diff --git a/KubeArmor/BPF/common.h b/KubeArmor/BPF/common.h index 2b44a48a85..312200fd9b 100644 --- a/KubeArmor/BPF/common.h +++ b/KubeArmor/BPF/common.h @@ -12,13 +12,17 @@ // values stored for argument map struct argVal{ - char argsArray[20][50]; + char argsArray[80]; +}; +struct cmd_args_key { + u64 tgid ; + u64 ind; }; struct { __uint(type, BPF_MAP_TYPE_LRU_HASH); __uint(max_entries, MAX_ENTRIES); - __type(key, unsigned int); + __type(key, struct cmd_args_key); __type(value, struct argVal); __uint(pinning, LIBBPF_PIN_BY_NAME); } args_store SEC(".maps"); diff --git a/KubeArmor/BPF/enforcer.bpf.c b/KubeArmor/BPF/enforcer.bpf.c index e0cb4bf6c5..5a6c040739 100644 --- a/KubeArmor/BPF/enforcer.bpf.c +++ b/KubeArmor/BPF/enforcer.bpf.c @@ -11,19 +11,11 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) { struct task_struct *t = (struct task_struct *)bpf_get_current_task(); event *task_info; int retval = ret; - // variables required for argument matching---------| - struct argVal *argval ; - unsigned int num = BPF_CORE_READ(bprm , argc); - unsigned int argKey; - unsigned int *x ; - u32 arg_k = 0; - arg_bufs_k *a_key = bpf_map_lookup_elem(&args_bufk, &arg_k); - if (a_key == NULL) - return 0; - bool argmatch = false; - bool frmsource = false; - // -------------------------------------------------| + // no of arguments + unsigned int num_of_args = BPF_CORE_READ(bprm , argc); + bool argmatch = false; + bool match = false; struct outer_key okey; get_outer_key(&okey, t); @@ -90,7 +82,9 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) { if (src_ptr == NULL) fromSourceCheck = false; + if (fromSourceCheck) { + bpf_probe_read_str(store->source, MAX_STRING_SIZE, src_ptr); val = bpf_map_lookup_elem(inner, store); @@ -98,8 +92,6 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) { match = true; goto decision; } - // bpf_printk(" source = %s path= %s " , store->source , store->path); - #pragma unroll for (int i = 0; i < 64; i++) { if (store->path[i] == '\0') @@ -231,43 +223,14 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) { decision: if (match) { - if (val && (val->processmask & RULE_ARGSET)) { - argKey = bpf_get_current_pid_tgid(); - argval = bpf_map_lookup_elem(&args_store, &argKey); - - // clearing to avoid processing garbage values - __builtin_memset(&a_key->okey, 0, sizeof(a_key->okey)); - __builtin_memset(&a_key->store, 0, sizeof(a_key->store)); - - bpf_probe_read(&a_key->okey.mnt_ns, sizeof(okey.mnt_ns) , &okey.mnt_ns); - bpf_probe_read(&a_key->okey.pid_ns, sizeof(okey.pid_ns) , &okey.pid_ns); - bpf_probe_read_str(&a_key->store.path, sizeof(store->path) , store->path); - - if (pk->path[0] == '\0') { - bpf_probe_read_str(&a_key->store.source, sizeof(store->source) , store->source); - } - if (argval) { - for( int i = 0 ; i< num && i < 100; i++ ){ - __builtin_memset(a_key->arg, 0, sizeof(a_key->arg)); - bpf_probe_read_str(&a_key->arg, sizeof(a_key->arg), argval->argsArray[i]); - x = bpf_map_lookup_elem(&a_map ,a_key); - bpf_printk("a_key->path %s , a_key->source - %s ", a_key->store.path , a_key->store.source); - if (x) { - bpf_printk("argument matched"); - argmatch = true; - if (i != 0) { - continue; - } - } else { - if (i != 0) { - argmatch = false; - break; - } - } - } - } + if (val && (val->processmask & RULE_ARGSET)){ + argmatch = matchArguments( num_of_args , &okey , store , pk); + if(argmatch){ + // if arguments matches allow the process to be executed + return 0; + } } - + if (val && (val->processmask & RULE_OWNER)) { if (!is_owner(bprm->file)) { if((val->processmask & RULE_ARGSET) && argmatch){ @@ -280,10 +243,6 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) { } } if (val && (val->processmask & RULE_DENY)) { - // Allow if allowedArgs matches - if((val->processmask & RULE_ARGSET) && argmatch){ - return 0; - } retval = -EPERM; } } @@ -301,14 +260,6 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) { retval = -EPERM; } goto ringbuf; - } else { - // allow policy + match + !argmatch = action based on default posture - if((val->processmask & RULE_ARGSET) && !argmatch){ - if (allow->processmask == BLOCK_POSTURE) { - retval = -EPERM; - } - goto ringbuf; - } } } diff --git a/KubeArmor/BPF/shared.h b/KubeArmor/BPF/shared.h index 5d4fd60111..b27016e938 100644 --- a/KubeArmor/BPF/shared.h +++ b/KubeArmor/BPF/shared.h @@ -11,6 +11,7 @@ #include #include #include "throttling.h" +#include "common.h" char LICENSE[] SEC("license") = "Dual BSD/GPL"; #define EPERM 13 @@ -98,7 +99,7 @@ struct { __type(key, arg_bufs_k); // Composite key of okey+bufkey+argname __type(value, u8); // Value is a u8 integer __uint(pinning, LIBBPF_PIN_BY_NAME); -} a_map SEC(".maps"); +} kubearmor_arguments SEC(".maps"); //--------------------------------------------// @@ -744,6 +745,66 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id, bpf_ringbuf_submit(task_info, 0); return retval; } +static inline bool matchArguments( unsigned int num_of_args , struct outer_key *okey , bufs_k *store , bufs_k *pk ) { + + bool argmatch = false; + unsigned int *x ; + + unsigned int argKey; + struct argVal *argval ; + + u32 arg_k = 0; + arg_bufs_k *a_key = bpf_map_lookup_elem(&args_bufk, &arg_k); + if (a_key == NULL) + return 0; + + // clearing to avoid processing garbage values + __builtin_memset(&a_key->okey, 0, sizeof(a_key->okey)); + __builtin_memset(&a_key->store, 0, sizeof(a_key->store)); + + bpf_probe_read(&a_key->okey.mnt_ns, sizeof(okey->mnt_ns) , &okey->mnt_ns); + bpf_probe_read(&a_key->okey.pid_ns, sizeof(okey->pid_ns) , &okey->pid_ns); + bpf_probe_read_str(&a_key->store.path, sizeof(store->path) , &store->path); + + struct cmd_args_key cmd_args_buf_k; + cmd_args_buf_k.tgid = bpf_get_current_pid_tgid(); + + if (pk->path[0] == '\0') { + // pk->path[0] will be null for fromSource rules + bpf_probe_read_str(&a_key->store.source, sizeof(store->source) , store->source); + } + + for( u8 i = 0 ; i< num_of_args && i < 16; i++ ){ + cmd_args_buf_k.ind = i; + bpf_printk(" tgid %llu ind %d" , cmd_args_buf_k.tgid , cmd_args_buf_k.ind); + + argval = bpf_map_lookup_elem(&args_store , &cmd_args_buf_k); + + bpf_printk("argval %d %s " , argval , argval->argsArray); + if(argval){ + __builtin_memset(a_key->arg, 0, sizeof(a_key->arg)); + bpf_probe_read_str(&a_key->arg, sizeof(a_key->arg), &argval->argsArray); + x = bpf_map_lookup_elem(&kubearmor_arguments ,a_key); + if (x){ + argmatch = true; + } + else { + argmatch = false; + if (i != 0) { + break; + } + } + } + else { + + struct argVal try ; + int y = bpf_map_update_elem(&args_store, &cmd_args_buf_k, &try, BPF_NOEXIST); + bpf_printk("update elem return %d" , y); + } + } + + return argmatch; +} /* How do we check what to deny or not? diff --git a/KubeArmor/BPF/system_monitor.c b/KubeArmor/BPF/system_monitor.c index 24833d6144..62f8e03f30 100644 --- a/KubeArmor/BPF/system_monitor.c +++ b/KubeArmor/BPF/system_monitor.c @@ -1118,23 +1118,28 @@ static __always_inline bool should_drop_alerts_per_container(sys_context_t *cont return false; } static __always_inline void save_cmd_args_to_buffer(const char __user *const __user *ptr){ - unsigned int key_tgid = bpf_get_current_pid_tgid(); + + + struct cmd_args_key key; + key.tgid = bpf_get_current_pid_tgid(); u32 arg_k = 0; struct argVal *args_buf = bpf_map_lookup_elem(&cmd_args_buf, &arg_k); if (args_buf == NULL){ return ; } - __builtin_memset(&args_buf->argsArray, 0, sizeof(args_buf->argsArray)); - // add number of args here - for (int i = 0; i < 5; i++) + // add number of args here // pragmaunroll + for ( u8 i = 0; i < 16; i++) { + key.ind = i; const char *const *curr_ptr = (void *)&ptr[i] ; const char *argp = NULL; bpf_probe_read(&argp, sizeof(argp), curr_ptr); if (argp) { - bpf_probe_read_str(args_buf->argsArray[i], sizeof(args_buf->argsArray[0]), argp); - bpf_map_update_elem(&args_store, &key_tgid, args_buf, BPF_ANY); + __builtin_memset(&args_buf->argsArray, 0, sizeof(args_buf->argsArray)); + bpf_probe_read_str(&args_buf->argsArray, sizeof(args_buf->argsArray), argp); + // bpf_printk("argp = %s argsBuf = %s" , argp , args_buf->argsArray); + bpf_map_update_elem(&args_store, &key, args_buf, BPF_ANY); } else { break; diff --git a/KubeArmor/enforcer/bpflsm/enforcer.go b/KubeArmor/enforcer/bpflsm/enforcer.go index faf190f41c..10880558d9 100644 --- a/KubeArmor/enforcer/bpflsm/enforcer.go +++ b/KubeArmor/enforcer/bpflsm/enforcer.go @@ -102,13 +102,13 @@ func NewBPFEnforcer(node tp.Node, pinpath string, logger *fd.Feeder, monitor *mo KeySize: 776, ValueSize: 1, MaxEntries: 100, - Name: "a_map", + Name: "kubearmor_arguments", Pinning: ebpf.PinByName, }, ebpf.MapOptions{ PinPath: pinpath, }) if err != nil { - be.Logger.Errf("error creating kubearmor_argumetns_map: %s", err) + be.Logger.Errf("error creating kubearmor_arguments_map: %s", err) return be, err } diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go index 6360599840..2a9ed849c0 100644 --- a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go +++ b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go @@ -21,7 +21,7 @@ type enforcerArgBufsK struct { Arg [256]int8 } -type enforcerArgVal struct{ ArgsArray [20][50]int8 } +type enforcerArgVal struct{ ArgsArray [80]int8 } type enforcerBufsK struct { Path [256]int8 @@ -30,6 +30,11 @@ type enforcerBufsK struct { type enforcerBufsT struct{ Buf [32768]int8 } +type enforcerCmdArgsKey struct { + Tgid uint64 + Ind uint64 +} + // loadEnforcer returns the embedded CollectionSpec for enforcer. func loadEnforcer() (*ebpf.CollectionSpec, error) { reader := bytes.NewReader(_EnforcerBytes) @@ -84,7 +89,6 @@ type enforcerProgramSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type enforcerMapSpecs struct { - A_map *ebpf.MapSpec `ebpf:"a_map"` ArgsBufk *ebpf.MapSpec `ebpf:"args_bufk"` ArgsStore *ebpf.MapSpec `ebpf:"args_store"` Bufk *ebpf.MapSpec `ebpf:"bufk"` @@ -92,6 +96,7 @@ type enforcerMapSpecs struct { BufsOff *ebpf.MapSpec `ebpf:"bufs_off"` CmdArgsBuf *ebpf.MapSpec `ebpf:"cmd_args_buf"` KubearmorAlertThrottle *ebpf.MapSpec `ebpf:"kubearmor_alert_throttle"` + KubearmorArguments *ebpf.MapSpec `ebpf:"kubearmor_arguments"` KubearmorConfig *ebpf.MapSpec `ebpf:"kubearmor_config"` KubearmorContainers *ebpf.MapSpec `ebpf:"kubearmor_containers"` KubearmorEvents *ebpf.MapSpec `ebpf:"kubearmor_events"` @@ -116,7 +121,6 @@ func (o *enforcerObjects) Close() error { // // It can be passed to loadEnforcerObjects or ebpf.CollectionSpec.LoadAndAssign. type enforcerMaps struct { - A_map *ebpf.Map `ebpf:"a_map"` ArgsBufk *ebpf.Map `ebpf:"args_bufk"` ArgsStore *ebpf.Map `ebpf:"args_store"` Bufk *ebpf.Map `ebpf:"bufk"` @@ -124,6 +128,7 @@ type enforcerMaps struct { BufsOff *ebpf.Map `ebpf:"bufs_off"` CmdArgsBuf *ebpf.Map `ebpf:"cmd_args_buf"` KubearmorAlertThrottle *ebpf.Map `ebpf:"kubearmor_alert_throttle"` + KubearmorArguments *ebpf.Map `ebpf:"kubearmor_arguments"` KubearmorConfig *ebpf.Map `ebpf:"kubearmor_config"` KubearmorContainers *ebpf.Map `ebpf:"kubearmor_containers"` KubearmorEvents *ebpf.Map `ebpf:"kubearmor_events"` @@ -131,7 +136,6 @@ type enforcerMaps struct { func (m *enforcerMaps) Close() error { return _EnforcerClose( - m.A_map, m.ArgsBufk, m.ArgsStore, m.Bufk, @@ -139,6 +143,7 @@ func (m *enforcerMaps) Close() error { m.BufsOff, m.CmdArgsBuf, m.KubearmorAlertThrottle, + m.KubearmorArguments, m.KubearmorConfig, m.KubearmorContainers, m.KubearmorEvents, diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o index 017bc52e96..89d45bfa51 100644 Binary files a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o and b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o differ diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go index 85f27ae866..50168e75f9 100644 --- a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go +++ b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go @@ -21,7 +21,7 @@ type enforcerArgBufsK struct { Arg [256]int8 } -type enforcerArgVal struct{ ArgsArray [20][50]int8 } +type enforcerArgVal struct{ ArgsArray [80]int8 } type enforcerBufsK struct { Path [256]int8 @@ -30,6 +30,11 @@ type enforcerBufsK struct { type enforcerBufsT struct{ Buf [32768]int8 } +type enforcerCmdArgsKey struct { + Tgid uint64 + Ind uint64 +} + // loadEnforcer returns the embedded CollectionSpec for enforcer. func loadEnforcer() (*ebpf.CollectionSpec, error) { reader := bytes.NewReader(_EnforcerBytes) @@ -84,7 +89,6 @@ type enforcerProgramSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type enforcerMapSpecs struct { - A_map *ebpf.MapSpec `ebpf:"a_map"` ArgsBufk *ebpf.MapSpec `ebpf:"args_bufk"` ArgsStore *ebpf.MapSpec `ebpf:"args_store"` Bufk *ebpf.MapSpec `ebpf:"bufk"` @@ -92,6 +96,7 @@ type enforcerMapSpecs struct { BufsOff *ebpf.MapSpec `ebpf:"bufs_off"` CmdArgsBuf *ebpf.MapSpec `ebpf:"cmd_args_buf"` KubearmorAlertThrottle *ebpf.MapSpec `ebpf:"kubearmor_alert_throttle"` + KubearmorArguments *ebpf.MapSpec `ebpf:"kubearmor_arguments"` KubearmorConfig *ebpf.MapSpec `ebpf:"kubearmor_config"` KubearmorContainers *ebpf.MapSpec `ebpf:"kubearmor_containers"` KubearmorEvents *ebpf.MapSpec `ebpf:"kubearmor_events"` @@ -116,7 +121,6 @@ func (o *enforcerObjects) Close() error { // // It can be passed to loadEnforcerObjects or ebpf.CollectionSpec.LoadAndAssign. type enforcerMaps