add matchArgs flag

Signed-off-by: Aryan-sharma11 <[email protected]>
kubearmor · Mar 7, 2025 · 8ff629d · 8ff629d
1 parent fd3ae5d
commit 8ff629d
Show file tree

Hide file tree

Showing 29 changed files with 56 additions and 2 deletions.
diff --git a/KubeArmor/BPF/enforcer.bpf.c b/KubeArmor/BPF/enforcer.bpf.c
@@ -226,7 +226,7 @@ int BPF_PROG(enforce_proc, struct linux_binprm *bprm, int ret) {
 
 decision:  
   if (match) {
-    if (val && (val->processmask & RULE_ARGSET)){ 
+    if (val && (val->processmask & RULE_ARGSET) && get_kubearmor_config(_MATCH_ARGS)){ 
       argmatch = matchArguments( num_of_args , &okey , store , pk);
       if(argmatch){
         // if arguments matches allow the process to be executed

diff --git a/KubeArmor/BPF/shared.h b/KubeArmor/BPF/shared.h
@@ -192,6 +192,7 @@ enum
     _ALERT_THROTTLING = 3,
     _MAX_ALERT_PER_SEC = 4,
     _THROTTLE_SEC = 5,
+    _MATCH_ARGS = 6,
 };
 
 struct kaconfig

diff --git a/KubeArmor/BPF/system_monitor.c b/KubeArmor/BPF/system_monitor.c
@@ -343,6 +343,7 @@ enum
     _ALERT_THROTTLING = 3,
     _MAX_ALERT_PER_SEC = 4,
     _THROTTLE_SEC = 5,
+    _MATCH_ARGS = 6,
 };
 
 struct kaconfig
@@ -1309,7 +1310,7 @@ int kprobe__execve(struct pt_regs *ctx)
     unsigned long argv = READ_KERN(PT_REGS_PARM2(ctx2));
 #endif
 
-    if(get_kubearmor_config(_ENFORCER_BPFLSM)){
+    if(get_kubearmor_config(_ENFORCER_BPFLSM) && (get_kubearmor_config(_MATCH_ARGS))){
         save_cmd_args_to_buffer((const char *const *)argv);
     }
 

diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
@@ -63,6 +63,7 @@ type KubearmorConfig struct {
 	MaxAlertPerSec    int32 // Maximum alerts allowed per second
 	ThrottleSec       int32 // Number of seconds for which subsequent alerts will be dropped
 	AnnotateResources bool  // enable annotations by kubearmor if kubearmor-controller is not present
+	MatchArgs         bool  // enable argument rules for policy
 
 	ProcFsMount string // path where procfs is hosted
 }
@@ -114,6 +115,7 @@ const (
 	ConfigThrottleSec                    string = "throttleSec"
 	ConfigAnnotateResources              string = "annotateResources"
 	ConfigProcFsMount                    string = "procfsMount"
+	ConfigArgMatching                    string = "matchArgs"
 )
 
 func readCmdLineParams() {
@@ -175,6 +177,8 @@ func readCmdLineParams() {
 
 	procFsMount := flag.String(ConfigProcFsMount, "/proc", "Path to the BPF filesystem to use for storing maps")
 
+	matchArgs := flag.Bool(ConfigArgMatching, true, "enabling Argument matching")
+
 	flags := []string{}
 	flag.VisitAll(func(f *flag.Flag) {
 		kv := fmt.Sprintf("%s:%v", f.Name, f.Value)
@@ -240,6 +244,8 @@ func readCmdLineParams() {
 
 	viper.SetDefault(ConfigAnnotateResources, *annotateResources)
 
+	viper.SetDefault(ConfigArgMatching, *matchArgs)
+
 	viper.SetDefault(ConfigProcFsMount, *procFsMount)
 }
 
@@ -359,4 +365,5 @@ func LoadDynamicConfig() {
 	GlobalCfg.AlertThrottling = viper.GetBool(ConfigAlertThrottling)
 	GlobalCfg.MaxAlertPerSec = int32(viper.GetInt(ConfigMaxAlertPerSec))
 	GlobalCfg.ThrottleSec = int32(viper.GetInt(ConfigThrottleSec))
+	GlobalCfg.MatchArgs = viper.GetBool(ConfigArgMatching)
 }
diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
@@ -2812,8 +2812,14 @@ func (dm *KubeArmorDaemon) WatchConfigMap() cache.InformerSynced {
 					}
 					cfg.GlobalCfg.ThrottleSec = int32(throttleSec)
 				}
+				if _, ok := cm.Data[cfg.ConfigArgMatching]; ok {
+					cfg.GlobalCfg.MatchArgs = (cm.Data[cfg.ConfigArgMatching] == "true")
+				}
+
 				dm.SystemMonitor.UpdateThrottlingConfig()
 
