kubearmor
diff --git a/‎KubeArmor/BPF/anonmapexec.bpf.c
+2-2 b/‎KubeArmor/BPF/anonmapexec.bpf.c
+2-2
diff --git a/‎KubeArmor/BPF/filelessexec.bpf.c
+5-37 b/‎KubeArmor/BPF/filelessexec.bpf.c
+5-37
diff --git a/‎KubeArmor/BPF/protectenv.bpf.c
+4-26 b/‎KubeArmor/BPF/protectenv.bpf.c
+4-26
diff --git a/‎KubeArmor/BPF/shared.h
+12 b/‎KubeArmor/BPF/shared.h
+12
diff --git a/‎KubeArmor/core/kubeArmor.go
+1-1 b/‎KubeArmor/core/kubeArmor.go
+1-1
diff --git a/‎KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
-147 KB b/‎KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
-147 KB
diff --git a/‎KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
-147 KB b/‎KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
-147 KB
diff --git a/‎KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o
-48.2 KB b/‎KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o
-48.2 KB
diff --git a/‎KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o
-48.2 KB b/‎KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o
-48.2 KB
diff --git a/‎KubeArmor/feeder/feeder.go
-17 b/‎KubeArmor/feeder/feeder.go
-17
diff --git a/‎KubeArmor/go.mod
-1 b/‎KubeArmor/go.mod
-1
diff --git a/‎KubeArmor/go.sum
-2 b/‎KubeArmor/go.sum
-2
diff --git a/‎KubeArmor/presets/anonmapexec/anonmapexec_bpfeb.o
-392 Bytes b/‎KubeArmor/presets/anonmapexec/anonmapexec_bpfeb.o
-392 Bytes
diff --git a/‎KubeArmor/presets/anonmapexec/anonmapexec_bpfel.o
-392 Bytes b/‎KubeArmor/presets/anonmapexec/anonmapexec_bpfel.o
-392 Bytes
diff --git a/‎KubeArmor/presets/anonmapexec/preset.go
+3-3 b/‎KubeArmor/presets/anonmapexec/preset.go
+3-3
diff --git a/‎KubeArmor/presets/base/basePreset.go
+16-4 b/‎KubeArmor/presets/base/basePreset.go
+16-4
diff --git a/‎KubeArmor/presets/base/containers.go
-72 b/‎KubeArmor/presets/base/containers.go
-72
diff --git a/‎KubeArmor/presets/filelessexec/filelessexec_bpfeb.o
-3.19 KB b/‎KubeArmor/presets/filelessexec/filelessexec_bpfeb.o
-3.19 KB
diff --git a/‎KubeArmor/presets/filelessexec/filelessexec_bpfel.o
-3.19 KB b/‎KubeArmor/presets/filelessexec/filelessexec_bpfel.o
-3.19 KB
@@ -109,14 +109,14 @@ int BPF_PROG(enforce_mmap_file, struct file *file, unsigned long reqprot,
       event_data->args[2] = flags;
       event_data->event_id = ANON_MAP_EXEC;
       if (*present == BLOCK) {
-        event_data->retval = -13;
+        event_data->retval = -EPERM;
       } else {
         event_data->retval = 0;
       }
       bpf_ringbuf_submit(event_data, 0);
       // mapping not backed by any file with executable permission, denying mapping
       if (*present == BLOCK) {
-        return -13;
+        return -EPERM;
       } else {
         return 0;
       }
 
@@ -17,51 +17,19 @@ const event *unused __attribute__((unused));
 struct preset_map fileless_exec_preset_containers SEC(".maps");
 
 #define MEMFD "memfd:"
+#define RUN_SHM "/run/shm/"
+#define DEV_SHM "/dev/shm/"
 
 static __always_inline int is_memfd(char *name) {
-  char memfd[] = MEMFD;
-  int i = 0;
-  while (i < sizeof(MEMFD) - 1 && name[i] != '\0' && name[i] == memfd[i]) {
-    i++;
-  }
-
-  if (i == sizeof(MEMFD) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(name, MEMFD, sizeof(MEMFD));
 }
 
-#define RUN_SHM "/run/shm/"
-
 static __always_inline int is_run_shm(char *name) {
-  char run_shm[] = RUN_SHM;
-  int i = 0;
-  while (i < sizeof(RUN_SHM) - 1 && name[i] != '\0' && name[i] == run_shm[i]) {
-    i++;
-  }
-
-  if (i == sizeof(RUN_SHM) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(name, RUN_SHM, sizeof(RUN_SHM));
 }
 
-#define DEV_SHM "/dev/shm/"
-
 static __always_inline int is_dev_shm(char *name) {
-  char dev_shm[] = DEV_SHM;
-  int i = 0;
-  while (i < sizeof(DEV_SHM) - 1 && name[i] != '\0' && name[i] == dev_shm[i]) {
-    i++;
-  }
-
-  if (i == sizeof(DEV_SHM) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(name, DEV_SHM, sizeof(DEV_SHM));
 }
 
 struct pathname {
 
@@ -21,36 +21,14 @@ struct {
 struct preset_map protectenv_preset_containers SEC(".maps");
 
