enforcer

Published: Oct 26, 2021 License: Apache-2.0 Imports: 21 Imported by: 0

Constants

// Names of the BPF maps consulted by the LSM enforcement programs, paired with
// the object file that defines each map (presumably resolved under
// BPFLSMObjPath — confirm in the loader). The socket_* maps are keyed by a
// CIDR packed into [8]byte (see ConvertCIDRToSocketKey) and hold PID namespace
// IDs; the inode_* and bprm_check_security maps are keyed by PID namespace ID
// and hold inode numbers — see the corresponding *MapElement types. Every name
// must match the map declared in the listed object file, and is only
// meaningful once that object has been loaded.
const (
	// socket_connect hook; served by KABESocketConnectProg.
	KABESocketConnectMap     edt.KABPFMapName     = "socket_connect_map"
	KABESocketConnectMapFile edt.KABPFObjFileName = "socket.bpf.o"

	// socket_sendmsg hook; served by KABESocketSendmsgProg.
	KABESocketSendmsgMap     edt.KABPFMapName     = "socket_sendmsg_map"
	KABESocketSendmsgMapFile edt.KABPFObjFileName = "socket.bpf.o"

	// inode_permission hook; served by KABEInodePermissionProg.
	KABEInodePermissionMap     edt.KABPFMapName     = "inode_permission_map"
	KABEInodePermissionMapFile edt.KABPFObjFileName = "inode.bpf.o"

	// inode_mkdir hook; served by KABEInodeMkdirProg.
	KABEInodeMkdirMap     edt.KABPFMapName     = "inode_mkdir_map"
	KABEInodeMkdirMapFile edt.KABPFObjFileName = "inode.bpf.o"

	// inode_rmdir hook; served by KABEInodeRmdirProg.
	KABEInodeRmdirMap     edt.KABPFMapName     = "inode_rmdir_map"
	KABEInodeRmdirMapFile edt.KABPFObjFileName = "inode.bpf.o"

	// bprm_check_security hook (program execution). Despite the "Inode"
	// prefix this is not an inode_* hook; it only shares inode.bpf.o with them.
	KABEInodeBPCKSECMap     edt.KABPFMapName     = "bprm_check_security_map"
	KABEInodeBPCKSECMapFile edt.KABPFObjFileName = "inode.bpf.o"
)
// Names of the enforcement BPF programs, the LSM hook (event) each one attaches
// to, and the object file that contains it. Each Prog/Event/File triple must
// agree with the program section in the object; the map a program reads is
// named by the matching *Map constant and can be looked up at runtime with
// KABEGetMapByProgName.
const (
	// Sample program attached to file_open. Presumably a loader smoke test
	// rather than an enforcement hook — confirm it is not loaded in production.
	KABEHelloProg     edt.KABPFProgName    = "hello_prog"
	KABEHelloEvent    edt.KABPFEventName   = "file_open"
	KABEHelloProgFile edt.KABPFObjFileName = "hello.bpf.o"

	// Outbound connections; reads KABESocketConnectMap.
	KABESocketConnectProg     edt.KABPFProgName    = "socket_connect_prog"
	KABESocketConnectEvent    edt.KABPFEventName   = "socket_connect"
	KABESocketConnectProgFile edt.KABPFObjFileName = "socket.bpf.o"

	// Datagram/message sends; reads KABESocketSendmsgMap.
	KABESocketSendmsgProg     edt.KABPFProgName    = "socket_sendmsg_prog"
	KABESocketSendmsgEvent    edt.KABPFEventName   = "socket_sendmsg"
	KABESocketSendmsgProgFile edt.KABPFObjFileName = "socket.bpf.o"

	// Inode access checks; reads KABEInodePermissionMap.
	KABEInodePermissionProg     edt.KABPFProgName    = "inode_permission_prog"
	KABEInodePermissionEvent    edt.KABPFEventName   = "inode_permission"
	KABEInodePermissionProgFile edt.KABPFObjFileName = "inode.bpf.o"

	// Directory creation; reads KABEInodeMkdirMap.
	KABEInodeMkdirProg     edt.KABPFProgName    = "inode_mkdir_prog"
	KABEInodeMkdirEvent    edt.KABPFEventName   = "inode_mkdir"
	KABEInodeMkdirProgFile edt.KABPFObjFileName = "inode.bpf.o"

