 }
 
-// New returns a new Trace instance.
+// New returns a new PacketCapture instance for the given netInterface
 //
-// Close() must be called on the Trace instance.
-func New() *PacketCapture {
+// Close() must be called on the PacketCapture instance.
+func New(netInterface string) *PacketCapture {
 	return &PacketCapture{
+		netInterface:    netInterface,
 		handle:          nil,
 		done:            make(chan bool),
+		stop:            make(chan bool),
 		packetReceivers: make(map[gopacket.LayerType][]PacketReceiver),
 	}
 }
@@ -53,34 +54,38 @@ func (pc *PacketCapture) RegisterReceiver(receiver PacketReceiver) {
 }
 
 func (pc *PacketCapture) Start() error {
-	inactive, err := pcap.NewInactiveHandle(captureDevice)
-	if err != nil {
-		return err
-	}
-	defer inactive.CleanUp()
-
-	// Force packets to be sent immediately to ensure we don't miss any.
-	if err := inactive.SetImmediateMode(true); err != nil {
-		return err
-	}
-
-	handle, err := inactive.Activate()
+	// Use the pcapgo library for capturing traffic as it is the most reliable.
+	// afpacket is the fastest but segfaults: https://github.com/google/gopacket/issues/717
+	// pcap will block during Cancel(): https://github.com/google/gopacket/issues/890
+	handle, err := pcapgo.NewEthernetHandle(pc.netInterface)
 	if err != nil {
 		return err
 	}
 	pc.handle = handle
-	packetSource := gopacket.NewPacketSource(pc.handle, pc.handle.LinkType())
-	go func(packets chan gopacket.Packet, done chan bool) {
-		for packet := range packets {
-			pc.handlePacket(packet)
+	packetSource := gopacket.NewPacketSource(pc.handle, layers.LinkTypeEthernet)
+	go func(packets chan gopacket.Packet, done chan bool, stop chan bool) {
+		defer func() { done <- true }()
+		for {
+			select {
+			case packet, ok := <-packets:
+				if ok {
+					pc.handlePacket(packet)
+				} else {
+					return
+				}
+			case v, ok := <-stop:
+				if !ok || v {
+					return
+				}
+			}
 		}
-		done <- true
-	}(packetSource.Packets(), pc.done)
+	}(packetSource.Packets(), pc.done, pc.stop)
 	return nil
 }
 
 func (pc *PacketCapture) Close() {
 	if pc.handle != nil {
+		pc.stop <- true
 		pc.handle.Close()
 		// Wait for packet processing to be finished.
 		<-pc.done

internal/sandbox/init.go

@@ -0,0 +1,130 @@
+package sandbox
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+
+	"github.com/ossf/package-analysis/internal/log"
+)
+
+const (
+	ipBin           = "/usr/sbin/ip"
+	iptablesLoadBin = "/usr/sbin/iptables-restore"
+	iptablesRules   = "/usr/local/etc/iptables.rules"
+	dummyInterface  = "cnidummy0"
+
+	// bridgeInterface is the name of the podman bridge defined in
+	// tools/network/podman-analysis.conflist. This bridge is used by the
+	// sandbox during analysis to separate the sandbox traffic from the host.
+	bridgeInterface = "cni-analysis"
+)
+
+const (
+	// NetworkInterface is the name of a network interface that has access to
+	// the sandbox network traffic.
+	NetworkInterface = bridgeInterface
+)
+
+func loadIptablesRules() error {
+	log.Debug("Loading iptable rules")
+
+	// Open the iptables-restore configuration
+	f, err := os.Open(iptablesRules)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	logOut := log.Writer(log.InfoLevel)
+	defer logOut.Close()
+	logErr := log.Writer(log.WarnLevel)
+	defer logErr.Close()
+
+	cmd := exec.Command(iptablesLoadBin)
+	cmd.Stdout = logOut
+	cmd.Stderr = logErr
+	stdin, err := cmd.StdinPipe()
+	if err != nil {
+		return err
+	}
+	defer stdin.Close()
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	// Send the iptables rules to the command via stdin
+	if _, err := io.Copy(stdin, f); err != nil {
+		return err
+	}
+	stdin.Close()
+	return cmd.Wait()
+}
+
+// createBridgeNetwork ensures that NetworkInterface and the bridge network
+// exists prior to the sandbox.
+//
+// podman would create this bridge interface anyway, but doing it early allows
+// a packet capture to be started on the interface prior to the sandbox
+// starting.
+func createBridgeNetwork() error {
+	log.Debug("Creating bridge network")
+
+	// Create the bridge
+	cmd := exec.Command(ipBin, "link", "add", "name", bridgeInterface, "type", "bridge")
+	if err := cmd.Run(); err != nil {
+		// If the error is not an ExitError, or the Exit Code is not 2, then abort.
+		if exitErr, ok := err.(*exec.ExitError); !ok || exitErr.ExitCode() != 2 {
+			return fmt.Errorf("failed to add bridge interface: %w", err)
+		}
+	}
+
+	// Bring the bridge up.
+	cmd = exec.Command(ipBin, "link", "set", bridgeInterface, "up")
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to bring up bridge interface: %w", err)
+	}
+
+	// Add a dummy device so the bridge stays up
+	cmd = exec.Command(ipBin, "link", "add", "dev", dummyInterface, "type", "dummy")
+	if err := cmd.Run(); err != nil {
+		// If the error is not an ExitError, or the Exit Code is not 2, then abort.
+		if exitErr, ok := err.(*exec.ExitError); !ok || exitErr.ExitCode() != 2 {
+			return fmt.Errorf("failed to create dummy inteface: %w", err)
+		}
+	}
+
+	// Add the dummy device to the bridge network
+	cmd = exec.Command(ipBin, "link", "set", "dev", dummyInterface, "master", bridgeInterface)
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to add dummy interface to bridge: %w", err)
+	}
+
+	// Bring the dummy device up.
+	cmd = exec.Command(ipBin, "link", "set", dummyInterface, "up")
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed to bring up dummy interface: %w", err)
+	}
+
+	return nil
+}
+
+// InitEnv initializes the host for running sandboxes.
+//
+// It will ensure that the network interface exists, and any firewall
+// rules are configured.
+//
+// This function is idempotent and is safe to be called more than once.
+//
+// This function must be called after logging is complete, and may exit if
+// any of the commands fail.
+func InitEnv() {
+	// Create the bridge network
+	if err := createBridgeNetwork(); err != nil {
+		log.Fatal("Failed to create bridge network", "error", err)
+	}
+	// Load iptables rules to further isolate the sandbox
+	if err := loadIptablesRules(); err != nil {
+		log.Fatal("Failed restoring iptables rules", "error", err)
+	}
+}

