From 1f870ce110f9b63946c0d216a78e23611a2f6eb8 Mon Sep 17 00:00:00 2001 From: daemon1024 Date: Mon, 12 Dec 2022 21:39:05 +0530 Subject: [PATCH 1/5] bpf: don't fail on k(ret)probe link err Signed-off-by: daemon1024 --- KubeArmor/monitor/systemMonitor.go | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/KubeArmor/monitor/systemMonitor.go b/KubeArmor/monitor/systemMonitor.go index 6b018fa93f..21f3442d5d 100644 --- a/KubeArmor/monitor/systemMonitor.go +++ b/KubeArmor/monitor/systemMonitor.go @@ -420,11 +420,6 @@ func (mon *SystemMonitor) InitBPF() error { } } - ignoreList, err := loadIgnoreList(bpfPath) - if err != nil { - return err - } - mon.Logger.Print("Initializing eBPF system monitor") // Allow the current process to lock memory for eBPF resources. @@ -476,10 +471,6 @@ func (mon *SystemMonitor) InitBPF() error { mon.Probes = make(map[string]link.Link) for _, syscallName := range systemCalls { - if isIgnored(syscallName, ignoreList) { - mon.Logger.Printf("Ignoring syscall %s", syscallName) - continue - } mon.Probes["kprobe__"+syscallName], err = link.Kprobe("sys_"+syscallName, mon.BpfModule.Programs["kprobe__"+syscallName], nil) if err != nil { mon.Logger.Warnf("error loading kprobe %s: %v", syscallName, err) @@ -500,10 +491,6 @@ func (mon *SystemMonitor) InitBPF() error { } for _, sysKprobe := range sysKprobes { - if isIgnored(sysKprobe, ignoreList) { - mon.Logger.Printf("Ignoring kprobe %s", sysKprobe) - continue - } mon.Probes["kprobe__"+sysKprobe], err = link.Kprobe(sysKprobe, mon.BpfModule.Programs["kprobe__"+sysKprobe], nil) if err != nil { mon.Logger.Warnf("error loading kprobe %s: %v", sysKprobe, err) @@ -511,10 +498,6 @@ func (mon *SystemMonitor) InitBPF() error { } for _, netSyscall := range netSyscalls { - if isIgnored(netSyscall, ignoreList) { - mon.Logger.Printf("Ignoring syscall %s", netSyscall) - continue - } mon.Probes["kprobe__"+netSyscall], err = link.Kprobe(netSyscall, mon.BpfModule.Programs["kprobe__"+netSyscall], nil) if err != nil { mon.Logger.Warnf("error loading kprobe %s: %v", netSyscall, err) @@ -522,10 +505,6 @@ func (mon *SystemMonitor) InitBPF() error { } for _, netRetSyscall := range netRetSyscalls { - if isIgnored(netRetSyscall, ignoreList) { - mon.Logger.Printf("Ignoring syscall %s", netRetSyscall) - continue - } mon.Probes["kretprobe__"+netRetSyscall], err = link.Kretprobe(netRetSyscall, mon.BpfModule.Programs["kretprobe__"+netRetSyscall], nil) if err != nil { mon.Logger.Warnf("error loading kretprobe %s: %v", netRetSyscall, err) From c6d1fa437566e7355ac977c12b576add6b576fe7 Mon Sep 17 00:00:00 2001 From: daemon1024 Date: Mon, 12 Dec 2022 22:03:00 +0530 Subject: [PATCH 2/5] enforcer: check for bpflsm support even if lsm file not available Signed-off-by: daemon1024 --- KubeArmor/enforcer/runtimeEnforcer.go | 37 +++++++++++++++++++-------- KubeArmor/go.sum | 4 +-- 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/KubeArmor/enforcer/runtimeEnforcer.go b/KubeArmor/enforcer/runtimeEnforcer.go index 3369b81560..1d4416ce0b 100644 --- a/KubeArmor/enforcer/runtimeEnforcer.go +++ b/KubeArmor/enforcer/runtimeEnforcer.go @@ -10,6 +10,8 @@ import ( "path/filepath" "strings" + "github.com/cilium/ebpf" + "github.com/cilium/ebpf/features" kl "github.com/kubearmor/KubeArmor/KubeArmor/common" cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" be "github.com/kubearmor/KubeArmor/KubeArmor/enforcer/bpflsm" @@ -126,31 +128,44 @@ func NewRuntimeEnforcer(node tp.Node, pinpath string, logger *fd.Feeder) *Runtim re := &RuntimeEnforcer{} re.Logger = logger + lsms := []string{} + + lsmFile := []byte{} + lsmPath := "/sys/kernel/security/lsm" + if !kl.IsK8sLocal() { // mount securityfs if err := kl.RunCommandAndWaitWithErr("mount", []string{"-t", "securityfs", "securityfs", "/sys/kernel/security"}); err != nil { if _, err := os.Stat(filepath.Clean("/sys/kernel/security")); err != nil { - re.Logger.Errf("Failed to read /sys/kernel/security (%s)", err.Error()) - return nil + re.Logger.Warnf("Failed to read /sys/kernel/security (%s)", err.Error()) + goto probeBPFLSM } } } - lsm := []byte{} - lsmPath := "/sys/kernel/security/lsm" - if _, err := os.Stat(filepath.Clean(lsmPath)); err == nil { - lsm, err = os.ReadFile(lsmPath) + lsmFile, err = os.ReadFile(lsmPath) if err != nil { - re.Logger.Errf("Failed to