fix(Attestation): Fix attestation from rootless pods

Signed-off-by: Vishnu Soman <[email protected]>

pkg/agent/endpoints/peertracker.go

@@ -31,7 +31,7 @@ func (a PeerTrackerAttestor) Attest(ctx context.Context) ([]*common.Selector, er
 
 	// Ensure that the original caller is still alive so that we know we didn't
 	// attest some other process that happened to be assigned the original PID
-	if err := watcher.IsAlive(); err != nil {
+	if err := watcher.IsAlive(meta); err != nil {
 		return nil, status.Errorf(codes.Unauthenticated, "could not verify existence of the original caller: %v", err)
 	}
 

pkg/agent/endpoints/peertracker_test.go

@@ -56,7 +56,7 @@ type FakeWatcher bool
 
 func (w FakeWatcher) Close() {}
 
-func (w FakeWatcher) IsAlive() error {
+func (w FakeWatcher) IsAlive(meta map[string]string) error {
 	if !w {
 		return errors.New("dead")
 	}

pkg/agent/endpoints/sdsv2/handler_test.go

@@ -642,6 +642,6 @@ type FakeWatcher struct{}
 
 func (w FakeWatcher) Close() {}
 
-func (w FakeWatcher) IsAlive() error { return nil }
+func (w FakeWatcher) IsAlive(meta map[string]string) error { return nil }
 
 func (w FakeWatcher) PID() int32 { return 123 }

pkg/agent/endpoints/sdsv3/handler_test.go

@@ -1407,7 +1407,7 @@ type FakeWatcher struct{}
 
 func (w FakeWatcher) Close() {}
 
-func (w FakeWatcher) IsAlive() error { return nil }
+func (w FakeWatcher) IsAlive(meta map[string]string) error { return nil }
 
 func (w FakeWatcher) PID() int32 { return 123 }
 

pkg/common/peertracker/peertracker.go

@@ -28,7 +28,7 @@ type PeerTracker interface {
 
 type Watcher interface {
 	Close()
-	IsAlive() error
+	IsAlive(meta map[string]string) error
 	PID() int32
 }
 

pkg/common/peertracker/peertracker_test.go

@@ -104,12 +104,12 @@ func TestExitDetection(t *testing.T) {
 	require.True(t, ok)
 
 	// We're connected to ourselves - we should be alive!
-	require.NoError(t, conn.Info.Watcher.IsAlive())
+	require.NoError(t, conn.Info.Watcher.IsAlive(make(map[string]string)))
 
 	// Should return an error once we're no longer tracking
 	peer.disconnect()
 	conn.Close()
-	require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller is no longer being watched")
+	require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller is no longer being watched")
 
 	// Start a forking child and allow it to exit while the grandchild holds the socket
 	peer.connectFromForkingChild(t, test.addr, test.childPath, doneCh)
@@ -132,7 +132,7 @@ func TestExitDetection(t *testing.T) {
 	// Call to IsAlive should now return an error
 	switch runtime.GOOS {
 	case "darwin":
-		require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller exit detected via kevent notification")
+		require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller exit detected via kevent notification")
 		require.Len(t, test.logHook.Entries, 2)
 		firstEntry := test.logHook.Entries[0]
 		require.Equal(t, logrus.WarnLevel, firstEntry.Level)
@@ -141,7 +141,7 @@ func TestExitDetection(t *testing.T) {
 		require.Equal(t, logrus.WarnLevel, secondEntry.Level)
 		require.Equal(t, "Caller exit detected via kevent notification", secondEntry.Message)
 	case "linux":
-		require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller exit suspected due to failed readdirent")
+		require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller exit suspected due to failed readdirent")
 		require.Len(t, test.logHook.Entries, 2)
 		firstEntry := test.logHook.Entries[0]
 		require.Equal(t, logrus.WarnLevel, firstEntry.Level)
@@ -151,7 +151,7 @@ func TestExitDetection(t *testing.T) {
 		require.Equal(t, "Caller exit suspected due to failed readdirent", secondEntry.Message)
 		require.Equal(t, syscall.ENOENT, secondEntry.Data["error"])
 	case "windows":
-		require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller exit detected: exit code: 0")
+		require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller exit detected: exit code: 0")
 		require.Len(t, test.logHook.Entries, 2)
 		firstEntry := test.logHook.Entries[0]
 		require.Equal(t, logrus.WarnLevel, firstEntry.Level)
@@ -177,7 +177,7 @@ func TestExitDetection(t *testing.T) {
 	// the tracker has been closed
 	test.listener.Close()
 	test.listener = nil
-	require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller is no longer being watched")
+	require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller is no longer being watched")
 }
 
 func newFakePeer(t *testing.T) *fakePeer {

pkg/common/peertracker/tracker_linux.go

@@ -99,7 +99,8 @@ func (l *linuxWatcher) Close() {
 	l.procfd = -1
 }
 
-func (l *linuxWatcher) IsAlive() error {
+func (l *linuxWatcher) IsAlive(meta map[string]string) error {
+	l.meta = meta
 	l.mtx.Lock()
 	defer l.mtx.Unlock()
 
@@ -152,14 +153,14 @@ func (l *linuxWatcher) IsAlive() error {
 		l.log.WithError(err).Warn("Caller exit suspected due to failed proc stat")
 		return errors.New("caller exit suspected due to failed proc stat")
 	}
-	if stat.Uid != l.uid {
+	if stat.Uid != l.uid && meta == nil {
 		l.log.WithFields(logrus.Fields{
 			telemetry.ExpectUID:   l.uid,
 			telemetry.ReceivedUID: stat.Uid,
 		}).Warn("New process detected: process uid does not match original caller")
 		return fmt.Errorf("new process detected: process uid %v does not match original caller %v", stat.Uid, l.uid)
 	}
-	if stat.Gid != l.gid {
+	if stat.Gid != l.gid && meta == nil {
 		l.log.WithFields(logrus.Fields{
 			telemetry.ExpectGID:   l.gid,
 			telemetry.ReceivedGID: stat.Gid,

pkg/server/api/middleware/audit.go

@@ -74,7 +74,7 @@ func fieldsFromTracker(ctx context.Context) (logrus.Fields, error) {
 		fields[telemetry.CallerPath] = addr
 	}
 
-	if err := watcher.IsAlive(); err != nil {
+	if err := watcher.IsAlive(make(map[string]string)); err != nil {
 		return nil, status.Errorf(codes.Internal, "peertracker fails: %v", err)
 	}
 	return fields, nil