internal/sandbox/sandbox.go

@@ -9,19 +9,22 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
-	"text/template"
 
 	"github.com/ossf/package-analysis/internal/log"
 )
 
 const (
-	podmanBin       = "podman"
-	runtimeBin      = "/usr/local/bin/runsc_compat.sh"
-	iptablesLoadBin = "/usr/sbin/iptables-restore"
-	iptablesRules   = "/usr/local/etc/iptables.rules"
-	rootDir         = "/var/run/runsc"
-	straceFile      = "runsc.log.boot"
-	logDirPattern   = "sandbox_logs_"
+	podmanBin     = "podman"
+	runtimeBin    = "/usr/local/bin/runsc_compat.sh"
+	rootDir       = "/var/run/runsc"
+	straceFile    = "runsc.log.boot"
+	logDirPattern = "sandbox_logs_"
+
+	// networkName is the name of the podman network defined in
+	// tools/network/podman-analysis.conflist. This network is the network
+	// used by the sandbox during analysis to separate the sandbox traffic
+	// from the host.
+	networkName = "analysis-net"
 )
 
 type RunStatus uint8
@@ -166,37 +169,6 @@ func removeAllLogs() error {
 	return nil
 }
 
-func loadIptablesRules() error {
-	// Get the subnet for the default podman network
-	subnet, err := podmanNetworkSubnet()
-	if err != nil {
-		return err
-	}
-	// Prepare the iptables-restore template
-	t := template.Must(template.ParseFiles(iptablesRules))
-
-	logOut := log.Writer(log.InfoLevel)
-	defer logOut.Close()
-	logErr := log.Writer(log.WarnLevel)
-	defer logErr.Close()
-
-	cmd := exec.Command(iptablesLoadBin)
-	cmd.Stdout = logOut
-	cmd.Stderr = logErr
-	stdin, err := cmd.StdinPipe()
-	if err != nil {
-		return err
-	}
-	defer stdin.Close()
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-	// Send the iptables rules to the command via stdin
-	t.Execute(stdin, struct{ Subnet string }{Subnet: subnet})
-	stdin.Close()
-	return cmd.Wait()
-}
-
 func podman(args ...string) *exec.Cmd {
 	args = append([]string{
 		"--cgroup-manager=cgroupfs",
@@ -219,20 +191,6 @@ func podmanCleanContainers() error {
 	return podmanRun("rm", "--all", "--force")
 }
 
-// podmanNetworkSubnet returns the IPv4 subnet of the default "podman" network.
-func podmanNetworkSubnet() (string, error) {
-	args := []string{
-		"network", "inspect", "podman", "-f", "{{range .plugins}}{{with .ipam.subnet}}{{.}}{{end}}{{end}}",
-	}
-	cmd := podman(args...)
-	var buf bytes.Buffer
-	cmd.Stdout = &buf
-	if err := cmd.Run(); err != nil {
-		return "", err
-	}
-	return string(bytes.TrimSpace(buf.Bytes())), nil
-}
-
 func (s *podmanSandbox) pullImage() error {
 	return podmanRun("pull", s.imageWithTag())
 }
@@ -245,6 +203,7 @@ func (s *podmanSandbox) createContainer() (string, error) {
 		"--dns=8.8.8.8",  // Manually specify DNS to bypass kube-dns and
 		"--dns=8.8.4.4",  // allow for tighter firewall rules that block
 		"--dns-search=.", // network traffic to private IP address ranges.
+		"--network=" + networkName,
 	}
 	args = append(args, s.extraArgs()...)
 	args = append(args, s.imageWithTag())
@@ -311,10 +270,6 @@ func (s *podmanSandbox) init() error {
 	if s.container != "" {
 		return nil
 	}
-	// Load iptables rules to further isolate the sandbox
-	if err := loadIptablesRules(); err != nil {
-		return fmt.Errorf("failed restoring iptables rules: %w", err)
-	}
 	// Delete existing logs (if any).
 	if err := removeAllLogs(); err != nil {
 		return fmt.Errorf("failed removing all logs: %w", err)