run presets test suite on bpflsm only

Signed-off-by: rksharma95 <[email protected]>

KubeArmor/BPF/anonmapexec.bpf.c

@@ -109,14 +109,14 @@ int BPF_PROG(enforce_mmap_file, struct file *file, unsigned long reqprot,
       event_data->args[2] = flags;
       event_data->event_id = ANON_MAP_EXEC;
       if (*present == BLOCK) {
-        event_data->retval = -13;
+        event_data->retval = -EPERM;
       } else {
         event_data->retval = 0;
       }
       bpf_ringbuf_submit(event_data, 0);
       // mapping not backed by any file with executable permission, denying mapping
       if (*present == BLOCK) {
-        return -13;
+        return -EPERM;
       } else {
         return 0;
       }

KubeArmor/BPF/filelessexec.bpf.c

@@ -17,51 +17,19 @@ const event *unused __attribute__((unused));
 struct preset_map fileless_exec_preset_containers SEC(".maps");
 
 #define MEMFD "memfd:"
+#define RUN_SHM "/run/shm/"
+#define DEV_SHM "/dev/shm/"
 
 static __always_inline int is_memfd(char *name) {
-  char memfd[] = MEMFD;
-  int i = 0;
-  while (i < sizeof(MEMFD) - 1 && name[i] != '\0' && name[i] == memfd[i]) {
-    i++;
-  }
-
-  if (i == sizeof(MEMFD) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(name, MEMFD, sizeof(MEMFD));
 }
 
-#define RUN_SHM "/run/shm/"
-
 static __always_inline int is_run_shm(char *name) {
-  char run_shm[] = RUN_SHM;
-  int i = 0;
-  while (i < sizeof(RUN_SHM) - 1 && name[i] != '\0' && name[i] == run_shm[i]) {
-    i++;
-  }
-
-  if (i == sizeof(RUN_SHM) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(name, RUN_SHM, sizeof(RUN_SHM));
 }
 
-#define DEV_SHM "/dev/shm/"
-
 static __always_inline int is_dev_shm(char *name) {
-  char dev_shm[] = DEV_SHM;
-  int i = 0;
-  while (i < sizeof(DEV_SHM) - 1 && name[i] != '\0' && name[i] == dev_shm[i]) {
-    i++;
-  }
-
-  if (i == sizeof(DEV_SHM) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(name, DEV_SHM, sizeof(DEV_SHM));
 }
 
 struct pathname {

KubeArmor/BPF/protectenv.bpf.c

@@ -21,36 +21,14 @@ struct {
 struct preset_map protectenv_preset_containers SEC(".maps");
 
 #define DIR_PROC "/proc/"
+#define FILE_ENVIRON "/environ"
 
 static __always_inline int isProcDir(char *path) {
-  char procDir[] = DIR_PROC;
-  int i = 0;
-  while (i < sizeof(DIR_PROC) - 1 && path[i] != '\0' && path[i] == procDir[i]) {
-    i++;
-  }
-
-  if (i == sizeof(DIR_PROC) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(path, DIR_PROC, sizeof(DIR_PROC));
 }
 
-#define FILE_ENVIRON "/environ"
-
 static __always_inline int isEnviron(char *path) {
-  char envFile[] = FILE_ENVIRON;
-  int i = 0;
-  while (i < sizeof(FILE_ENVIRON) - 1 && path[i] != '\0' &&
-         path[i] == envFile[i]) {
-    i++;
-  }
-
-  if (i == sizeof(FILE_ENVIRON) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(path, FILE_ENVIRON, sizeof(FILE_ENVIRON));
 }
 
 SEC("lsm/file_open")
@@ -101,7 +79,7 @@ int BPF_PROG(enforce_file, struct file *file) {
     task_info->pid_ns = okey.pid_ns;
     task_info->mnt_ns = okey.mnt_ns;
     bpf_ringbuf_submit(task_info, 0);
-    return -13;
+    return -EPERM;
   }
 
   return 0;

KubeArmor/BPF/shared.h

@@ -74,6 +74,18 @@ struct {
   __uint(max_entries, 3);
 } bufk SEC(".maps");
 
+// ============
+// match prefix
+// ============
+
+static __always_inline int string_prefix_match(const char *name, const char *prefix, size_t prefix_len) {
+    int i = 0;
+    while (i < prefix_len - 1 && name[i] != '\0' && name[i] == prefix[i]) {
+        i++;
+    }
+    return (i == prefix_len - 1) ? 1 : 0;
+}
+
 // ============
 // == preset ==
 // ============

KubeArmor/core/kubeArmor.go

@@ -318,7 +318,7 @@ func (dm *KubeArmorDaemon) InitPresets(logger *fd.Feeder, monitor *mon.SystemMon
 // ClosePresets Function
 func (dm *KubeArmorDaemon) ClosePresets() bool {
 	if err := dm.Presets.Destroy(); err != nil {
-		dm.Logger.Errf("Failed to destry preset (%s)", err.Error())
+		dm.Logger.Errf("Failed to destroy preset (%s)", err.Error())
 		return false
 	}
 	return true