read /sys/kernel/security/lsm (%s)", err.Error()) - return nil + re.Logger.Warnf("Failed to read /sys/kernel/security/lsm (%s)", err.Error()) + goto probeBPFLSM + } + } + + lsms = strings.Split(string(lsmFile), ",") + +probeBPFLSM: + if !kl.ContainsElement(lsms, "bpf") { + err := features.HaveProgramType(ebpf.LSM) + if err == nil { + lsms = append(lsms, "bpf") + } else { + re.Logger.Warnf("BPF LSM not supported %s", err.Error()) } } - lsms := string(lsm) - re.Logger.Printf("Supported LSMs: %s", lsms) + re.Logger.Printf("Supported LSMs: %s", strings.Join(lsms, ",")) - return selectLsm(re, cfg.GlobalCfg.LsmOrder, availablelsms, strings.Split(lsms, ","), node, pinpath, logger) + return selectLsm(re, cfg.GlobalCfg.LsmOrder, availablelsms, lsms, node, logger) } // RegisterContainer registers container identifiers to BPFEnforcer Map diff --git a/KubeArmor/go.sum b/KubeArmor/go.sum index 3b42bdf8f2..5b6ed52591 100644 --- a/KubeArmor/go.sum +++ b/KubeArmor/go.sum @@ -264,8 +264,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= -github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= +github.com/onsi/ginkgo/v2 v2.9.7 h1:06xGQy5www2oN160RtEZoTvnP2sPhEfePYmCDc2szss= +github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.0-rc3 h1:fzg1mXZFj8YdPeNkRXMg+zb88BFV0Ys52cJydRwBkb8= From 127e191aacac9ed52fe023be08561faf7654c9ee Mon Sep 17 00:00:00 2001 From: daemon1024 Date: Mon, 12 Dec 2022 23:12:04 +0530 Subject: [PATCH 3/5] bpf: remove tests We now compile everything and let probes loading fail at runtime, the failed probes don't impact functioning of other probes so the added complexity to conditional compile wasn't needed Signed-off-by: daemon1024 --- Dockerfile.init | 11 ---- KubeArmor/BPF/Makefile | 22 +++---- KubeArmor/BPF/Makefile.vars | 2 - KubeArmor/BPF/system_monitor.c | 2 - KubeArmor/BPF/tests/Makefile | 41 ------------- .../BPF/tests/checks/security_path_unlink.c | 20 ------- KubeArmor/BPF/tests/checksyscall.sh | 37 ------------ KubeArmor/BPF/tests/go.mod | 8 --- KubeArmor/BPF/tests/go.sum | 4 -- KubeArmor/BPF/tests/main.go | 58 ------------------- KubeArmor/build/compile.sh | 2 +- 11 files changed, 8 insertions(+), 199 deletions(-) delete mode 100644 KubeArmor/BPF/tests/Makefile delete mode 100644 KubeArmor/BPF/tests/checks/security_path_unlink.c delete mode 100755 KubeArmor/BPF/tests/checksyscall.sh delete mode 100644 KubeArmor/BPF/tests/go.mod delete mode 100644 KubeArmor/BPF/tests/go.sum delete mode 100644 KubeArmor/BPF/tests/main.go diff --git a/Dockerfile.init b/Dockerfile.init index 0d04efe476..2aafee8e1b 100644 --- a/Dockerfile.init +++ b/Dockerfile.init @@ -1,16 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright 2021 Authors of KubeArmor -### build syscall checker - -FROM golang:1.20-alpine3.17 as init-builder -WORKDIR /usr/src/KubeArmor -COPY ./KubeArmor/BPF/tests/main.go main.go -COPY ./KubeArmor/BPF/tests/go.mod go.mod -COPY ./KubeArmor/BPF/tests/go.sum go.sum - -RUN CGO_ENABLED=0 go build -o syscheck main.go - ### Make compiler image FROM alpine:3.17 as kubearmor-init @@ -23,5 +13,4 @@ RUN apk --no-cache add bash git clang llvm make gcc bpftool@edge COPY ./KubeArmor/BPF /KubeArmor/BPF/ COPY ./KubeArmor/build/compile.sh /KubeArmor/compile.sh -COPY --from=init-builder /usr/src/KubeArmor/syscheck /KubeArmor/BPF/tests/syscheck ENTRYPOINT ["/KubeArmor/compile.sh"] diff --git a/KubeArmor/BPF/Makefile b/KubeArmor/BPF/Makefile index 1e6504439c..d635b9bbd1 100644 --- a/KubeArmor/BPF/Makefile +++ b/KubeArmor/BPF/Makefile @@ -1,7 +1,7 @@ include Makefile.vars .PHONY: all -all: kernel_headers libbpf syscall_test system_monitor.bpf.o system_monitor.container.bpf.o system_monitor.host.bpf.o +all: kernel_headers libbpf system_monitor.bpf.o system_monitor.container.bpf.o system_monitor.host.bpf.o .PHONY: kernel_headers kernel_headers: @@ -29,10 +29,6 @@ ifeq (,$(wildcard $(LIBBPF)/src/libbpf.a)) $(Q)make -C $(LIBBPF)/src endif -.PHONY: syscall_test -syscall_test: tests/Makefile - $(Q)make -C tests KRNDIR="$(KRNDIR)" - # below we use long chain of commands, clang | opt | llvm-dis | llc, # to generate final object file. 'clang' compiles the source into IR # with native target, e.g., x64, arm64, etc. 