refactor code

Signed-off-by: Aryan-sharma11 <aryan1126.sharma@gmail.com>
kubearmor · Oct 17, 2024 · d68e9cd · d68e9cd
1 parent 3482d24
commit d68e9cd
Show file tree

Hide file tree

Showing 14 changed files with 143 additions and 81 deletions.
diff --git a/KubeArmor/BPF/enforcer.bpf.c b/KubeArmor/BPF/enforcer.bpf.c
@@ -11,19 +11,11 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
   struct task_struct *t = (struct task_struct *)bpf_get_current_task();
   event *task_info;
   int retval = ret;
-  // variables required for argument matching---------| 
-  struct argVal *argval ;
-  unsigned int num = BPF_CORE_READ(bprm , argc);
-  unsigned int argKey; 
-  unsigned int *x ;
-  u32 arg_k = 0;
-  arg_bufs_k *a_key = bpf_map_lookup_elem(&args_bufk, &arg_k);
-   if (a_key == NULL)
-    return 0;
-  bool argmatch = false;
-  bool frmsource = false;
-  // -------------------------------------------------|
 
+  // no of arguments
+  unsigned int num_of_args = BPF_CORE_READ(bprm , argc);
+  bool argmatch = false;
+
   bool match = false; 
   struct outer_key okey;
   get_outer_key(&okey, t);
@@ -90,16 +82,16 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
   if (src_ptr == NULL)
     fromSourceCheck = false;
 
+
   if (fromSourceCheck) {
+
     bpf_probe_read_str(store->source, MAX_STRING_SIZE, src_ptr);
 
     val = bpf_map_lookup_elem(inner, store);
     if (val && (val->processmask & RULE_EXEC)) {
       match = true;
       goto decision;
     }
-    // bpf_printk(" source = %s path= %s " , store->source , store->path);
-
     #pragma unroll
         for (int i = 0; i < 64; i++) {
           if (store->path[i] == '\0')
@@ -231,43 +223,14 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
 
 decision:  
   if (match) {
-    if (val && (val->processmask & RULE_ARGSET)) {
-      argKey =  bpf_get_current_pid_tgid();
-      argval = bpf_map_lookup_elem(&args_store, &argKey);
-
-     // clearing to avoid processing garbage values 
-      __builtin_memset(&a_key->okey, 0, sizeof(a_key->okey));
-      __builtin_memset(&a_key->store, 0, sizeof(a_key->store));
-
-      bpf_probe_read(&a_key->okey.mnt_ns, sizeof(okey.mnt_ns) , &okey.mnt_ns);
-      bpf_probe_read(&a_key->okey.pid_ns, sizeof(okey.pid_ns) , &okey.pid_ns);
-      bpf_probe_read_str(&a_key->store.path, sizeof(store->path) , store->path);
-
-      if (pk->path[0] == '\0') {
-          bpf_probe_read_str(&a_key->store.source, sizeof(store->source) , store->source);
-      } 
-      if (argval) {
-        for( int i = 0 ; i< num && i < 100; i++ ){
-            __builtin_memset(a_key->arg, 0, sizeof(a_key->arg));
-            bpf_probe_read_str(&a_key->arg, sizeof(a_key->arg), argval->argsArray[i]);
-            x  = bpf_map_lookup_elem(&a_map ,a_key);
-            bpf_printk("a_key->path %s , a_key->source - %s ", a_key->store.path , a_key->store.source);
-            if (x) {
-                bpf_printk("argument matched");
-                argmatch = true;
-                if (i != 0) {  
-                    continue;  
-                }
-            } else {
-                if (i != 0) {
-                    argmatch = false;
-                    break;  
-                }
-            }
-        }
-        }
+    if (val && (val->processmask & RULE_ARGSET)){ 
+      argmatch = matchArguments( num_of_args , &okey , store , pk);
+      if(argmatch){
+        // if arguments matches allow the process to be executed
+        return 0;
+      }
     }
-    
+
     if (val && (val->processmask & RULE_OWNER)) {
       if (!is_owner(bprm->file)) {
         if((val->processmask & RULE_ARGSET) && argmatch){
@@ -280,10 +243,6 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
       }
     }
     if (val && (val->processmask & RULE_DENY)) {
-      // Allow if allowedArgs matches
-      if((val->processmask & RULE_ARGSET) && argmatch){
-          return 0;
-      }
       retval = -EPERM;
     }
   }
@@ -301,14 +260,6 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
         retval = -EPERM;
       }
       goto ringbuf;
-    } else {
-         // allow policy + match + !argmatch = action based on default posture
-        if((val->processmask & RULE_ARGSET) && !argmatch){
-                if (allow->processmask == BLOCK_POSTURE) {
-                    retval = -EPERM;
-              }
-            goto ringbuf;
-        }
     }
   }
 