	// Directory removal; reads KABEInodeRmdirMap.
	KABEInodeRmdirProg     edt.KABPFProgName    = "inode_rmdir_prog"
	KABEInodeRmdirEvent    edt.KABPFEventName   = "inode_rmdir"
	KABEInodeRmdirProgFile edt.KABPFObjFileName = "inode.bpf.o"

	// Program execution (bprm_check_security); reads KABEInodeBPCKSECMap.
	KABEInodeBPCKSECProg     edt.KABPFProgName    = "bprm_check_security_prog"
	KABEInodeBPCKSECEvent    edt.KABPFEventName   = "bprm_check_security"
	KABEInodeBPCKSECProgFile edt.KABPFObjFileName = "inode.bpf.o"
)
// SELinux access-vector permission sets for directories and files, presumably
// substituted into the rules emitted by GenerateSELinuxProfile. The ReadOnly
// sets contain no write-side permissions; the ReadWrite sets add write/append,
// create, rename, link and unlink (and, for directories, add_name, remove_name,
// reparent and rmdir). "lock" is listed twice in both ReadWrite strings; the
// duplicate is harmless but could be dropped.
const (
	SELinuxDirReadOnly   = "getattr search open read lock ioctl"
	SELinuxDirReadWrite  = "getattr search open read lock ioctl setattr write link add_name remove_name reparent lock create unlink rename rmdir"
	SELinuxFileReadOnly  = "getattr ioctl lock open read"
	SELinuxFileReadWrite = "getattr ioctl lock open read write append lock create rename link unlink"
)

SELinux Flags

// BPFLSMObjPath is the directory from which the enforcer loads its BPF object
// files (socket.bpf.o, inode.bpf.o, hello.bpf.o). It is a relative path, so it
// resolves against the process's working directory at load time: the daemon
// must be started from the expected directory, and that directory must not be
// writable by unprivileged users, since whatever is found there is loaded into
// the kernel as LSM enforcement code.
const (
	BPFLSMObjPath = "./BPF/objs"
)
// MAX_POLICY_VALUES is the fixed number of slots in every BPF map value
// ([MAX_POLICY_VALUES]uint64 of inode numbers or PID namespace IDs) and must
// match the value size compiled into the BPF objects. InodeBPCKSECMapElement,
// InodeMkdirMapElement and InodeRmdirMapElement spell the same size as a
// literal 128 — keep them in sync if this changes.
// NOTE(review): the signatures of UpdateInodeMap/UpdateSocketMap take fixed
// arrays, so a policy that resolves to more than MAX_POLICY_VALUES entries
// cannot be represented; confirm the callers report the excess rather than
// silently dropping it, as dropped entries are unenforced paths or CIDRs.
// (Go naming would be MaxPolicyValues; the ALL_CAPS name is exported API.)
const MAX_POLICY_VALUES = 128

Variables

Functions

func ConvertCIDRToSocketKey

func ConvertCIDRToSocketKey(CIDR string) [8]byte

///////////////// utils ///////////////////

func ConvertToInodes

func ConvertToInodes(paths []string, pathPrefixOfContainers *[]string) []uint64

///////////////// utils ///////////////////

func DoLgetxattr

func DoLgetxattr(path, attr string, dest []byte) (int, error)

DoLgetxattr is a wrapper that retries on EINTR

func GenerateHostProfileBody

func GenerateHostProfileBody(securityPolicies []tp.HostSecurityPolicy) (int, string)

GenerateHostProfileBody Function

func GenerateHostProfileFoot

func GenerateHostProfileFoot() string

GenerateHostProfileFoot Function

func GenerateHostProfileHead

func GenerateHostProfileHead() string

GenerateHostProfileHead Function

func GenerateProfileBody

func GenerateProfileBody(securityPolicies []tp.SecurityPolicy) (int, string)

GenerateProfileBody Function

func GenerateProfileFoot

func GenerateProfileFoot() string

GenerateProfileFoot Function

func GenerateProfileHead

func GenerateProfileHead(processWhiteList, fileWhiteList, networkWhiteList, capabilityWhiteList []string) string

GenerateProfileHead Function

func GetSELinuxType

func GetSELinuxType(path string) (string, error)

GetSELinuxType Function

func KABEGetMapByProgName

func KABEGetMapByProgName(name edt.KABPFProgName) edt.KABPFMap

func KABEGetProg

func KABEGetProg(name edt.KABPFProgName) edt.KABPFProg

func Lgetxattr

func Lgetxattr(path, attr string) ([]byte, error)

Lgetxattr returns a []byte slice containing the value of an extended attribute attr set for path.

