fix : Kuberamor compatibility with Bottlerocket vm 1.16 (#1512)

* fix : containerd mount points for bottlerocket vm Signed-off-by: Aryan-sharma11 <[email protected]> * revert commit a6e16a1 to fix bottle rocket vm Signed-off-by: Aryan-sharma11 <[email protected]> * fix : kubearmor clean up process Signed-off-by: Aryan-sharma11 <[email protected]> * changed events map name to kubearmor_events Signed-off-by: Aryan-sharma11 <[email protected]> --------- Signed-off-by: Aryan-sharma11 <[email protected]>
kubearmor · Nov 28, 2023 · 7c21066 · 7c21066
1 parent 718f829
commit 7c21066
Show file tree

Hide file tree

Showing 21 changed files with 65 additions and 39 deletions.
diff --git a/KubeArmor/BPF/enforcer.bpf.c b/KubeArmor/BPF/enforcer.bpf.c
@@ -203,7 +203,7 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
   }
 
 decision:
-  task_info = bpf_ringbuf_reserve(&events, sizeof(event), 0);
+  task_info = bpf_ringbuf_reserve(&kubearmor_events, sizeof(event), 0);
   if (!task_info) {
     return 0;
   }
@@ -360,7 +360,7 @@ static inline int match_net_rules(int type, int protocol, u32 eventID) {
 
 decision:
 
-  task_info = bpf_ringbuf_reserve(&events, sizeof(event), 0);
+  task_info = bpf_ringbuf_reserve(&kubearmor_events, sizeof(event), 0);
   if (!task_info) {
     return 0;
   }

diff --git a/KubeArmor/BPF/probe.bpf.c b/KubeArmor/BPF/probe.bpf.c
@@ -14,7 +14,7 @@ typedef struct {
 struct {
   __uint(type, BPF_MAP_TYPE_RINGBUF);
   __uint(max_entries, 1 << 24);
-} events SEC(".maps");
+} kubearmor_events SEC(".maps");
 
 // Force emitting struct event into the ELF.
 const event *unused __attribute__((unused));
@@ -23,7 +23,7 @@ SEC("lsm/mmap_file")
 int test_memfd() {
   event *task_info;
 
-  task_info = bpf_ringbuf_reserve(&events, sizeof(event), 0);
+  task_info = bpf_ringbuf_reserve(&kubearmor_events, sizeof(event), 0);
   if (!task_info) {
     return 0;
   }

diff --git a/KubeArmor/BPF/shared.h b/KubeArmor/BPF/shared.h
@@ -100,7 +100,7 @@ struct {
   __uint(type, BPF_MAP_TYPE_RINGBUF);
   __uint(max_entries, 1 << 24);
   __uint(pinning, LIBBPF_PIN_BY_NAME);
-} events SEC(".maps");
+} kubearmor_events SEC(".maps");
 
 #define RULE_EXEC 1 << 0
 #define RULE_WRITE 1 << 1
@@ -194,7 +194,7 @@ static __always_inline bool prepend_path(struct path *path, bufs_t *string_p) {
     int sz = bpf_probe_read_str(
         &(string_p->buf[(offset) & (MAX_COMBINED_LENGTH - 1)]),
         (d_name.len + 1) & (MAX_COMBINED_LENGTH - 1), d_name.name);
-    if (sz > 1) {
+     if (sz > 1) {
       bpf_probe_read(
           &(string_p->buf[(offset + d_name.len) & (MAX_COMBINED_LENGTH - 1)]), 1,
           &slash);
@@ -400,7 +400,7 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id , u32
     }
 
 #pragma unroll
-    for (int i = 0; i < MAX_STRING_SIZE; i++) {
+    for (int i = 0; i < 64; i++) {
       if (store->path[i] == '\0')
         break;
 
@@ -463,7 +463,7 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id , u32
   recursivebuthint = false;
 
 #pragma unroll
-  for (int i = 0; i < MAX_STRING_SIZE; i++) {
+  for (int i = 0; i < 64; i++) {
     if (store->path[i] == '\0')
       break;
 
@@ -502,7 +502,7 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id , u32
 
 decision:
 
-  task_info = bpf_ringbuf_reserve(&events, sizeof(event), 0);
+  task_info = bpf_ringbuf_reserve(&kubearmor_events, sizeof(event), 0);
   if (!task_info) {
     return 0;
   }
@@ -538,7 +538,7 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id , u32
     pk->path[0] = dfile;
     struct data_t *allow = bpf_map_lookup_elem(inner, pk);
 
-    if (allow) {
+        if (allow) {
       if (!match) {
         if(allow->processmask == BLOCK_POSTURE) {
           bpf_ringbuf_submit(task_info, BPF_RB_FORCE_WAKEUP);
@@ -550,7 +550,7 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id , u32
           }
       }
     }
-           
+
   } else if (id == dfileread) { // file open
     if (match) {
       if (val && (val->filemask & RULE_OWNER)) {

diff --git a/KubeArmor/enforcer/bpflsm/enforcer.go b/KubeArmor/enforcer/bpflsm/enforcer.go
@@ -219,7 +219,7 @@ func NewBPFEnforcer(node tp.Node, pinpath string, logger *fd.Feeder, monitor *mo
 		}
 	}
 
