added changes from PR kubearmor#1578
Signed-off-by: Aryan-sharma11 <[email protected]>
Aryan-sharma11 committed Mar 1, 2024
1 parent c8f0de2 commit 48cf91e
Showing 5 changed files with 58 additions and 6 deletions.
64 changes: 58 additions & 6 deletions KubeArmor/BPF/shared.h
Expand Up @@ -520,6 +520,10 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
if (match) {
if (val && (val->filemask & RULE_OWNER)) {
struct dentry *dent ;
/* MKNOD and MKDIR would always have current user as
the owner so we need to check the parent dentry's owner
to enforcer owner only */

if(eventID == _FILE_MKNOD || eventID == _FILE_MKDIR){
dent = BPF_CORE_READ(f_path , dentry , d_parent);
} else {
Expand All @@ -533,7 +537,7 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
else if(val->filemask & RULE_AUDIT){
retval = AUDIT;
} else {
//check for matched owner only allow policies
// check for matched !owner + allow policies
bpf_map_update_elem(&bufk, &two, z, BPF_ANY);
pk->path[0] = dfile;
struct data_t *allow = bpf_map_lookup_elem(inner, pk);
Expand All @@ -556,10 +560,23 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
}
else if(val->filemask & RULE_AUDIT){
retval = AUDIT;
}
} else {
// check for matched owner only + readonly + allow policies
bpf_map_update_elem(&bufk, &two, z, BPF_ANY);
pk->path[0] = dfile;
struct data_t *allow = bpf_map_lookup_elem(inner, pk);
if (allow) {
if (allow->processmask == BLOCK_POSTURE) {
retval = DENY;
}
else {
retval = AUDIT;
}
}
}
}
else
// alow owner
// allow owner
return 0;
}
}
Expand Down Expand Up @@ -600,8 +617,21 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
}
else if(val->filemask & RULE_AUDIT){
retval = AUDIT;
}
// TODO :- owner + allow policy (fix verifier error)
} else {
// check for matched !owner + allow policies
bpf_map_update_elem(&bufk, &two, z, BPF_ANY);
pk->path[0] = dfile;
struct data_t *allow = bpf_map_lookup_elem(inner, pk);
if (allow) {
if (allow->processmask == BLOCK_POSTURE) {
retval = DENY;
}
else {
retval = AUDIT;
}
}
}

} else {
// allow owner
return 0;
Expand Down Expand Up @@ -637,6 +667,27 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
}
} else if (id == dfilewrite) { // file write
if (match) {
if (val && (val->filemask & RULE_OWNER)) {
if (!is_owner_path(f_path->dentry , &oid)) {
if(val->filemask & RULE_DENY) {
retval = DENY;
}
else if(val->filemask & RULE_AUDIT){
retval = DENY;
}
goto ringbuf;
}
}
if (val && (val->filemask & RULE_READ) && !(val->filemask & RULE_WRITE)) {
if(val->filemask & RULE_DENY) {
retval = DENY;
}
else if(val->filemask & RULE_AUDIT){
retval = DENY;
}
goto ringbuf;
}

if (val) {
if(val->filemask & RULE_DENY) {
retval = DENY;
Expand Down Expand Up @@ -709,4 +760,5 @@ static inline int match_and_enforce_path_hooks(struct path *f_path, u32 id,
directory checks
*/

#endif /* __SHARED_H */
#endif /* __SHARED_H */
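Review bot: In the dfilewrite hunk, both new RULE_AUDIT branches — the one under `if (!is_owner_path(f_path->dentry , &oid))` and the one under the RULE_READ-without-RULE_WRITE check — read `else if(val->filemask & RULE_AUDIT){ retval = DENY; }`, so an audit-only owner or read-only rule blocks the write rather than logging it, and the else-if is indistinguishable from the RULE_DENY branch above it. This does not match the other hunks in this commit, where the same test yields `retval = AUDIT;`. If the intent is the same as elsewhere, both lines should become `retval = AUDIT;`; if blocking on write is deliberate, the two branches should collapse into one `retval = DENY;` with a comment explaining why audit is enforced as deny here, since a reader will otherwise assume the copy-paste was unintentional. Either way the `goto ringbuf` that follows reports whichever value is chosen, so the choice is visible in the audit log. match_and_enforce_path_hooks starts and ends outside this hunk.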

Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
Binary file not shown.
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
Binary file not shown.
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o
Binary file not shown.
Binary file modified KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o
Binary file not shown.
