Showing with 107 additions and 8 deletions.
  1. +1 −1 build/Dockerfile
  2. +4 −1 main.go
  3. +87 −5 pkg/sbommanager/v1/sbom_manager.go
  4. +14 −0 pkg/sbommanager/v1/sbom_manager_test.go
  5. +1 −1 pkg/seccompmanager/v1/seccomp_manager.go
2 changes: 1 addition & 1 deletion build/Dockerfile
@@ -9,7 +9,7 @@ RUN --mount=target=. \
--mount=type=cache,target=/go/pkg \
GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/node-agent .

FROM gcr.io/distroless/static-debian12:latest
FROM gcr.io/distroless/static-debian12:debug

COPY --from=builder /out/node-agent /usr/bin/node-agent
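Review bot: Switching the runtime base to `gcr.io/distroless/static-debian12:debug` ships a busybox shell inside the node-agent image, and for an agent that runs with host paths mounted (the code elsewhere in this commit defaults HOST_ROOT to `/host`) that hands anyone who gains code execution in the container a ready interactive toolset. If the shell is only wanted for local troubleshooting, keep the non-debug variant for release builds and select the debug one through a build argument, e.g. `ARG BASE_TAG=latest` before the first FROM and `FROM gcr.io/distroless/static-debian12:${BASE_TAG}`. Both `:latest` and `:debug` are floating tags, so the base is not reproducible either way; pinning it by `@sha256:<digest>` would fix it for supply-chain purposes.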

5 changes: 4 additions & 1 deletion main.go
@@ -273,7 +273,10 @@ func main() {
// Create the SBOM manager
var sbomManager sbommanager.SbomManagerClient
if cfg.EnableSbomGeneration {
sbomManager = sbommanagerv1.CreateSbomManager(ctx, cfg)
sbomManager, err = sbommanagerv1.CreateSbomManager(ctx, cfg)
if err != nil {
logger.L().Ctx(ctx).Fatal("error creating SbomManager", helpers.Error(err))
}
} else {
sbomManager = sbommanager.CreateSbomManagerMock()
}
92 changes: 87 additions & 5 deletions pkg/sbommanager/v1/sbom_manager.go
@@ -1,25 +1,104 @@
package v1

import (
"bufio"
"context"
"fmt"
"os"
"regexp"

securejoin "github.com/cyphar/filepath-securejoin"
containercollection "github.com/inspektor-gadget/inspektor-gadget/pkg/container-collection"
"github.com/kubescape/node-agent/pkg/config"
"github.com/kubescape/node-agent/pkg/sbommanager"
"github.com/moby/sys/mountinfo"
"github.com/spf13/afero"
)

type SbomManager struct {
cfg config.Config
ctx context.Context
appFs afero.Fs
cfg config.Config
ctx context.Context
procMounts string
}

var _ sbommanager.SbomManagerClient = (*SbomManager)(nil)

func CreateSbomManager(ctx context.Context, cfg config.Config) *SbomManager {
func CreateSbomManager(ctx context.Context, cfg config.Config) (*SbomManager, error) {
procMounts, err := getProcMounts()
if err != nil {
return nil, err
}
return &SbomManager{
cfg: cfg,
ctx: ctx,
appFs: afero.NewOsFs(),
cfg: cfg,
ctx: ctx,
procMounts: procMounts,
}, nil
}

func getImageLayers(imageID string) ([]string, error) {
// TODO
return nil, nil
}

func (s *SbomManager) getMountedVolumes(pid string) (string, []string, error) {
f, err := s.appFs.Open("/proc/795218/mountinfo")
if err != nil {
return "", nil, err
}
mounts, err := mountinfo.GetMountsFromReader(f, func(info *mountinfo.Info) (skip, stop bool) {
if info.FSType == "overlay" {
return false, false
}
return true, false
})
if err != nil {
return "", nil, err
}
for _, m := range mounts {
fmt.Println(m)
}
return "", nil, nil
}

func (s *SbomManager) getMountedVolumes2(containerID string) (string, []string, error) {
f, err := s.appFs.Open(s.procMounts)
if err != nil {
return "", nil, fmt.Errorf("failed to open %s: %w", s.procMounts, err)
}
defer func() {
_ = f.Close()
}()
re, err := regexp.Compile(fmt.Sprintf(`overlay \W+%s\W+ \W+ \W*lowerdir=(\W+)`, containerID))
if err != nil {
return "", nil, fmt.Errorf("failed to compile regex: %w", err)
}
scanner := bufio.NewScanner(f)
for scanner.Scan() {
line := scanner.Text()
if re.MatchString(line) {
matches := re.FindStringSubmatch(line)
if len(matches) == 2 {
return matches[1], nil, nil
}
}
}
return "", nil, nil
}

func getProcMounts() (string, error) {
// read HOST_ROOT from env
hostRoot, exists := os.LookupEnv("HOST_ROOT")
if !exists {
hostRoot = "/host"
}
// use securejoin to join the two, add seccomp and store in seccompProfilesDir
procMounts, err := securejoin.SecureJoin(hostRoot, "/proc/mounts")
if err != nil {
return "", fmt.Errorf("failed to join seccomp profiles dir: %w", err)
}
return procMounts, nil
}

func (s *SbomManager) ContainerCallback(notif containercollection.PubSubEvent) {
@@ -28,5 +107,8 @@ func (s *SbomManager) ContainerCallback(notif containercollection.PubSubEvent) {
return
}

//notif.Container.Pid
//notif.Container.Runtime.ContainerID

// TODO
}
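Review bot: The pattern compiled in getMountedVolumes2, `regexp.Compile(fmt.Sprintf(`overlay \W+%s\W+ \W+ \W*lowerdir=(\W+)`, containerID))`, uses `\W`, which matches only non-word characters, so `lowerdir=(\W+)` can capture at most a run of punctuation such as `/` and the `\W+` runs around the container ID cannot span a path segment containing letters or digits; `\S` is presumably what was intended, and containerID should be escaped so that regex metacharacters in it cannot alter the pattern: `re, err := regexp.Compile(fmt.Sprintf(`overlay \S+%s\S+ \S+ \S*lowerdir=(\S+)`, regexp.QuoteMeta(containerID)))`. In getMountedVolumes the file opened on the hard-coded path `/proc/795218/mountinfo` is never closed and the `pid` parameter is unused, which together with the `fmt.Println(m)` loop reads as a debugging leftover; at minimum add `defer f.Close()` after the error check. The error text in getProcMounts, `failed to join seccomp profiles dir`, and the comment above it were copied from the seccomp manager and should name what this function joins, e.g. `return "", fmt.Errorf("failed to join proc mounts path: %w", err)`. ContainerCallback in the second hunk starts outside the hunk and still has only commented-out field references and a TODO as its body.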
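--- a/pkg/sbommanager/v1/sbom_manager_test.go
+++ b/pkg/sbommanager/v1/sbom_manager_test.go
@@ -0,0 +1,14 @@
+package v1
+
+import (
+"testing"
+
+"github.com/spf13/afero"
+)
+
+func TestSbomManager_getMountedVolumes(t *testing.T) {
+s := &SbomManager{
+appFs: afero.NewOsFs(),
+}
+s.getMountedVolumes("")
+}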
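Review bot: The call `s.getMountedVolumes("")` discards all three return values, so this test cannot fail on a wrong result, and because the manager is built on `afero.NewOsFs()` it reads the real filesystem of whatever machine runs the tests — the function opens the hard-coded path `/proc/795218/mountinfo`, which will not exist on most of them. Back the manager with `afero.NewMemMapFs()` seeded with a fixture mountinfo file instead, and check what comes back, at minimum `if _, _, err := s.getMountedVolumes(""); err != nil { t.Fatal(err) }` so that a missing file or parse failure is reported rather than ignored.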
2 changes: 1 addition & 1 deletion pkg/seccompmanager/v1/seccomp_manager.go
@@ -117,7 +117,7 @@ func getProfilesDir() (string, error) {
kubeletRoot = "/var/lib/kubelet"
}
// use securejoin to join the two, add seccomp and store in seccompProfilesDir
seccompProfilesDir, err := securejoin.SecureJoin(filepath.Join(hostRoot, kubeletRoot), "seccomp")
seccompProfilesDir, err := securejoin.SecureJoin(hostRoot, filepath.Join(kubeletRoot, "seccomp"))
if err != nil {
return "", fmt.Errorf("failed to join seccomp profiles dir: %w", err)
}
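Review bot: The comment above the changed line, `// use securejoin to join the two, add seccomp and store in seccompProfilesDir`, still describes the old call and says nothing about why hostRoot alone is now the root, which is the security-relevant part of this change: SecureJoin resolves symlinks relative to its first argument, so with kubeletRoot inside the joined path a kubelet directory that is itself a symlink on the host resolves under the host mount instead of against the agent's own filesystem as the old root `filepath.Join(hostRoot, kubeletRoot)` allowed. Suggest replacing the comment with `// hostRoot is the root for symlink resolution: kubeletRoot may itself be a symlink on the host, so it belongs in the joined path, not in the root`. getProfilesDir starts outside the hunk, and where kubeletRoot comes from is not visible here beyond its default on the first line.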