'opt' does bpf CORE IR builtin @@ -40,24 +36,20 @@ syscall_test: tests/Makefile # 'opt' output to IR, and finally 'llc' generates bpf byte code. # Ref https://elixir.bootlin.com/linux/v5.19.5/source/samples/bpf/Makefile#L439 -system_monitor.bpf.o: $(SYSMONITOR) $(VMLINUX_H) syscall_test +system_monitor.bpf.o: $(SYSMONITOR) $(VMLINUX_H) @echo "Compiling eBPF bytecode: $(GREEN)$@$(NC) ..." - @echo "Using Compiler flags: $(CFlags)" - $(Q)$(CL) $(KF) -DMONITOR_HOST_AND_CONTAINER $(CFlags) -Xclang -disable-llvm-passes -c $< -o - | opt -O2 -mtriple=bpf-pc-linux | llvm-dis | llc -march=bpf -mcpu=probe -filetype=obj -o $@ + $(Q)$(CL) $(KF) -DMONITOR_HOST_AND_CONTAINER -Xclang -disable-llvm-passes -c $< -o - | opt -O2 -mtriple=bpf-pc-linux | llvm-dis | llc -march=bpf -mcpu=probe -filetype=obj -o $@ -system_monitor.container.bpf.o: $(SYSMONITOR) $(VMLINUX_H) syscall_test +system_monitor.container.bpf.o: $(SYSMONITOR) $(VMLINUX_H) @echo "Compiling eBPF bytecode: $(GREEN)$@$(NC) ..." - @echo "Using Compiler flags: $(CFlags)" - $(Q)$(CL) $(KF) -DMONITOR_CONTAINER $(CFlags) -Xclang -disable-llvm-passes -c $< -o - | opt -O2 -mtriple=bpf-pc-linux | llvm-dis | llc -march=bpf -mcpu=probe -filetype=obj -o $@ + $(Q)$(CL) $(KF) -DMONITOR_CONTAINER -Xclang -disable-llvm-passes -c $< -o - | opt -O2 -mtriple=bpf-pc-linux | llvm-dis | llc -march=bpf -mcpu=probe -filetype=obj -o $@ -system_monitor.host.bpf.o: $(SYSMONITOR) $(VMLINUX_H) syscall_test +system_monitor.host.bpf.o: $(SYSMONITOR) $(VMLINUX_H) @echo "Compiling eBPF bytecode: $(GREEN)$@$(NC) ..." - @echo "Using Compiler flags: $(CFlags)" - $(Q)$(CL) $(KF) -DMONITOR_HOST $(CFlags) -Xclang -disable-llvm-passes -c $< -o - | opt -O2 -mtriple=bpf-pc-linux | llvm-dis | llc -march=bpf -mcpu=probe -filetype=obj -o $@ + $(Q)$(CL) $(KF) -DMONITOR_HOST -Xclang -disable-llvm-passes -c $< -o - | opt -O2 -mtriple=bpf-pc-linux | llvm-dis | llc -march=bpf -mcpu=probe -filetype=obj -o $@ .PHONY: clean clean: - @make -C tests clean $(Q)rm -rf *.o $(VMLINUX)/vmlinux.h .PHONY: clean-all diff --git a/KubeArmor/BPF/Makefile.vars b/KubeArmor/BPF/Makefile.vars index 238f6ab1a9..4309f7537b 100644 --- a/KubeArmor/BPF/Makefile.vars +++ b/KubeArmor/BPF/Makefile.vars @@ -102,5 +102,3 @@ RED=\033[0;31m GREEN=\033[0;32m CYAN=\033[0;36m NC=\033[0m - -CFlags = $(shell tr '\n' ' ' < cflags.lst ) diff --git a/KubeArmor/BPF/system_monitor.c b/KubeArmor/BPF/system_monitor.c index f67947ed63..ca102b6497 100644 --- a/KubeArmor/BPF/system_monitor.c +++ b/KubeArmor/BPF/system_monitor.c @@ -1019,7 +1019,6 @@ static __always_inline int security_path_task_arg(struct pt_regs *ctx) return 0; } -#if defined(SECURITY_PATH) SEC("kprobe/security_path_mknod") int kprobe__security_path_mknod(struct pt_regs *ctx) { @@ -1043,7 +1042,6 @@ int kprobe__security_path_rmdir(struct pt_regs *ctx) return 0; return security_path__dir_path_args(ctx); } -#endif SEC("kprobe/security_ptrace_access_check") int kprobe__security_ptrace_access_check(struct pt_regs *ctx) diff --git a/KubeArmor/BPF/tests/Makefile b/KubeArmor/BPF/tests/Makefile deleted file mode 100644 index b40182e594..0000000000 --- a/KubeArmor/BPF/tests/Makefile +++ /dev/null @@ -1,41 +0,0 @@ -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2022 Authors of KubeArmor - - -include ../Makefile.vars - -LIBBPF = $(CURDIR)/../libbpf -VMLINUX = $(CURDIR)/../ - -Cfiles = $(wildcard checks/*.c) -files = $(Cfiles:.c=) - -.PHONY: all -all: compile-all syscheck check - -syscheck: main.go - @echo "Compiling $(GREEN)$@$(NC) ..." - @[ -x "`which go 2>/dev/null`" ] && go build -o $@ $< || [ -x "./syscheck" ] || echo "Golang was not found in your system please install it to proceed" - -.PHONY: compile-all -compile-all: checks/*.c - @for i in $(files) ; do \ - echo "Compiling eBPF bytecode: $(GREEN)$$i.c$(NC) ..." && \ - $(CL) $(KF) -DMONITOR_HOST_AND_CONTAINER -c $$i.c -o -| llc -march=bpf -mcpu=probe -filetype=obj -o $$i.bpf.o;\ - done - -.PHONY: check -check: checksyscall.sh syscheck - @touch ignore.lst - @touch cflags.lst - @for i in $(files); do \ - echo "Checking syscall $(GREEN)$$i$(NC)" &&\ - chmod +x checksyscall.sh &&\ - ./checksyscall.sh $$i;\ - done - @mv ignore.lst cflags.lst ../ - -# clean up -clean: - @[ -x "`which go 2>/dev/null`" ] && rm syscheck || true - $(Q)rm -rf checks/*.o ../ignore.lst ignore.lst cflags.lst ../cflags.lst diff --git a/KubeArmor/BPF/tests/checks/security_path_unlink.c