Types

type AppArmorEnforcer

// AppArmorEnforcer generates, registers, updates and removes AppArmor profiles
// for containers and for the host itself (see the methods below). It is used
// by pointer: AppArmorProfilesLock guards AppArmorProfiles and the value must
// not be copied once in use.
type AppArmorEnforcer struct {
	// host
	HostName string

	// options
	// Enable container-policy and host-policy enforcement respectively;
	// presumably copied from the tp.Node passed to NewAppArmorEnforcer — confirm.
	EnableKubeArmorPolicy     bool
	EnableKubeArmorHostPolicy bool

	// logs
	Logger *fd.Feeder

	// default profile
	// Profile text applied when no policy-specific profile exists — TODO confirm.
	ApparmorDefault string

	// host profile
	// Name of the host profile managed by *AppArmorHostProfile — TODO confirm.
	HostProfile string

	// profiles for containers
	// Keyed by profile name; the int is presumably a reference count of
	// containers using the profile (see Register/UnregisterAppArmorProfile) — confirm.
	AppArmorProfiles     map[string]int
	AppArmorProfilesLock *sync.Mutex
}

AppArmorEnforcer Structure

func NewAppArmorEnforcer

func NewAppArmorEnforcer(node tp.Node, logger *fd.Feeder) *AppArmorEnforcer

NewAppArmorEnforcer Function

func (*AppArmorEnforcer) CreateAppArmorHostProfile

func (ae *AppArmorEnforcer) CreateAppArmorHostProfile() error

CreateAppArmorHostProfile Function

func (*AppArmorEnforcer) DestroyAppArmorEnforcer

func (ae *AppArmorEnforcer) DestroyAppArmorEnforcer() error

DestroyAppArmorEnforcer Function

func (*AppArmorEnforcer) GenerateAppArmorHostProfile

func (ae *AppArmorEnforcer) GenerateAppArmorHostProfile(secPolicies []tp.HostSecurityPolicy) (int, string, bool)

GenerateAppArmorHostProfile Function

func (*AppArmorEnforcer) GenerateAppArmorProfile

func (ae *AppArmorEnforcer) GenerateAppArmorProfile(appArmorProfile string, securityPolicies []tp.SecurityPolicy) (int, string, bool)

GenerateAppArmorProfile Function

func (*AppArmorEnforcer) RegisterAppArmorHostProfile

func (ae *AppArmorEnforcer) RegisterAppArmorHostProfile() bool

RegisterAppArmorHostProfile Function

func (*AppArmorEnforcer) RegisterAppArmorProfile

func (ae *AppArmorEnforcer) RegisterAppArmorProfile(profileName string) bool

RegisterAppArmorProfile Function

func (*AppArmorEnforcer) RemoveAppArmorHostProfile

func (ae *AppArmorEnforcer) RemoveAppArmorHostProfile() error

RemoveAppArmorHostProfile Function

func (*AppArmorEnforcer) UnregisterAppArmorHostProfile

func (ae *AppArmorEnforcer) UnregisterAppArmorHostProfile() bool

UnregisterAppArmorHostProfile Function

func (*AppArmorEnforcer) UnregisterAppArmorProfile

func (ae *AppArmorEnforcer) UnregisterAppArmorProfile(profileName string) bool

UnregisterAppArmorProfile Function

func (*AppArmorEnforcer) UpdateAppArmorHostProfile

func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecurityPolicy)

UpdateAppArmorHostProfile Function

func (*AppArmorEnforcer) UpdateAppArmorProfile

func (ae *AppArmorEnforcer) UpdateAppArmorProfile(endPoint tp.EndPoint, appArmorProfile string, securityPolicies []tp.SecurityPolicy)

UpdateAppArmorProfile Function

func (*AppArmorEnforcer) UpdateHostSecurityPolicies

func (ae *AppArmorEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)

