refactor code

Signed-off-by: Aryan-sharma11 <aryan1126.sharma@gmail.com>
kubearmor · Oct 23, 2024 · c361643 · c361643
1 parent 3482d24
commit c361643
Show file tree

Hide file tree

Showing 16 changed files with 198 additions and 91 deletions.
diff --git a/KubeArmor/BPF/common.h b/KubeArmor/BPF/common.h
@@ -12,13 +12,17 @@
 
 // values stored for argument map
 struct argVal{
-  char argsArray[20][50];
+  char argsArray[80];
+};
+struct cmd_args_key {
+  u64 tgid ;
+  u64 ind;
 };
 
 struct {
  __uint(type, BPF_MAP_TYPE_LRU_HASH);
  __uint(max_entries, MAX_ENTRIES);
- __type(key, unsigned int);
+ __type(key, struct cmd_args_key);
  __type(value, struct argVal);
  __uint(pinning, LIBBPF_PIN_BY_NAME);
 } args_store SEC(".maps");

diff --git a/KubeArmor/BPF/enforcer.bpf.c b/KubeArmor/BPF/enforcer.bpf.c
@@ -11,19 +11,11 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
   struct task_struct *t = (struct task_struct *)bpf_get_current_task();
   event *task_info;
   int retval = ret;
-  // variables required for argument matching---------| 
-  struct argVal *argval ;
-  unsigned int num = BPF_CORE_READ(bprm , argc);
-  unsigned int argKey; 
-  unsigned int *x ;
-  u32 arg_k = 0;
-  arg_bufs_k *a_key = bpf_map_lookup_elem(&args_bufk, &arg_k);
-   if (a_key == NULL)
-    return 0;
-  bool argmatch = false;
-  bool frmsource = false;
-  // -------------------------------------------------|
 
+  // no of arguments
+  unsigned int num_of_args = BPF_CORE_READ(bprm , argc);
+  bool argmatch = false;
+
   bool match = false; 
   struct outer_key okey;
   get_outer_key(&okey, t);
@@ -90,16 +82,16 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
   if (src_ptr == NULL)
     fromSourceCheck = false;
 
+
   if (fromSourceCheck) {
+
     bpf_probe_read_str(store->source, MAX_STRING_SIZE, src_ptr);
 
     val = bpf_map_lookup_elem(inner, store);
     if (val && (val->processmask & RULE_EXEC)) {
       match = true;
       goto decision;
     }
-    // bpf_printk(" source = %s path= %s " , store->source , store->path);
-
     #pragma unroll
         for (int i = 0; i < 64; i++) {
           if (store->path[i] == '\0')
@@ -231,43 +223,14 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
 
 decision:  
   if (match) {
-    if (val && (val->processmask & RULE_ARGSET)) {
-      argKey =  bpf_get_current_pid_tgid();
-      argval = bpf_map_lookup_elem(&args_store, &argKey);
-
-     // clearing to avoid processing garbage values 
-      __builtin_memset(&a_key->okey, 0, sizeof(a_key->okey));
-      __builtin_memset(&a_key->store, 0, sizeof(a_key->store));
-
-      bpf_probe_read(&a_key->okey.mnt_ns, sizeof(okey.mnt_ns) , &okey.mnt_ns);
-      bpf_probe_read(&a_key->okey.pid_ns, sizeof(okey.pid_ns) , &okey.pid_ns);
-      bpf_probe_read_str(&a_key->store.path, sizeof(store->path) , store->path);
-
-      if (pk->path[0] == '\0') {
-          bpf_probe_read_str(&a_key->store.source, sizeof(store->source) , store->source);
-      } 
-      if (argval) {
-        for( int i = 0 ; i< num && i < 100; i++ ){
-            __builtin_memset(a_key->arg, 0, sizeof(a_key->arg));
-            bpf_probe_read_str(&a_key->arg, sizeof(a_key->arg), argval->argsArray[i]);
-            x  = bpf_map_lookup_elem(&a_map ,a_key);
-            bpf_printk("a_key->path %s , a_key->source - %s ", a_key->store.path , a_key->store.source);
-            if (x) {
-                bpf_printk("argument matched");
-                argmatch = true;
-                if (i != 0) {  
-                    continue;  
-                }
-            } else {
-                if (i != 0) {
-                    argmatch = false;
-                    break;  
-                }
-            }
-        }
-        }
+    if (val && (val->processmask & RULE_ARGSET)){ 
+      argmatch = matchArguments( num_of_args , &okey , store , pk);
+      if(argmatch){
+        // if arguments matches allow the process to be executed
+        return 0;
+      }
     }
-    
+
     if (val && (val->processmask & RULE_OWNER)) {
       if (!is_owner(bprm->file)) {
         if((val->processmask & RULE_ARGSET) && argmatch){
@@ -280,10 +243,6 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
       }
     }
     if (val && (val->processmask & RULE_DENY)) {
-      // Allow if allowedArgs matches
-      if((val->processmask & RULE_ARGSET) && argmatch){
-          return 0;
-      }
       retval = -EPERM;
     }
   }
@@ -301,14 +260,6 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
         retval = -EPERM;
       }
       goto ringbuf;
-    } else {
-         // allow policy + match + !argmatch = action based on default posture
-        if((val->processmask & RULE_ARGSET) && !argmatch){
-                if (allow->processmask == BLOCK_POSTURE) {
-                    retval = -EPERM;
-              }
-            goto ringbuf;
-        }
     }
   }
 

diff --git a/KubeArmor/BPF/shared.h b/KubeArmor/BPF/shared.h
@@ -11,6 +11,7 @@
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
 #include "throttling.h"
+#include "common.h"
 
