Remove restricted sessions (gravitational#36814)

* Remove restricted sessions

* Remove missing reference to restricted session

* Update CHANGELOG.md to remove outdated SSH feature

The commit removes the reference to the deprecated and removed SSH restricted sessions feature from the CHANGELOG.md file. The restricted session feature had been phased out since Teleport 14, and this update reflects its removal in Teleport 15.

* Rephrase the changelog note that it's recommends the implementation of network restrictions outside of Teleport like iptables and security groups.

CHANGELOG.md

@@ -72,6 +72,12 @@ by `insecure-drop`, which still creates temporary users but does not create a
 home directory. Users who need home directory creation should either wrap `useradd`/`userdel`
 or use PAM.
 
+#### Remove restricted sessions for SSH
+
+The restricted session feature for SSH has been deprecated since Teleport 14 and 
+has been removed in Teleport 15. We recommend implementing network restrictions 
+outside of Teleport (iptables, security groups, etc).
+
 #### Packages no longer published to legacy Debian and RPM repos
 
 `deb.releases.teleport.dev` and `rpm.releases.teleport.dev` were deprecated in

Makefile

@@ -321,27 +321,16 @@ ifeq ("$(with_bpf)","yes")
 $(ER_BPF_BUILDDIR):
 	mkdir -p $(ER_BPF_BUILDDIR)
 
-$(RS_BPF_BUILDDIR):
-	mkdir -p $(RS_BPF_BUILDDIR)
-
 # Build BPF code
 $(ER_BPF_BUILDDIR)/%.bpf.o: bpf/enhancedrecording/%.bpf.c $(wildcard bpf/*.h) | $(ER_BPF_BUILDDIR)
 	$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(KERNEL_ARCH) -I/usr/libbpf-${LIBBPF_VER}/include $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) -c $(filter %.c,$^) -o $@
 	$(LLVM_STRIP) -g $@ # strip useless DWARF info
 
-# Build BPF code
-$(RS_BPF_BUILDDIR)/%.bpf.o: bpf/restrictedsession/%.bpf.c $(wildcard bpf/*.h) | $(RS_BPF_BUILDDIR)
-	$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(KERNEL_ARCH) -I/usr/libbpf-${LIBBPF_VER}/include $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) -c $(filter %.c,$^) -o $@
-	$(LLVM_STRIP) -g $@ # strip useless DWARF info
-
-.PHONY: bpf-rs-bytecode
-bpf-rs-bytecode: $(RS_BPF_BUILDDIR)/restricted.bpf.o
-
 .PHONY: bpf-er-bytecode
 bpf-er-bytecode: $(ER_BPF_BUILDDIR)/command.bpf.o $(ER_BPF_BUILDDIR)/disk.bpf.o $(ER_BPF_BUILDDIR)/network.bpf.o $(ER_BPF_BUILDDIR)/counter_test.bpf.o
 
 .PHONY: bpf-bytecode
-bpf-bytecode: bpf-er-bytecode bpf-rs-bytecode
+bpf-bytecode: bpf-er-bytecode
 
 # Generate vmlinux.h based on the installed kernel
 .PHONY: update-vmlinux-h
@@ -410,9 +399,6 @@ clean-build:
 # Check if the variable is set to prevent calling remove on the root directory.
 ifneq ($(ER_BPF_BUILDDIR),)
 	rm -f $(ER_BPF_BUILDDIR)/*.o
-endif
-ifneq ($(RS_BPF_BUILDDIR),)
-	rm -f $(RS_BPF_BUILDDIR)/*.o
 endif
 	-cargo clean
 	-go clean -cache

common.mk

@@ -28,7 +28,6 @@ LLVM_STRIP ?= $(shell which llvm-strip || which llvm-strip-12)
 KERNEL_ARCH := $(shell uname -m | sed 's/x86_64/x86/g; s/aarch64/arm64/g')
 INCLUDES :=
 ER_BPF_BUILDDIR := lib/bpf/bytecode
-RS_BPF_BUILDDIR := lib/restrictedsession/bytecode
 
 # Get Clang's default includes on this system. We'll explicitly add these dirs
 # to the includes list when compiling with `-target bpf` because otherwise some

constants.go

@@ -240,9 +240,6 @@ const (
 	// ComponentBPF is the eBPF packagae.
 	ComponentBPF = "bpf"
 
-	// ComponentRestrictedSession is restriction of user access to kernel objects
-	ComponentRestrictedSession = "restrictedsess"
-
 	// ComponentCgroup is the cgroup package.
 	ComponentCgroup = "cgroups"
 

fuzz/oss-fuzz-build.sh

@@ -26,9 +26,6 @@ build_teleport_fuzzers() {
   compile_native_go_fuzzer $TELEPORT_PREFIX/lib/srv/desktop/tdp \
     FuzzDecode fuzz_decode
 
