enforcer: handle default posture updates and fix exec perms

Signed-off-by: daemon1024 <[email protected]>
daemon1024 · Jul 9, 2022 · 86668ff · 86668ff
1 parent 5e5a7fd
commit 86668ff
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 13 deletions.
diff --git a/KubeArmor/BPF/enforcer.bpf.c b/KubeArmor/BPF/enforcer.bpf.c
@@ -335,7 +335,8 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
 
   if (allow) {
     if (!match) {
-      bpf_printk("denying proc %s due to not in allowlist \n", p->path);
+      bpf_printk("denying proc %s due to not in allowlist, source -> %s \n",
+                 p->path, p->source);
       return -EPERM;
     }
   } else {
@@ -469,7 +470,7 @@ int BPF_PROG(enforce_file, struct file *file) { // check if ret code available
         if (val) {
           if (val->dir && val->read) {
             match = true;
-            bpf_printk("dir match %s with recursive %d and from source %S \n",
+            bpf_printk("dir match %s with recursive %d and from source %s \n",
                        dir->path, val->recursive, dir->source);
             if (val->recursive) {
               goto decision;
@@ -508,7 +509,8 @@ int BPF_PROG(enforce_file, struct file *file) { // check if ret code available
 
   if (allow) {
     if (!match) {
-      bpf_printk("denying file %s due to not in allowlist \n", p);
+      bpf_printk("denying file %s due to not in allowlist, source -> %s \n",
+                 p->path, p->source);
       return -EPERM;
     }
   } else {
@@ -610,7 +612,7 @@ int BPF_PROG(enforce_net, struct socket *sock, struct sockaddr *address,
 decision:
 
   bpf_map_update_elem(&bufk, &zero, z, BPF_ANY);
-  p->path[0] = 102;
+  p->path[0] = 103;
   struct data_t *allow = bpf_map_lookup_elem(inner, p);
 
   if (allow) {

diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
diff --git a/KubeArmor/enforcer/bpflsm/rulesHandling.go b/KubeArmor/enforcer/bpflsm/rulesHandling.go
@@ -5,7 +5,6 @@ package bpflsm
 
 import (
 	"errors"
-	"log"
 	"os"
 	"strings"
 
@@ -87,6 +86,7 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
 
 			var val [8]byte
 			val[EXEC] = 1
+			val[READ] = 1 // Exec needs to pass through file open so need to provide this
 			if path.OwnerOnly {
 				val[OWNER] = 1
 			}
@@ -117,6 +117,7 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
 		for _, dir := range secPolicy.Spec.Process.MatchDirectories {
 			var val [8]byte
 			val[EXEC] = 1
+			val[READ] = 1 // Exec needs to pass through file open so need to provide this
 			if dir.OwnerOnly {
 				val[OWNER] = 1
 			}
@@ -218,7 +219,7 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
 			}
 
 			if len(net.FromSource) == 0 {
-				if net.Action == "Allow" && defaultPosture.FileAction == "block" {
+				if net.Action == "Allow" && defaultPosture.NetworkAction == "block" {
 					newrules.NetWhiteListPosture = true
 					newrules.NetworkWhiteList[key] = val
 				} else if net.Action == "Block" && !newrules.NetWhiteListPosture {
@@ -227,7 +228,7 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
 			} else {
 				for _, src := range net.FromSource {
 					copy(key.Source[:], []byte(src.Path))
-					if net.Action == "Allow" && defaultPosture.FileAction == "block" {
+					if net.Action == "Allow" && defaultPosture.NetworkAction == "block" {
 						newrules.NetWhiteListPosture = true
 						newrules.NetworkWhiteList[key] = val
 					} else if net.Action == "Block" && !newrules.NetWhiteListPosture {
@@ -244,6 +245,15 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
 	be.resolveConflicts(newrules.FileWhiteListPosture, be.ContainerMap[id].Rules.FileWhiteListPosture, newrules.FileBlackList, be.ContainerMap[id].Rules.FileBlackList, newrules.FileWhiteList, be.ContainerMap[id].Rules.FileWhiteList, be.ContainerMap[id].Map)
 	be.resolveConflicts(newrules.NetWhiteListPosture, be.ContainerMap[id].Rules.NetWhiteListPosture, newrules.NetworkBlackList, be.ContainerMap[id].Rules.NetworkBlackList, newrules.NetworkWhiteList, be.ContainerMap[id].Rules.NetworkWhiteList, be.ContainerMap[id].Map)
 
+	// Update Posture
+	if list, ok := be.ContainerMap[id]; ok {
+		list.Rules.ProcWhiteListPosture = newrules.ProcWhiteListPosture
+		list.Rules.FileWhiteListPosture = newrules.FileWhiteListPosture
+		list.Rules.NetWhiteListPosture = newrules.NetWhiteListPosture
+
+		be.ContainerMap[id] = list
+	}
+
 	if newrules.ProcWhiteListPosture {
 		if err := be.ContainerMap[id].Map.Put(PROCWHITELIST, [8]byte{}); err != nil {
 			be.Logger.Errf("error adding rule to map for container %s: %s", id, err)
@@ -289,12 +299,6 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
 			if err := be.ContainerMap[id].Map.Put(key, val); err != nil {
 				be.Logger.Errf("error adding rule to map for container %s: %s", id, err)
 			}
-			var i uint32
-			err := be.BPFContainerMap.Lookup(be.ContainerMap[id].Key, &i)
-			if err != nil {
-				log.Fatalf("error looking map: %s", err)
-			}
-			log.Println(i)
 		}
 	}