b/KubeArmor/BPF/tests/checks/security_path_unlink.c deleted file mode 100644 index 924c929388..0000000000 --- a/KubeArmor/BPF/tests/checks/security_path_unlink.c +++ /dev/null @@ -1,20 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0 */ -/* Copyright 2022 Authors of KubeArmor */ - -#ifndef KBUILD_MODNAME -#define KBUILD_MODNAME "kubearmor_syscall_check" -#endif - -#ifdef BTF_SUPPORTED -#include "vmlinux.h" -#else -#include -#endif - -#include - -// CFlag=-DSECURITY_PATH -SEC("kprobe/security_path_unlink") -int kprobe__security_path_unlink(struct pt_regs *ctx){ - return 0; -} diff --git a/KubeArmor/BPF/tests/checksyscall.sh b/KubeArmor/BPF/tests/checksyscall.sh deleted file mode 100755 index d654bb44fe..0000000000 --- a/KubeArmor/BPF/tests/checksyscall.sh +++ /dev/null @@ -1,37 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: Apache-2.0 -# Copyright 2022 Authors of KubeArmor - -realpath() { - CURR=$PWD - - cd "$(dirname "$0")" - LINK=$(readlink "$(basename "$0")") - - while [ "$LINK" ]; do - cd "$(dirname "$LINK")" - LINK=$(readlink "$(basename "$1")") - done - - REALPATH="$PWD/$(basename "$1")" - echo "$REALPATH" - - cd $CURR -} - -BPF_HOME=`dirname $(realpath "$0")`/.. - -if command -v sudo &> /dev/null -then - SUDO="sudo" -fi - -SYSCALL=${1#*/} - -if ! $SUDO ./syscheck $1 ; then - echo "Disabling $SYSCALL ..." - grep "// CFlag=.*$" "$1.c" | sed -E "s/.*?=(.*?)$/\1/" >> ignore.lst -else - echo "Enabling syscall $SYSCALL" - grep "// CFlag=.*$" "$1.c" | sed -E "s/.*?=(.*?)$/\1/" >> cflags.lst -fi diff --git a/KubeArmor/BPF/tests/go.mod b/KubeArmor/BPF/tests/go.mod deleted file mode 100644 index 955b159db5..0000000000 --- a/KubeArmor/BPF/tests/go.mod +++ /dev/null @@ -1,8 +0,0 @@ -module github.com/kubearmor/KubeArmor/KubeArmor/BPF/tests - -go 1.18 - -require ( - github.com/cilium/ebpf v0.9.1 - golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34 // indirect -) diff --git a/KubeArmor/BPF/tests/go.sum b/KubeArmor/BPF/tests/go.sum deleted file mode 100644 index 68b071bad6..0000000000 --- a/KubeArmor/BPF/tests/go.sum +++ /dev/null @@ -1,4 +0,0 @@ -github.com/cilium/ebpf v0.9.1 h1:64sn2K3UKw8NbP/blsixRpF3nXuyhz/VjRlRzvlBRu4= -github.com/cilium/ebpf v0.9.1/go.mod h1:+OhNOIXx/Fnu1IE8bJz2dzOA+VSfyTfdNUVdlQnxUFY= -golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34 h1:GkvMjFtXUmahfDtashnc1mnrCtuBVcwse5QV2lUk/tI= -golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/KubeArmor/BPF/tests/main.go b/KubeArmor/BPF/tests/main.go deleted file mode 100644 index bbded3c56c..0000000000 --- a/KubeArmor/BPF/tests/main.go +++ /dev/null @@ -1,58 +0,0 @@ -// SPDX-License-Identifier: Apache-2.0 -// Copyright 2022 Authors of KubeArmor - -// This program loads an eBPF program to test if the probe is supported by the kernel. -package main - -import ( - "fmt" - "log" - "os" - "strings" - - cle "github.com/cilium/ebpf" - "github.com/cilium/ebpf/link" - "github.com/cilium/ebpf/rlimit" -) - -func main() { - - args := os.Args[1:] - if len(args) != 1 { - log.Fatalf("Unexpected arg number, expected 1 got %d\n", len(args)) - } - syscall := strings.Split(args[0], "/")[1] // syscall name - - // Allow the current process to lock memory for eBPF resources. - if err := rlimit.RemoveMemlock(); err != nil { - log.Fatal(err) - } - - bpfModule, err := cle.LoadCollection(args[0] + ".bpf.o") - if err != nil { - log.Fatalf("bpf module is nil %v\n", err) - } - - var fn string - count := 0 - for k := range bpfModule.Programs { - fn = k - count++ - } - - if count != 1 { - log.Fatalf("%s.c should contain only one syscall\n", args[0]) - } - - if strings.HasPrefix(fn, "kprobe__") { - _, err = link.Kprobe(syscall, bpfModule.Programs[fn], nil) - if err != nil { - log.Fatalf("[Failed] Cannot attach syscall %s\n", err.Error()) - } - } // other probe types goes here - /*else if (){ - - }*/ - - fmt.Printf("[Success] Syscall %s attached\n", fn) -} diff --git a/KubeArmor/build/compile.sh b/KubeArmor/build/compile.sh index dec60e8d50..d610081250 100755 --- a/KubeArmor/build/compile.sh +++ b/KubeArmor/build/compile.sh @@ -11,4 +11,4 @@ else make fi -cp *.bpf.o ignore.lst /opt/kubearmor/BPF/ +cp *.bpf.o /opt/kubearmor/BPF/ From e846b515af9bc84897f58b6be40c87c2acaad40b Mon Sep 17 00:00:00 2001 From: daemon1024 Date: Tue, 25 Jul 2023 02:28:57 +0530 