feat(enforcer,feeder): parse execname into lsm rules and support policy matching on alerts

Signed-off-by: daemon1024 <[email protected]>
daemon1024 committed Mar 7, 2024
1 parent 84c907f commit 61a1b02
Showing 3 changed files with 29 additions and 10 deletions.
13 changes: 10 additions & 3 deletions KubeArmor/enforcer/appArmorProfile.go
Expand Up @@ -32,7 +32,7 @@ func (ae *AppArmorEnforcer) ResolvedProcessWhiteListConflicts(prof *Profile) {

// SetProcessMatchPaths Function
func (ae *AppArmorEnforcer) SetProcessMatchPaths(path tp.ProcessPathType, prof *Profile, deny bool, head bool) {
if deny == false {
if !deny {
prof.File = head
}
rule := RuleConfig{}
Expand All @@ -41,8 +41,11 @@ func (ae *AppArmorEnforcer) SetProcessMatchPaths(path tp.ProcessPathType, prof *
rule.OwnerOnly = path.OwnerOnly

if len(path.FromSource) == 0 {
if len(path.ExecName) > 0 {
addRuletoMap(rule, "/**/"+path.ExecName, prof.ProcessPaths)
return
}
addRuletoMap(rule, path.Path, prof.ProcessPaths)

return
}

Expand All @@ -58,12 +61,16 @@ func (ae *AppArmorEnforcer) SetProcessMatchPaths(path tp.ProcessPathType, prof *
fromsource.Rules.Init()
prof.FromSource[source] = fromsource
}
if deny == false {
if !deny {
if val, ok := prof.FromSource[source]; ok {
val.File = head
prof.FromSource[source] = val
}
}
if len(path.ExecName) > 0 {
addRuletoMap(rule, "/**/"+path.ExecName, prof.FromSource[source].ProcessPaths)
continue
}
addRuletoMap(rule, path.Path, prof.FromSource[source].ProcessPaths)
}
}
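Review bot: ExecName is spliced verbatim into an AppArmor path rule at the two `addRuletoMap(rule, "/**/"+path.ExecName, ...)` calls, so a value containing `/`, whitespace or AppArmor glob characters (`*`, `?`, `[`, `{`) would either widen the rule well beyond one executable name or yield a profile the parser may reject; unless validation already happens before this function (not visible here), rejecting anything but a bare file name at the top of SetProcessMatchPaths would close that gap. A short comment is also warranted that an ExecName rule is name-based: an Allow on `/**/name` admits any binary with that basename under any directory, including user-writable ones, which is a wider grant than a Path rule. The target computation is now duplicated in both branches; hoisting it once before the FromSource check — `target := path.Path` / `if path.ExecName != "" { target = "/**/" + path.ExecName }` — lets all four addRuletoMap calls use `target` and removes the extra `return`/`continue`. The three hunks are excerpts of SetProcessMatchPaths; the lines between them are not shown.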
15 changes: 10 additions & 5 deletions KubeArmor/enforcer/bpflsm/rulesHandling.go
Expand Up @@ -115,24 +115,29 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
}
if len(path.FromSource) == 0 {
var key InnerKey
copy(key.Path[:], []byte(path.Path))
if len(path.ExecName) > 0 {
copy(key.Path[:], []byte(path.ExecName))
} else {
copy(key.Path[:], []byte(path.Path))
}
if path.Action == "Allow" {
newrules.ProcWhiteListPosture = true
newrules.ProcessRuleList[key] = val

} else if path.Action == "Block" {
val[PROCESS] = val[PROCESS] | DENY
newrules.ProcessRuleList[key] = val
}
} else {
for _, src := range path.FromSource {
var key InnerKey
copy(key.Path[:], []byte(path.Path))
if len(path.ExecName) > 0 {
copy(key.Path[:], []byte(path.ExecName))
} else {
copy(key.Path[:], []byte(path.Path))
}
copy(key.Source[:], []byte(src.Path))
if path.Action == "Allow" {

newrules.ProcWhiteListPosture = true

newrules.ProcessRuleList[key] = val
} else if path.Action == "Block" {
val[PROCESS] = val[PROCESS] | DENY
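Review bot: The new `copy(key.Path[:], []byte(path.ExecName))` stores a bare executable name in the same key field that otherwise holds an absolute path, so nothing in InnerKey records which kind of rule it is; the BPF side presumably tells them apart by the leading `/` (not visible here), which only holds if ExecName can never start with `/` — a check on ExecName before the copy, or a comment stating that invariant next to it, would make the contract explicit. `copy` also truncates silently when ExecName (or Path) exceeds `key.Path`, so an over-long name is stored as a rule for a different string than the policy author wrote; skipping the rule or returning an error when `len(path.ExecName) > len(key.Path)` is safer than truncating. The same if/else now appears twice, once per branch; computing the key's Path once before `if len(path.FromSource) == 0` would remove the duplication. UpdateContainerRules starts and ends outside the hunk.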
11 changes: 9 additions & 2 deletions KubeArmor/feeder/policyMatcher.go
Expand Up @@ -87,8 +87,13 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
match.Message = ppt.Message

match.Operation = "Process"
match.Resource = ppt.Path
match.ResourceType = "Path"
if len(ppt.ExecName) > 0 {
match.Resource = ppt.ExecName
match.ResourceType = "ExecName"
} else {
match.Resource = ppt.Path
match.ResourceType = "Path"
}

match.OwnerOnly = ppt.OwnerOnly

Expand Down Expand Up @@ -1023,6 +1028,8 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
procMatch := secPolicy.Regexp.MatchString(log.ProcessName) // pattern (secPolicy.Resource) -> string (log.Resource)
matchedRegex = fileMatch || procMatch
}
case "ExecName":
matchedRegex = strings.HasSuffix(log.ProcessName, "/"+secPolicy.Resource) // processpath = */execname
}

// match resources
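Review bot: When a process rule sets both Path and ExecName, the `if len(ppt.ExecName) > 0` branch in newMatchPolicy silently drops Path from the match, and the new `case "ExecName"` in UpdateMatchedPolicy never consults it either; if policy validation elsewhere does not reject that combination, a comment at the `if` such as `// ExecName takes precedence over Path; the enforcers build the rule from the name alone` would make the precedence visible to whoever reads the resulting alert. The suffix check `strings.HasSuffix(log.ProcessName, "/"+secPolicy.Resource)` also requires log.ProcessName to contain a directory separator, so a bare or relative process name can never match an ExecName policy — worth confirming against how ProcessName is populated. The trailing comment `// processpath = */execname` is terse; `// an ExecName rule matches any absolute path whose final component is the name` reads more clearly. UpdateMatchedPolicy starts and ends outside the hunk, and newMatchPolicy's body continues past the first hunk.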