 #define DIR_PROC "/proc/"
+#define FILE_ENVIRON "/environ"
 
 static __always_inline int isProcDir(char *path) {
-  char procDir[] = DIR_PROC;
-  int i = 0;
-  while (i < sizeof(DIR_PROC) - 1 && path[i] != '\0' && path[i] == procDir[i]) {
-    i++;
-  }
-
-  if (i == sizeof(DIR_PROC) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(path, DIR_PROC, sizeof(DIR_PROC));
 }
 
-#define FILE_ENVIRON "/environ"
-
 static __always_inline int isEnviron(char *path) {
-  char envFile[] = FILE_ENVIRON;
-  int i = 0;
-  while (i < sizeof(FILE_ENVIRON) - 1 && path[i] != '\0' &&
-         path[i] == envFile[i]) {
-    i++;
-  }
-
-  if (i == sizeof(FILE_ENVIRON) - 1) {
-    return 1;
-  }
-
-  return 0;
+  return string_prefix_match(path, FILE_ENVIRON, sizeof(FILE_ENVIRON));
 }
 
 SEC("lsm/file_open")
@@ -101,7 +79,7 @@ int BPF_PROG(enforce_file, struct file *file) {
     task_info->pid_ns = okey.pid_ns;
     task_info->mnt_ns = okey.mnt_ns;
     bpf_ringbuf_submit(task_info, 0);
-    return -13;
+    return -EPERM;
   }
 
   return 0;
 
@@ -74,6 +74,18 @@ struct {
   __uint(max_entries, 3);
 } bufk SEC(".maps");
 
+// ============
+// match prefix
+// ============
+
+static __always_inline int string_prefix_match(const char *name, const char *prefix, size_t prefix_len) {
+    int i = 0;
+    while (i < prefix_len - 1 && name[i] != '\0' && name[i] == prefix[i]) {
+        i++;
+    }
+    return (i == prefix_len - 1) ? 1 : 0;
+}
+
 // ============
 // == preset ==
 // ============
 
@@ -318,7 +318,7 @@ func (dm *KubeArmorDaemon) InitPresets(logger *fd.Feeder, monitor *mon.SystemMon
 // ClosePresets Function
 func (dm *KubeArmorDaemon) ClosePresets() bool {
 	if err := dm.Presets.Destroy(); err != nil {
-		dm.Logger.Errf("Failed to destry preset (%s)", err.Error())
+		dm.Logger.Errf("Failed to destroy preset (%s)", err.Error())
 		return false
 	}
 	return true
 
@@ -534,11 +534,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
 	   in case of enforcer = AppArmor only Default Posture logs will be converted to
 	   container/host log depending upon the defaultPostureLogs flag
 	*/
-	presetlog := false
-	if strings.Contains(log.Enforcer, "PRESET") {
-		kg.Printf("PRESET log 1: %+v\n", log)
-		presetlog = true
-	}
 
 	if (cfg.GlobalCfg.EnforcerAlerts && fd.Enforcer == "BPFLSM" && log.Enforcer == "eBPF Monitor") || (fd.Enforcer != "BPFLSM" && !cfg.GlobalCfg.DefaultPostureLogs) {
 		log = fd.UpdateMatchedPolicy(log)
@@ -567,10 +562,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
 		fd.Debug("Pushing Telemetry without source")
 	}
 
-	if presetlog {
-		kg.Printf("PRESET LOG 2: %+v\n", log)
-	}
-
 	// set hostname
 	log.HostName = cfg.GlobalCfg.Host
 
@@ -590,10 +581,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
 		fd.StrToFile(string(arr))
 	}
 
-	if strings.Contains(log.Enforcer, "PRESET") {
-		kg.Printf("PRESET_LOG: \n%+v\n", &log)
-	}
-
 	// gRPC output
 	if log.Type == "MatchedPolicy" || log.Type == "MatchedHostPolicy" || log.Type == "SystemEvent" {
 
@@ -695,10 +682,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
 		counter := 0
 		lenAlert := len(fd.EventStructs.AlertStructs)
 
-		if strings.Contains(log.Enforcer, "PRESET") {
-			kg.Printf("PRESET_ALERT: \n%s\n", &pbAlert)
-		}
-
 		for uid := range fd.EventStructs.AlertStructs {
 			select {
 			case fd.EventStructs.AlertStructs[uid].Broadcast <- &pbAlert:
 
