Skip to content

Commit

Permalink
minor updates
Browse files Browse the repository at this point in the history
Signed-off-by: Aryan-sharma11 <[email protected]>
  • Loading branch information
Aryan-sharma11 committed Oct 4, 2024
1 parent 5e0d5b3 commit e7a0107
Show file tree
Hide file tree
Showing 7 changed files with 41 additions and 49 deletions.
20 changes: 10 additions & 10 deletions KubeArmor/BPF/common.h
Original file line number Diff line number Diff line change
Expand Up @@ -5,23 +5,16 @@
#ifndef __COMMON_H
#define __COMMON_H
#define MAX_ENTRIES 10240
#define MAX_ARGUMENT_SIZE 256
#define MAX_ARGUMENT_SIZE 256
#define MAX_STR_ARR_ELEM 20

// arguments matching

// values stored for argument map
struct argVal{
char argsArray[5][25];
char argsArray[20][50];
};


struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(max_entries, 1); // Only one entry to store the count
__type(key, int);
__type(value, int);
} index_map SEC(".maps");

struct {
__uint(type, BPF_MAP_TYPE_LRU_HASH);
__uint(max_entries, MAX_ENTRIES);
Expand All @@ -30,4 +23,11 @@ struct {
__uint(pinning, LIBBPF_PIN_BY_NAME);
} args_store SEC(".maps");

struct {
__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
__uint(max_entries, 1); // Adjust max_entries based on expected usage
__type(key, u32);
__type(value, struct argVal); // Store the args in this struct
} cmd_args_buf SEC(".maps");

#endif /* __COMMON_H */
19 changes: 9 additions & 10 deletions KubeArmor/BPF/enforcer.bpf.c
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
bufs_k *pk = bpf_map_lookup_elem(&bufk, &two);
if (pk == NULL)
return 0;

bpf_map_update_elem(&bufk, &two, z, BPF_ANY);
// Extract full path from file structure provided by LSM Hook
bufs_t *path_buf = get_buf(PATH_BUFFER);
if (path_buf == NULL)
Expand Down Expand Up @@ -123,6 +123,7 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
RULE_HINT)) { // true directory match and not a hint suggests
// there are no possibility of child dir
val = dirval;

goto decision;
} else if (dirval->processmask &
RULE_RECURSIVE) { // It's a directory match but also a
Expand Down Expand Up @@ -173,12 +174,12 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
val = bpf_map_lookup_elem(inner, pk);

if (val && (val->processmask & RULE_EXEC)) {

match = true;
goto decision;
}

recursivebuthint = false;
bpf_printk(" source = %s path= %s match %d " , store->source , store->path);

#pragma unroll
for (int i = 0; i < 64; i++) {
Expand Down Expand Up @@ -237,20 +238,18 @@ bpf_printk(" source = %s path= %s match %d " , store->source , store->path);
// clearing to avoid processing garbage values
__builtin_memset(&a_key->okey, 0, sizeof(a_key->okey));
__builtin_memset(&a_key->store, 0, sizeof(a_key->store));

bpf_probe_read(&a_key->okey.mnt_ns, sizeof(okey.mnt_ns) , &okey.mnt_ns);
bpf_probe_read(&a_key->okey.pid_ns, sizeof(okey.pid_ns) , &okey.pid_ns);
bpf_probe_read_str(&a_key->store.path, sizeof(store->path) , store->path);
bpf_printk(" source = %s path= %s " , store->source , store->path);
if (pk->source[0] != '\0') {
bpf_probe_read_str(&a_key->store.source, sizeof(pk->source) , store->source);
bpf_printk(" pksource empty a_key->path %s , a_key->source - %s ", a_key->store.path , a_key->store.source);
}


if (pk->path[0] == '\0') {
bpf_probe_read_str(&a_key->store.source, sizeof(store->source) , store->source);
}
if (argval) {
for( int i = 1 ; i< num && i<10; i++ ){
bpf_printk("Argurment %d : %s\n", i, argval->argsArray[i]);
__builtin_memset(a_key->arg, 0, sizeof(a_key->arg));
__builtin_memset(a_key->arg, 0, sizeof(a_key->arg));
bpf_probe_read_str(&a_key->arg, sizeof(a_key->arg), argval->argsArray[i]);
x = bpf_map_lookup_elem(&a_map ,a_key);
bpf_printk("a_key->path %s , a_key->source - %s ", a_key->store.path , a_key->store.source);
Expand Down
35 changes: 14 additions & 21 deletions KubeArmor/BPF/system_monitor.c
Original file line number Diff line number Diff line change
Expand Up @@ -1118,37 +1118,30 @@ static __always_inline bool should_drop_alerts_per_container(sys_context_t *cont
return false;
}
static __always_inline void save_cmd_args_to_buffer(const char __user *const __user *ptr){
unsigned int key_tgid = bpf_get_current_pid_tgid();
int *j;
int z = 0 ;
bpf_map_update_elem(&index_map, &z , &z , BPF_ANY);
struct argVal val;
__builtin_memset(&val, 0, sizeof(val));
unsigned int key_tgid = bpf_get_current_pid_tgid();
u32 arg_k = 0;
struct argVal *args_buf = bpf_map_lookup_elem(&cmd_args_buf, &arg_k);
if (args_buf == NULL){
return ;
}
__builtin_memset(&args_buf->argsArray, 0, sizeof(args_buf->argsArray));
// add number of args here
#pragma unroll
for (int i = 0; i < 5; i++)
{
j = bpf_map_lookup_elem(&index_map, &z);
if (!j){
bpf_printk("Failed to loarray \n");
break;
}
const char *const *curr_ptr = (void *)&ptr[i] ;
const char *argp = NULL;
bpf_probe_read(&argp, sizeof(argp), curr_ptr);
int k = *j;
if (*j < 0 || *j >= 4)
break;
if (argp)
{
// bpf_printk("in execve arg - %s , key %u ",argp , key_tgid);
bpf_probe_read_str(val.argsArray[k], sizeof(val.argsArray[0]), argp);
k++ ; // Increment the index
bpf_probe_read_str(args_buf->argsArray[i], sizeof(args_buf->argsArray[0]), argp);
bpf_map_update_elem(&args_store, &key_tgid, args_buf, BPF_ANY);
}
*j = k;
bpf_map_update_elem(&index_map, &z, j, BPF_ANY);
else {
break;
}
}
bpf_map_update_elem(&args_store, &key_tgid, &val, BPF_ANY);


}

SEC("kprobe/security_path_mknod")
Expand Down
8 changes: 4 additions & 4 deletions KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
Binary file not shown.
8 changes: 4 additions & 4 deletions KubeArmor/enforcer/bpflsm/enforcer_bpfel.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
Binary file not shown.

0 comments on commit e7a0107

Please sign in to comment.