+				dm.SystemMonitor.UpdateMatchArgsConfig()
+
 				dm.Logger.Printf("Current Global Posture is %v", currentGlobalPosture)
 				dm.UpdateGlobalPosture(globalPosture)
 

diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o
diff --git a/KubeArmor/monitor/systemMonitor.go b/KubeArmor/monitor/systemMonitor.go
@@ -252,6 +252,7 @@ func (mon *SystemMonitor) initBPFMaps() error {
 	}
 
 	mon.UpdateThrottlingConfig()
+	mon.UpdateMatchArgsConfig()
 
 	return errors.Join(errviz, errconfig)
 }
@@ -302,6 +303,19 @@ func (mon *SystemMonitor) UpdateThrottlingConfig() {
 		cfg.GlobalCfg.MaxAlertPerSec,
 		cfg.GlobalCfg.ThrottleSec)
 }
+func (mon *SystemMonitor) UpdateMatchArgsConfig() {
+	if cfg.GlobalCfg.MatchArgs {
+		if err := mon.BpfConfigMap.Update(uint32(6), uint32(1), cle.UpdateAny); err != nil {
+			mon.Logger.Errf("Error Updating System Monitor Config Map to enable argument matching: %s", err.Error())
+		}
+	} else {
+		if err := mon.BpfConfigMap.Update(uint32(6), uint32(0), cle.UpdateAny); err != nil {
+			mon.Logger.Errf("Error Updating System Monitor Config Map to enable argument matching : %s", err.Error())
+		}
+	}
+
+	mon.Logger.Printf("Argument matching configured {matchArgs:%v}", cfg.GlobalCfg.AlertThrottling)
+}
 
 // UpdateNsKeyMap Function
 func (mon *SystemMonitor) UpdateNsKeyMap(action string, nsKey NsKey, visibility tp.Visibility) {

diff --git a/KubeArmor/presets/anonmapexec/anonmapexec_bpfeb.o b/KubeArmor/presets/anonmapexec/anonmapexec_bpfeb.o
diff --git a/KubeArmor/presets/anonmapexec/anonmapexec_bpfel.o b/KubeArmor/presets/anonmapexec/anonmapexec_bpfel.o
diff --git a/KubeArmor/presets/filelessexec/filelessexec_bpfeb.o b/KubeArmor/presets/filelessexec/filelessexec_bpfeb.o
diff --git a/KubeArmor/presets/filelessexec/filelessexec_bpfel.o b/KubeArmor/presets/filelessexec/filelessexec_bpfel.o
diff --git a/KubeArmor/presets/protectEnv/protectenv_bpfeb.o b/KubeArmor/presets/protectEnv/protectenv_bpfeb.o
diff --git a/KubeArmor/presets/protectEnv/protectenv_bpfel.o b/KubeArmor/presets/protectEnv/protectenv_bpfel.o
diff --git a/deployments/get/objects.go b/deployments/get/objects.go
@@ -829,6 +829,7 @@ func GetKubearmorConfigMap(namespace, name string) *corev1.ConfigMap {
 	data[cfg.ConfigAlertThrottling] = "true"
 	data[cfg.ConfigMaxAlertPerSec] = "10"
 	data[cfg.ConfigThrottleSec] = "30"
+	data[cfg.ConfigArgMatching] = "true"
 
 	return &corev1.ConfigMap{
 		TypeMeta: metav1.TypeMeta{

diff --git a/deployments/helm/KubeArmor/templates/configmap.yaml b/deployments/helm/KubeArmor/templates/configmap.yaml
@@ -7,6 +7,9 @@ data:
   alertThrottling: {{ .Values.kubearmorConfigMap.alertThrottling | quote }}
   maxAlertPerSec: {{ .Values.kubearmorConfigMap.maxAlertPerSec | quote }}
   throttleSec: {{ .Values.kubearmorConfigMap.throttleSec | quote }}
+  matchArgs: {{ .Values.kubearmorConfigMap.matchArgs | quote }}
+
+
 kind: ConfigMap
 metadata:
   labels:

diff --git a/deployments/helm/KubeArmor/values.yaml b/deployments/helm/KubeArmor/values.yaml
@@ -108,6 +108,7 @@ kubearmorConfigMap:
   alertThrottling: true
   maxAlertPerSec: 10
   throttleSec: 30
+  matchArgs: true
 
