Merge pull request #444 from step-security/cherry/armour

Add Armour

Author: varunsh-coder

.github/workflows/int.yml

@@ -7,7 +7,8 @@ on:
       - int
 
 permissions: read-all
-
+env:
+  GOPRIVATE: github.com/step-security
 jobs:
   integration-test:
     permissions:
@@ -22,7 +23,19 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
         with:
-          go-version: 1.19
+          go-version: 1.24.1
+          
+      - name: Configure .netrc
+        run: |
+          if [[ ! -e "~/.netrc" ]]; then
+              touch ~/.netrc
+          fi
+          printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc
+      
+      - name: Create go vendor dir
+        run: |
+          go mod vendor
+
       - run: sudo go test -v
       - run: go build -ldflags="-s -w" -o ./agent
       - name: Configure aws credentials

.github/workflows/release.yml

@@ -6,12 +6,13 @@ on:
       - '*'
 
 permissions: read-all
-
+env:
+  GOPRIVATE: github.com/step-security
 jobs:
   release:
     permissions:
       contents: write
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
       with:
@@ -28,7 +29,21 @@ jobs:
     - name: Set up Go 
       uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
       with:
-        go-version: 1.19    
+        go-version: 1.24.1
+    
+    - name: Configure .netrc
+      run: |
+        if [[ ! -e "~/.netrc" ]]; then
+            touch ~/.netrc
+        fi
+        printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc
+
+      
+    - name: Create go vendor dir
+      run: |
+        go mod vendor
+             
+    
     - uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2
       with:
         distribution: goreleaser

.github/workflows/test.yml

@@ -7,6 +7,9 @@ on:
 
 permissions: read-all    
 
+env:
+  GOPRIVATE: github.com/step-security
+
 jobs:
   test:
     permissions:
@@ -18,7 +21,19 @@ jobs:
     - name: Set up Go 
       uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
       with:
-        go-version: 1.19
+        go-version: 1.24.1
+
+    - name: Configure .netrc
+      run: |
+        if [[ ! -e "~/.netrc" ]]; then
+            touch ~/.netrc
+        fi
+        printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc
+    
+    - name: Create go vendor dir
+      run: |
+        go mod vendor
+
     - name: Run coverage
       run: sudo CI=true go test -race -coverprofile=coverage.txt -covermode=atomic      
     - uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865

.gitignore

@@ -16,4 +16,7 @@
 pkg/.DS_Store
 coverage.txt
 
-.vscode/
+.vscode/
+
+vendor
+private-src

agent.go

@@ -9,6 +9,8 @@ import (
 	"time"
 
 	"github.com/florianl/go-nflog/v2"
+	"github.com/step-security/agent/lockfile"
+	"github.com/step-security/armour/armour"
 )
 
 const (
@@ -75,12 +77,25 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 	WriteLog(fmt.Sprintf("%s %s", StepSecurityLogCorrelationPrefix, config.CorrelationId))
 	WriteLog("\n")
 
+	InitGlobalFeatureFlags(config.APIURL, apiclient)
+	WriteLog("initialized global feature flags")
+	WriteLog("\n")
+	if IsArmourEnabled() {
+		lf := lockfile.New(agentLockFile)
+		if err := lf.TryLock(); err != nil {
+			WriteLog("[agent] instance is already running")
+			os.Exit(0)
+		}
+		defer lf.MustUnlock()
+	}
+
 	// if this is a private repo
 	if config.Private {
 		isActive := apiclient.getSubscriptionStatus(config.Repo)
 		if !isActive {
 			config.EgressPolicy = EgressPolicyAudit
 			config.DisableSudo = false
+			config.DisableSudoAndContainers = false
 			apiclient.DisableTelemetry = true
 			config.DisableFileMonitoring = true
 			WriteAnnotation("StepSecurity Harden Runner is disabled. A subscription is required for private repositories. Please start a free trial at https://www.stepsecurity.io")
@@ -119,6 +134,10 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 	sudo := Sudo{}
 	var ipAddressEndpoints []ipAddressEndpoint
 
+	if config.DisableSudoAndContainers {
+		go sudo.uninstallDocker()
+	}
+
 	// hydrate dns cache
 	if config.EgressPolicy == EgressPolicyBlock {
 		for domainName, endpoints := range allowedEndpoints {
@@ -204,6 +223,44 @@ func Run(ctx context.Context, configFilePath string, hostDNSServer DNSServer,
 		go refreshDNSEntries(ctx, iptables, allowedEndpoints, &dnsProxy)
 	}
 
