From 1373cb6ecddbc7a5d32ef53548dedece7b283a0f Mon Sep 17 00:00:00 2001
From: Prateek
Date: Thu, 28 Nov 2024 13:29:43 +0530
Subject: [PATCH] fix(throttling): shifting host apparmor alerts throttling to userspace

Signed-off-by: Prateek
---
 KubeArmor/BPF/system_monitor.c | 6 ++++++
 KubeArmor/feeder/feeder.go     | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/KubeArmor/BPF/system_monitor.c b/KubeArmor/BPF/system_monitor.c
index d1f76feff..fe239f29e 100644
--- a/KubeArmor/BPF/system_monitor.c
+++ b/KubeArmor/BPF/system_monitor.c
@@ -1067,6 +1067,12 @@ static __always_inline u32 init_context(sys_context_t *context)
 // To check if subsequent alerts should be dropped per container
 static __always_inline bool should_drop_alerts_per_container(sys_context_t *context, struct pt_regs *ctx, u32 types, args_t *args) {
 #if LINUX_VERSION_CODE > KERNEL_VERSION(5, 2, 0)
+
+    // throttling for host in case of apparmor is handled in userspace
+    if (context->pid_id == 0 && context->mnt_id == 0) {
+        return false;
+    }
+
     u64 current_timestamp = bpf_ktime_get_ns();
 
     struct outer_key key = {
diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go
index 4cb9e1efb..9be7e5ecd 100644
--- a/KubeArmor/feeder/feeder.go
+++ b/KubeArmor/feeder/feeder.go
@@ -581,7 +581,7 @@ func (fd *Feeder) PushLog(log tp.Log) {
 	if log.Type == "MatchedPolicy" || log.Type == "MatchedHostPolicy" || log.Type == "SystemEvent" {
 
 		// checking throttling condition for "Audit" alerts when enforcer is 'eBPF Monitor'
-		if cfg.GlobalCfg.AlertThrottling && strings.Contains(log.Action, "Audit") && log.Enforcer == "eBPF Monitor" {
+		if cfg.GlobalCfg.AlertThrottling && ((strings.Contains(log.Action, "Audit") && log.Enforcer == "eBPF Monitor") || (log.Type == "MatchedHostPolicy" && (log.Enforcer == "AppArmor" || log.Enforcer == "eBPF Monitor"))) {
 			nsKey := fd.ContainerNsKey[log.ContainerID]
 			alert, throttle := fd.ShouldDropAlertsPerContainer(nsKey.PidNs, nsKey.MntNs)
 			if alert && throttle {
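Review bot: The new comment in should_drop_alerts_per_container says the bypass is "for host in case of apparmor", but the early return fires on `context->pid_id == 0 && context->mnt_id == 0` regardless of which enforcer produced the event, so every host event now skips kernel-side throttling (and never touches the throttling map), not only AppArmor ones; presumably zero pid/mnt namespace ids are how init_context marks host processes, which the hunk does not show. The comment should state the actual contract so the next reader does not assume eBPF-Monitor host events are still throttled here, e.g. `// Host events (pid_ns == 0 && mnt_ns == 0) are never throttled in-kernel; the feeder throttles them in userspace for both AppArmor and eBPF Monitor.`. The function's body continues past the end of the hunk.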
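Review bot: The rewritten condition in PushLog throttles every `MatchedHostPolicy` alert from AppArmor or the eBPF Monitor, including ones whose Action is not "Audit", whereas container alerts are still throttled only when the action contains "Audit"; if dropping host Block alerts under throttling is intended it should be said explicitly, since a reader of the unchanged comment above (`checking throttling condition for "Audit" alerts when enforcer is 'eBPF Monitor'`) would conclude the opposite, and that comment is now stale. The line is also long enough that the precedence is hard to verify by eye; naming the two cases makes both the intent and the Audit-vs-all asymmetry visible. Note that for host alerts `fd.ContainerNsKey[log.ContainerID]` presumably misses and yields the zero-value key, so host throttling state lives under (0, 0) — the same ids the BPF side now skips — which is worth a comment at the lookup. PushLog's body extends beyond the hunk in both directions.
```go
		// Throttle "Audit" alerts from the eBPF Monitor, plus all host-policy alerts (any action)
		// from AppArmor or the eBPF Monitor; host throttling was moved out of the BPF program.
		auditAlert := strings.Contains(log.Action, "Audit") && log.Enforcer == "eBPF Monitor"
		hostAlert := log.Type == "MatchedHostPolicy" && (log.Enforcer == "AppArmor" || log.Enforcer == "eBPF Monitor")
		if cfg.GlobalCfg.AlertThrottling && (auditAlert || hostAlert) {
			// … unchanged: nsKey lookup and ShouldDropAlertsPerContainer check …
```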