 #volume mounts and volumes
 kubearmor:

diff --git a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
@@ -72,6 +72,8 @@ spec:
                 type: object
               alertThrottling:
                 type: boolean
+              matchArgs:
+                type: boolean
               defaultCapabilitiesPosture:
                 enum:
                 - audit

diff --git a/deployments/helm/KubeArmorOperator/values.yaml b/deployments/helm/KubeArmorOperator/values.yaml
@@ -58,6 +58,7 @@ kubearmorConfig:
   alertThrottling: true
   maxAlertPerSec: 10
   throttleSec: 30
+  matchArgs: true
 
 # DO NOT CHANGE THIS VALUES 
 # changing these values will require code changes with the operator

diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml
@@ -71,6 +71,8 @@ spec:
                 type: object
               alertThrottling:
                 type: boolean
+              matchArgs:
+                type: boolean
               defaultCapabilitiesPosture:
                 enum:
                 - audit

diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go
@@ -116,6 +116,8 @@ type KubeArmorConfigSpec struct {
 	Adapters Adapters `json:"adapters,omitempty"`
 
 	EnableNRI bool `json:"enableNRI,omitempty"`
+
+	MatchArgs bool `json:"matchArgs,omitempty"`
 }
 
 // KubeArmorConfigStatus defines the observed state of KubeArmorConfig

diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go
@@ -87,6 +87,7 @@ var (
 	ConfigMaxAlertPerSec             string = "maxAlertPerSec"
 	ConfigThrottleSec                string = "throttleSec"
 	ConfigEnableNRI                  string = "enableNRI"
+	ConfigArgMatching                string = "matchArgs"
 
 	GlobalImagePullSecrets []corev1.LocalObjectReference = []corev1.LocalObjectReference{}
 	GlobalTolerations      []corev1.Toleration           = []corev1.Toleration{}
@@ -152,6 +153,7 @@ var (
 	AlertThrottling       bool   = true
 	DefaultMaxAlertPerSec string = "10"
 	DefaultThrottleSec    string = "30"
+	MatchArgs             bool   = true
 
 	// recommend policies
 	RecommendedPolicies opv1.RecommendedPolicies = opv1.RecommendedPolicies{
@@ -198,6 +200,7 @@ var ConfigMapData = map[string]string{
 	ConfigAlertThrottling:            "true",
 	ConfigMaxAlertPerSec:             "10",
 	ConfigThrottleSec:                "30",
+	ConfigArgMatching:                "true",
 }
 
 var ConfigDefaultSeccompEnabled = "false"

diff --git a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml
@@ -72,6 +72,8 @@ spec:
                 type: object
               alertThrottling:
                 type: boolean
+              matchArgs:
+                type: boolean
               defaultCapabilitiesPosture:
                 enum:
                 - audit

diff --git a/pkg/KubeArmorOperator/config/samples/kubearmor-coverage.yaml b/pkg/KubeArmorOperator/config/samples/kubearmor-coverage.yaml
@@ -18,6 +18,7 @@ spec:
   alertThrottling: false
   maxAlertPerSec: 10
   throttleSec: 30
+  matchArgs: true
   kubearmorImage:
     image: kubearmor/kubearmor-test:latest
     imagePullPolicy: Never

diff --git a/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml b/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
@@ -18,6 +18,7 @@ spec:
   alertThrottling: false
   maxAlertPerSec: 10
   throttleSec: 30
+  matchArgs: true
   kubearmorImage:
     image: kubearmor/kubearmor:latest
     imagePullPolicy: Never

diff --git a/pkg/KubeArmorOperator/config/samples/sample-config.yml b/pkg/KubeArmorOperator/config/samples/sample-config.yml
@@ -21,6 +21,7 @@ spec:
   alertThrottling: true
   maxAlertPerSec: 10
   throttleSec: 30
+  matchArgs: true
   kubearmorImage:
     image: kubearmor/kubearmor:stable
     imagePullPolicy: Always

diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go
@@ -1298,6 +1298,11 @@ func UpdateConfigMapData(config *opv1.KubeArmorConfigSpec) bool {
 	if config.ThrottleSec == 0 {
 		ThrottleSec = common.DefaultThrottleSec
 	}
+	MatchArgsEnabled := strconv.FormatBool(config.MatchArgs)
+	if common.ConfigMapData[common.ConfigArgMatching] != MatchArgsEnabled {
+		common.ConfigMapData[common.ConfigArgMatching] = MatchArgsEnabled
+		updated = true
+	}
 	if common.ConfigMapData[common.ConfigThrottleSec] != ThrottleSec {
 		common.ConfigMapData[common.ConfigThrottleSec] = ThrottleSec
 		updated = true