enforcer: update Container Rules on K8s events

Signed-off-by: daemon1024 <[email protected]>
daemon1024 · Jul 9, 2022 · c02db7e · c02db7e
1 parent a25cf3f
commit c02db7e
Show file tree

Hide file tree

Showing 7 changed files with 171 additions and 1 deletion.
diff --git a/KubeArmor/BPF/enforcer.bpf.c b/KubeArmor/BPF/enforcer.bpf.c
@@ -35,6 +35,11 @@ static struct file *get_task_file(struct task_struct *task) {
   return BPF_CORE_READ(task, mm, exe_file);
 }
 
+static u64 cb_check_path(struct bpf_map *map, u32 *key, char *path, int t) {
+  bpf_printk("Found key %u", *key);
+  return 0;
+}
+
 SEC("lsm/bprm_check_security")
 int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
   struct task_struct *t = (struct task_struct *)bpf_get_current_task();
@@ -54,5 +59,7 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
 
   bpf_printk("monitoring %u,%u", okey.pid_ns, okey.mnt_ns);
 
+  bpf_for_each_map_elem(inner, cb_check_path, 0, 0);
+
   return ret;
 }
diff --git a/KubeArmor/common/hash.go b/KubeArmor/common/hash.go
@@ -0,0 +1,121 @@
+package common
+
+import "unsafe"
+
+/*
+ * This contains Jenkins hash algorithm modified to mactch the hashing in ebpf land.
+ * Inspiration sources:
+ *
+ * https://en.wikipedia.org/wiki/Jenkins_hash_function
+ * http://burtleburtle.net/bob/c/lookup3.c
+ * https://github.com/torvalds/linux/blob/master/tools/include/linux/jhash.h
+ * https://github.com/tildeleb/hashland/blob/46daf2d89bba924a4269f30949050748548effb1/jenkins/jenkins.go
+ */
+
+func rot(x, k uint32) uint32 {
+	return x<<k | x>>(32-k)
+}
+
+func mix(a, b, c uint32) (uint32, uint32, uint32) {
+	a -= c
+	a ^= rot(c, 4)
+	c += b
+	b -= a
+	b ^= rot(a, 6)
+	a += c
+	c -= b
+	c ^= rot(b, 8)
+	b += a
+	a -= c
+	a ^= rot(c, 16)
+	c += b
+	b -= a
+	b ^= rot(a, 19)
+	a += c
+	c -= b
+	c ^= rot(b, 4)
+	b += a
+
+	return a, b, c
+}
+
+func final(a, b, c uint32) uint32 {
+	c ^= b
+	c -= rot(b, 14)
+	a ^= c
+	a -= rot(c, 11)
+	b ^= a
+	b -= rot(a, 25)
+	c ^= b
+	c -= rot(b, 16)
+	a ^= c
+	a -= rot(c, 4)
+	b ^= a
+	b -= rot(a, 14)
+	c ^= b
+	c -= rot(b, 24)
+
+	return c
+}
+
+func JHash(k []byte, seed uint32) uint32 {
+	var a, b, c uint32
+
+	var length int
+	length = len(k)
+	a = 0xdeadbeef + uint32(length) + seed
+	b, c = a, a
+
+	for ; length > 12; length -= 12 {
+		a += *(*uint32)(unsafe.Pointer(&k[0]))
+		b += *(*uint32)(unsafe.Pointer(&k[4]))
+		c += *(*uint32)(unsafe.Pointer(&k[8]))
+		a, b, c = mix(a, b, c)
+		k = k[12:]
+	}
+
+	switch length {
+	case 12:
+		a += *(*uint32)(unsafe.Pointer(&k[0]))
+		b += *(*uint32)(unsafe.Pointer(&k[4]))
+		c += *(*uint32)(unsafe.Pointer(&k[8]))
+	case 11:
+		c += uint32(k[10]) << 16
+		fallthrough
+	case 10:
+		c += uint32(k[9]) << 8
+		fallthrough
+	case 9:
+		c += uint32(k[8])
+		fallthrough
+	case 8:
+		a += *(*uint32)(unsafe.Pointer(&k[0]))
+		b += *(*uint32)(unsafe.Pointer(&k[4]))
+		// break
+	case 7:
+		b += uint32(k[6]) << 16
+		fallthrough
+	case 6:
+		b += uint32(k[5]) << 8
+		fallthrough
+	case 5:
+		b += uint32(k[4])
+		fallthrough
+	case 4:
+		a += *(*uint32)(unsafe.Pointer(&k[0]))
+		// break
+	case 3:
+		a += uint32(k[2]) << 16
+		fallthrough
+	case 2:
+		a += uint32(k[1]) << 8
+		fallthrough
+	case 1:
+		a += uint32(k[0])
+		// break
+	case 0:
+		return c /* zero length strings require no mixing */
+	}
+	c = final(a, b, c)
+	return c
+}
diff --git a/KubeArmor/enforcer/bpflsm/enforcer.go b/KubeArmor/enforcer/bpflsm/enforcer.go
@@ -88,6 +88,19 @@ func NewBPFEnforcer(node tp.Node, logger *fd.Feeder) *BPFEnforcer {
 	return be
 }
 
+func (be *BPFEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint) {
+	// skip if BPFEnforcer is not active
+	if be == nil {
+		return
+	}
+
+	for _, cid := range endPoint.Containers {
+		be.Logger.Printf("Updating container rules for %s", cid)
+		be.UpdateContainerRules(cid, endPoint.SecurityPolicies)
+	}
+
+}
+
 func (be *BPFEnforcer) DestroyBPFEnforcer() error {
 	if be == nil {
 		return nil

diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
diff --git a/KubeArmor/enforcer/bpflsm/rulesHandling.go b/KubeArmor/enforcer/bpflsm/rulesHandling.go
@@ -0,0 +1,27 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Authors of KubeArmor
+
+package bpflsm
+
+import (
+	cm "github.com/kubearmor/KubeArmor/KubeArmor/common"
+	tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
+)
+
+func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.SecurityPolicy) {
+	for _, secPolicy := range securityPolicies {
+		if len(secPolicy.Spec.Process.MatchPaths) > 0 {
+			for _, path := range secPolicy.Spec.Process.MatchPaths {
+				if len(path.FromSource) == 0 {
+					be.Logger.Printf("Rule %d for %s - %s", cm.JHash([]byte(path.Path), 0), path.Path, id)
+					be.ContainerMap[id].Map.Put(cm.JHash([]byte(path.Path), 0), [8]byte{})
+				} else {
+					for _, src := range path.FromSource {
+						be.Logger.Printf("Rule %d for %s (%s) - %s", cm.JHash(append([]byte(path.Path), []byte(src.Path)...), 0), path.Path, src.Path, id)
+						be.ContainerMap[id].Map.Put(cm.JHash(append([]byte(path.Path), []byte(src.Path)...), 0), [8]byte{})
+					}
+				}
+			}
+		}
+	}
+}
diff --git a/KubeArmor/enforcer/runtimeEnforcer.go b/KubeArmor/enforcer/runtimeEnforcer.go
@@ -149,7 +149,9 @@ func (re *RuntimeEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint) {
 		return
 	}
 
-	if re.EnforcerType == "AppArmor" {
+	if re.EnforcerType == "BPFLSM" {
+		re.bpfEnforcer.UpdateSecurityPolicies(endPoint)
+	} else if re.EnforcerType == "AppArmor" {
 		re.appArmorEnforcer.UpdateSecurityPolicies(endPoint)
 	} else if re.EnforcerType == "SELinux" {
 		// do nothing