Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat/fix(bpflsm-enforcer): refactor network rule handling #1283

Merged
merged 2 commits into from
Jun 27, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
240 changes: 130 additions & 110 deletions KubeArmor/BPF/enforcer.bpf.c
Original file line number Diff line number Diff line change
Expand Up @@ -235,118 +235,138 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
return ret;
}

static inline int match_net_rules(int type, int protocol, char *string) {
struct task_struct *t = (struct task_struct *)bpf_get_current_task();

bool match = false;

struct outer_key okey;
get_outer_key(&okey, t);

u32 *inner = bpf_map_lookup_elem(&kubearmor_containers, &okey);

if (!inner) {
return 0;
}

u32 zero = 0;
bufs_k *z = bpf_map_lookup_elem(&bufk, &zero);
if (z == NULL)
return 0;

u32 one = 1;
bufs_k *p = bpf_map_lookup_elem(&bufk, &one);
if (p == NULL)
return 0;

u32 two = 2;
bufs_k *store = bpf_map_lookup_elem(&bufk, &two);
if (store == NULL)
return 0;

bpf_map_update_elem(&bufk, &one, z, BPF_ANY);

struct file *file_p = get_task_file(t);
if (file_p == NULL)
return 0;
bufs_t *src_buf = get_buf(PATH_BUFFER);
if (src_buf == NULL)
return 0;
struct path f_src = BPF_CORE_READ(file_p, f_path);
if (!prepend_path(&f_src, src_buf))
return 0;

u32 *src_offset = get_buf_off(PATH_BUFFER);
if (src_offset == NULL)
return 0;

void *ptr = &src_buf->buf[*src_offset];
bpf_probe_read_str(p->source, MAX_STRING_SIZE, ptr);

int p0;
int p1;

if (type == SOCK_STREAM && (protocol == IPPROTO_TCP || protocol == 0)) {
p0 = sock_proto;
p1 = IPPROTO_TCP;
} else if (type == SOCK_DGRAM && (protocol == IPPROTO_UDP || protocol == 0)) {
p0 = sock_proto;
p1 = IPPROTO_UDP;
} else if (protocol == IPPROTO_ICMP &&
(type == SOCK_DGRAM || type == SOCK_RAW)) {
p0 = sock_proto;
p1 = IPPROTO_ICMP;
} else if (type == SOCK_RAW && protocol == 0) {
p0 = sock_type;
p1 = SOCK_RAW;
} else {
p0 = sock_proto;
p1 = protocol;
}

p->path[0] = p0;
p->path[1] = p1;

struct data_t *val = bpf_map_lookup_elem(inner, p);

if (val) {
match = true;
goto decision;
}

val = bpf_map_lookup_elem(inner, p);

bpf_map_update_elem(&bufk, &one, z, BPF_ANY);

p->path[0] = p0;
p->path[1] = p1;

val = bpf_map_lookup_elem(inner, p);

if (val) {
match = true;
goto decision;
}

decision:

bpf_map_update_elem(&bufk, &one, z, BPF_ANY);
p->path[0] = dnet;
struct data_t *allow = bpf_map_lookup_elem(inner, p);

if (allow) {
if (!match) {
bpf_printk("denying sock %s - type %d, protocol %d due "
"to not in allowlist\n",
string, type, protocol);
if (p->source[0] != '\0') {
bpf_printk("denying from source from %s", store->source);
}
return -EPERM;
}
} else {
if (match) {
if (val && (val->processmask & RULE_DENY)) {
bpf_printk("denying sock %s - type %d, protocol %d due to in "
"blacklist\n",
string, type, protocol);
return -EPERM;
}
}
}
return 0;
}

SEC("lsm/socket_create")
int BPF_PROG(enforce_net_create, int family, int type, int protocol) {
return match_net_rules(type, protocol, "create");
}

