fix(throttling): shifting host apparmor alerts throttling to userspace

Signed-off-by: Prateek <[email protected]>
kubearmor · Nov 28, 2024 · 1373cb6 · 1373cb6
1 parent 9937d9d
commit 1373cb6
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/KubeArmor/BPF/system_monitor.c b/KubeArmor/BPF/system_monitor.c
@@ -1067,6 +1067,12 @@ static __always_inline u32 init_context(sys_context_t *context)
 // To check if subsequent alerts should be dropped per container
 static __always_inline bool should_drop_alerts_per_container(sys_context_t *context, struct pt_regs *ctx, u32 types, args_t *args) {
 #if LINUX_VERSION_CODE > KERNEL_VERSION(5, 2, 0)
+
+    // throttling for host in case of apparmor is handled in userspace
+    if (context->pid_id == 0 && context->mnt_id == 0) {
+        return false;
+    }
+
     u64 current_timestamp = bpf_ktime_get_ns();
 
     struct outer_key key = {

diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go
@@ -581,7 +581,7 @@ func (fd *Feeder) PushLog(log tp.Log) {
 	if log.Type == "MatchedPolicy" || log.Type == "MatchedHostPolicy" || log.Type == "SystemEvent" {
 
 		// checking throttling condition for "Audit" alerts when enforcer is 'eBPF Monitor'
-		if cfg.GlobalCfg.AlertThrottling && strings.Contains(log.Action, "Audit") && log.Enforcer == "eBPF Monitor" {
+		if cfg.GlobalCfg.AlertThrottling && ((strings.Contains(log.Action, "Audit") && log.Enforcer == "eBPF Monitor") || (log.Type == "MatchedHostPolicy" && (log.Enforcer == "AppArmor" || log.Enforcer == "eBPF Monitor"))) {
 			nsKey := fd.ContainerNsKey[log.ContainerID]
 			alert, throttle := fd.ShouldDropAlertsPerContainer(nsKey.PidNs, nsKey.MntNs)
 			if alert && throttle {