minor updates

Signed-off-by: Aryan-sharma11 <[email protected]>

KubeArmor/BPF/common.h

@@ -5,23 +5,16 @@
 #ifndef __COMMON_H
 #define __COMMON_H
 #define MAX_ENTRIES 10240
- #define MAX_ARGUMENT_SIZE 256
+#define MAX_ARGUMENT_SIZE 256
+#define MAX_STR_ARR_ELEM 20
 
 // arguments matching 
 
 // values stored for argument map
 struct argVal{
-  char argsArray[5][25];
+  char argsArray[20][50];
 };
 
-
-struct {
-    __uint(type, BPF_MAP_TYPE_HASH);
-    __uint(max_entries, 1);  // Only one entry to store the count
-    __type(key, int);
-    __type(value, int);
-} index_map SEC(".maps");
-
 struct {
  __uint(type, BPF_MAP_TYPE_LRU_HASH);
  __uint(max_entries, MAX_ENTRIES);
@@ -30,4 +23,11 @@ struct {
  __uint(pinning, LIBBPF_PIN_BY_NAME);
 } args_store SEC(".maps");
 
+struct {
+    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
+    __uint(max_entries, 1);  // Adjust max_entries based on expected usage
+    __type(key, u32);
+    __type(value, struct argVal);  // Store the args in this struct
+} cmd_args_buf SEC(".maps");
+
 #endif /* __COMMON_H */

KubeArmor/BPF/enforcer.bpf.c

@@ -49,7 +49,7 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
   bufs_k *pk = bpf_map_lookup_elem(&bufk, &two);
   if (pk == NULL)
     return 0;
-
+  bpf_map_update_elem(&bufk, &two, z, BPF_ANY);
   // Extract full path from file structure provided by LSM Hook
   bufs_t *path_buf = get_buf(PATH_BUFFER);
   if (path_buf == NULL)
@@ -123,6 +123,7 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
                     RULE_HINT)) { // true directory match and not a hint suggests
                                   // there are no possibility of child dir
                   val = dirval;
+
                   goto decision;
                 } else if (dirval->processmask &
                           RULE_RECURSIVE) { // It's a directory match but also a
@@ -173,12 +174,12 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
   val = bpf_map_lookup_elem(inner, pk);
 
   if (val && (val->processmask & RULE_EXEC)) {
+
     match = true;
     goto decision;
   }
 
   recursivebuthint = false;
-bpf_printk(" source = %s path= %s match %d " , store->source , store->path);
 
 #pragma unroll
   for (int i = 0; i < 64; i++) {
@@ -237,20 +238,18 @@ bpf_printk(" source = %s path= %s match %d " , store->source , store->path);
      // clearing to avoid processing garbage values 
       __builtin_memset(&a_key->okey, 0, sizeof(a_key->okey));
       __builtin_memset(&a_key->store, 0, sizeof(a_key->store));
-
+      
       bpf_probe_read(&a_key->okey.mnt_ns, sizeof(okey.mnt_ns) , &okey.mnt_ns);
       bpf_probe_read(&a_key->okey.pid_ns, sizeof(okey.pid_ns) , &okey.pid_ns);
       bpf_probe_read_str(&a_key->store.path, sizeof(store->path) , store->path);
-      bpf_printk(" source = %s path= %s " , store->source , store->path);
-      if (pk->source[0] != '\0') {
-          bpf_probe_read_str(&a_key->store.source, sizeof(pk->source) , store->source);
-          bpf_printk(" pksource empty a_key->path %s , a_key->source - %s ", a_key->store.path , a_key->store.source);
-      }
-
+
+      if (pk->path[0] == '\0') {
+          bpf_probe_read_str(&a_key->store.source, sizeof(store->source) , store->source);
+      } 
       if (argval) {
         for( int i = 1 ; i< num && i<10; i++ ){
             bpf_printk("Argurment %d : %s\n", i,  argval->argsArray[i]);
-             __builtin_memset(a_key->arg, 0, sizeof(a_key->arg));
+            __builtin_memset(a_key->arg, 0, sizeof(a_key->arg));
             bpf_probe_read_str(&a_key->arg, sizeof(a_key->arg), argval->argsArray[i]);
             x  = bpf_map_lookup_elem(&a_map ,a_key); 
             bpf_printk("a_key->path %s , a_key->source - %s ", a_key->store.path , a_key->store.source);

KubeArmor/BPF/system_monitor.c

@@ -1118,37 +1118,30 @@ static __always_inline bool should_drop_alerts_per_container(sys_context_t *cont
     return false; 
 }
  static __always_inline void  save_cmd_args_to_buffer(const char __user *const __user *ptr){
-  unsigned int key_tgid = bpf_get_current_pid_tgid(); 
-  int *j;
-  int z = 0 ;
-  bpf_map_update_elem(&index_map, &z , &z , BPF_ANY);
-  struct argVal  val;
-    __builtin_memset(&val, 0, sizeof(val));
+    unsigned int key_tgid = bpf_get_current_pid_tgid(); 
+    u32 arg_k = 0;
+    struct argVal  *args_buf = bpf_map_lookup_elem(&cmd_args_buf, &arg_k);
+    if (args_buf == NULL){
+      return ;
+    }
+    __builtin_memset(&args_buf->argsArray, 0, sizeof(args_buf->argsArray));
     // add number of args here 
-    #pragma unroll
     for (int i = 0; i < 5; i++)
     {   
-        j = bpf_map_lookup_elem(&index_map, &z);
-        if (!j){
-            bpf_printk("Failed to loarray \n");
-            break; 
-        }
         const char *const *curr_ptr = (void *)&ptr[i] ;
         const char *argp = NULL;
         bpf_probe_read(&argp, sizeof(argp), curr_ptr);
-        int k = *j;
-        if (*j < 0 || *j >= 4)
-            break;
         if (argp)
           {
-            // bpf_printk("in execve arg - %s , key %u ",argp , key_tgid);
-            bpf_probe_read_str(val.argsArray[k], sizeof(val.argsArray[0]), argp);
-            k++ ; // Increment the index
+            bpf_probe_read_str(args_buf->argsArray[i], sizeof(args_buf->argsArray[0]), argp);
+            bpf_map_update_elem(&args_store, &key_tgid, args_buf, BPF_ANY);
           }
-        *j = k;
-        bpf_map_update_elem(&index_map, &z, j, BPF_ANY);
+        else {
+            break;
+        }
     }
-    bpf_map_update_elem(&args_store, &key_tgid, &val, BPF_ANY);
+
+
  }
 
 SEC("kprobe/security_path_mknod")