From f98482dd0c6e50e8b04813f52c06759104bc277d Mon Sep 17 00:00:00 2001
From: rksharma95
Date: Mon, 14 Oct 2024 09:19:26 +0530
Subject: [PATCH] run presets test suite on bpflsm only

Signed-off-by: rksharma95

---
 KubeArmor/BPF/anonmapexec.bpf.c | 4 +-
 KubeArmor/BPF/protectenv.bpf.c | 2 +-
 KubeArmor/core/kubeArmor.go | 2 +-
 KubeArmor/presets/base/containers.go | 72 -------------------
 KubeArmor/presets/filelessexec/preset.go | 2 +-
 tests/k8s_env/presets/presets_suite_test.go | 3 +
 tests/k8s_env/presets/presets_test.go | 16 ++++-
 .../presets/res/python-deployment.yaml | 3 +-
 8 files changed, 22 insertions(+), 82 deletions(-)
 delete mode 100644 KubeArmor/presets/base/containers.go
diff --git a/KubeArmor/BPF/anonmapexec.bpf.c b/KubeArmor/BPF/anonmapexec.bpf.c
index e78129275..3ce560a6c 100644
--- a/KubeArmor/BPF/anonmapexec.bpf.c
+++ b/KubeArmor/BPF/anonmapexec.bpf.c
@@ -109,14 +109,14 @@ int BPF_PROG(enforce_mmap_file, struct file *file, unsigned long reqprot,
 event_data->args[2] = flags;
 event_data->event_id = ANON_MAP_EXEC;
 if (*present == BLOCK) {
- event_data->retval = -13;
+ event_data->retval = -EPERM;
 } else {
 event_data->retval = 0;
 }
 bpf_ringbuf_submit(event_data, 0);
 // mapping not backed by any file with executable permission, denying mapping
 if (*present == BLOCK) {
- return -13;
+ return -EPERM;
 } else {
 return 0;
 }
diff --git a/KubeArmor/BPF/protectenv.bpf.c b/KubeArmor/BPF/protectenv.bpf.c
index c6e5ad06e..91038e115 100644
--- a/KubeArmor/BPF/protectenv.bpf.c
+++ b/KubeArmor/BPF/protectenv.bpf.c
@@ -101,7 +101,7 @@ int BPF_PROG(enforce_file, struct file *file) {
 task_info->pid_ns = okey.pid_ns;
 task_info->mnt_ns = okey.mnt_ns;
 bpf_ringbuf_submit(task_info, 0);
- return -13;
+ return -EPERM;
 }
 return 0;
diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
index 15df73ea0..afecce924 100644
--- a/KubeArmor/core/kubeArmor.go
+++ b/KubeArmor/core/kubeArmor.go
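Review bot: The BLOCK decision in this hunk is evaluated twice, once to fill `event_data->retval` before `bpf_ringbuf_submit` and again for the return value after it, so the verdict recorded in the event and the verdict actually enforced are computed independently and could drift if one branch is edited later. Deriving both from one local keeps them in step: `int ret = (*present == BLOCK) ? -EPERM : 0;` ahead of the first `if`, then `event_data->retval = ret;` before the submit and `return ret;` after it, replacing the two if/else blocks. Both this hunk and the protectenv.bpf.c hunk replace the literal -13 with `-EPERM`, which is clearer; neither hunk shows where EPERM is defined, so presumably it comes from a header both programs already include. enforce_mmap_file begins before this hunk.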
@@ -318,7 +318,7 @@ func (dm *KubeArmorDaemon) InitPresets(logger *fd.Feeder, monitor *mon.SystemMon
 // ClosePresets Function
 func (dm *KubeArmorDaemon) ClosePresets() bool {
 if err := dm.Presets.Destroy(); err != nil {
- dm.Logger.Errf("Failed to destry preset (%s)", err.Error())
+ dm.Logger.Errf("Failed to destroy preset (%s)", err.Error())
 return false
 }
 return true
diff --git a/KubeArmor/presets/base/containers.go b/KubeArmor/presets/base/containers.go
deleted file mode 100644
index e3f5f2091..000000000
--- a/KubeArmor/presets/base/containers.go
+++ /dev/null
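Review bot: The doc comment `// ClosePresets Function` on the hunk's first context line only repeats the name and says nothing about the contract the visible lines establish. A comment such as `// ClosePresets destroys the loaded presets; it logs the error and returns false when Presets.Destroy fails, true otherwise.` would tell callers that a false return has already been logged and should not be logged again. The message typo fix itself is fine.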
@@ -1,72 +0,0 @@
-package base
-
-import (
- "errors"
- "os"
- "sync"
-
- "github.com/cilium/ebpf"
-)
-
-// NsKey struct
-type NsKey struct {
- PidNS uint32
- MntNS uint32
-}
-
-// ContainerVal struct
-type ContainerVal struct {
- NsKey NsKey
- Policy string
-}
-
-// Containers struct
-type Containers struct {
- BPFContainerMap *ebpf.Map
- // ContainerID -> NsKey
- ContainerMap map[string]ContainerVal
- ContainerMapLock *sync.RWMutex
-}
-
-// NewContainers func
-func NewContainers(emap *ebpf.Map) *Containers {
- c := &Containers{}
- c.BPFContainerMap = emap
- c.ContainerMap = make(map[string]ContainerVal)
- c.ContainerMapLock = new(sync.RWMutex)
-
- return c
-}
-
-// AddContainerIDToMap function adds container to containers map
-func (c *Containers) AddContainerIDToMap(containerID string, pidns, mntns uint32) {
- ckv := NsKey{PidNS: pidns, MntNS: mntns}
- c.ContainerMapLock.Lock()
- defer c.ContainerMapLock.Unlock()
- c.ContainerMap[containerID] = ContainerVal{NsKey: ckv}
-}
-
-// DeleteContainerIDFromMap function removed container from container map and subsequently
-// from BPF Map as well returns error if failed
-func (c *Containers) DeleteContainerIDFromMap(id string) error {
- c.ContainerMapLock.Lock()
- defer c.ContainerMapLock.Unlock()
-
- if val, ok := c.ContainerMap[id]; ok {
- if err := c.DeleteContainerIDFromBPFMap(val.NsKey); err != nil {
- return err
- }
- delete(c.ContainerMap, id)
- }
- return nil
-}
-
-// DeleteContainerIDFromBPFMap deletes the container from BPF map and returns error if failed
-func (c *Containers) DeleteContainerIDFromBPFMap(ckv NsKey) error {
- if err := c.BPFContainerMap.Delete(ckv); err != nil {
- if !errors.Is(err, os.ErrNotExist) {
- return err
- }
- }
- return nil
-}
diff --git a/KubeArmor/presets/filelessexec/preset.go b/KubeArmor/presets/filelessexec/preset.go
index cefd00187..5c59b3965 100644
--- a/KubeArmor/presets/filelessexec/preset.go
+++ b/KubeArmor/presets/filelessexec/preset.go
@@ -193,7 +193,7 @@ func (p *Preset) TraceEvents() {
 log.Type = "MatchedPolicy"
 }
- log.Operation = "File"
+ log.Operation = "Process"
 if event.Retval >= 0 {
 log.Result = "Passed"
diff --git a/tests/k8s_env/presets/presets_suite_test.go b/tests/k8s_env/presets/presets_suite_test.go
index 513204294..2910a1e62 100644
--- a/tests/k8s_env/presets/presets_suite_test.go
+++ b/tests/k8s_env/presets/presets_suite_test.go
@@ -1,3 +1,6 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Authors of KubeArmor
+
 package presets_test
 import (
diff --git a/tests/k8s_env/presets/presets_test.go b/tests/k8s_env/presets/presets_test.go
index 6cb61c074..93103f335 100644
--- a/tests/k8s_env/presets/presets_test.go
+++ b/tests/k8s_env/presets/presets_test.go
@@ -1,7 +1,11 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Authors of KubeArmor
+
 package presets
 import (
 "fmt"
+ "strings"
 "time"
 "github.com/kubearmor/KubeArmor/protobuf"
@@ -37,7 +41,7 @@ var _ = Describe("Presets", func() {
 var fp string
 BeforeEach(func() {
- fp = getfilelessPod("fileless-", nil)
+ fp = getfilelessPod("fileless-", []string{"kubearmor-policy: enabled"})
 })
 AfterEach(func() {
@@ -50,12 +54,15 @@ var _ = Describe("Presets", func() {
 Describe("Policy Apply", func() {
 It("can audit fileless execution", func() {
+ if !strings.Contains(K8sRuntimeEnforcer(), "bpf") {
+ Skip("fileless execution preset requires bpf-lsm")
+ }
 // Apply policy
 err := K8sApplyFile("res/ksp-preset-audit-fileless.yaml")
 Expect(err).To(BeNil())
 // Start Kubearmor Logs
- err = KarmorLogStart("policy", "presets", "File", fp)
+ err = KarmorLogStart("policy", "presets", "Process", fp)
 Expect(err).To(BeNil())
 // wait for policy creation
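Review bot: `log.Operation = "Process"` on the changed line is a bare literal that log consumers match verbatim — the presets_test.go hunks in this same commit have to switch their `KarmorLogStart` filter from "File" to "Process" to follow it — so the producer and its consumers can only be kept in step by reading both files. A comment on the assignment, `// Operation is the value log consumers filter on (KarmorLogStart in the presets tests); keep them in sync`, or a shared named constant for the operation string, would make that coupling visible to the next person who reclassifies the event. TraceEvents starts and ends outside this hunk.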
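Review bot: The added `Skip` runs after the `BeforeEach` in the previous hunk has already created the fileless pod via `getfilelessPod`, so on a cluster without BPF-LSM each spec still deploys and tears down a pod before being skipped, and the same three lines are repeated in the "can block fileless execution" spec in the next hunk. Moving the check into that `BeforeEach`, before the `getfilelessPod` call, gates both specs once and avoids the unnecessary pod lifecycle. `strings.Contains(K8sRuntimeEnforcer(), "bpf")` is also case-sensitive; if the enforcer name can be reported with different casing, `strings.Contains(strings.ToLower(K8sRuntimeEnforcer()), "bpf")` would be safer — worth confirming against what K8sRuntimeEnforcer returns.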
@@ -80,12 +87,15 @@ var _ = Describe("Presets", func() {
 })
 It("can block fileless execution", func() {
+ if !strings.Contains(K8sRuntimeEnforcer(), "bpf") {
+ Skip("fileless execution preset requires bpf-lsm")
+ }
 // Apply policy
 err := K8sApplyFile("res/ksp-preset-block-fileless.yaml")
 Expect(err).To(BeNil())
 // Start Kubearmor Logs
- err = KarmorLogStart("policy", "presets", "File", fp)
+ err = KarmorLogStart("policy", "presets", "Process", fp)
 Expect(err).To(BeNil())
 // wait for policy creation
diff --git a/tests/k8s_env/presets/res/python-deployment.yaml b/tests/k8s_env/presets/res/python-deployment.yaml
index 5e0daa3fb..457e15185 100644
--- a/tests/k8s_env/presets/res/python-deployment.yaml
+++ b/tests/k8s_env/presets/res/python-deployment.yaml
@@ -25,6 +25,5 @@ spec:
 spec:
 containers:
 - name: fileless
- image: rksharma95/python:fileless
- command: ["tail", "-f", "/dev/null"]
+ image: kubearmor/ubuntu-w-utils:0.2
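Review bot: The added `image: kubearmor/ubuntu-w-utils:0.2` references the fixture image by a mutable tag, so the behaviour the fileless-execution specs depend on can change whenever that tag is re-pushed; pinning by digest, `image: kubearmor/ubuntu-w-utils:0.2@sha256:<digest-placeholder>`, makes the fixture reproducible. The hunk also drops the explicit `command`, so the pod now relies on the image's default entrypoint to keep the container running — presumably intended for a utility image, but a one-line comment above the image line saying so would spare the next reader the guess.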