Subject: [PATCH 4/5] enforcer: use probe check which checks for actual events using bpf lsm Signed-off-by: daemon1024 --- KubeArmor/enforcer/runtimeEnforcer.go | 8 ++++---- KubeArmor/go.mod | 6 ++++-- KubeArmor/go.sum | 15 +++++++++------ 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/KubeArmor/enforcer/runtimeEnforcer.go b/KubeArmor/enforcer/runtimeEnforcer.go index 1d4416ce0b..8c5f341a6b 100644 --- a/KubeArmor/enforcer/runtimeEnforcer.go +++ b/KubeArmor/enforcer/runtimeEnforcer.go @@ -10,8 +10,8 @@ import ( "path/filepath" "strings" - "github.com/cilium/ebpf" - "github.com/cilium/ebpf/features" + features "github.com/daemon1024/bpflsmprobe/probe" + kl "github.com/kubearmor/KubeArmor/KubeArmor/common" cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" be "github.com/kubearmor/KubeArmor/KubeArmor/enforcer/bpflsm" @@ -155,7 +155,7 @@ func NewRuntimeEnforcer(node tp.Node, pinpath string, logger *fd.Feeder) *Runtim probeBPFLSM: if !kl.ContainsElement(lsms, "bpf") { - err := features.HaveProgramType(ebpf.LSM) + err := features.CheckBPFLSMSupport() if err == nil { lsms = append(lsms, "bpf") } else { @@ -165,7 +165,7 @@ probeBPFLSM: re.Logger.Printf("Supported LSMs: %s", strings.Join(lsms, ",")) - return selectLsm(re, cfg.GlobalCfg.LsmOrder, availablelsms, lsms, node, logger) + return selectLsm(re, cfg.GlobalCfg.LsmOrder, availablelsms, lsms, node, pinpath, logger) } // RegisterContainer registers container identifiers to BPFEnforcer Map diff --git a/KubeArmor/go.mod b/KubeArmor/go.mod index b412557cc1..f3f7099106 100644 --- a/KubeArmor/go.mod +++ b/KubeArmor/go.mod @@ -27,9 +27,10 @@ replace ( require ( github.com/Masterminds/sprig/v3 v3.2.3 github.com/cilium/cilium v1.13.2 - github.com/cilium/ebpf v0.10.0 + github.com/cilium/ebpf v0.11.0 github.com/containerd/containerd v1.7.1 github.com/containerd/typeurl/v2 v2.1.1 + github.com/daemon1024/bpflsmprobe v0.0.0-20230724205136-8b744a822dbe github.com/docker/docker v23.0.6+incompatible github.com/google/uuid v1.3.0 github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20230510133055-4e30a28b6352 @@ -37,7 +38,7 @@ require ( github.com/opencontainers/runtime-spec v1.1.0-rc.2 github.com/spf13/viper v1.15.0 go.uber.org/zap v1.24.0 - golang.org/x/sys v0.8.0 + golang.org/x/sys v0.10.0 google.golang.org/grpc v1.55.0 k8s.io/api v0.27.1 k8s.io/apimachinery v0.27.1 @@ -103,6 +104,7 @@ require ( go.uber.org/atomic v1.11.0 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/crypto v0.9.0 // indirect + golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect golang.org/x/mod v0.10.0 // indirect golang.org/x/net v0.10.0 // indirect golang.org/x/oauth2 v0.8.0 // indirect diff --git a/KubeArmor/go.sum b/KubeArmor/go.sum index 5b6ed52591..3d0296dee4 100644 --- a/KubeArmor/go.sum +++ b/KubeArmor/go.sum @@ -65,8 +65,8 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/cilium/cilium v1.13.2 h1:BWHxoqWQP4iK6KWHLiWvVZ/eyvqpP0tvkWnEVg1gDyk= github.com/cilium/cilium v1.13.2/go.mod h1:AkOABrMt0qsqZUN0Vl2mGY/PRUwkH7kcS1JHsQVEk5Q= -github.com/cilium/ebpf v0.10.0 h1:nk5HPMeoBXtOzbkZBWym+ZWq1GIiHUsBFXxwewXAHLQ= -github.com/cilium/ebpf v0.10.0/go.mod h1:DPiVdY/kT534dgc9ERmvP8mWA+9gvwgKfRvk4nNWnoE= +github.com/cilium/ebpf v0.11.0 h1:V8gS/bTCCjX9uUnkUFUpPsksM8n1lXBAvHcpiFk1X2Y= +github.com/cilium/ebpf v0.11.0/go.mod h1:WE7CZAnqOL2RouJ4f1uyNhqr2P4CCvXFIqdRDUgWsVs= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= @@ -79,6 +79,8 @@ github.com/containerd/ttrpc v1.2.2/go.mod h1:sIT6l32Ph/H9cvnJsfXM5drIVzTr5A2flTf github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4= github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/daemon1024/bpflsmprobe v0.0.0-20230724205136-8b744a822dbe h1:o005cyyl3mns89HdNMsyDh91T0JQXGkca4TJ8A47aXg= +github.com/daemon1024/bpflsmprobe v0.0.0-20230724205136-8b744a822dbe/go.mod h1:ZxI7K+8djQN8AU3WBXw1uZZUd6AIufWXzw2wNPmiZck= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -105,7 +107,7 @@ github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCv github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/flowstack/go-jsonschema v0.1.1/go.mod h1:yL7fNggx1o8rm9RlgXv7hTBWxdBM0rVwpMwimd3F3N0= -github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= +github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= @@ -381,7 +383,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20221106115401-f9659909a136 h1:Fq7F/w7MAa1KJ5bt2aJ62ihqp9HDcRuyILskkpIAurw= +golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI= +golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= @@ -514,8 +517,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= From 0190aa389d66383f90ea4d7f3ad7ad38ed66dda3 Mon Sep 17 00:00:00 2001 From: daemon1024 Date: Wed, 26 Jul 2023 18:08:14 +0530 Subject: [PATCH 5/5] utils: add bpf lsm probe util to kubearmor Signed-off-by: daemon1024 --- KubeArmor/BPF/probe.bpf.c | 36 +++++++ KubeArmor/enforcer/runtimeEnforcer.go | 4 +- KubeArmor/go.mod | 1 - KubeArmor/go.sum | 2 - KubeArmor/utils/bpflsmprobe/probe.go | 65 +++++++++++ KubeArmor/utils/bpflsmprobe/probe_bpfeb.go | 119 +++++++++++++++++++++ KubeArmor/utils/bpflsmprobe/probe_bpfeb.o | Bin 0 -> 2504 bytes KubeArmor/utils/bpflsmprobe/probe_bpfel.go | 119 +++++++++++++++++++++ KubeArmor/utils/bpflsmprobe/probe_bpfel.o | Bin 0 -> 2504 bytes 9 files changed, 341 insertions(+), 5 deletions(-) create mode 100644 KubeArmor/BPF/probe.bpf.c create mode 100644 KubeArmor/utils/bpflsmprobe/probe.go create mode 100644 KubeArmor/utils/bpflsmprobe/probe_bpfeb.go create mode 100644 KubeArmor/utils/bpflsmprobe/probe_bpfeb.o create mode 100644 KubeArmor/utils/bpflsmprobe/probe_bpfel.go create mode 100644 KubeArmor/utils/bpflsmprobe/probe_bpfel.o diff --git a/KubeArmor/BPF/probe.bpf.c b/KubeArmor/BPF/probe.bpf.c new file mode 100644 index 0000000000..fdcbe4d5b5 --- /dev/null +++ b/KubeArmor/BPF/probe.bpf.c @@ -0,0 +1,36 @@ +// +build ignore +/* SPDX-License-Identifier: GPL-2.0 */ +/* Copyright 2023 Authors of KubeArmor */ + +#include "vmlinux.h" +#include + +char LICENSE[] SEC("license") = "Dual BSD/GPL"; + +typedef struct { + bool exec; +} event; + +struct { + __uint(type, BPF_MAP_TYPE_RINGBUF); + __uint(max_entries, 1 << 24); +} events SEC(".maps"); + +// Force emitting struct event into the ELF. +const event *unused __attribute__((unused)); + +SEC("lsm/mmap_file") +int test_memfd() { + event *task_info; + + task_info = bpf_ringbuf_reserve(&events, sizeof(event), 0); + if (!task_info) { + return 0; + } + + task_info->exec = true; + + bpf_ringbuf_submit(task_info, 0); + + return 0; +} \ No newline at end of file diff --git a/KubeArmor/enforcer/runtimeEnforcer.go b/KubeArmor/enforcer/runtimeEnforcer.go index 8c5f341a6b..6fdb9ddbdb 100644 --- a/KubeArmor/enforcer/runtimeEnforcer.go +++ b/KubeArmor/enforcer/runtimeEnforcer.go @@ -10,7 +10,7 @@ import ( "path/filepath" "strings" - features "github.com/daemon1024/bpflsmprobe/probe" + probe "github.com/kubearmor/KubeArmor/KubeArmor/utils/bpflsmprobe" kl "github.com/kubearmor/KubeArmor/KubeArmor/common" cfg "github.com/kubearmor/KubeArmor/KubeArmor/config" @@ -155,7 +155,7 @@ func NewRuntimeEnforcer(node tp.Node, pinpath string, logger *fd.Feeder) *Runtim probeBPFLSM: if !kl.ContainsElement(lsms, "bpf") { - err := features.CheckBPFLSMSupport() + err := probe.CheckBPFLSMSupport() if err == nil { lsms = append(lsms, "bpf") } else { diff --git a/KubeArmor/go.mod b/KubeArmor/go.mod index f3f7099106..a678e9c215 100644 --- a/KubeArmor/go.mod +++ b/KubeArmor/go.mod @@ -30,7 +30,6 @@ require ( github.com/cilium/ebpf v0.11.0 github.com/containerd/containerd v1.7.1 github.com/containerd/typeurl/v2 v2.1.1 - github.com/daemon1024/bpflsmprobe v0.0.0-20230724205136-8b744a822dbe github.com/docker/docker v23.0.6+incompatible github.com/google/uuid v1.3.0 github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20230510133055-4e30a28b6352 diff --git a/KubeArmor/go.sum b/KubeArmor/go.sum index 3d0296dee4..bb6ea9dd6c 100644 --- a/KubeArmor/go.sum +++ b/KubeArmor/go.sum @@ -79,8 +79,6 @@ github.com/containerd/ttrpc v1.2.2/go.mod h1:sIT6l32Ph/H9cvnJsfXM5drIVzTr5A2flTf github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4= github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/daemon1024/bpflsmprobe v0.0.0-20230724205136-8b744a822dbe h1:o005cyyl3mns89HdNMsyDh91T0JQXGkca4TJ8A47aXg= -github.com/daemon1024/bpflsmprobe v0.0.0-20230724205136-8b744a822dbe/go.mod h1:ZxI7K+8djQN8AU3WBXw1uZZUd6AIufWXzw2wNPmiZck= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/KubeArmor/utils/bpflsmprobe/probe.go b/KubeArmor/utils/bpflsmprobe/probe.go new file mode 100644 index 0000000000..d7002efa26 --- /dev/null +++ b/KubeArmor/utils/bpflsmprobe/probe.go @@ -0,0 +1,65 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of KubeArmor + +// Package probe checks whether the probed LSM support is available. +package probe + +import ( + "bytes" + "encoding/binary" + "time" + + "github.com/cilium/ebpf/link" + "github.com/cilium/ebpf/ringbuf" + "github.com/cilium/ebpf/rlimit" + "golang.org/x/sys/unix" +) + +//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang probe ../../BPF/probe.bpf.c -- -I/usr/include/bpf -O2 -g + +type eventBPF struct { + Exec bool +} + +// CheckBPFLSMSupport check if BPF LSM support is enabled in the kernel or not by loading a memfd hook and checking if it is executed and a ringbuf event is received +// It returns an error if the kernel does not support BPF LSM +func CheckBPFLSMSupport() error { + if err := rlimit.RemoveMemlock(); err != nil { + return err + } + + objs := probeObjects{} + if err := loadProbeObjects(&objs, nil); err != nil { + return err + } + defer objs.Close() + + kp, err := link.AttachLSM(link.LSMOptions{Program: objs.TestMemfd}) + if err != nil { + return err + } + defer kp.Close() + + rd, err := ringbuf.NewReader(objs.Events) + if err != nil { + return err + } + defer rd.Close() + + var event eventBPF + go func() { + fd, err := unix.MemfdCreate("trigger_memfd", 0) + if err != nil { + return + } + defer unix.Close(fd) + }() + + rd.SetDeadline(time.Now().Add(1 * time.Second)) + record, err := rd.Read() + if err != nil { + return err + } + + return binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event) +} diff --git a/KubeArmor/utils/bpflsmprobe/probe_bpfeb.go b/KubeArmor/utils/bpflsmprobe/probe_bpfeb.go new file mode 100644 index 0000000000..4b0ffc55d5 --- /dev/null +++ b/KubeArmor/utils/bpflsmprobe/probe_bpfeb.go @@ -0,0 +1,119 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64 + +package probe + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadProbe returns the embedded CollectionSpec for probe. +func loadProbe() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_ProbeBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load probe: %w", err) + } + + return spec, err +} + +// loadProbeObjects loads probe and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *probeObjects +// *probePrograms +// *probeMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadProbeObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadProbe() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// probeSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type probeSpecs struct { + probeProgramSpecs + probeMapSpecs +} + +// probeSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type probeProgramSpecs struct { + TestMemfd *ebpf.ProgramSpec `ebpf:"test_memfd"` +} + +// probeMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type probeMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` +} + +// probeObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadProbeObjects or ebpf.CollectionSpec.LoadAndAssign. +type probeObjects struct { + probePrograms + probeMaps +} + +func (o *probeObjects) Close() error { + return _ProbeClose( + &o.probePrograms, + &o.probeMaps, + ) +} + +// probeMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadProbeObjects or ebpf.CollectionSpec.LoadAndAssign. +type probeMaps struct { + Events *ebpf.Map `ebpf:"events"` +} + +func (m *probeMaps) Close() error { + return _ProbeClose( + m.Events, + ) +} + +// probePrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadProbeObjects or ebpf.CollectionSpec.LoadAndAssign. +type probePrograms struct { + TestMemfd *ebpf.Program `ebpf:"test_memfd"` +} + +func (p *probePrograms) Close() error { + return _ProbeClose( + p.TestMemfd, + ) +} + +func _ProbeClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed probe_bpfeb.o +var _ProbeBytes []byte diff --git a/KubeArmor/utils/bpflsmprobe/probe_bpfeb.o b/KubeArmor/utils/bpflsmprobe/probe_bpfeb.o new file mode 100644 index 0000000000000000000000000000000000000000..86bb521eafb77319ce2df40a0dea4d1f19533566 GIT binary patch literal 2504 zcmb_d&2Jl35T8xs(xy;oDN;~HwQ#7MDqS1Y1A>BFQ->B=Rn+7_xUB8?xmk7Bw)U-~ zgccD5m3rg=H>CF1Lob|y!