-	be.Events, err = ringbuf.NewReader(be.obj.Events)
+	be.Events, err = ringbuf.NewReader(be.obj.KubearmorEvents)
 	if err != nil {
 		be.Logger.Errf("opening ringbuf reader: %s", err)
 		return be, err
@@ -412,6 +412,14 @@ func (be *BPFEnforcer) DestroyBPFEnforcer() error {
 			errBPFCleanUp = true
 		}
 	}
+	if err := be.obj.KubearmorEvents.Unpin(); err != nil {
+		be.Logger.Err(err.Error())
+		errBPFCleanUp = true
+	}
+	if err := be.obj.KubearmorEvents.Close(); err != nil {
+		be.Logger.Err(err.Error())
+		errBPFCleanUp = true
+	}
 
 	if err := be.Events.Close(); err != nil {
 		be.Logger.Err(err.Error())

diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.go b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.go
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o
diff --git a/KubeArmor/main.go b/KubeArmor/main.go
@@ -41,6 +41,24 @@ func main() {
 			return
 		}
 	}
+	// initial clean up
+
+	bpfMapsDir := "/sys/fs/bpf/"
+	bpfMapsName := []string{"kubearmor_config", "kubearmor_events", "kubearmor_contianers", "kubearmor_visibility"}
+	for _, mp := range bpfMapsName {
+		path := bpfMapsDir + mp
+		/* This should not be triggered in ideal cases,
+		if this is triggered that means there is incomplete cleanup process
+		from the last installation */
+		if _, err := os.Stat(path); !os.IsNotExist(err) {
+			err = os.Remove(path)
+			if err != nil {
+				kg.Err(err.Error())
+			}
+			kg.Warnf("Deleteing existing map %s. This means previous cleanup was failed", path)
+
+		}
+	}
 
 	dir, err := filepath.Abs(filepath.Dir(os.Args[0]))
 	if err != nil {

diff --git a/KubeArmor/utils/bpflsmprobe/probe.go b/KubeArmor/utils/bpflsmprobe/probe.go
@@ -32,6 +32,8 @@ func CheckBPFLSMSupport() error {
 	if err := loadProbeObjects(&objs, nil); err != nil {
 		return err
 	}
+	defer objs.KubearmorEvents.Close()
+	defer objs.KubearmorEvents.Unpin()
 	defer objs.Close()
 
 	kp, err := link.AttachLSM(link.LSMOptions{Program: objs.TestMemfd})
@@ -40,7 +42,7 @@ func CheckBPFLSMSupport() error {
 	}
 	defer kp.Close()
 
-	rd, err := ringbuf.NewReader(objs.Events)
+	rd, err := ringbuf.NewReader(objs.KubearmorEvents)
 	if err != nil {
 		return err
 	}

diff --git a/KubeArmor/utils/bpflsmprobe/probe_bpfeb.go b/KubeArmor/utils/bpflsmprobe/probe_bpfeb.go
diff --git a/KubeArmor/utils/bpflsmprobe/probe_bpfeb.o b/KubeArmor/utils/bpflsmprobe/probe_bpfeb.o
diff --git a/KubeArmor/utils/bpflsmprobe/probe_bpfel.go b/KubeArmor/utils/bpflsmprobe/probe_bpfel.go
diff --git a/KubeArmor/utils/bpflsmprobe/probe_bpfel.o b/KubeArmor/utils/bpflsmprobe/probe_bpfel.o
diff --git a/deployments/get/defaults.go b/deployments/get/defaults.go
@@ -332,15 +332,13 @@ var defaultConfigs = map[string]DaemonSetConfig{
 		},
 	},
 	"bottlerocket": {
-		Args: []string{
-			"-criSocket=unix:///run/dockershim.sock",
-		},
+		Args: []string{},
 		Envs: envVar,
 		VolumeMounts: []corev1.VolumeMount{
 			apparmorVolMnt,
 			{
 				Name:      "containerd-sock-path", // containerd
-				MountPath: "/run/dockershim.sock",
+				MountPath: "/var/run/containerd/containerd.sock",
 				ReadOnly:  true,
 			},
 		},
@@ -350,7 +348,7 @@ var defaultConfigs = map[string]DaemonSetConfig{
 				Name: "containerd-sock-path",
 				VolumeSource: corev1.VolumeSource{
 					HostPath: &corev1.HostPathVolumeSource{
-						Path: "/run/dockershim.sock",
+						Path: "/run/containerd/containerd.sock",
 						Type: &hostPathSocket,
 					},
 				},

diff --git a/deployments/get/objects.go b/deployments/get/objects.go
@@ -191,7 +191,7 @@ func GenerateDaemonSet(env, namespace string) *appsv1.DaemonSet {
 		"kubearmor-app": kubearmor,
 	}
 	var privileged = bool(false)
-	var terminationGracePeriodSeconds = int64(30)
+	var terminationGracePeriodSeconds = int64(60)
 	var args = []string{
 		"-gRPC=" + strconv.Itoa(int(port)),
 	}

diff --git a/deployments/helm/KubeArmor/values.yaml b/deployments/helm/KubeArmor/values.yaml
@@ -308,7 +308,7 @@ kubearmor:
       readOnly: true
     - mountPath: /etc/apparmor.d
       name: etc-apparmor-d-path
-    - mountPath: /run/dockershim.sock
+    - mountPath: /var/run/containerd/container.sock
       name: containerd-sock-path
       readOnly: true
 
@@ -636,7 +636,7 @@ kubearmor:
         type: DirectoryOrCreate
       name: etc-apparmor-d-path
     - hostPath:
-        path: /run/dockershim.sock
+        path: /var/run/containerd/container.sock
         type: Socket
       name: containerd-sock-path