+	if IsArmourEnabled() {
+		WriteLog("Armour is enabled")
+		conf := &armour.Config{
+			Pids:             getPidsOfInterest(),
+			Files:            []string{},
+			EnforceReadBlock: false,
+			ApiConf: &armour.ApiConf{
+				APIURL:           config.APIURL,
+				Repo:             config.Repo,
+				CorrelationID:    config.CorrelationId,
+				OneTimeKey:       config.OneTimeKey,
+				DisableTelemetry: config.DisableTelemetry,
+			},
+		}
+
+		conf.Files = append(conf.Files, getProcFilesOfInterest()...)
+
+		conf.Files = append(conf.Files, getFilesOfInterest()...)
+
+		mArmour := armour.NewArmour(ctx, conf)
+		err := mArmour.Attach()
+		if err != nil {
+			WriteLog("Armour attachment failed")
+		} else {
+			defer mArmour.Detach()
+			WriteLog("Armour attached")
+		}
+	}
+
+	if config.DisableSudoAndContainers {
+		err := sudo.disableSudoAndContainers(tempDir)
+		if err != nil {
+			WriteLog(fmt.Sprintf("%s Unable to disable sudo and docker %v", StepSecurityAnnotationPrefix, err))
+		} else {
+			WriteLog("disabled sudo and docker")
+		}
+	}
+
 	if config.DisableSudo {
 		err := sudo.disableSudo(tempDir)
 		if err != nil {

apiclient.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"time"
 )
@@ -104,6 +105,36 @@ func (apiclient *ApiClient) getSubscriptionStatus(repo string) bool {
 	return true
 }
 
+func (apiclient *ApiClient) getGlobalFeatureFlags() GlobalFeatureFlags {
+
+	url := fmt.Sprintf("%s/global-feature-flags?agent_type=%s", apiclient.APIURL, AgentTypeGitHubHosted)
+
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+
+	if err != nil {
+		return GlobalFeatureFlags{}
+	}
+
+	resp, err := apiclient.Client.Do(req)
+
+	if err != nil {
+		return GlobalFeatureFlags{}
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return GlobalFeatureFlags{}
+	}
+
+	var globalFeatureFlags GlobalFeatureFlags
+	err = json.Unmarshal(body, &globalFeatureFlags)
+	if err != nil {
+		return GlobalFeatureFlags{}
+	}
+
+	return globalFeatureFlags
+}
+
 func (apiclient *ApiClient) sendApiRequest(method, url string, body interface{}) error {
 
 	jsonData, _ := json.Marshal(body)

common.go

@@ -0,0 +1,102 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+)
+
+const (
+	agentLockFile = "agent.lock"
+)
+
+func getPidsOfInterest() []uint32 {
+	out := []uint32{}
+
+	// our process
+	out = append(out, uint32(os.Getpid()))
+
+	// systemd-resolved
+	systemdResolvePid, _ := pidOf("systemd-resolved")
+
+	out = append(out, uint32(systemdResolvePid))
+
+	return out
+}
+
+func getFilesOfInterest() []string {
+	out := []string{}
+
+	// sudoers file
+	out = append(out, "/etc/sudoers.d/runner")
+
+	// resolved.conf
+	out = append(out, "/etc/resolv.conf")
+
+	// /etc/systemd/resolved.conf
+	out = append(out, "/etc/systemd/resolved.conf")
+
+	// /etc/docker/daemon.json
+	out = append(out, "/etc/docker/daemon.json")
+
+	return out
+}
+
+func getProcFilesOfInterest() []string {
+	out := []string{}
+
+	// our memory files
+	out = append(out, getProcMemFiles(uint64(os.Getpid()))...)
+
+	// runner worker memory files
+	runnerWorker, _ := pidOf("Runner.Worker")
+	out = append(out, getProcMemFiles(runnerWorker)...)
+
+	// runner listener memory files
+	runnerListener, _ := pidOf("Runner.Listener")
+	out = append(out, getProcMemFiles(runnerListener)...)
+
+	return out
+}
+
+func pidOf(procName string) (uint64, error) {
+
+	cmd := exec.Command("pidof", procName)
+
+	out, err := cmd.Output()
+	if err != nil {
+		return 0, err
+	}
+
+	if len(out) == 0 {
+		return 0, fmt.Errorf("no process exists")
+	}
+
+	parts := strings.Fields(string(out))
+
+	num, err := strconv.Atoi(parts[0])
+	if err != nil {
+		return 0, err
+	}
+
+	return uint64(num), nil
+
+}
+
+func getProcMemFiles(pid uint64) []string {
+
+	out := []string{}
+
+	if pid == 0 {
+		return out
+	}
+
+	out = []string{
+		fmt.Sprintf("/proc/%d/maps", pid),
+		fmt.Sprintf("/proc/%d/mem", pid),
+	}
+
+	return out
+}