diff --git a/KubeArmor/BPF/shared.h b/KubeArmor/BPF/shared.h
@@ -11,6 +11,7 @@
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
 #include "throttling.h"
+#include "common.h"
 
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #define EPERM 13
@@ -98,7 +99,7 @@ struct {
     __type(key, arg_bufs_k);  // Composite key of okey+bufkey+argname
     __type(value, u8);            // Value is a u8 integer
     __uint(pinning, LIBBPF_PIN_BY_NAME);            
-} a_map SEC(".maps");
+} kubearmor_arguments SEC(".maps");
 
 //--------------------------------------------//
 
@@ -744,6 +745,50 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
   bpf_ringbuf_submit(task_info, 0);
   return retval;
 }
+static inline bool matchArguments( unsigned int num_of_args , struct outer_key *okey , bufs_k *store , bufs_k *pk ) {
+
+    bool argmatch = false;
+    unsigned int *x ;
+
+    unsigned int argKey;
+    struct argVal *argval ;
+    argKey =  bpf_get_current_pid_tgid();
+    argval = bpf_map_lookup_elem(&args_store, &argKey);
+
+    u32 arg_k = 0;
+    arg_bufs_k *a_key = bpf_map_lookup_elem(&args_bufk, &arg_k);
+    if (a_key == NULL)
+      return 0;
+
+    // clearing to avoid processing garbage values 
+    __builtin_memset(&a_key->okey, 0, sizeof(a_key->okey));
+    __builtin_memset(&a_key->store, 0, sizeof(a_key->store));
+
+    bpf_probe_read(&a_key->okey.mnt_ns, sizeof(okey->mnt_ns) , &okey->mnt_ns);
+    bpf_probe_read(&a_key->okey.pid_ns, sizeof(okey->pid_ns) , &okey->pid_ns);
+    bpf_probe_read_str(&a_key->store.path, sizeof(store->path) , &store->path);
+
+    if (pk->path[0] == '\0') {
+      // pk->path[0] will be null for fromSource rules
+        bpf_probe_read_str(&a_key->store.source, sizeof(store->source) , store->source);
+    }
+    if (argval) {
+      for( int i = 0 ; i< num_of_args && i < 100; i++ ){
+          __builtin_memset(a_key->arg, 0, sizeof(a_key->arg));
+          bpf_probe_read_str(&a_key->arg, sizeof(a_key->arg), argval->argsArray[i]);
+          x = bpf_map_lookup_elem(&kubearmor_arguments ,a_key);
+          if (x) {
+              argmatch = true;
+            } else {
+                argmatch = false;
+                if (i != 0) {
+                  break;  
+                }
+            }
+      }
+    }
+  return argmatch; 
+}
 
 /*
   How do we check what to deny or not?

diff --git a/KubeArmor/enforcer/bpflsm/enforcer.go b/KubeArmor/enforcer/bpflsm/enforcer.go
@@ -102,13 +102,13 @@ func NewBPFEnforcer(node tp.Node, pinpath string, logger *fd.Feeder, monitor *mo
 		KeySize:    776,
 		ValueSize:  1,
 		MaxEntries: 100,
-		Name:       "a_map",
+		Name:       "kubearmor_arguments",
 		Pinning:    ebpf.PinByName,
 	}, ebpf.MapOptions{
 		PinPath: pinpath,
 	})
 	if err != nil {
-		be.Logger.Errf("error creating kubearmor_argumetns_map: %s", err)
+		be.Logger.Errf("error creating kubearmor_arguments_map: %s", err)
 		return be, err
 	}
 

diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o