UpdateHostSecurityPolicies Function

func (*AppArmorEnforcer) UpdateSecurityPolicies

func (ae *AppArmorEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint)

UpdateSecurityPolicies Function

type BPFEnforcer

// BPFEnforcer loads the LSM BPF programs and maps named by the KABE* constants
// and translates security policies into map entries keyed by PID namespace ID
// or CIDR (see UpdateInodeMap/UpdateSocketMap). Use by pointer; the unexported
// fields are not shown here.
type BPFEnforcer struct {
	// logs
	Logger *fd.Feeder
	// host
	HostName string

	// containers
	// Pointer to the container map shared with the caller of NewBPFEnforcer
	// (a map is already a reference type, so the pointer only aliases the
	// caller's variable). No lock for it is visible here — confirm the owner's
	// mutex is held whenever this map is read.
	Containers *map[string]tp.Container

	// options
	// Enable container-policy and host-policy enforcement respectively.
	EnableKubeArmorPolicy     bool
	EnableKubeArmorHostPolicy bool
	// contains filtered or unexported fields
}

BPFEnforcer Structure

func NewBPFEnforcer

func NewBPFEnforcer(node tp.Node, logger *fd.Feeder, containers *map[string]tp.Container) *BPFEnforcer

NewBPFEnforcer Function

func (*BPFEnforcer) CleanupBPFPolicies

func (be *BPFEnforcer) CleanupBPFPolicies(endPoint *tp.EndPoint)

func (*BPFEnforcer) DeleteInodePidNSID

func (be *BPFEnforcer) DeleteInodePidNSID(pgName tp.BPFPolicyType, pidNSID uint64) error

func (*BPFEnforcer) DeleteSocketCIDR

func (be *BPFEnforcer) DeleteSocketCIDR(pgName tp.BPFPolicyType, CIDR string) error

func (*BPFEnforcer) DestroyBPFEnforcer

func (be *BPFEnforcer) DestroyBPFEnforcer() error

DestroyBPFEnforcer Function

func (*BPFEnforcer) DestroyEnforceMaps

func (be *BPFEnforcer) DestroyEnforceMaps(bman *edt.KABPFManager) error

func (*BPFEnforcer) DestroyEnforcePrograms

func (be *BPFEnforcer) DestroyEnforcePrograms(bman *edt.KABPFManager) error

func (*BPFEnforcer) HostSecurityPolicyToBPFPolicy

func (be *BPFEnforcer) HostSecurityPolicyToBPFPolicy(secHostPolicy tp.HostSecurityPolicy) []tp.BPFPolicy

Parses a host security policy into BPF policies.

func (*BPFEnforcer) InitializeEnforceMaps

func (be *BPFEnforcer) InitializeEnforceMaps(bman *edt.KABPFManager) error

func (*BPFEnforcer) InitializeEnforcePrograms

func (be *BPFEnforcer) InitializeEnforcePrograms(bman *edt.KABPFManager) error

func (*BPFEnforcer) UpdateHostSecurityPolicies

func (be *BPFEnforcer) UpdateHostSecurityPolicies(secHostPolicies []tp.HostSecurityPolicy)

Not implemented

func (*BPFEnforcer) UpdateInodeMap

func (be *BPFEnforcer) UpdateInodeMap(pgName tp.BPFPolicyType, pidNSID uint64, inodes [MAX_POLICY_VALUES]uint64) error

func (*BPFEnforcer) UpdateSecurityPolicies

func (be *BPFEnforcer) UpdateSecurityPolicies(endPoint *tp.EndPoint)

UpdateSecurityPolicies Function

func (*BPFEnforcer) UpdateSocketMap

func (be *BPFEnforcer) UpdateSocketMap(pgName tp.BPFPolicyType, CIDR string, pidNSIDs [MAX_POLICY_VALUES]uint64) error

type InodeBPCKSECMapElement

// InodeBPCKSECMapElement is one entry of the bprm_check_security map
// (KABEInodeBPCKSECMap). Key is a PID namespace ID (SetKey's parameter is
// named pidns) and Value is the list of inode numbers (SetValue's parameter is
// named inodes). The struct is handed to the kernel through
// KeyPointer/ValuePointer, so field order and sizes must match the map
// definition in inode.bpf.o. Value is written as a literal 128 here rather
// than [MAX_POLICY_VALUES]uint64 as in InodePermissionMapElement.
type InodeBPCKSECMapElement struct {
	Key   uint64
	Value [128]uint64
}

