
Commit 2d96753

Revert "Enabling BPFLSM based KSP protection on Kubearmor itself"
1 parent 2cfc2e2 commit 2d96753

17 files changed

+36
-70
lines changed

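--- a/KubeArmor/BPF/enforcer.bpf.c
+++ b/KubeArmor/BPF/enforcer.bpf.c
@@ -75,10 +75,7 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
 if (src_offset == NULL)
 fromSourceCheck = false;
 
-void *src_ptr;
-if (src_buf->buf[*src_offset]) {
-src_ptr = &src_buf->buf[*src_offset];
-}
+void *src_ptr = &src_buf->buf[*src_offset];
 if (src_ptr == NULL)
 fromSourceCheck = false;
 
@@ -155,9 +152,10 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
 goto decision;
 }
 
+
 // match exec name
 struct qstr d_name;
-d_name = BPF_CORE_READ(f_path.dentry, d_name);
+d_name = BPF_CORE_READ(f_path.dentry,d_name);
 bpf_map_update_elem(&bufk, &two, z, BPF_ANY);
 bpf_probe_read_str(pk->path, MAX_STRING_SIZE, d_name.name);
 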
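Review bot: The `if (src_ptr == NULL)` test following the new `void *src_ptr = &src_buf->buf[*src_offset];` can never be true, because the address of an element inside `src_buf` is non-null by construction, so the second `fromSourceCheck = false;` is dead code and the earlier `src_offset == NULL` check is the only guard that remains. That earlier check only clears the flag; `*src_offset` is still dereferenced on the next line in both branches, so if the lookup can really return NULL the read happens before the flag is consulted (whether the compiler and verifier tolerate this is not visible here). I would drop the dead check and replace it with a comment, `/* src_offset non-NULL is only enforced through fromSourceCheck; the deref below assumes it */`, or make the dereference conditional on the flag. The same pattern is re-introduced in the match_and_enforce_path_hooks hunk of KubeArmor/BPF/shared.h (`void *ptr = &src_buf->buf[*src_offset];`). enforce_proc starts and ends outside this hunk.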
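--- a/KubeArmor/BPF/shared.h
+++ b/KubeArmor/BPF/shared.h
@@ -272,9 +272,6 @@ static inline void get_outer_key(struct outer_key *pokey,
 struct task_struct *t) {
 pokey->pid_ns = get_task_pid_ns_id(t);
 pokey->mnt_ns = get_task_mnt_ns_id(t);
-// TODO: Use cgroup ns as well for host process identification to support enforcement on deployments using hostpidns
-// u32 cg_ns = BPF_CORE_READ(t, nsproxy, cgroup_ns, ns).inum;
-// if (pokey->pid_ns == PROC_PID_INIT_INO && cg_ns == PROC_CGROUP_INIT_INO) {
 if (pokey->pid_ns == PROC_PID_INIT_INO) {
 pokey->pid_ns = 0;
 pokey->mnt_ns = 0;
@@ -291,13 +288,20 @@ static __always_inline u32 init_context(event *event_data) {
 event_data->host_ppid = get_task_ppid(task);
 event_data->host_pid = bpf_get_current_pid_tgid() >> 32;
 
-struct outer_key okey;
-get_outer_key(&okey, task);
-event_data->pid_id = okey.pid_ns;
-event_data->mnt_id = okey.mnt_ns;
+u32 pid = get_task_ns_tgid(task);
+if (event_data->host_pid == pid) { // host
+event_data->pid_id = 0;
+event_data->mnt_id = 0;
+
+event_data->ppid = get_task_ppid(task);
+event_data->pid = bpf_get_current_pid_tgid() >> 32;
+} else { // container
+event_data->pid_id = get_task_pid_ns_id(task);
+event_data->mnt_id = get_task_mnt_ns_id(task);
 
-event_data->ppid = get_task_ppid(task);
-event_data->pid = get_task_ns_tgid(task);
+event_data->ppid = get_task_ns_ppid(task);
+event_data->pid = pid;
+}
 
 event_data->uid = bpf_get_current_uid_gid();
 
@@ -483,15 +487,10 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
 if (src_offset == NULL)
 fromSourceCheck = false;
 
-void *src_ptr;
-if (src_buf->buf[*src_offset]) {
-src_ptr = &src_buf->buf[*src_offset];
-}
-if (src_ptr == NULL)
-fromSourceCheck = false;
+void *ptr = &src_buf->buf[*src_offset];
 
 if (fromSourceCheck) {
-bpf_probe_read_str(store->source, MAX_STRING_SIZE, src_ptr);
+bpf_probe_read_str(store->source, MAX_STRING_SIZE, ptr);
 
 val = bpf_map_lookup_elem(inner, store);
 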
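Review bot: The host/container split in init_context keys on `event_data->host_pid == pid`, i.e. the task's namespace tgid equalling its host tgid; that equality also holds for a container that shares the host PID namespace, so such tasks get `pid_id`/`mnt_id` zeroed and are reported as host rather than by their own mount namespace. This matters for enforcement identity because get_outer_key in the first hunk uses `pid_ns = 0, mnt_ns = 0` as the host key, and this same commit sets `HostPID: true` on the daemonset in deployments/get/objects.go — whether that ends up classifying KubeArmor's own container as host is inferred, not visible here. A comment above the branch would make the assumption explicit: `// equal tgid in both namespaces => treated as host (also true for hostPID containers)`. In the host branch, `bpf_get_current_pid_tgid() >> 32` is recomputed although `event_data->host_pid` already holds that value; `event_data->pid = event_data->host_pid;` would do. init_context begins and ends outside the hunk.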
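--- a/KubeArmor/config/config.go
+++ b/KubeArmor/config/config.go
@@ -60,8 +60,6 @@ type KubearmorConfig struct {
 MaxAlertPerSec int // Maximum alerts allowed per second
 ThrottleSec int // Number of seconds for which subsequent alerts will be dropped
 AnnotateResources bool // enable annotations by kubearmor if kubearmor-controller is not present
-
-ProcFsMount string // path where procfs is hosted
 }
 
 // GlobalCfg Global configuration for Kubearmor
@@ -107,7 +105,6 @@ const (
 ConfigMaxAlertPerSec string = "maxAlertPerSec"
 ConfigThrottleSec string = "throttleSec"
 ConfigAnnotateResources string = "annotateResources"
-ConfigProcFsMount string = "procfsMount"
 )
 
 func readCmdLineParams() {
@@ -164,8 +161,6 @@ func readCmdLineParams() {
 
 annotateResources := flag.Bool(ConfigAnnotateResources, false, "for kubearmor deployment without kubearmor-controller")
 
-procFsMount := flag.String(ConfigProcFsMount, "/proc", "Path to the BPF filesystem to use for storing maps")
-
 flags := []string{}
 flag.VisitAll(func(f *flag.Flag) {
 kv := fmt.Sprintf("%s:%v", f.Name, f.Value)
@@ -227,8 +222,6 @@ func readCmdLineParams() {
 viper.SetDefault(ConfigThrottleSec, *throttleSec)
 
 viper.SetDefault(ConfigAnnotateResources, *annotateResources)
-
-viper.SetDefault(ConfigProcFsMount, *procFsMount)
 }
 
 // LoadConfig Load configuration
@@ -329,8 +322,6 @@ func LoadConfig() error {
 GlobalCfg.ThrottleSec = viper.GetInt(ConfigThrottleSec)
 GlobalCfg.AnnotateResources = viper.GetBool(ConfigAnnotateResources)
 
-GlobalCfg.ProcFsMount = viper.GetString(ConfigProcFsMount)
-
 kg.Printf("Final Configuration [%+v]", GlobalCfg)
 
 return nil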

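--- a/KubeArmor/core/containerdHandler.go
+++ b/KubeArmor/core/containerdHandler.go
@@ -8,7 +8,6 @@ import (
 "context"
 "fmt"
 "os"
-"path/filepath"
 "strconv"
 "strings"
 "time"
@@ -194,13 +193,13 @@ func (ch *ContainerdHandler) GetContainerInfo(ctx context.Context, containerID s
 
 pid := strconv.Itoa(int(taskRes.Processes[0].Pid))
 
-if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/pid")); err == nil {
+if data, err := os.Readlink("/proc/" + pid + "/ns/pid"); err == nil {
 if _, err := fmt.Sscanf(data, "pid:[%d]\n", &container.PidNS); err != nil {
 kg.Warnf("Unable to get PidNS (%s, %s, %s)", containerID, pid, err.Error())
 }
 }
 
-if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/mnt")); err == nil {
+if data, err := os.Readlink("/proc/" + pid + "/ns/mnt"); err == nil {
 if _, err := fmt.Sscanf(data, "mnt:[%d]\n", &container.MntNS); err != nil {
 kg.Warnf("Unable to get MntNS (%s, %s, %s)", containerID, pid, err.Error())
 }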
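Review bot: When `os.Readlink("/proc/" + pid + "/ns/pid")` fails there is no else branch, so GetContainerInfo carries on with `container.PidNS` (and likewise `container.MntNS`) left at zero and neither logs nor returns the failure; crioHandler.go in this same commit returns the error for the pid lookup, so the handlers disagree on how a missing namespace link is treated. Because the BPF side in shared.h (get_outer_key) uses zeroed pid_ns/mnt_ns as the host identity, a container registered with zero namespace IDs could be mis-keyed — that consequence is inferred from the map key, not shown in this file. At minimum the failure should be visible: `} else { kg.Warnf("Unable to read PidNS link (%s, %s, %s)", containerID, pid, err.Error()) }`, and the same for the mnt lookup. The hardcoded `/proc` also presumes the daemon sees the host PID namespace, which is what `HostPID: true` in deployments/get/objects.go provides; a one-line comment saying so would help. dockerHandler.go's GetContainerInfo hunk has the same silent path. GetContainerInfo begins and ends outside the hunk.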

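--- a/KubeArmor/core/crioHandler.go
+++ b/KubeArmor/core/crioHandler.go
@@ -8,7 +8,6 @@ import (
 "encoding/json"
 "fmt"
 "os"
-"path/filepath"
 "strconv"
 "time"
 
@@ -131,15 +130,15 @@ func (ch *CrioHandler) GetContainerInfo(ctx context.Context, containerID string,
 
 pid := strconv.Itoa(containerInfo.Pid)
 
-if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/pid")); err == nil {
+if data, err := os.Readlink("/proc/" + pid + "/ns/pid"); err == nil {
 if _, err := fmt.Sscanf(data, "pid:[%d]\n", &container.PidNS); err != nil {
 kg.Warnf("Unable to get PidNS (%s, %s, %s)", containerID, pid, err.Error())
 }
 } else {
 return container, err
 }
 
-if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/mnt")); err == nil {
+if data, err := os.Readlink("/proc/" + pid + "/ns/mnt"); err == nil {
 if _, err := fmt.Sscanf(data, "mnt:[%d]\n", &container.MntNS); err != nil {
 kg.Warnf("Unable to get MntNS (%s, %s, %s)", containerID, pid, err.Error())
 }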

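--- a/KubeArmor/core/dockerHandler.go
+++ b/KubeArmor/core/dockerHandler.go
@@ -8,7 +8,6 @@ import (
 "errors"
 "fmt"
 "os"
-"path/filepath"
 "slices"
 "strconv"
 "strings"
@@ -145,13 +144,13 @@ func (dh *DockerHandler) GetContainerInfo(containerID string, OwnerInfo map[stri
 
 pid := strconv.Itoa(inspect.State.Pid)
 
-if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/pid")); err == nil {
+if data, err := os.Readlink("/proc/" + pid + "/ns/pid"); err == nil {
 if _, err := fmt.Sscanf(data, "pid:[%d]\n", &container.PidNS); err != nil {
 kg.Warnf("Unable to get PidNS (%s, %s, %s)", containerID, pid, err.Error())
 }
 }
 
-if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, pid, "/ns/mnt")); err == nil {
+if data, err := os.Readlink("/proc/" + pid + "/ns/mnt"); err == nil {
 if _, err := fmt.Sscanf(data, "mnt:[%d]\n", &container.MntNS); err != nil {
 kg.Warnf("Unable to get MntNS (%s, %s, %s)", containerID, pid, err.Error())
 }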

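--- a/KubeArmor/core/kubeUpdate.go
+++ b/KubeArmor/core/kubeUpdate.go
@@ -731,9 +731,9 @@ func (dm *KubeArmorDaemon) WatchK8sPods() {
 }
 
 // exception: kubearmor
-// if _, ok := pod.Labels["kubearmor-app"]; ok {
-// pod.Annotations["kubearmor-policy"] = "audited"
-// }
+if _, ok := pod.Labels["kubearmor-app"]; ok {
+pod.Annotations["kubearmor-policy"] = "audited"
+}
 
 // == Visibility == //
 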
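Review bot: The re-enabled exemption keys solely on the presence of the `kubearmor-app` label and forces the pod's policy annotation to `audited`, so any workload carrying that label receives the same downgrade from enforcement; the check should also pin the namespace or service account KubeArmor's own pods run under (how those pods are identified elsewhere is outside this hunk). `pod.Annotations["kubearmor-policy"]` is assigned without a nil check — if `pod.Annotations` can still be nil at this point the write panics, though code earlier in WatchK8sPods may already initialise the map. The bare `// exception: kubearmor` would be clearer as `// exception: KubeArmor's own pods are kept in audit mode so a mis-applied policy cannot block the enforcer itself` (the motive is inferred from the revert title). WatchK8sPods begins and ends outside the hunk.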
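--- a/KubeArmor/enforcer/appArmorEnforcer.go
+++ b/KubeArmor/enforcer/appArmorEnforcer.go
@@ -114,11 +114,11 @@ profile apparmor-default flags=(attach_disconnected,mediate_deleted) {
 
 existingProfiles := []string{}
 
-if pids, err := os.ReadDir(filepath.Clean(cfg.GlobalCfg.ProcFsMount)); err == nil {
+if pids, err := os.ReadDir(filepath.Clean("/proc")); err == nil {
 for _, f := range pids {
 if f.IsDir() {
 if _, err := strconv.Atoi(f.Name()); err == nil {
-if content, err := os.ReadFile(filepath.Clean(cfg.GlobalCfg.ProcFsMount + "/" + f.Name() + "/attr/current")); err == nil {
+if content, err := os.ReadFile(filepath.Clean("/proc/" + f.Name() + "/attr/current")); err == nil {
 line := strings.Split(string(content), "\n")[0]
 words := strings.Split(line, " ")
 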
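Review bot: `filepath.Clean("/proc")` on a constant literal is a no-op and reads as if the path were computed; `os.ReadDir("/proc")` states the same thing. The second lookup builds the path by concatenation and then cleans it; `os.ReadFile(filepath.Join("/proc", f.Name(), "attr", "current"))` keeps it OS-correct without the extra Clean, and `f.Name()` is already constrained to a numeric pid by the `strconv.Atoi` check on the line above. The enclosing function starts and ends outside the hunk.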
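--- a/KubeArmor/enforcer/bpflsm/enforcer.go
+++ b/KubeArmor/enforcer/bpflsm/enforcer.go
@@ -23,8 +23,8 @@ import (
 tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
 )
 
-//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang enforcer ../../BPF/enforcer.bpf.c -- -I/usr/include/ -O2 -g -fno-stack-protector
-//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang enforcer_path ../../BPF/enforcer_path.bpf.c -- -I/usr/include/ -O2 -g -fno-stack-protector
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang enforcer ../../BPF/enforcer.bpf.c -- -I/usr/include/ -O2 -g
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang enforcer_path ../../BPF/enforcer_path.bpf.c -- -I/usr/include/ -O2 -g
 
 // ===================== //
 // == BPFLSM Enforcer == //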
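Review bot: Both go:generate directives drop `-fno-stack-protector` from the clang invocation, and on toolchains whose clang enables the stack protector by default the BPF backend has no way to emit canary code, so regenerating enforcer.bpf.c or enforcer_path.bpf.c on such a host may fail or produce objects the verifier rejects; the binaries checked in with this commit were presumably built on a host where this is not an issue, but a CI regeneration step would confirm it. A short comment above the directives recording the expected clang version and why each flag is present would make the build contract explicit, e.g. `// Regenerate with the clang version used in CI; see BPF/ for the source.`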

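--- a/KubeArmor/main_test.go
+++ b/KubeArmor/main_test.go
@@ -13,7 +13,7 @@ import (
 
 var clusterPtr, gRPCPtr, logPathPtr *string
 var enableKubeArmorPolicyPtr, enableKubeArmorHostPolicyPtr, enableKubeArmorVMPtr, coverageTestPtr, enableK8sEnv, tlsEnabled *bool
-var defaultFilePosturePtr, defaultCapabilitiesPosturePtr, defaultNetworkPosturePtr, hostDefaultCapabilitiesPosturePtr, hostDefaultNetworkPosturePtr, hostDefaultFilePosturePtr, procFsMountPtr *string
+var defaultFilePosturePtr, defaultCapabilitiesPosturePtr, defaultNetworkPosturePtr, hostDefaultCapabilitiesPosturePtr, hostDefaultNetworkPosturePtr, hostDefaultFilePosturePtr *string
 
 func init() {
 // options (string)
@@ -32,8 +32,6 @@ func init() {
 hostDefaultNetworkPosturePtr = flag.String("hostDefaultNetworkPosture", "block", "configuring default enforcement action in global network context {allow|audit|block}")
 hostDefaultCapabilitiesPosturePtr = flag.String("hostDefaultCapabilitiesPosture", "block", "configuring default enforcement action in global capability context {allow|audit|block}")
 
-procFsMountPtr = flag.String("procfsMount", "/proc", "Path to the BPF filesystem to use for storing maps")
-
 // options (boolean)
 enableKubeArmorPolicyPtr = flag.Bool("enableKubeArmorPolicy", true, "enabling KubeArmorPolicy")
 enableKubeArmorHostPolicyPtr = flag.Bool("enableKubeArmorHostPolicy", true, "enabling KubeArmorHostPolicy")
@@ -44,7 +42,6 @@ func init() {
 
 // options (boolean)
 coverageTestPtr = flag.Bool("coverageTest", false, "enabling CoverageTest")
-
 }
 
 // TestMain - test to drive external testing coverage
@@ -67,7 +64,6 @@ func TestMain(t *testing.T) {
 fmt.Sprintf("-enableKubeArmorHostPolicy=%s", strconv.FormatBool(*enableKubeArmorHostPolicyPtr)),
 fmt.Sprintf("-coverageTest=%s", strconv.FormatBool(*coverageTestPtr)),
 fmt.Sprintf("-tlsEnabled=%s", strconv.FormatBool(*tlsEnabled)),
-fmt.Sprintf("-procfsMount=%s", *procFsMountPtr),
 }
 
 t.Log("[INFO] Executed KubeArmor")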

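--- a/KubeArmor/monitor/processTree.go
+++ b/KubeArmor/monitor/processTree.go
@@ -5,7 +5,6 @@ package monitor
 
 import (
 "os"
-"path/filepath"
 "strconv"
 "strings"
 "sync"
@@ -232,7 +231,7 @@ func (mon *SystemMonitor) GetParentExecPath(containerID string, ctx SyscallConte
 
 if readlink {
 // just in case that it couldn't still get the full path
-if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, strconv.FormatUint(uint64(ctx.HostPPID), 10), "/exe")); err == nil && data != "" && data != "/" {
+if data, err := os.Readlink("/proc/" + strconv.FormatUint(uint64(ctx.HostPPID), 10) + "/exe"); err == nil && data != "" && data != "/" {
 // // Store it in the ActiveHostPidMap so we don't need to read procfs again
 // // We don't call BuildPidNode Here cause that will put this into a cyclic function call loop
 // if pidMap, ok := ActiveHostPidMap[containerID]; ok {
@@ -277,7 +276,7 @@ func (mon *SystemMonitor) GetExecPath(containerID string, ctx SyscallContext, re
 
 if readlink {
 // just in case that it couldn't still get the full path
-if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, strconv.FormatUint(uint64(ctx.HostPID), 10), "/exe")); err == nil && data != "" && data != "/" {
+if data, err := os.Readlink("/proc/" + strconv.FormatUint(uint64(ctx.HostPID), 10) + "/exe"); err == nil && data != "" && data != "/" {
 // // Store it in the ActiveHostPidMap so we don't need to read procfs again
 // if pidMap, ok := ActiveHostPidMap[containerID]; ok {
 // if node, ok := pidMap[ctx.HostPID]; ok {
@@ -319,7 +318,7 @@ func (mon *SystemMonitor) GetCommand(containerID string, ctx SyscallContext, rea
 
 if readlink {
 // just in case that it couldn't still get the full path
-if data, err := os.Readlink(filepath.Join(cfg.GlobalCfg.ProcFsMount, strconv.FormatUint(uint64(ctx.HostPID), 10), "/exe")); err == nil && data != "" && data != "/" {
+if data, err := os.Readlink("/proc/" + strconv.FormatUint(uint64(ctx.HostPID), 10) + "/exe"); err == nil && data != "" && data != "/" {
 return data
 } else if err != nil {
 mon.Logger.Debugf("Could not read path from procfs due to %s", err.Error())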
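Review bot: The three hunks in GetParentExecPath, GetExecPath and GetCommand repeat the same expression, `os.Readlink("/proc/" + strconv.FormatUint(uint64(pid), 10) + "/exe")`, together with the same `err == nil && data != "" && data != "/"` acceptance test; a small helper would remove the triplication and give one place to document that the lookup is only meaningful when the daemon sees the host PID namespace. Only GetCommand's hunk shows the error being logged (`mon.Logger.Debugf`); whether the other two functions report a failed readlink is outside their hunks, so consistency there is worth checking. All three enclosing functions begin and end outside the hunks.

```go
// hostExeLink resolves /proc/<pid>/exe; pid must be a host-namespace pid,
// so this only works when the daemon runs with hostPID.
func hostExeLink(pid uint32) (string, error) {
	return os.Readlink("/proc/" + strconv.FormatUint(uint64(pid), 10) + "/exe")
}
// … unchanged: call sites keep their err == nil && data != "" && data != "/" filter …
```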

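--- a/deployments/get/objects.go
+++ b/deployments/get/objects.go
@@ -264,7 +264,6 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet {
 var terminationGracePeriodSeconds = int64(60)
 var args = []string{
 "-gRPC=" + strconv.Itoa(int(port)),
-"-procfsMount=/host/procfs",
 }
 
 var containerVolumeMounts = []corev1.VolumeMount{
@@ -382,6 +381,7 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet {
 Operator: "Exists",
 },
 },
+HostPID: true,
 HostNetwork: true,
 RestartPolicy: "Always",
 DNSPolicy: "ClusterFirstWithHostNet",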
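Review bot: `HostPID: true` puts the daemon in the host PID namespace, which is what lets the container handlers and process-tree code in this commit resolve `/proc/<pid>/...` for host pids once `-procfsMount` is gone, but nothing in the spec records that dependency; a comment such as `HostPID: true, // container pids are resolved via /proc, which requires the host PID namespace` would stop a later reader from removing it as an over-broad privilege. The operator's pkg/KubeArmorOperator/common/defaults.go in this commit drops the matching `/host/procfs` mount, but this page does not show whether the operator-generated pod spec also sets hostPID — worth confirming the two deployment paths agree. GenerateDaemonSet begins and ends outside the hunks.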

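--- a/pkg/KubeArmorOperator/common/defaults.go
+++ b/pkg/KubeArmorOperator/common/defaults.go
@@ -237,27 +237,13 @@ var CommonVolumes = []corev1.Volume{
 },
 },
 },
-{
-Name: "proc-fs-mount",
-VolumeSource: corev1.VolumeSource{
-HostPath: &corev1.HostPathVolumeSource{
-Path: "/proc",
-Type: &HostPathDirectory,
-},
-},
-},
 }
 
 var CommonVolumesMount = []corev1.VolumeMount{
 {
 Name: "sys-kernel-debug-path",
 MountPath: "/sys/kernel/debug",
 },
-{
-Name: "proc-fs-mount",
-MountPath: "/host/procfs",
-ReadOnly: true,
-},
 }
 
 var KubeArmorCaVolume = []corev1.Volume{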
