enforcer: handle network policies

Signed-off-by: daemon1024 <[email protected]>

KubeArmor/BPF/enforcer.bpf.c

@@ -524,50 +524,109 @@ int BPF_PROG(enforce_file, struct file *file) { // check if ret code available
 SEC("lsm/socket_connect")
 int BPF_PROG(enforce_net, struct socket *sock, struct sockaddr *address,
              int addrlen) {
-  // struct task_struct *t = (struct task_struct *)bpf_get_current_task();
-
-  // bool match = false;
-
-  // struct outer_key okey = {.pid_ns = get_task_pid_ns_id(t),
-  //                          .mnt_ns = get_task_mnt_ns_id(t)};
-
-  // if (okey.pid_ns == PROC_PID_INIT_INO) {
-  //   return 0;
-  // }
-
-  // u32 *inner = bpf_map_lookup_elem(&kubearmor_containers, &okey);
-
-  // if (!inner) {
-  //   return 0;
-  // }
-
-  // u32 k;
-
-  // k = 0xdeadbeef + sock->sk->sk_protocol;
-
-  // if (bpf_map_lookup_elem(inner, &k)) {
-  //   match = true;
-  // }
-
-  // u32 ank = 103;
-  // struct data_t *allow = bpf_map_lookup_elem(inner, &ank);
-
-  // if (allow) {
-  //   if (!match) {
-  //     bpf_printk("denying sock type %d, family %d, protocol %d due to not
-  //     in
-  //     "
-  //                "allowlist \n",
-  //                sock->type, address->sa_family, sock->sk->sk_protocol);
-  //     return -EPERM;
-  //   }
-  // } else {
-  //   if (match) {
-  //     bpf_printk(
-  //         "denying sock type %d, family %d, protocol %d due to in blacklist
-  //         \n", sock->type, address->sa_family, sock->sk->sk_protocol);
-  //     return -EPERM;
-  //   }
-  // }
+  struct task_struct *t = (struct task_struct *)bpf_get_current_task();
+
+  bool match = false;
+
+  struct outer_key okey = {.pid_ns = get_task_pid_ns_id(t),
+                           .mnt_ns = get_task_mnt_ns_id(t)};
+
+  if (okey.pid_ns == PROC_PID_INIT_INO) {
+    return 0;
+  }
+
+  u32 *inner = bpf_map_lookup_elem(&kubearmor_containers, &okey);
+
+  if (!inner) {
+    return 0;
+  }
+
+  u32 zero = 0;
+  u32 one = 1;
+  bufs_k *p = bpf_map_lookup_elem(&bufk, &zero);
+  if (p == NULL)
+    return 0;
+
+  bufs_k *z = bpf_map_lookup_elem(&bufk, &one);
+  if (z == NULL)
+    return 0;
+
+  bpf_map_update_elem(&bufk, &zero, z, BPF_ANY);
+
+  p->path[0] = 3; // Protocol Check
+  p->path[1] = sock->sk->sk_protocol;
+
+  struct data_t *val = bpf_map_lookup_elem(inner, p);
+
+  if (val) {
+    match = true;
+    goto decision;
+  }
+
+  struct file *file_p = get_task_file(t);
+  if (file_p == NULL)
+    return 0;
+  bufs_t *src_buf = get_buf(PATH_BUFFER);
+  if (src_buf == NULL)
+    return 0;
+  struct path f_src = BPF_CORE_READ(file_p, f_path);
+  if (!prepend_path(&f_src, src_buf))
+    return 0;
+
+  u32 *src_offset = get_buf_off(PATH_BUFFER);
+  if (src_offset == NULL)
+    return 0;
+
+  void *ptr = &src_buf->buf[*src_offset];
+  bpf_probe_read_str(p->source, MAX_STRING_SIZE, ptr);
+
+  val = bpf_map_lookup_elem(inner, p);
+
+  if (val) {
+    match = true;
+    goto decision;
+  }
+
+  bpf_map_update_elem(&bufk, &zero, z, BPF_ANY);
+
+  p->path[0] = 2; // Type Check
+  p->path[1] = sock->type;
+
+  val = bpf_map_lookup_elem(inner, p);
+
+  if (val) {
+    match = true;
+    goto decision;
+  }
+
+  bpf_probe_read_str(p->source, MAX_STRING_SIZE, ptr);
+
+  val = bpf_map_lookup_elem(inner, p);
+
+  if (val) {
+    match = true;
+    goto decision;
+  }
+decision:
+
+  bpf_map_update_elem(&bufk, &zero, z, BPF_ANY);
+  p->path[0] = 102;
+  struct data_t *allow = bpf_map_lookup_elem(inner, p);
+
+  if (allow) {
+    if (!match) {
+      bpf_printk("denying sock type %d, family %d, protocol %d due to not in "
+                 "allowlist \n",
+                 sock->type, address->sa_family, sock->sk->sk_protocol);
+      return -EPERM;
+    }
+  } else {
+    if (match) {
+      bpf_printk("denying sock type %d, family %d, protocol %d due to in "
+                 "blacklist \n",
+                 sock->type, address->sa_family, sock->sk->sk_protocol);
+      return -EPERM;
+    }
+  }
   return 0;
 }

KubeArmor/enforcer/bpflsm/enforcer.go

@@ -15,6 +15,11 @@ import (
 
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang enforcer ../../BPF/enforcer.bpf.c -- -I/usr/include/bpf -O2 -g
 
+// ===================== //
+// == BPFLSM Enforcer == //
+// ===================== //
+
+// BPFEnforcer structure to maintains relevant objects for BPF LSM Enforcement
 type BPFEnforcer struct {
 	Logger *fd.Feeder
 
@@ -30,6 +35,7 @@ type BPFEnforcer struct {
 	Probes map[string]link.Link
 }
 
+// NewBPFEnforcer instantiates a objects for setting up BPF LSM Enforcement
 func NewBPFEnforcer(node tp.Node, logger *fd.Feeder) *BPFEnforcer {
 
 	be := &BPFEnforcer{}
@@ -100,6 +106,7 @@ func NewBPFEnforcer(node tp.Node, logger *fd.Feeder) *BPFEnforcer {
 	return be
 }
 
+// UpdateSecurityPolicies loops through containers present in the input endpoint and updates rules for each container
 func (be *BPFEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint) {
 	// skip if BPFEnforcer is not active
 	if be == nil {
@@ -113,6 +120,7 @@ func (be *BPFEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint) {
 
 }
 
+// DestroyBPFEnforcer cleans up the objects for BPF LSM Enforcer
 func (be *BPFEnforcer) DestroyBPFEnforcer() error {
 	if be == nil {
 		return nil

KubeArmor/enforcer/bpflsm/mapHelpers.go

@@ -10,19 +10,20 @@ import (
 	"github.com/cilium/ebpf"
 )
 
+// ContainerKV contains Keys for individual container eBPF Map and the Map itself
 type ContainerKV struct {
 	Key   NsKey
 	Map   *ebpf.Map
 	Rules RuleList
 }
 
-// NsKey Structure
+// NsKey Structure acts as an Identifier for containers
 type NsKey struct {
 	PidNS uint32
 	MntNS uint32
 }
 
-// NsKey Structure
+// InnerKey Structure contains Map Rule Identifier
 type InnerKey struct {
 	Path   [4096]byte
 	Source [4096]byte