#define LSM_NET(name, string) \
int BPF_PROG(name, struct socket *sock) { \
struct task_struct *t = (struct task_struct *)bpf_get_current_task(); \
\
bool match = false; \
\
struct outer_key okey; \
get_outer_key(&okey, t); \
\
u32 *inner = bpf_map_lookup_elem(&kubearmor_containers, &okey); \
\
if (!inner) { \
return 0; \
} \
\
u32 zero = 0; \
bufs_k *z = bpf_map_lookup_elem(&bufk, &zero); \
if (z == NULL) \
return 0; \
\
u32 one = 1; \
bufs_k *p = bpf_map_lookup_elem(&bufk, &one); \
if (p == NULL) \
return 0; \
\
u32 two = 2; \
bufs_k *store = bpf_map_lookup_elem(&bufk, &two); \
if (store == NULL) \
return 0; \
\
bpf_map_update_elem(&bufk, &one, z, BPF_ANY); \
\
p->path[0] = sock_proto; /* Protocol Check */ \
p->path[1] = sock->sk->sk_protocol; \
\
struct data_t *val = bpf_map_lookup_elem(inner, p); \
\
if (val) { \
match = true; \
goto decision; \
} \
\
struct file *file_p = get_task_file(t); \
if (file_p == NULL) \
return 0; \
bufs_t *src_buf = get_buf(PATH_BUFFER); \
if (src_buf == NULL) \
return 0; \
struct path f_src = BPF_CORE_READ(file_p, f_path); \
if (!prepend_path(&f_src, src_buf)) \
return 0; \
\
u32 *src_offset = get_buf_off(PATH_BUFFER); \
if (src_offset == NULL) \
return 0; \
\
void *ptr = &src_buf->buf[*src_offset]; \
bpf_probe_read_str(p->source, MAX_STRING_SIZE, ptr); \
bpf_probe_read_str(store->source, MAX_STRING_SIZE, ptr); \
\
val = bpf_map_lookup_elem(inner, p); \
\
if (val) { \
match = true; \
goto decision; \
} \
\
bpf_map_update_elem(&bufk, &one, z, BPF_ANY); \
\
p->path[0] = sock_type; /* Type Check */ \
p->path[1] = sock->type; \
\
val = bpf_map_lookup_elem(inner, p); \
\
if (val) { \
match = true; \
goto decision; \
} \
\
bpf_probe_read_str(p->source, MAX_STRING_SIZE, ptr); \
\
val = bpf_map_lookup_elem(inner, p); \
\
if (val) { \
match = true; \
goto decision; \
} \
decision: \
\
bpf_map_update_elem(&bufk, &one, z, BPF_ANY); \
p->path[0] = dnet; \
struct data_t *allow = bpf_map_lookup_elem(inner, p); \
\
if (allow) { \
if (!match) { \
bpf_printk("denying sock %s - type %d, protocol %d due " \
"to not in allowlist\n", \
string, sock->type, sock->sk->sk_protocol); \
if (store->source[0] != '\0') { \
bpf_printk("denying from source from %s", store->source); \
} \
return -EPERM; \
} \
} else { \
if (match) { \
bpf_printk("denying sock %s - type %d, protocol %d due to in " \
"blacklist\n", \
string, sock->type, sock->sk->sk_protocol); \
return -EPERM; \
} \
} \
return 0; \
int type = sock->type; \
int protocol = sock->sk->sk_protocol; \
return match_net_rules(type, protocol, string); \
}

SEC("lsm/socket_connect")
Expand Down
6 changes: 6 additions & 0 deletions KubeArmor/enforcer/bpflsm/enforcer.go
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,12 @@ func NewBPFEnforcer(node tp.Node, pinpath string, logger *fd.Feeder) (*BPFEnforc
return be, err
}

be.Probes[be.obj.EnforceNetCreate.String()], err = link.AttachLSM(link.LSMOptions{Program: be.obj.EnforceNetCreate})
if err != nil {
be.Logger.Errf("opening lsm %s: %s", be.obj.EnforceNetCreate.String(), err)
return be, err
}

be.Probes[be.obj.EnforceNetConnect.String()], err = link.AttachLSM(link.LSMOptions{Program: be.obj.EnforceNetConnect})
if err != nil {
be.Logger.Errf("opening lsm %s: %s", be.obj.EnforceNetConnect.String(), err)
Expand Down
3 changes: 3 additions & 0 deletions KubeArmor/enforcer/bpflsm/enforcer_bpfeb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
Binary file not shown.
3 changes: 3 additions & 0 deletions KubeArmor/enforcer/bpflsm/enforcer_bpfel.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
Binary file not shown.
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o
Binary file not shown.
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o
Binary file not shown.
3 changes: 3 additions & 0 deletions KubeArmor/enforcer/bpflsm/rulesHandling.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ const (
const (
PROCESS = 0
FILE = 1
NETWORK = 0
)

// Map Key Identifiers for Whitelist/Posture
Expand Down Expand Up @@ -253,6 +254,7 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
}
newrules.NetworkRuleList[key] = val
} else if net.Action == "Block" {
val[NETWORK] = val[NETWORK] | DENY
newrules.NetworkRuleList[key] = val
}
} else {
Expand All @@ -266,6 +268,7 @@ func (be *BPFEnforcer) UpdateContainerRules(id string, securityPolicies []tp.Sec
}
newrules.NetworkRuleList[key] = val
} else if net.Action == "Block" {
val[NETWORK] = val[NETWORK] | DENY
newrules.NetworkRuleList[key] = val
}

Expand Down