struct { - A_map *ebpf.Map `ebpf:"a_map"` ArgsBufk *ebpf.Map `ebpf:"args_bufk"` ArgsStore *ebpf.Map `ebpf:"args_store"` Bufk *ebpf.Map `ebpf:"bufk"` @@ -124,6 +128,7 @@ type enforcerMaps struct { BufsOff *ebpf.Map `ebpf:"bufs_off"` CmdArgsBuf *ebpf.Map `ebpf:"cmd_args_buf"` KubearmorAlertThrottle *ebpf.Map `ebpf:"kubearmor_alert_throttle"` + KubearmorArguments *ebpf.Map `ebpf:"kubearmor_arguments"` KubearmorConfig *ebpf.Map `ebpf:"kubearmor_config"` KubearmorContainers *ebpf.Map `ebpf:"kubearmor_containers"` KubearmorEvents *ebpf.Map `ebpf:"kubearmor_events"` @@ -131,7 +136,6 @@ type enforcerMaps struct { func (m *enforcerMaps) Close() error { return _EnforcerClose( - m.A_map, m.ArgsBufk, m.ArgsStore, m.Bufk, @@ -139,6 +143,7 @@ func (m *enforcerMaps) Close() error { m.BufsOff, m.CmdArgsBuf, m.KubearmorAlertThrottle, + m.KubearmorArguments, m.KubearmorConfig, m.KubearmorContainers, m.KubearmorEvents, diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o index 735a0c9097..1f82abd8c8 100644 Binary files a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o and b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o differ diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go index c623853bd5..d5a39524fd 100644 --- a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go +++ b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go @@ -21,6 +21,8 @@ type enforcer_pathArgBufsK struct { Arg [256]int8 } +type enforcer_pathArgVal struct{ ArgsArray [80]int8 } + type enforcer_pathBufsK struct { Path [256]int8 Source [256]int8 @@ -28,6 +30,11 @@ type enforcer_pathBufsK struct { type enforcer_pathBufsT struct{ Buf [32768]int8 } +type enforcer_pathCmdArgsKey struct { + Tgid uint64 + Ind uint64 +} + // loadEnforcer_path returns the embedded CollectionSpec for enforcer_path. func loadEnforcer_path() (*ebpf.CollectionSpec, error) { reader := bytes.NewReader(_Enforcer_pathBytes) @@ -86,12 +93,14 @@ type enforcer_pathProgramSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type enforcer_pathMapSpecs struct { - A_map *ebpf.MapSpec `ebpf:"a_map"` ArgsBufk *ebpf.MapSpec `ebpf:"args_bufk"` + ArgsStore *ebpf.MapSpec `ebpf:"args_store"` Bufk *ebpf.MapSpec `ebpf:"bufk"` Bufs *ebpf.MapSpec `ebpf:"bufs"` BufsOff *ebpf.MapSpec `ebpf:"bufs_off"` + CmdArgsBuf *ebpf.MapSpec `ebpf:"cmd_args_buf"` KubearmorAlertThrottle *ebpf.MapSpec `ebpf:"kubearmor_alert_throttle"` + KubearmorArguments *ebpf.MapSpec `ebpf:"kubearmor_arguments"` KubearmorConfig *ebpf.MapSpec `ebpf:"kubearmor_config"` KubearmorContainers *ebpf.MapSpec `ebpf:"kubearmor_containers"` KubearmorEvents *ebpf.MapSpec `ebpf:"kubearmor_events"` @@ -116,12 +125,14 @@ func (o *enforcer_pathObjects) Close() error { // // It can be passed to loadEnforcer_pathObjects or ebpf.CollectionSpec.LoadAndAssign. type enforcer_pathMaps struct { - A_map *ebpf.Map `ebpf:"a_map"` ArgsBufk *ebpf.Map `ebpf:"args_bufk"` + ArgsStore *ebpf.Map `ebpf:"args_store"` Bufk *ebpf.Map `ebpf:"bufk"` Bufs *ebpf.Map `ebpf:"bufs"` BufsOff *ebpf.Map `ebpf:"bufs_off"` + CmdArgsBuf *ebpf.Map `ebpf:"cmd_args_buf"` KubearmorAlertThrottle *ebpf.Map `ebpf:"kubearmor_alert_throttle"` + KubearmorArguments *ebpf.Map `ebpf:"kubearmor_arguments"` KubearmorConfig *ebpf.Map `ebpf:"kubearmor_config"` KubearmorContainers *ebpf.Map `ebpf:"kubearmor_containers"` KubearmorEvents *ebpf.Map `ebpf:"kubearmor_events"` @@ -129,12 +140,14 @@ type enforcer_pathMaps struct { func (m *enforcer_pathMaps) Close() error { return _Enforcer_pathClose( - m.A_map, m.ArgsBufk, + m.ArgsStore, m.Bufk, m.Bufs, m.BufsOff, + m.CmdArgsBuf, m.KubearmorAlertThrottle, + m.KubearmorArguments, m.KubearmorConfig, m.KubearmorContainers, m.KubearmorEvents, diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o index b666393b00..86b4b67627 100644 Binary files a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o and b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o differ diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.go b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.go index 0b5d392038..fe3f14d361 100644 --- a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.go +++ b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.go @@ -21,6 +21,8 @@ type enforcer_pathArgBufsK struct { Arg [256]int8 } +type enforcer_pathArgVal struct{ ArgsArray [80]int8 } + type enforcer_pathBufsK struct { Path [256]int8 Source [256]int8 @@ -28,6 +30,11 @@ type enforcer_pathBufsK struct { type enforcer_pathBufsT struct{ Buf [32768]int8 } +type enforcer_pathCmdArgsKey struct { + Tgid uint64 + Ind uint64 +} + // loadEnforcer_path returns the embedded CollectionSpec for enforcer_path. func loadEnforcer_path() (*ebpf.CollectionSpec, error) { reader := bytes.NewReader(_Enforcer_pathBytes) @@ -86,12 +93,14 @@ type enforcer_pathProgramSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type enforcer_pathMapSpecs struct { - A_map *ebpf.MapSpec `ebpf:"a_map"` ArgsBufk *ebpf.MapSpec `ebpf:"args_bufk"` + ArgsStore *ebpf.MapSpec `ebpf:"args_store"` Bufk *ebpf.MapSpec `ebpf:"bufk"` Bufs *ebpf.MapSpec `ebpf:"bufs"` BufsOff *ebpf.MapSpec `ebpf:"bufs_off"` + CmdArgsBuf *ebpf.MapSpec `ebpf:"cmd_args_buf"` KubearmorAlertThrottle *ebpf.MapSpec `ebpf:"kubearmor_alert_throttle"` + KubearmorArguments *ebpf.MapSpec `ebpf:"kubearmor_arguments"` KubearmorConfig *ebpf.MapSpec `ebpf:"kubearmor_config"` KubearmorContainers *ebpf.MapSpec `ebpf:"kubearmor_containers"` KubearmorEvents *ebpf.MapSpec `ebpf:"kubearmor_events"` @@ -116,12 +125,14 @@ func (o *enforcer_pathObjects) Close() error { // // It can be passed to loadEnforcer_pathObjects or ebpf.CollectionSpec.LoadAndAssign. type enforcer_pathMaps struct { - A_map *ebpf.Map `ebpf:"a_map"` ArgsBufk *ebpf.Map `ebpf:"args_bufk"` + ArgsStore *ebpf.Map `ebpf:"args_store"` Bufk *ebpf.Map `ebpf:"bufk"` Bufs *ebpf.Map `ebpf:"bufs"` BufsOff *ebpf.Map `ebpf:"bufs_off"` + CmdArgsBuf *ebpf.Map `ebpf:"cmd_args_buf"` KubearmorAlertThrottle *ebpf.Map `ebpf:"kubearmor_alert_throttle"` + KubearmorArguments *ebpf.Map `ebpf:"kubearmor_arguments"` KubearmorConfig *ebpf.Map `ebpf:"kubearmor_config"` KubearmorContainers *ebpf.Map `ebpf:"kubearmor_containers"` KubearmorEvents *ebpf.Map `ebpf:"kubearmor_events"` @@ -129,12 +140,14 @@ type enforcer_pathMaps struct { func (m *enforcer_pathMaps) Close() error { return _Enforcer_pathClose( - m.A_map, m.ArgsBufk, + m.ArgsStore, m.Bufk, m.Bufs, m.BufsOff, + m.CmdArgsBuf, m.KubearmorAlertThrottle, + m.KubearmorArguments, m.KubearmorConfig, m.KubearmorContainers, m.KubearmorEvents, diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o index eb748cb13c..1464173397 