func (*InodeBPCKSECMapElement) KeyPointer

func (indbpcksecme *InodeBPCKSECMapElement) KeyPointer() unsafe.Pointer

func (*InodeBPCKSECMapElement) MapName

func (indbpcksecme *InodeBPCKSECMapElement) MapName() string

func (*InodeBPCKSECMapElement) SetFoundValue

func (indbpcksecme *InodeBPCKSECMapElement) SetFoundValue(value []byte)

func (*InodeBPCKSECMapElement) SetKey

func (indbpcksecme *InodeBPCKSECMapElement) SetKey(pidns uint64)

func (*InodeBPCKSECMapElement) SetValue

func (indbpcksecme *InodeBPCKSECMapElement) SetValue(inodes [128]uint64)

func (*InodeBPCKSECMapElement) ValuePointer

func (indbpcksecme *InodeBPCKSECMapElement) ValuePointer() unsafe.Pointer

type InodeMkdirMapElement

// InodeMkdirMapElement is one entry of the inode_mkdir map (KABEInodeMkdirMap).
// Key is a PID namespace ID (SetKey's parameter is named pidns) and Value is
// the list of inode numbers (SetValue's parameter is named inodes). The struct
// is handed to the kernel through KeyPointer/ValuePointer, so field order and
// sizes must match the map definition in inode.bpf.o. Value is written as a
// literal 128 rather than [MAX_POLICY_VALUES]uint64.
type InodeMkdirMapElement struct {
	Key   uint64
	Value [128]uint64
}

func (*InodeMkdirMapElement) KeyPointer

func (indmkme *InodeMkdirMapElement) KeyPointer() unsafe.Pointer

func (*InodeMkdirMapElement) MapName

func (indmkme *InodeMkdirMapElement) MapName() string

func (*InodeMkdirMapElement) SetFoundValue

func (indmkme *InodeMkdirMapElement) SetFoundValue(value []byte)

func (*InodeMkdirMapElement) SetKey

func (indmkme *InodeMkdirMapElement) SetKey(pidns uint64)

func (*InodeMkdirMapElement) SetValue

func (indmkme *InodeMkdirMapElement) SetValue(inodes [128]uint64)

func (*InodeMkdirMapElement) ValuePointer

func (indmkme *InodeMkdirMapElement) ValuePointer() unsafe.Pointer

type InodePermissionMapElement

// InodePermissionMapElement is one entry of the inode_permission map
// (KABEInodePermissionMap). Key is a PID namespace ID (SetKey's parameter is
// named pidns) and Value is the list of inode numbers (SetValue's parameter is
// named inodes). The struct is handed to the kernel through
// KeyPointer/ValuePointer, so field order and sizes must match the map
// definition in inode.bpf.o.
type InodePermissionMapElement struct {
	Key   uint64
	Value [MAX_POLICY_VALUES]uint64
}

func (*InodePermissionMapElement) KeyPointer

func (indpme *InodePermissionMapElement) KeyPointer() unsafe.Pointer

func (*InodePermissionMapElement) MapName

func (indpme *InodePermissionMapElement) MapName() string

func (*InodePermissionMapElement) SetFoundValue

func (indpme *InodePermissionMapElement) SetFoundValue(value []byte)

func (*InodePermissionMapElement) SetKey

func (indpme *InodePermissionMapElement) SetKey(pidns uint64)

func (*InodePermissionMapElement) SetValue

func (indpme *InodePermissionMapElement) SetValue(inodes [MAX_POLICY_VALUES]uint64)

func (*InodePermissionMapElement) ValuePointer

func (indpme *InodePermissionMapElement) ValuePointer() unsafe.Pointer

type InodeRmdirMapElement

// InodeRmdirMapElement is one entry of the inode_rmdir map (KABEInodeRmdirMap).
// Key is a PID namespace ID (SetKey's parameter is named pidns) and Value is
// the list of inode numbers (SetValue's parameter is named inodes). The struct
// is handed to the kernel through KeyPointer/ValuePointer, so field order and
// sizes must match the map definition in inode.bpf.o. Value is written as a
// literal 128 rather than [MAX_POLICY_VALUES]uint64.
type InodeRmdirMapElement struct {
	Key   uint64
	Value [128]uint64
}

