Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat : process arguments matching #1869

Open
wants to merge 11 commits into
base: main
Choose a base branch
from

Conversation

Aryan-sharma11
Copy link
Member

@Aryan-sharma11 Aryan-sharma11 commented Oct 3, 2024

Purpose of PR?:

This PR Introduces argument based matching for processes.

###Design
image

Maps
bpf maps
image

in user space we will keep track of arguments list using

ArgumentsList        map[ArgListKey][]string 
  type ArgListKey struct {
	  NsKey
	  InnerKey
  }

Policy example

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: allow-steampipe-args
spec:
  selector:
    matchLabels:
      app: steampipe
  process:
    matchPaths:
    - path: /usr/bin/python3.6
      allowedArgs:
        - -m
        - modules.steampipe_aws
    matchDirectories:
    - dir: /tmp/
  action:
    Block

new BPF maps added
ArgsStore => to store commandline arguments
CmdArgsBuf => to store value for ArgsStore map

kubearmor_arguments => to store the arguments provided with the policy
args_bufK => to store key for kubearmor_arguments map

Benchmarking

-- current stable
https://hackmd.io/@aryan1126/H1B_gLyZ1x
-- with process args matching
https://hackmd.io/@aryan1126/ryq0xIy-kl

Does this PR introduce a breaking change?

If the changes in this PR are manually verified, list down the scenarios covered::

Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix. Fixes #
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

@Aryan-sharma11 Aryan-sharma11 marked this pull request as draft October 3, 2024 08:04
@Aryan-sharma11 Aryan-sharma11 force-pushed the arg-matching branch 4 times, most recently from 895a6a7 to 3f3c89c Compare October 10, 2024 05:49
@Aryan-sharma11 Aryan-sharma11 force-pushed the arg-matching branch 2 times, most recently from e57f369 to d68e9cd Compare October 17, 2024 06:19
@Aryan-sharma11 Aryan-sharma11 force-pushed the arg-matching branch 2 times, most recently from c361643 to ed83a17 Compare October 24, 2024 04:49
Copy link
Member

@rootxrishabh rootxrishabh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BPFLSM enforcer not starting, here's the error message -

2024-11-12 10:39:53.824274 ERROR error creating kubearmor_arguments_map: creating map: map create: argument list too long (without BTF k/v) github.com/kubearmor/KubeArmor/KubeArmor/log.Err /usr/src/KubeArmor/KubeArmor/log/logger.go:103 github.com/kubearmor/KubeArmor/KubeArmor/feeder.(*Feeder).Errf /usr/src/KubeArmor/KubeArmor/feeder/feeder.go:446 github.com/kubearmor/KubeArmor/KubeArmor/enforcer/bpflsm.NewBPFEnforcer /usr/src/KubeArmor/KubeArmor/enforcer/bpflsm/enforcer.go:111 github.com/kubearmor/KubeArmor/KubeArmor/enforcer.selectLsm /usr/src/KubeArmor/KubeArmor/enforcer/runtimeEnforcer.go:106 github.com/kubearmor/KubeArmor/KubeArmor/enforcer.NewRuntimeEnforcer /usr/src/KubeArmor/KubeArmor/enforcer/runtimeEnforcer.go:175 github.com/kubearmor/KubeArmor/KubeArmor/core.(*KubeArmorDaemon).InitRuntimeEnforcer /usr/src/KubeArmor/KubeArmor/core/kubeArmor.go:292 github.com/kubearmor/KubeArmor/KubeArmor/core.KubeArmor /usr/src/KubeArmor/KubeArmor/core/kubeArmor.go:548 main.main /usr/src/KubeArmor/KubeArmor/main.go:79 runtime.main /usr/local/go/src/runtime/proc.go:271 2024-11-12 10:39:53.824329 INFO Error Initialising BPF-LSM Enforcer, Cleaning Up

Environment -

  • K8s -> EKS
  • Container Runtime -> containerd://1.7.22
  • Kernel Version -> 5.10.227-219.884.amzn2.x86_64
  • Operating system -> Amazon Linux 2

@Prateeknandle Prateeknandle self-assigned this Dec 16, 2024
@Aryan-sharma11 Aryan-sharma11 force-pushed the arg-matching branch 2 times, most recently from 378110d to 7c83c0d Compare January 13, 2025 07:14
Signed-off-by: Aryan-sharma11 <[email protected]>
Signed-off-by: Aryan-sharma11 <[email protected]>
Signed-off-by: Aryan-sharma11 <[email protected]>
Signed-off-by: Aryan-sharma11 <[email protected]>
Signed-off-by: Aryan-sharma11 <[email protected]>
Signed-off-by: Aryan-sharma11 <[email protected]>
Signed-off-by: Aryan-sharma11 <[email protected]>
Signed-off-by: Aryan-sharma11 <[email protected]>
Signed-off-by: Aryan-sharma11 <[email protected]>
@Aryan-sharma11 Aryan-sharma11 marked this pull request as ready for review January 16, 2025 06:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: In Progress
Development

Successfully merging this pull request may close these issues.

3 participants