KubeArmor/feeder/feeder.go

@@ -534,11 +534,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
 	   in case of enforcer = AppArmor only Default Posture logs will be converted to
 	   container/host log depending upon the defaultPostureLogs flag
 	*/
-	presetlog := false
-	if strings.Contains(log.Enforcer, "PRESET") {
-		kg.Printf("PRESET log 1: %+v\n", log)
-		presetlog = true
-	}
 
 	if (cfg.GlobalCfg.EnforcerAlerts && fd.Enforcer == "BPFLSM" && log.Enforcer == "eBPF Monitor") || (fd.Enforcer != "BPFLSM" && !cfg.GlobalCfg.DefaultPostureLogs) {
 		log = fd.UpdateMatchedPolicy(log)
@@ -567,10 +562,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
 		fd.Debug("Pushing Telemetry without source")
 	}
 
-	if presetlog {
-		kg.Printf("PRESET LOG 2: %+v\n", log)
-	}
-
 	// set hostname
 	log.HostName = cfg.GlobalCfg.Host
 
@@ -590,10 +581,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
 		fd.StrToFile(string(arr))
 	}
 
-	if strings.Contains(log.Enforcer, "PRESET") {
-		kg.Printf("PRESET_LOG: \n%+v\n", &log)
-	}
-
 	// gRPC output
 	if log.Type == "MatchedPolicy" || log.Type == "MatchedHostPolicy" || log.Type == "SystemEvent" {
 
@@ -695,10 +682,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
 		counter := 0
 		lenAlert := len(fd.EventStructs.AlertStructs)
 
-		if strings.Contains(log.Enforcer, "PRESET") {
-			kg.Printf("PRESET_ALERT: \n%s\n", &pbAlert)
-		}
-
 		for uid := range fd.EventStructs.AlertStructs {
 			select {
 			case fd.EventStructs.AlertStructs[uid].Broadcast <- &pbAlert:

KubeArmor/go.mod

@@ -65,7 +65,6 @@ require (
 	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect

KubeArmor/go.sum

@@ -1,5 +1,3 @@
-github.com/5GSEC/SentryFlow/protobuf v0.0.0-20240513071927-c6689c164ec8 h1:vOjDsj/1zs1O4V2UG2SINC7/maAx3WEQsE0bz5n0skI=
-github.com/5GSEC/SentryFlow/protobuf v0.0.0-20240513071927-c6689c164ec8/go.mod h1:cvmCAKkLBDXx6Rlk97XQQuAtcOhkM/wsWNbxGOC3yfE=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=

KubeArmor/presets/anonmapexec/preset.go

@@ -41,7 +41,7 @@ type ContainerVal struct {
 }
 
 type AnonMapExecPreset struct {
-	base.BasePreset
+	base.Preset
 
 	BPFContainerMap *ebpf.Map
 
@@ -91,10 +91,10 @@ func (p *AnonMapExecPreset) Name() string {
 	return NAME
 }
 
-func (p *AnonMapExecPreset) RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (base.BasePresetInterface, error) {
+func (p *AnonMapExecPreset) RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (base.PresetInterface, error) {
 
 	if logger.Enforcer != "BPFLSM" {
-		// it's based on actibe enforcer, it might possible that node support bpflsm but
+		// it's based on active enforcer, it might possible that node support bpflsm but
 		// current enforcer is not bpflsm
 		return nil, errors.New("AnonExecutionPreset not supported if bpflsm not supported")
 	}

KubeArmor/presets/base/basePreset.go

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2021 Authors of KubeArmor
 
+// Package base provides interface for presets
 package base
 
 import (
@@ -10,33 +11,43 @@ import (
 )
 
 const (
+	// PRESET_ENFORCER prefix for a preset
 	PRESET_ENFORCER string = "PRESET-"
 )
 
+// PresetType represents type of a preset
 type PresetType uint8
 
 const (
+	// FilelessExec preset type
 	FilelessExec PresetType = 1
-	AnonMapExec  PresetType = 2
+	// AnonMapExec preset type
+	AnonMapExec PresetType = 2
 )
 
+// PresetAction preset action
 type PresetAction uint32
 
 const (
+	// Audit action
 	Audit PresetAction = 1
+	// Block action
 	Block PresetAction = 2
 )
 
-type BasePreset struct {
+// Preset type
+type Preset struct {
 	Logger  *fd.Feeder
 	Monitor *mon.SystemMonitor
 }
 
+// InnerKey type
 type InnerKey struct {
 	Path   [256]byte
 	Source [256]byte
 }
 
+// EventPreset type
 type EventPreset struct {
 	Ts uint64
 
@@ -59,10 +70,11 @@ type EventPreset struct {
 	Data InnerKey
 }
 
-type BasePresetInterface interface {
+// PresetInterface interface
+type PresetInterface interface {
 	Name() string
 	// Init() error
-	RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (BasePresetInterface, error)
+	RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (PresetInterface, error)
 	RegisterContainer(containerID string, pidns, mntns uint32)
 	UnregisterContainer(containerID string)
 	UpdateSecurityPolicies(endPoint tp.EndPoint)