

run presets test suite on bpflsm only
Signed-off-by: rksharma95 <[email protected]>
rksharma95 committed Dec 24, 2024
1 parent d44b2ca commit 7953d6f
Showing 23 changed files with 44 additions and 165 deletions.
4 changes: 2 additions & 2 deletions KubeArmor/BPF/anonmapexec.bpf.c
Expand Up @@ -109,14 +109,14 @@ int BPF_PROG(enforce_mmap_file, struct file *file, unsigned long reqprot,
event_data->args[2] = flags;
event_data->event_id = ANON_MAP_EXEC;
if (*present == BLOCK) {
event_data->retval = -13;
event_data->retval = -EPERM;
} else {
event_data->retval = 0;
}
bpf_ringbuf_submit(event_data, 0);
// mapping not backed by any file with executable permission, denying mapping
if (*present == BLOCK) {
return -13;
return -EPERM;
} else {
return 0;
}
42 changes: 5 additions & 37 deletions KubeArmor/BPF/filelessexec.bpf.c
Expand Up @@ -17,51 +17,19 @@ const event *unused __attribute__((unused));
struct preset_map fileless_exec_preset_containers SEC(".maps");

#define MEMFD "memfd:"
#define RUN_SHM "/run/shm/"
#define DEV_SHM "/dev/shm/"

static __always_inline int is_memfd(char *name) {
char memfd[] = MEMFD;
int i = 0;
while (i < sizeof(MEMFD) - 1 && name[i] != '\0' && name[i] == memfd[i]) {
i++;
}

if (i == sizeof(MEMFD) - 1) {
return 1;
}

return 0;
return string_prefix_match(name, MEMFD, sizeof(MEMFD));
}

#define RUN_SHM "/run/shm/"

static __always_inline int is_run_shm(char *name) {
char run_shm[] = RUN_SHM;
int i = 0;
while (i < sizeof(RUN_SHM) - 1 && name[i] != '\0' && name[i] == run_shm[i]) {
i++;
}

if (i == sizeof(RUN_SHM) - 1) {
return 1;
}

return 0;
return string_prefix_match(name, RUN_SHM, sizeof(RUN_SHM));
}

#define DEV_SHM "/dev/shm/"

static __always_inline int is_dev_shm(char *name) {
char dev_shm[] = DEV_SHM;
int i = 0;
while (i < sizeof(DEV_SHM) - 1 && name[i] != '\0' && name[i] == dev_shm[i]) {
i++;
}

if (i == sizeof(DEV_SHM) - 1) {
return 1;
}

return 0;
return string_prefix_match(name, DEV_SHM, sizeof(DEV_SHM));
}

struct pathname {
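Review bot: The wrappers `is_memfd`, `is_run_shm` and `is_dev_shm` still declare their parameter as `char *name` even though the only thing they now do is forward it to `string_prefix_match`, which takes `const char *`; declaring them `static __always_inline int is_memfd(const char *name)` (and likewise for the other two) records that they never write through the pointer and lets callers pass const buffers. The same applies to `isProcDir` and `isEnviron` in KubeArmor/BPF/protectenv.bpf.c in this commit. Passing `sizeof(MEMFD)` rather than `sizeof(MEMFD) - 1` relies on the helper stripping the terminating NUL itself, which is easy to get wrong for a future caller; a short comment at one of the call sites, `// sizeof() includes the NUL; string_prefix_match accounts for it`, would make the convention explicit.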
30 changes: 4 additions & 26 deletions KubeArmor/BPF/protectenv.bpf.c
Expand Up @@ -21,36 +21,14 @@ struct {
struct preset_map protectenv_preset_containers SEC(".maps");

#define DIR_PROC "/proc/"
#define FILE_ENVIRON "/environ"

static __always_inline int isProcDir(char *path) {
char procDir[] = DIR_PROC;
int i = 0;
while (i < sizeof(DIR_PROC) - 1 && path[i] != '\0' && path[i] == procDir[i]) {
i++;
}

if (i == sizeof(DIR_PROC) - 1) {
return 1;
}

return 0;
return string_prefix_match(path, DIR_PROC, sizeof(DIR_PROC));
}

#define FILE_ENVIRON "/environ"

static __always_inline int isEnviron(char *path) {
char envFile[] = FILE_ENVIRON;
int i = 0;
while (i < sizeof(FILE_ENVIRON) - 1 && path[i] != '\0' &&
path[i] == envFile[i]) {
i++;
}

if (i == sizeof(FILE_ENVIRON) - 1) {
return 1;
}

return 0;
return string_prefix_match(path, FILE_ENVIRON, sizeof(FILE_ENVIRON));
}

SEC("lsm/file_open")
Expand Down Expand Up @@ -101,7 +79,7 @@ int BPF_PROG(enforce_file, struct file *file) {
task_info->pid_ns = okey.pid_ns;
task_info->mnt_ns = okey.mnt_ns;
bpf_ringbuf_submit(task_info, 0);
return -13;
return -EPERM;
}

return 0;
12 changes: 12 additions & 0 deletions KubeArmor/BPF/shared.h
Expand Up @@ -74,6 +74,18 @@ struct {
__uint(max_entries, 3);
} bufk SEC(".maps");

// ============
// match prefix
// ============

static __always_inline int string_prefix_match(const char *name, const char *prefix, size_t prefix_len) {
int i = 0;
while (i < prefix_len - 1 && name[i] != '\0' && name[i] == prefix[i]) {
i++;
}
return (i == prefix_len - 1) ? 1 : 0;
}

// ============
// == preset ==
// ============
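Review bot: In `string_prefix_match` the loop index `int i` is compared against the `size_t` expression `prefix_len - 1`, so the comparison is performed unsigned, and a `prefix_len` of 0 wraps to `SIZE_MAX` and lets the loop walk `name` until the first mismatch or NUL; every caller in this commit passes `sizeof` of a string literal, so this is latent rather than live, but the helper now lives in shared.h for anyone to call. Declaring `size_t i = 0;` and guarding with `if (prefix_len == 0) return 0;` closes both. The contract that `prefix_len` is `sizeof(literal)` — the prefix length plus its terminating NUL, which the `- 1` strips — should be stated above the function, e.g. `// prefix_len is sizeof(prefix) (strlen + NUL); returns 1 iff name starts with prefix, 0 otherwise`. Whether `name` is guaranteed NUL-terminated or otherwise bounded at each call site is not visible from this hunk and is worth confirming, since the helper itself has no length limit on `name` beyond the prefix length.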
2 changes: 1 addition & 1 deletion KubeArmor/core/kubeArmor.go
Expand Up @@ -318,7 +318,7 @@ func (dm *KubeArmorDaemon) InitPresets(logger *fd.Feeder, monitor *mon.SystemMon
// ClosePresets Function
func (dm *KubeArmorDaemon) ClosePresets() bool {
if err := dm.Presets.Destroy(); err != nil {
dm.Logger.Errf("Failed to destry preset (%s)", err.Error())
dm.Logger.Errf("Failed to destroy preset (%s)", err.Error())
return false
}
return true
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o
17 changes: 0 additions & 17 deletions KubeArmor/feeder/feeder.go
Expand Up @@ -534,11 +534,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
in case of enforcer = AppArmor only Default Posture logs will be converted to
container/host log depending upon the defaultPostureLogs flag
*/
presetlog := false
if strings.Contains(log.Enforcer, "PRESET") {
kg.Printf("PRESET log 1: %+v\n", log)
presetlog = true
}

if (cfg.GlobalCfg.EnforcerAlerts && fd.Enforcer == "BPFLSM" && log.Enforcer == "eBPF Monitor") || (fd.Enforcer != "BPFLSM" && !cfg.GlobalCfg.DefaultPostureLogs) {
log = fd.UpdateMatchedPolicy(log)
Expand Down Expand Up @@ -567,10 +562,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
fd.Debug("Pushing Telemetry without source")
}

if presetlog {
kg.Printf("PRESET LOG 2: %+v\n", log)
}

// set hostname
log.HostName = cfg.GlobalCfg.Host

Expand All @@ -590,10 +581,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
fd.StrToFile(string(arr))
}

if strings.Contains(log.Enforcer, "PRESET") {
kg.Printf("PRESET_LOG: \n%+v\n", &log)
}

// gRPC output
if log.Type == "MatchedPolicy" || log.Type == "MatchedHostPolicy" || log.Type == "SystemEvent" {

Expand Down Expand Up @@ -695,10 +682,6 @@ func (fd *Feeder) PushLog(log tp.Log) {
counter := 0
lenAlert := len(fd.EventStructs.AlertStructs)

if strings.Contains(log.Enforcer, "PRESET") {
kg.Printf("PRESET_ALERT: \n%s\n", &pbAlert)
}

for uid := range fd.EventStructs.AlertStructs {
select {
case fd.EventStructs.AlertStructs[uid].Broadcast <- &pbAlert:
2 changes: 0 additions & 2 deletions KubeArmor/go.sum
@@ -1,5 +1,3 @@
github.com/5GSEC/SentryFlow/protobuf v0.0.0-20240513071927-c6689c164ec8 h1:vOjDsj/1zs1O4V2UG2SINC7/maAx3WEQsE0bz5n0skI=
github.com/5GSEC/SentryFlow/protobuf v0.0.0-20240513071927-c6689c164ec8/go.mod h1:cvmCAKkLBDXx6Rlk97XQQuAtcOhkM/wsWNbxGOC3yfE=
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
Binary file modified KubeArmor/presets/anonmapexec/anonmapexec_bpfeb.o
Binary file modified KubeArmor/presets/anonmapexec/anonmapexec_bpfel.o
2 changes: 1 addition & 1 deletion KubeArmor/presets/anonmapexec/preset.go
Expand Up @@ -94,7 +94,7 @@ func (p *AnonMapExecPreset) Name() string {
func (p *AnonMapExecPreset) RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (base.BasePresetInterface, error) {

if logger.Enforcer != "BPFLSM" {
// it's based on actibe enforcer, it might possible that node support bpflsm but
// it's based on active enforcer, it might possible that node support bpflsm but
// current enforcer is not bpflsm
return nil, errors.New("AnonExecutionPreset not supported if bpflsm not supported")
}
72 changes: 0 additions & 72 deletions KubeArmor/presets/base/containers.go

This file was deleted.

Binary file modified KubeArmor/presets/filelessexec/filelessexec_bpfeb.o
Binary file modified KubeArmor/presets/filelessexec/filelessexec_bpfel.o
4 changes: 2 additions & 2 deletions KubeArmor/presets/filelessexec/preset.go
Expand Up @@ -75,7 +75,7 @@ func (p *Preset) Name() string {
func (p *Preset) RegisterPreset(logger *fd.Feeder, monitor *mon.SystemMonitor) (base.BasePresetInterface, error) {

if logger.Enforcer != "BPFLSM" {
// it's based on actibe enforcer, it might possible that node support bpflsm but
// it's based on active enforcer, it might possible that node support bpflsm but
// current enforcer is not bpflsm
return nil, errors.New("FilelessExecutionPreset not supported if bpflsm not supported")
}
Expand Down Expand Up @@ -193,7 +193,7 @@ func (p *Preset) TraceEvents() {
log.Type = "MatchedPolicy"
}

log.Operation = "File"
log.Operation = "Process"

if event.Retval >= 0 {
log.Result = "Passed"
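Review bot: The switch of `log.Operation` from `"File"` to `"Process"` in `TraceEvents` changes the category that downstream consumers filter on — the presets test's `KarmorLogStart` call is updated to match in this same commit — but nothing in the hunk records why, and the next reader of `"Process"` has no way to know the test depends on it. A one-line comment above the assignment would anchor it: `// fileless execution is reported as a Process operation; tests/k8s_env/presets filters on this value`. If `AnonMapExecPreset` (also touched in this commit) emits its own `Operation` value, it is worth checking the two presets classify consistently; that code is not in view here. `TraceEvents` starts and ends outside the hunk.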
Binary file modified KubeArmor/presets/protectEnv/protectenv_bpfeb.o
Binary file modified KubeArmor/presets/protectEnv/protectenv_bpfel.o
3 changes: 3 additions & 0 deletions tests/k8s_env/presets/presets_suite_test.go
@@ -1,3 +1,6 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2022 Authors of KubeArmor

package presets_test

import (
16 changes: 13 additions & 3 deletions tests/k8s_env/presets/presets_test.go
@@ -1,7 +1,11 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2022 Authors of KubeArmor

package presets

import (
"fmt"
"strings"
"time"

"github.com/kubearmor/KubeArmor/protobuf"
Expand Down Expand Up @@ -37,7 +41,7 @@ var _ = Describe("Presets", func() {
var fp string

BeforeEach(func() {
fp = getfilelessPod("fileless-", nil)
fp = getfilelessPod("fileless-", []string{"kubearmor-policy: enabled"})
})

AfterEach(func() {
Expand All @@ -50,12 +54,15 @@ var _ = Describe("Presets", func() {

Describe("Policy Apply", func() {
It("can audit fileless execution", func() {
if !strings.Contains(K8sRuntimeEnforcer(), "bpf") {
Skip("fileless execution preset requires bpf-lsm")
}
// Apply policy
err := K8sApplyFile("res/ksp-preset-audit-fileless.yaml")
Expect(err).To(BeNil())

// Start Kubearmor Logs
err = KarmorLogStart("policy", "presets", "File", fp)
err = KarmorLogStart("policy", "presets", "Process", fp)
Expect(err).To(BeNil())

// wait for policy creation
Expand All @@ -80,12 +87,15 @@ var _ = Describe("Presets", func() {
})

It("can block fileless execution", func() {
if !strings.Contains(K8sRuntimeEnforcer(), "bpf") {
Skip("fileless execution preset requires bpf-lsm")
}
// Apply policy
err := K8sApplyFile("res/ksp-preset-block-fileless.yaml")
Expect(err).To(BeNil())

// Start Kubearmor Logs
err = KarmorLogStart("policy", "presets", "File", fp)
err = KarmorLogStart("policy", "presets", "Process", fp)
Expect(err).To(BeNil())

// wait for policy creation
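Review bot: The bpf-lsm guard added at the top of "can audit fileless execution" (and duplicated in "can block fileless execution") runs after `BeforeEach` has already created the pod through `getfilelessPod`, so on a non-bpf enforcer each spec still pays for pod creation and the `AfterEach` teardown before it skips. Moving the guard into `BeforeEach` ahead of the pod creation — `if !strings.Contains(K8sRuntimeEnforcer(), "bpf") { Skip("fileless execution preset requires bpf-lsm") }` as the first statement, then `fp = getfilelessPod("fileless-", []string{"kubearmor-policy: enabled"})` — skips before any cluster work and removes the copy-paste between the two specs. The meaning of the new `[]string{"kubearmor-policy: enabled"}` argument (label vs. annotation) is not visible from this hunk; a short comment on that line stating what it selects would help the next person editing the fixture. The enclosing `Describe` block starts and ends outside the hunk.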
3 changes: 1 addition & 2 deletions tests/k8s_env/presets/res/python-deployment.yaml
Expand Up @@ -25,6 +25,5 @@ spec:
spec:
containers:
- name: fileless
image: rksharma95/python:fileless
command: ["tail", "-f", "/dev/null"]
image: kubearmor/ubuntu-w-utils:0.2
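Review bot: The test fixture now pulls `kubearmor/ubuntu-w-utils:0.2` by tag alone, and tags are mutable, so a later push to that tag silently changes what the fileless-exec preset tests run against and makes failures hard to reproduce; pinning the test image by digest, `image: kubearmor/ubuntu-w-utils:0.2@sha256:<digest-of-the-intended-image>`, keeps the fixture reproducible (moving off a personal `rksharma95/` registry to the project namespace is a good step in that direction). Dropping the `command: ["tail", "-f", "/dev/null"]` line means the container now relies on the new image's default entrypoint to stay running; if that entrypoint is not long-lived the pod will crash-loop before the spec can exec into it, which is not verifiable from this hunk and worth a comment on the image line naming what the default entrypoint is expected to do.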
