fix(virtualized): detect gVisor more reliably, and introduce a maybe present state (#34)

azenla · web-flow · commit 391573d088da · 2024-11-10T08:40:14.000-05:00
Inherently, detecting running under virtualization is hard on some virtualization runtimes.
This change attempts to improve that situation by detecting container runtime env vars,
and detecting gVisor using /proc/cmdline. Kata Containers cannot be reliably determined
using this version of Am I Isolated, but the fallback uptime check test might present
a maybe present result, to indicate that signs were detected.
diff --git a/src/cap.rs b/src/cap.rs
@@ -41,8 +41,10 @@ impl Test for CapTest {
         let mut result = CapResult { flags: 0 };
 
         if let Ok(stat) = read_file_as_tuples("/proc/self/status") {
-            if let Ok(flags) = u64::from_str_radix(stat["CapAmb"].as_str(), 16) {
-                result.flags |= flags;
+            if stat.contains_key("CapAmb") {
+                if let Ok(flags) = u64::from_str_radix(stat["CapAmb"].as_str(), 16) {
+                    result.flags |= flags;
+                }
             }
 
             if let Ok(flags) = u64::from_str_radix(stat["CapEff"].as_str(), 16) {
diff --git a/src/util.rs b/src/util.rs
@@ -1,7 +1,7 @@
-use std::collections::HashMap;
 use std::fs::read_to_string;
 use std::path::Path;
 use std::ptr::addr_of_mut;
+use std::{collections::HashMap, fs};
 
 use libc::uname;
 
@@ -68,3 +68,21 @@ pub fn kernel_release_info() -> (String, (u32, u32, u32)) {
 
     (release, (parts[0], parts[1], parts[2]))
 }
+
+pub fn kernel_cmdline() -> Vec<String> {
+    fs::read_to_string("/proc/cmdline")
+        .ok()
+        .unwrap_or_default()
+        .split(" ")
+        .map(|part| part.to_string())
+        .collect()
+}
+
+pub fn is_running_gvisor() -> bool {
+    let cmdline = kernel_cmdline();
+    if let Some(first) = cmdline.first() {
+        first.starts_with("BOOT_IMAGE=/vmlinuz-") && first.ends_with("-gvisor")
+    } else {
+        false
+    }
+}
diff --git a/src/virtualized.rs b/src/virtualized.rs
@@ -1,13 +1,80 @@
+/// Container Virtualization Test
+///
+/// It is very difficult to detect from within a container whether we are running
+/// under virtualization. Am I Isolated relies on heuristics to detect virtualization.
+/// This is an incremental process, we expect this test to sometimes fail, particularly
+/// in systems like Kata Containers which have no easy way to detect.
+///
+/// There is a simple fallback mechanism that can give a "maybe" result (represented as a failure.)
+/// We read /proc/uptime to attempt to get the system uptime. If the uptime is less than 60 seconds,
+/// we assume that the container might be running under virtualization. This makes the assumption
+/// that container lifetime is closely related to VM lifetime. In some VM systems, this might not
+/// be true. In microVMs, like Edera Protect or firecracker, this should be true if the container
+/// is running inside a single Linux kernel boot.
 use anyhow::Result;
 
-use crate::{util::read_file_as_space_separated_lines, Test, TestCategory, TestResult};
+use crate::{
+    util::{is_running_gvisor, read_file_as_space_separated_lines},
+    Test, TestCategory, TestResult,
+};
 
-pub struct VirtualizedTest {}
+const KNOWN_VIRT_RUNTIMES: &[&'static str] = &["edera"];
+
+#[derive(Default, Debug, PartialEq, Eq)]
+pub enum VirtualizationEnabled {
+    DefinitelyPresent(String),
+    MaybePresent,
+    #[default]
+    NotPresent,
+}
 
 #[derive(Default)]
 pub struct VirtualizedResult {
-    pub visible: bool,
-    pub uptime: u64,
+    pub enabled: VirtualizationEnabled,
+}
+
+pub struct VirtualizedTest;
+
+impl VirtualizedTest {
+    pub fn check_definite_runtime_env(&self) -> Option<String> {
+        let container_runtime = std::env::var("container").unwrap_or_default();
+        KNOWN_VIRT_RUNTIMES
+            .iter()
+            .find(|runtime| **runtime == container_runtime.as_str())
+            .map(|runtime| runtime.to_string())
+    }
+
+    pub fn check_definite_gvisor(&self) -> Option<String> {
+        if is_running_gvisor() {
+            Some("gvisor".to_string())
+        } else {
+            None
+        }
+    }
+
+    pub fn check_maybe_present(&self) -> bool {
+        let Ok(lines) = read_file_as_space_separated_lines("/proc/uptime") else {
+            return false;
+        };
+
+        if lines.is_empty() {
+            return false;
+        }
+
+        let line = &lines[0];
+        if line.len() != 2 {
+            return false;
+        }
+
+        let Ok(uptime) = line[0].parse::<f64>() else {
+            return false;
+        };
+
+        if uptime < 60.0 {
+            return true;
+        }
+        false
+    }
 }
 
 impl Test for VirtualizedTest {
@@ -16,22 +83,18 @@ impl Test for VirtualizedTest {
     }
 
     fn run(&self) -> Result<Box<dyn TestResult>, ()> {
-        let mut result = VirtualizedResult {
-            visible: false,
-            uptime: 0,
+        let enabled = if let Some(definite_runtime) = self
+            .check_definite_runtime_env()
+            .or(self.check_definite_gvisor())
+        {
+            VirtualizationEnabled::DefinitelyPresent(definite_runtime)
+        } else if self.check_maybe_present() {
+            VirtualizationEnabled::MaybePresent
+        } else {
+            VirtualizationEnabled::NotPresent
         };
-        if let Ok(lines) = read_file_as_space_separated_lines("/proc/uptime") {
-            if !lines.is_empty() {
-                let line = &lines[0];
-                if line.len() == 2 {
-                    if let Ok(uptime) = line[0].parse::<f64>() {
-                        result.visible = true;
-                        result.uptime = uptime as u64;
-                    }
-                }
-            }
-        }
-        Ok(Box::new(result))
+
+        Ok(Box::new(VirtualizedResult { enabled }))
     }
 
     fn category(&self) -> crate::TestCategory {
@@ -41,29 +104,22 @@ impl Test for VirtualizedTest {
 
 impl TestResult for VirtualizedResult {
     fn success(&self) -> bool {
-        !self.visible || self.uptime <= 10
+        matches!(self.enabled, VirtualizationEnabled::DefinitelyPresent(_))
     }
 
     fn explain(&self) -> String {
-        if self.success() {
-            return "separate kernel used for each container".to_string();
+        match &self.enabled {
+            VirtualizationEnabled::DefinitelyPresent(runtime) => format!("virtualization runtime '{}' found", runtime),
+            VirtualizationEnabled::MaybePresent => "signs of virtualization detected, but couldn't definitively determine a virtualization method".to_string(),
+            VirtualizationEnabled::NotPresent => "virtualization not detected".to_string(),
         }
-        "without virtualization, the kernel state is shared, opening escape attacks".to_string()
     }
 
     fn fault_code(&self) -> String {
         "AII2280".to_string()
     }
 
     fn as_string(&self) -> String {
-        if !self.visible {
-            return "result not reliable".to_string();
-        }
-
-        if self.uptime <= 10 {
-            return "virtualization in use".to_string();
-        }
-
-        "virtualization not in use".to_string()
+        self.explain()
     }
 }