-  compile_native_go_fuzzer $TELEPORT_PREFIX/lib/restrictedsession \
-    FuzzParseIPSpec fuzz_parse_ip_spec
-
   compile_native_go_fuzzer $TELEPORT_PREFIX/lib/services \
     FuzzParseRefs fuzz_parse_refs
 

integration/utmp_integration_test.go

@@ -42,7 +42,6 @@ import (
 	"github.com/gravitational/teleport/lib/auth/testauthority"
 	"github.com/gravitational/teleport/lib/authz"
 	"github.com/gravitational/teleport/lib/bpf"
-	restricted "github.com/gravitational/teleport/lib/restrictedsession"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/srv"
@@ -336,7 +335,6 @@ func newSrvCtx(ctx context.Context, t *testing.T) *SrvCtx {
 			}, nil,
 		),
 		regular.SetBPF(&bpf.NOP{}),
-		regular.SetRestrictedSessionManager(&restricted.NOP{}),
 		regular.SetClock(s.clock),
 		regular.SetUserAccountingPaths(utmpPath, wtmpPath, btmpPath),
 		regular.SetLockWatcher(lockWatcher),

lib/bpf/bpf.go

@@ -117,15 +117,11 @@ type Service struct {
 }
 
 // New creates a BPF service.
-func New(config *servicecfg.BPFConfig, restrictedSession *servicecfg.RestrictedSessionConfig) (BPF, error) {
+func New(config *servicecfg.BPFConfig) (BPF, error) {
 	if err := config.CheckAndSetDefaults(); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	if err := restrictedSession.CheckAndSetDefaults(); err != nil {
-		return nil, trace.Wrap(err)
-	}
-
 	// If BPF-based auditing is not enabled, don't configure anything return
 	// right away.
 	if !config.Enabled {
@@ -185,10 +181,8 @@ func New(config *servicecfg.BPFConfig, restrictedSession *servicecfg.RestrictedS
 	}
 
 	log.Debugf("Started enhanced session recording with buffer sizes (command=%v, "+
-		"disk=%v, network=%v), restricted session (bufferSize=%v) "+
-		"and cgroup mount path: %v. Took %v.",
+		"disk=%v, network=%v) and cgroup mount path: %v. Took %v.",
 		*s.CommandBufferSize, *s.DiskBufferSize, *s.NetworkBufferSize,
-		*restrictedSession.EventsBufferSize,
 		s.CgroupPath, time.Since(start))
 
 	go s.processNetworkEvents()
@@ -590,7 +584,7 @@ func (s *Service) emit6NetworkEvent(eventBytes []byte) {
 func ipv4HostToIP(addr uint32) net.IP {
 	val := make([]byte, 4)
 	binary.LittleEndian.PutUint32(val, addr)
-	return net.IP(val)
+	return val
 }
 
 func ipv6HostToIP(addr [4]uint32) net.IP {
@@ -599,7 +593,7 @@ func ipv6HostToIP(addr [4]uint32) net.IP {
 	binary.LittleEndian.PutUint32(val[4:], addr[1])
 	binary.LittleEndian.PutUint32(val[8:], addr[2])
 	binary.LittleEndian.PutUint32(val[12:], addr[3])
-	return net.IP(val)
+	return val
 }
 
 // unmarshalEvent will unmarshal the perf event.

lib/bpf/bpf_nop.go

@@ -30,7 +30,7 @@ type Service struct {
 }
 
 // New returns a new NOP service. Note this function does nothing.
-func New(_ *servicecfg.BPFConfig, _ *servicecfg.RestrictedSessionConfig) (BPF, error) {
+func New(_ *servicecfg.BPFConfig) (BPF, error) {
 	return &NOP{}, nil
 }
 

lib/bpf/bpf_test.go

@@ -154,7 +154,7 @@ func TestRootWatch(t *testing.T) {
 	service, err := New(&servicecfg.BPFConfig{
 		Enabled:    true,
 		CgroupPath: cgroupPath,
-	}, &servicecfg.RestrictedSessionConfig{})
+	})
 	require.NoError(t, err)
 
 	t.Cleanup(func() {

lib/config/configuration.go

@@ -1458,14 +1458,7 @@ func applySSHConfig(fc *FileConfig, cfg *servicecfg.Config) (err error) {
 		cfg.SSH.BPF = fc.SSH.BPF.Parse()
 	}
 	if fc.SSH.RestrictedSession != nil {
-		rs, err := fc.SSH.RestrictedSession.Parse()
-		if err != nil {
-			return trace.Wrap(err)
-		}
-		cfg.SSH.RestrictedSession = rs
-
-		log.Warnf("Restricted Sessions for SSH were deprecated in Teleport 14 " +
-			"and will be removed in Teleport 15.")
+		log.Error("Restricted Sessions for SSH were removed in Teleport 15.")
 	}
 
 	cfg.SSH.AllowTCPForwarding = fc.SSH.AllowTCPForwarding()

lib/config/fileconf.go

@@ -1524,19 +1524,6 @@ type RestrictedSession struct {
 	EventsBufferSize *int `yaml:"events_buffer_size,omitempty"`
 }
 
-// Parse will parse the enhanced session recording configuration.
-func (r *RestrictedSession) Parse() (*servicecfg.RestrictedSessionConfig, error) {
-	enabled, err := apiutils.ParseBool(r.Enabled)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	return &servicecfg.RestrictedSessionConfig{
-		Enabled:          enabled,
-		EventsBufferSize: r.EventsBufferSize,
-	}, nil
-}
-
 // X11 is a configuration for X11 forwarding
 type X11 struct {
 	// Enabled controls whether X11 forwarding requests can be granted by the server.