100644 Binary files a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o and b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o differ diff --git a/KubeArmor/enforcer/bpflsm/rulesHandling.go b/KubeArmor/enforcer/bpflsm/rulesHandling.go index 9f398d0e03..1575ba80ef 100644 --- a/KubeArmor/enforcer/bpflsm/rulesHandling.go +++ b/KubeArmor/enforcer/bpflsm/rulesHandling.go @@ -5,7 +5,6 @@ package bpflsm import ( "errors" - "fmt" "os" "strings" @@ -366,7 +365,6 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec } else if len(newrules.FileRuleList) == 0 && len(newrules.ProcessRuleList) == 0 && len(newrules.NetworkRuleList) == 0 && len(newrules.CapabilitiesRuleList) == 0 { // All Policies removed for the container be.Logger.Printf("Deleting inner map for %s", id) - fmt.Println("policies are being deleted") be.DeleteContainerInnerMap(id) return } @@ -420,7 +418,6 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec argKey.InnerKey = key.InnerKey argKey.NsKey = key.NsKey copy(argKey.Argument[:], []byte(arg)) - fmt.Printf("Adding ARGUMENTS rule to container id %s , key = pid-%d mntid- %d argument - %s ", id, argKey.PidNS, argKey.MntNS, argKey.Argument) be.BPFArgumentsMap.Put(argKey, uint8(1)) } } @@ -544,7 +541,6 @@ func (be *BPFEnforcer) resolveConflictsProcessRules(newRuleList, oldRuleList map bpfArgKey.NsKey = argKey.NsKey copy(bpfArgKey.Argument[:], []byte(arg)) be.BPFArgumentsMap.Delete(bpfArgKey) - fmt.Println("deleting Arguments", bpfArgKey) } delete(argListMap, argKey) } diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go index 37d48b5218..7bc7c24980 100644 --- a/tests/k8s_env/ksp/ksp_test.go +++ b/tests/k8s_env/ksp/ksp_test.go @@ -665,6 +665,30 @@ var _ = Describe("Ksp", func() { Expect(err).To(BeNil()) Expect(res.Found).To(BeTrue()) }) + It("it can allow certain arguments in process execution", func() { + err := K8sApplyFile("multiubuntu/ksp-ubuntu-1-allow-proc-args.yaml") + Expect(err).To(BeNil()) + + // Start KubeArmor Logs + err = KarmorLogStart("policy", "multiubuntu", "Process", ub1) + Expect(err).To(BeNil()) + + AssertCommand(ub1, "multiubuntu", []string{"bash", "-c", "'python -m pydoc'"}, + MatchRegexp("*Permission denied"), true, + ) + + expect := protobuf.Alert{ + PolicyName: "ksp-ubuntu-1-allow-proc-args", + Action: "Block", + Result: "Permission denied", + } + + res, err := KarmorGetTargetAlert(5*time.Second, &expect) + Expect(err).To(BeNil()) + Expect(res.Found).To(BeTrue()) + + //ksp-group-1-allow-proc-args + }) }) diff --git a/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-allow-proc-args.yaml b/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-allow-proc-args.yaml new file mode 100644 index 0000000000..4779f0f88d --- /dev/null +++ b/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-allow-proc-args.yaml @@ -0,0 +1,30 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + name: ksp-ubuntu-1-allow-proc-args + namespace: multiubuntu +spec: + severity: 5 + message: "block all arguments except allowedArgs" + selector: + matchLabels: + container: ubuntu-1 + process: + matchPaths: + - path: /usr/bin/python3.6 + allowedArgs: + - -m + - random + action: + Block + +# multiubuntu_test_12 + +# test +# python -m random +# allowed +# python -m pydoc +# permission denied +# python +# permission denied +