
feat(enforcer): enforce read only policies in bpflsm #971

Merged
merged 1 commit into from Nov 9, 2022

Conversation

daemon1024
Member

@daemon1024 daemon1024 commented Nov 8, 2022

Purpose of PR?:

File access events go through file_open and then file_permission; we only get to know about the mask in file_permission. This commit implements differentiating between read and write events in the file_permission hook; the rest of the enforcement is handled in file_open.

Ref #795

If the changes in this PR are manually verified, list down the scenarios covered:

Applied a read-only policy and verified behaviour.

Checklist:

  • New feature (non-breaking change which adds functionality)
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

TODO:

  • Refactor code to deduplicate logic

File access events go through file_open and then file_permission; we only get to know about the mask in file_permission. This commit implements differentiating between read and write events in the file_permission hook; the rest of the enforcement is handled in file_open.

Signed-off-by: daemon1024 <barun.acharya@accuknox.com>
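The split the PR describes, as an added user-space model (not KubeArmor's BPF-LSM code): `file_open` can only enforce rules that deny every access, because the requested mask is not known there, while `file_permission` sees the mask and can deny only writes for a read-only rule. The `MAY_*` bit values are the kernel's (include/linux/fs.h); the policy table, path prefixes and function names are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not KubeArmor code: a user-space model of the two-hook
 * decision described in the PR. Mask bits match the kernel's MAY_* values. */
#define MAY_EXEC   0x01
#define MAY_WRITE  0x02
#define MAY_READ   0x04
#define MAY_APPEND 0x08

/* Hypothetical policy table: a path prefix plus whether the rule is
 * read-only (reads allowed, writes denied) or a full block (all access denied). */
struct path_rule {
    const char *prefix;
    int read_only;   /* 1: allow reads, deny writes; 0: deny everything */
};

static const struct path_rule rules[] = {
    { "/etc/shadow",   0 },  /* constructed: block outright */
    { "/var/app/cfg/", 1 },  /* constructed: read-only */
};

static const struct path_rule *match_rule(const char *path) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strncmp(path, rules[i].prefix, strlen(rules[i].prefix)) == 0)
            return &rules[i];
    return NULL;
}

/* file_open stage: the mask is not known here, so only rules that deny
 * every access can be enforced. Read-only rules fall through to the next hook. */
int lsm_file_open(const char *path) {
    const struct path_rule *r = match_rule(path);
    if (r && !r->read_only)
        return -EPERM;
    return 0;
}

/* file_permission stage: the requested mask is available, so a read-only
 * rule denies MAY_WRITE/MAY_APPEND and lets MAY_READ through. */
int lsm_file_permission(const char *path, int mask) {
    const struct path_rule *r = match_rule(path);
    if (!r)
        return 0;
    if (!r->read_only)
        return -EPERM;            /* already denied at open; stays denied here */
    if (mask & (MAY_WRITE | MAY_APPEND))
        return -EPERM;
    return 0;
}

/* Combined verdict for one access: both hooks must allow it. */
int access_verdict(const char *path, int mask) {
    int rc = lsm_file_open(path);
    if (rc)
        return rc;
    return lsm_file_permission(path, mask);
}

int main(void) {
    printf("read  cfg: %d\n", access_verdict("/var/app/cfg/app.yaml", MAY_READ));
    printf("write cfg: %d\n", access_verdict("/var/app/cfg/app.yaml", MAY_WRITE));
    printf("read shadow: %d\n", access_verdict("/etc/shadow", MAY_READ));
    return 0;
}
```

The model shows why the read/write distinction has to live in `file_permission`: a read-only rule returns 0 from `lsm_file_open` for every caller and only turns into `-EPERM` once the mask carries `MAY_WRITE` or `MAY_APPEND`.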
Contributor

@nyrahul nyrahul left a comment


Code LGTM. But it is difficult to do a thorough review of this PR. Currently we also do not have a way to automate BPF-LSM system tests.

I am ok to merge this PR based on manual tests. Yesterday I reached out to CNCF for more powerful GH Actions Runners and they will soon get back to us.

Member

@Ankurk99 Ankurk99 left a comment


LGTM

@Ankurk99 Ankurk99 merged commit 7f70f8c into kubearmor:main Nov 9, 2022
@daemon1024 daemon1024 mentioned this pull request Feb 16, 2023