~rfy{1^NI+~ElGdponZ%bk`OZ zJSxbezgaH<#SAOQZ#b(Z<7x5^drtS3UvaV+4*eWIZ068|Tzvf+(IQlPJO_S}IPoX( z`{pp8rtd{wpY>zEy>Y$q@p@OFXT+b6+>)1b(EEY60B*xx$iZVQJlWVHOCK;mA-G{} z=b3Bj$GXp~IoztNG2)A0ow*U^QF@~FulO+=3jEAi+lUU96QNE>tnqq z;8Lo2icPGOL%k)*$Dw&X+3U+}(-H=^9`CG6LUaZI2ctH#hx0lMjP*Cf=T+9i-8tP^f-t#`tZ zvi+%{q`w!Mah68LlG$a=Qf6!xCMFpTDYi)?N&3@p6vc*upuxZP`dVX}P6j3zOh>^s z();s}`ig&#d_U{kyJ0jQP5cjhb_>&Jd}lCYX{_6u4UEbAjtA&! zKV=;?#HLl&5vz8qVy{>1Ud5hP?1PH^t=cC~Em4q}y^Mm?#6f#=Er1~prPL}x9PcJ! ze>hBSbf;(>1U>tN<`1RlH=Ctde?WoVPn?uOMYnd_?PmB6uju(ukJD7|S2EXr7UiKx z73Kbdu6DH_S{hK1dQX5`%>NgUek+sq4KTbX{&qWRi4;*&KlCMfQ1@BJuQ0Clbzb7> zi75K*R9yXG`^;)r<9~t!6Y7^q>jT68p4!#;-z7-r#Vq_`XUtk(=T%Dl!e0uAET2Dm z|ETj@7XKzooPn-GCH95?#Utt;`<3TFkKH&Q%JuP0II8{)3Bejse@X0e{fm=-y6)T# jWO6QQdj8dOEw6Wn{pIg_9+_*4JwcwZM2zOq`pf?U3@y|3 literal 0 HcmV?d00001 diff --git a/KubeArmor/utils/bpflsmprobe/probe_bpfel.go b/KubeArmor/utils/bpflsmprobe/probe_bpfel.go new file mode 100644 index 0000000000..c94982c876 --- /dev/null +++ b/KubeArmor/utils/bpflsmprobe/probe_bpfel.go @@ -0,0 +1,119 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build 386 || amd64 || amd64p32 || arm || arm64 || loong64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64 + +package probe + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadProbe returns the embedded CollectionSpec for probe. +func loadProbe() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_ProbeBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load probe: %w", err) + } + + return spec, err +} + +// loadProbeObjects loads probe and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *probeObjects +// *probePrograms +// *probeMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadProbeObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadProbe() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// probeSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type probeSpecs struct { + probeProgramSpecs + probeMapSpecs +} + +// probeSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type probeProgramSpecs struct { + TestMemfd *ebpf.ProgramSpec `ebpf:"test_memfd"` +} + +// probeMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type probeMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` +} + +// probeObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadProbeObjects or ebpf.CollectionSpec.LoadAndAssign. +type probeObjects struct { + probePrograms + probeMaps +} + +func (o *probeObjects) Close() error { + return _ProbeClose( + &o.probePrograms, + &o.probeMaps, + ) +} + +// probeMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadProbeObjects or ebpf.CollectionSpec.LoadAndAssign. +type probeMaps struct { + Events *ebpf.Map `ebpf:"events"` +} + +func (m *probeMaps) Close() error { + return _ProbeClose( + m.Events, + ) +} + +// probePrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadProbeObjects or ebpf.CollectionSpec.LoadAndAssign. +type probePrograms struct { + TestMemfd *ebpf.Program `ebpf:"test_memfd"` +} + +func (p *probePrograms) Close() error { + return _ProbeClose( + p.TestMemfd, + ) +} + +func _ProbeClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed probe_bpfel.o +var _ProbeBytes []byte diff --git a/KubeArmor/utils/bpflsmprobe/probe_bpfel.o b/KubeArmor/utils/bpflsmprobe/probe_bpfel.o new file mode 100644 index 0000000000000000000000000000000000000000..6fb81f0c507bfebb992b7a8efede73b8b78dbf5b GIT binary patch literal 2504 zcmbtW&2Jk;6o0l;n!2sqrXU3&(88f|P*?}l1L8}rsY8pbDr#~dT-J6xZdUBt*3LRg zpokzq;>ZDRNO0_d3#U}#02d_w3;qD^aD?}pnYZ4IqF#8)+c&@WJu`3D`K;U9tX3){ zRH1)pfkaDm=c&cIZI*3nu;&Tu;lJtyom8#f+!Jg5Q_S zCjd;}SwXkwgCyu|-)_CP)pM#-;)lN~wCXh9b53w)(Nh&|I9NdkK>^8hi1N@s$9#^N zN&GA#s+Nx6R1AFK#5tC(vV2w)EMH(ozBcpA%uJ2*{8+R`mr?swtGjf8{ERj)91R7XE6*0_AlDH$$7g*#huy62tGb;d8*wbWl~THI)` z4a*ik_|KGi+QoC9bhD%f2BH2NB|Z8E85vJ=(M(Y~ zIE>UJ&tj!X9q>w1u5=!yDjkm~(P=A92eW7#CyK(b#ebcx&DJcN4plgujl(_S^uZ#e zxfXmvL68shM^QW(PlLAuc8juj@?bb;skF)tRP%KN&4P09fHrC$c=y)77 zUo2918DDuv9jZOfn`d(c?{a=UAEt5MEMjfOPib#|kWugMyWM-+UAs?078*{c2}K<| z=aacsBMOIFQ^C2>0+7GhczBIzMqI(8)Z%&+9%j z?O1YeiV+@PAt zQ#RaVuu}5hcSh{@TCo$mH<*r$-o44Zmbu$Cdc1*_WKKomobY}i zDAVzSVsH?2`W0HdD8;<#Jj(||3iVNHq$^ZRYp>JUh+cDz{ZG;7c=Lht^8Dhi&>tmt z{Dn6#SY}!bZCQ8{_fn=dgD1tyyh)7Ai(tG@_;$BN;pDRG|Ej~7L+n%HMSqiZsPCV_ zBi4arel4=TvW5(p&x(HxBa_szXi;AWf{Z#Q%*Sxf1#3 zKV#cj=eO$4Z^Omn98g>8%f9fti2eKYo7>Qjp24q=FTz>%@3{Kt4}|)4X21Ro*429d kPFWl?7xdW0`{(NSy3Y~b5t$r)*XSdcQSMmk%l|z80kV?QZ2$lO literal 0 HcmV?d00001