func (*InodeRmdirMapElement) KeyPointer

func (indrmme *InodeRmdirMapElement) KeyPointer() unsafe.Pointer

func (*InodeRmdirMapElement) MapName

func (indrmme *InodeRmdirMapElement) MapName() string

func (*InodeRmdirMapElement) SetFoundValue

func (indrmme *InodeRmdirMapElement) SetFoundValue(value []byte)

func (*InodeRmdirMapElement) SetKey

func (indrmme *InodeRmdirMapElement) SetKey(pidns uint64)

func (*InodeRmdirMapElement) SetValue

func (indrmme *InodeRmdirMapElement) SetValue(inodes [128]uint64)

func (*InodeRmdirMapElement) ValuePointer

func (indrmme *InodeRmdirMapElement) ValuePointer() unsafe.Pointer

type RuntimeEnforcer

// RuntimeEnforcer is the front door for policy enforcement: it selects the
// underlying LSM backend (AppArmor, SELinux or BPF — the concrete enforcers are
// presumably among the unexported fields, confirm) and forwards policy and
// profile updates to it.
type RuntimeEnforcer struct {
	// logger
	Logger *fd.Feeder

	// LSM type
	// Name of the selected backend; the accepted values are not visible here.
	EnforcerType string
	// Whether the BPF runtime enforcer is in use.
	EnableBPFRE bool
	// contains filtered or unexported fields
}

RuntimeEnforcer Structure

func NewRuntimeEnforcer

func NewRuntimeEnforcer(node tp.Node, logger *fd.Feeder, containers *map[string]tp.Container) *RuntimeEnforcer

NewRuntimeEnforcer Function

func (*RuntimeEnforcer) CleanupBPFPolicies

func (re *RuntimeEnforcer) CleanupBPFPolicies(endPoint tp.EndPoint)

func (*RuntimeEnforcer) DestroyRuntimeEnforcer

func (re *RuntimeEnforcer) DestroyRuntimeEnforcer() error

DestroyRuntimeEnforcer Function

func (*RuntimeEnforcer) UpdateAppArmorProfiles

func (re *RuntimeEnforcer) UpdateAppArmorProfiles(action string, profiles map[string]string)

UpdateAppArmorProfiles Function

func (*RuntimeEnforcer) UpdateHostSecurityPolicies

func (re *RuntimeEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)

UpdateHostSecurityPolicies Function

func (*RuntimeEnforcer) UpdateSELinuxProfiles

func (re *RuntimeEnforcer) UpdateSELinuxProfiles(action string, profiles map[string]string, hostVolumes []tp.HostVolumeMount)

UpdateSELinuxProfiles Function

func (*RuntimeEnforcer) UpdateSecurityPolicies

func (re *RuntimeEnforcer) UpdateSecurityPolicies(endPoint *tp.EndPoint)

UpdateSecurityPolicies Function

type SELinuxEnforcer

// SELinuxEnforcer generates, registers and unregisters SELinux profiles for
// containers (see the methods below). Use by pointer: SELinuxProfilesLock
// guards SELinuxProfiles and the value must not be copied once in use.
type SELinuxEnforcer struct {
	// logs
	Logger *fd.Feeder

	// Keyed by profile name; the int is presumably a reference count of
	// containers using the profile (see Register/UnregisterSELinuxProfile) — confirm.
	SELinuxProfiles     map[string]int
	SELinuxProfilesLock *sync.Mutex

	// Template text used when emitting SELinux contexts — TODO confirm format.
	SELinuxContextTemplates string
}

SELinuxEnforcer Structure

func NewSELinuxEnforcer

func NewSELinuxEnforcer(logger *fd.Feeder) *SELinuxEnforcer

NewSELinuxEnforcer Function

func (*SELinuxEnforcer) DestroySELinuxEnforcer

func (se *SELinuxEnforcer) DestroySELinuxEnforcer() error

DestroySELinuxEnforcer Function

func (*SELinuxEnforcer) GenerateSELinuxProfile

func (se *SELinuxEnforcer) GenerateSELinuxProfile(endPoint tp.EndPoint, profileName string, securityPolicies []tp.SecurityPolicy) (int, string, bool)