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #define EPERM 13
@@ -98,7 +99,7 @@ struct {
     __type(key, arg_bufs_k);  // Composite key of okey+bufkey+argname
     __type(value, u8);            // Value is a u8 integer
     __uint(pinning, LIBBPF_PIN_BY_NAME);            
-} a_map SEC(".maps");
+} kubearmor_arguments SEC(".maps");
 
 //--------------------------------------------//
 
@@ -744,6 +745,66 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
   bpf_ringbuf_submit(task_info, 0);
   return retval;
 }
+static inline bool matchArguments( unsigned int num_of_args , struct outer_key *okey , bufs_k *store , bufs_k *pk ) {
+
+    bool argmatch = false;
+    unsigned int *x ;
+
+    unsigned int argKey;
+    struct argVal *argval ;
+
+    u32 arg_k = 0;
+    arg_bufs_k *a_key = bpf_map_lookup_elem(&args_bufk, &arg_k);
+    if (a_key == NULL)
+      return 0;
+
+    // clearing to avoid processing garbage values 
+    __builtin_memset(&a_key->okey, 0, sizeof(a_key->okey));
+    __builtin_memset(&a_key->store, 0, sizeof(a_key->store));
+
+    bpf_probe_read(&a_key->okey.mnt_ns, sizeof(okey->mnt_ns) , &okey->mnt_ns);
+    bpf_probe_read(&a_key->okey.pid_ns, sizeof(okey->pid_ns) , &okey->pid_ns);
+    bpf_probe_read_str(&a_key->store.path, sizeof(store->path) , &store->path);
+
+    struct cmd_args_key cmd_args_buf_k;
+    cmd_args_buf_k.tgid = bpf_get_current_pid_tgid();
+
+    if (pk->path[0] == '\0') {
+      // pk->path[0] will be null for fromSource rules
+        bpf_probe_read_str(&a_key->store.source, sizeof(store->source) , store->source);
+    }
+
+      for( u8 i = 0 ; i< num_of_args && i < 16; i++ ){
+        cmd_args_buf_k.ind = i;
+        bpf_printk(" tgid %llu ind %d" , cmd_args_buf_k.tgid , cmd_args_buf_k.ind);
+
+        argval = bpf_map_lookup_elem(&args_store , &cmd_args_buf_k);
+
+        bpf_printk("argval %d %s " , argval , argval->argsArray);
+        if(argval){
+          __builtin_memset(a_key->arg, 0, sizeof(a_key->arg));
+          bpf_probe_read_str(&a_key->arg, sizeof(a_key->arg), &argval->argsArray);
+          x = bpf_map_lookup_elem(&kubearmor_arguments ,a_key);    
+          if (x){
+            argmatch = true;
+            } 
+          else {
+              argmatch = false;
+              if (i != 0) {
+                break;  
+              }
+            }
+        }
+        else {
+
+            struct argVal try ;
+             int y = bpf_map_update_elem(&args_store, &cmd_args_buf_k, &try, BPF_NOEXIST);
+             bpf_printk("update elem return %d" , y);
+        }
+      }
+
+  return argmatch; 
+}
 
 /*
   How do we check what to deny or not?

diff --git a/KubeArmor/BPF/system_monitor.c b/KubeArmor/BPF/system_monitor.c
@@ -1118,23 +1118,28 @@ static __always_inline bool should_drop_alerts_per_container(sys_context_t *cont
     return false; 
 }
  static __always_inline void  save_cmd_args_to_buffer(const char __user *const __user *ptr){
-    unsigned int key_tgid = bpf_get_current_pid_tgid(); 
+
+
+    struct cmd_args_key key;
+    key.tgid = bpf_get_current_pid_tgid(); 
     u32 arg_k = 0;
     struct argVal  *args_buf = bpf_map_lookup_elem(&cmd_args_buf, &arg_k);
     if (args_buf == NULL){
       return ;
     }
-    __builtin_memset(&args_buf->argsArray, 0, sizeof(args_buf->argsArray));
-    // add number of args here 
-    for (int i = 0; i < 5; i++)
+    // add number of args here // pragmaunroll
+    for ( u8 i = 0; i < 16; i++)
     {   
+        key.ind = i;
         const char *const *curr_ptr = (void *)&ptr[i] ;
         const char *argp = NULL;
         bpf_probe_read(&argp, sizeof(argp), curr_ptr);
         if (argp)
           {
-            bpf_probe_read_str(args_buf->argsArray[i], sizeof(args_buf->argsArray[0]), argp);
-            bpf_map_update_elem(&args_store, &key_tgid, args_buf, BPF_ANY);
+            __builtin_memset(&args_buf->argsArray, 0, sizeof(args_buf->argsArray));
+            bpf_probe_read_str(&args_buf->argsArray, sizeof(args_buf->argsArray), argp);
+            // bpf_printk("argp = %s argsBuf = %s" , argp , args_buf->argsArray);
+            bpf_map_update_elem(&args_store, &key, args_buf, BPF_ANY);
           }
         else {
             break;

diff --git a/KubeArmor/enforcer/bpflsm/enforcer.go b/KubeArmor/enforcer/bpflsm/enforcer.go
@@ -102,13 +102,13 @@ func NewBPFEnforcer(node tp.Node, pinpath string, logger *fd.Feeder, monitor *mo
 		KeySize:    776,
 		ValueSize:  1,
 		MaxEntries: 100,
-		Name:       "a_map",
+		Name:       "kubearmor_arguments",
 		Pinning:    ebpf.PinByName,
 	}, ebpf.MapOptions{
 		PinPath: pinpath,
 	})
 	if err != nil {
-		be.Logger.Errf("error creating kubearmor_argumetns_map: %s", err)
+		be.Logger.Errf("error creating kubearmor_arguments_map: %s", err)
 		return be, err
 	}
 

diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o