@@ -65,7 +65,6 @@ require (
 	github.com/emicklei/go-restful/v3 v3.11.2 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 
@@ -1,5 +1,3 @@
-github.com/5GSEC/SentryFlow/protobuf v0.0.0-20240513071927-c6689c164ec8 h1:vOjDsj/1zs1O4V2UG2SINC7/maAx3WEQsE0bz5n0skI=
-github.com/5GSEC/SentryFlow/protobuf v0.0.0-20240513071927-c6689c164ec8/go.mod h1:cvmCAKkLBDXx6Rlk97XQQuAtcOhkM/wsWNbxGOC3yfE=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 
@@ -41,7 +41,7 @@ type ContainerVal struct {
 }
 
 type AnonMapExecPreset struct {
-	base.BasePreset
+	base.Preset
 
 	BPFContainerMap *ebpf.Map
 
@@ -91,10 +91,10 @@ func (p *AnonMapExecPreset) Name() string {
 	return NAME
 }
 
-func (p *AnonMapExecPreset) RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (base.BasePresetInterface, error) {
+func (p *AnonMapExecPreset) RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (base.PresetInterface, error) {
 
 	if logger.Enforcer != "BPFLSM" {
-		// it's based on actibe enforcer, it might possible that node support bpflsm but
+		// it's based on active enforcer, it might possible that node support bpflsm but
 		// current enforcer is not bpflsm
 		return nil, errors.New("AnonExecutionPreset not supported if bpflsm not supported")
 	}
 
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // Copyright 2021 Authors of KubeArmor
 
+// Package base provides interface for presets
 package base
 
 import (
@@ -10,33 +11,43 @@ import (
 )
 
 const (
+	// PRESET_ENFORCER prefix for a preset
 	PRESET_ENFORCER string = "PRESET-"
 )
 
+// PresetType represents type of a preset
 type PresetType uint8
 
 const (
+	// FilelessExec preset type
 	FilelessExec PresetType = 1
-	AnonMapExec  PresetType = 2
+	// AnonMapExec preset type
+	AnonMapExec PresetType = 2
 )
 
+// PresetAction preset action
 type PresetAction uint32
 
 const (
+	// Audit action
 	Audit PresetAction = 1
+	// Block action
 	Block PresetAction = 2
 )
 
-type BasePreset struct {
+// Preset type
+type Preset struct {
 	Logger  *fd.Feeder
 	Monitor *mon.SystemMonitor
 }
 
+// InnerKey type
 type InnerKey struct {
 	Path   [256]byte
 	Source [256]byte
 }
 
+// EventPreset type
 type EventPreset struct {
 	Ts uint64
 
@@ -59,10 +70,11 @@ type EventPreset struct {
 	Data InnerKey
 }
 
-type BasePresetInterface interface {
+// PresetInterface interface
+type PresetInterface interface {
 	Name() string
 	// Init() error
-	RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (BasePresetInterface, error)
+	RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (PresetInterface, error)
 	RegisterContainer(containerID string, pidns, mntns uint32)
 	UnregisterContainer(containerID string)
 	UpdateSecurityPolicies(endPoint tp.EndPoint)
Original file line number	Diff line number	Diff line change
`@@ -318,7 +318,7 @@ func (dm KubeArmorDaemon) InitPresets(logger fd.Feeder, monitor *mon.SystemMon`
`318`	`318`	`// ClosePresets Function`
`319`	`319`	`func (dm *KubeArmorDaemon) ClosePresets() bool {`
`320`	`320`	`if err := dm.Presets.Destroy(); err != nil {`
`321`		`- dm.Logger.Errf("Failed to destry preset (%s)", err.Error())`
	`321`	`+ dm.Logger.Errf("Failed to destroy preset (%s)", err.Error())`
`322`	`322`	`return false`
`323`	`323`	`}`
`324`	`324`	`return true`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,3 @@`
`1`		`-github.com/5GSEC/SentryFlow/protobuf v0.0.0-20240513071927-c6689c164ec8 h1:vOjDsj/1zs1O4V2UG2SINC7/maAx3WEQsE0bz5n0skI=`
`2`		`-github.com/5GSEC/SentryFlow/protobuf v0.0.0-20240513071927-c6689c164ec8/go.mod h1:cvmCAKkLBDXx6Rlk97XQQuAtcOhkM/wsWNbxGOC3yfE=`
`3`	`1`	`github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=`
`4`	`2`	`github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=`
`5`	`3`	`github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ type ContainerVal struct {`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`type AnonMapExecPreset struct {`
`44`		`- base.BasePreset`
	`44`	`+ base.Preset`
`45`	`45`
`46`	`46`	`BPFContainerMap *ebpf.Map`
`47`	`47`
`@@ -91,10 +91,10 @@ func (p *AnonMapExecPreset) Name() string {`
`91`	`91`	`return NAME`
`92`	`92`	`}`
`93`	`93`
`94`		`-func (p AnonMapExecPreset) RegisterPreset(logger fd.Feeder, monitor *mon.SystemMonitor) (base.BasePresetInterface, error) {`
	`94`	`+func (p AnonMapExecPreset) RegisterPreset(logger fd.Feeder, monitor *mon.SystemMonitor) (base.PresetInterface, error) {`
`95`	`95`
`96`	`96`	`if logger.Enforcer != "BPFLSM" {`
`97`		`- // it's based on actibe enforcer, it might possible that node support bpflsm but`
	`97`	`+ // it's based on active enforcer, it might possible that node support bpflsm but`
`98`	`98`	`// current enforcer is not bpflsm`
`99`	`99`	`return nil, errors.New("AnonExecutionPreset not supported if bpflsm not supported")`
`100`	`100`	`}`