GenerateSELinuxProfile Function

func (*SELinuxEnforcer) RegisterSELinuxProfile

func (se *SELinuxEnforcer) RegisterSELinuxProfile(containerName string, hostVolumes []tp.HostVolumeMount, profileName string) bool

RegisterSELinuxProfile Function

func (*SELinuxEnforcer) UnregisterSELinuxProfile

func (se *SELinuxEnforcer) UnregisterSELinuxProfile(profileName string) bool

UnregisterSELinuxProfile Function

func (*SELinuxEnforcer) UpdateHostSecurityPolicies

func (se *SELinuxEnforcer) UpdateHostSecurityPolicies(secPolicies []tp.HostSecurityPolicy)

UpdateHostSecurityPolicies Function

func (*SELinuxEnforcer) UpdateSELinuxProfile

func (se *SELinuxEnforcer) UpdateSELinuxProfile(endPoint tp.EndPoint, seLinuxProfile string, securityPolicies []tp.SecurityPolicy)

UpdateSELinuxProfile Function

func (*SELinuxEnforcer) UpdateSecurityPolicies

func (se *SELinuxEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint)

UpdateSecurityPolicies Function

type SocketConnectMapElement

// SocketConnectMapElement is one entry of the socket_connect map
// (KABESocketConnectMap). Key is a CIDR packed into 8 bytes (SetKey's
// parameter is named IPCIDR; see ConvertCIDRToSocketKey) and Value is the list
// of PID namespace IDs (SetValue's parameter is named pidNSIDs). The struct is
// handed to the kernel through KeyPointer/ValuePointer, so field order and
// sizes must match the map definition in socket.bpf.o.
type SocketConnectMapElement struct {
	Key   [8]byte
	Value [MAX_POLICY_VALUES]uint64
}

func (*SocketConnectMapElement) KeyPointer

func (skcnme *SocketConnectMapElement) KeyPointer() unsafe.Pointer

func (*SocketConnectMapElement) MapName

func (skcnme *SocketConnectMapElement) MapName() string

func (*SocketConnectMapElement) SetFoundValue

func (skcnme *SocketConnectMapElement) SetFoundValue(value []byte)

func (*SocketConnectMapElement) SetKey

func (skcnme *SocketConnectMapElement) SetKey(IPCIDR [8]byte)

func (*SocketConnectMapElement) SetValue

func (skcnme *SocketConnectMapElement) SetValue(pidNSIDs [MAX_POLICY_VALUES]uint64)

func (*SocketConnectMapElement) ValuePointer

func (skcnme *SocketConnectMapElement) ValuePointer() unsafe.Pointer

type SocketSendmsgMapElement

// SocketSendmsgMapElement is one entry of the socket_sendmsg map
// (KABESocketSendmsgMap). Key is a CIDR packed into 8 bytes (SetKey's
// parameter is named IPCIDR; see ConvertCIDRToSocketKey) and Value is the list
// of PID namespace IDs (SetValue's parameter is named pidNSIDs). The struct is
// handed to the kernel through KeyPointer/ValuePointer, so field order and
// sizes must match the map definition in socket.bpf.o.
type SocketSendmsgMapElement struct {
	Key   [8]byte
	Value [MAX_POLICY_VALUES]uint64
}

func (*SocketSendmsgMapElement) KeyPointer

func (sksmsgme *SocketSendmsgMapElement) KeyPointer() unsafe.Pointer

func (*SocketSendmsgMapElement) MapName

func (sksmsgme *SocketSendmsgMapElement) MapName() string

func (*SocketSendmsgMapElement) SetFoundValue

func (sksmsgme *SocketSendmsgMapElement) SetFoundValue(value []byte)

func (*SocketSendmsgMapElement) SetKey

func (sksmsgme *SocketSendmsgMapElement) SetKey(IPCIDR [8]byte)

func (*SocketSendmsgMapElement) SetValue

func (sksmsgme *SocketSendmsgMapElement) SetValue(pidNSIDs [MAX_POLICY_VALUES]uint64)

func (*SocketSendmsgMapElement) ValuePointer

func (sksmsgme *SocketSendmsgMapElement) ValuePointer() unsafe.Pointer
