
feat: bpflsm dogfooding
Signed-off-by: daemon1024 <barun1024@gmail.com>
daemon1024 committed Oct 15, 2024
1 parent d369d09 commit 396cce4
Showing 7 changed files with 17 additions and 7 deletions.
8 changes: 5 additions & 3 deletions KubeArmor/BPF/enforcer.bpf.c
Expand Up @@ -75,7 +75,10 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
if (src_offset == NULL)
fromSourceCheck = false;

void *src_ptr = &src_buf->buf[*src_offset];
void *src_ptr;
if (src_buf->buf[*src_offset]) {
src_ptr = &src_buf->buf[*src_offset];
}
if (src_ptr == NULL)
fromSourceCheck = false;

Expand Down Expand Up @@ -152,10 +155,9 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
goto decision;
}


// match exec name
struct qstr d_name;
d_name = BPF_CORE_READ(f_path.dentry,d_name);
d_name = BPF_CORE_READ(f_path.dentry, d_name);
bpf_map_update_elem(&bufk, &two, z, BPF_ANY);
bpf_probe_read_str(pk->path, MAX_STRING_SIZE, d_name.name);

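Review bot: `src_ptr` is left indeterminate when `src_buf->buf[*src_offset]` is zero, so the `if (src_ptr == NULL)` that follows in the enforce_proc hunk reads an uninitialized pointer — undefined behavior that clang may fold either way, and which the BPF verifier may reject as an uninitialized stack read; since fromSourceCheck gates whether the source-process match is applied, the enforcement decision for an empty source string becomes unpredictable. Initialize it, `void *src_ptr = NULL;`, so an empty source reliably clears fromSourceCheck; in the removed form the NULL check was dead, because the address of an array element is never NULL. A one-line comment would make the intent explicit: `// empty source path: skip the fromSource match`. The same pattern is introduced in the match_and_enforce_path_hooks hunk of KubeArmor/BPF/shared.h and needs the same initialization. enforce_proc begins and ends outside the hunk.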
12 changes: 10 additions & 2 deletions KubeArmor/BPF/shared.h
Expand Up @@ -272,6 +272,9 @@ static inline void get_outer_key(struct outer_key *pokey,
struct task_struct *t) {
pokey->pid_ns = get_task_pid_ns_id(t);
pokey->mnt_ns = get_task_mnt_ns_id(t);
// TODO: Use cgroup ns as well for host process identification to support enforcement on deployments using hostpidns
// u32 cg_ns = BPF_CORE_READ(t, nsproxy, cgroup_ns, ns).inum;
// if (pokey->pid_ns == PROC_PID_INIT_INO && cg_ns == PROC_CGROUP_INIT_INO) {
if (pokey->pid_ns == PROC_PID_INIT_INO) {
pokey->pid_ns = 0;
pokey->mnt_ns = 0;
Expand Down Expand Up @@ -480,10 +483,15 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
if (src_offset == NULL)
fromSourceCheck = false;

void *ptr = &src_buf->buf[*src_offset];
void *src_ptr;
if (src_buf->buf[*src_offset]) {
src_ptr = &src_buf->buf[*src_offset];
}
if (src_ptr == NULL)
fromSourceCheck = false;

if (fromSourceCheck) {
bpf_probe_read_str(store->source, MAX_STRING_SIZE, ptr);
bpf_probe_read_str(store->source, MAX_STRING_SIZE, src_ptr);

val = bpf_map_lookup_elem(inner, store);

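Review bot: The TODO added at the top of the get_outer_key hunk carries two commented-out statements instead of stating the gap it leaves: a process whose `pid_ns == PROC_PID_INIT_INO` has both namespace ids zeroed and is keyed as a host process, which, as the TODO itself says, presumably means a pod running in the host pid namespace is not distinguished from the host for enforcement. Commented-out code tends to rot; replace it with a prose note such as `// TODO: hostPID pods share the init pid ns and are keyed as host processes here; combine with cgroup ns (PROC_CGROUP_INIT_INO) to tell them apart.` get_outer_key's signature line is above the hunk.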
4 changes: 2 additions & 2 deletions KubeArmor/enforcer/bpflsm/enforcer.go
Expand Up @@ -23,8 +23,8 @@ import (
tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
)

//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang enforcer ../../BPF/enforcer.bpf.c -- -I/usr/include/ -O2 -g
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang enforcer_path ../../BPF/enforcer_path.bpf.c -- -I/usr/include/ -O2 -g
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang enforcer ../../BPF/enforcer.bpf.c -- -I/usr/include/ -O2 -g -fno-stack-protector
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang enforcer_path ../../BPF/enforcer_path.bpf.c -- -I/usr/include/ -O2 -g -fno-stack-protector

// ===================== //
// == BPFLSM Enforcer == //
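Review bot: The `-fno-stack-protector` added to both go:generate lines has no accompanying explanation, and since the commit also checks in the regenerated .o objects, anyone rebuilding them needs to know why the flag is required to reproduce the same output. Presumably clang's stack protector emits `__stack_chk_fail` references that the BPF target cannot satisfy; if that is the reason, record it in a comment above the two directives, e.g. `// -fno-stack-protector: the BPF target has no stack-protector runtime, so clang must not emit __stack_chk_fail calls.`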
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
Binary file not shown.
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
Binary file not shown.
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o
Binary file not shown.
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o
Binary file not shown.
