[agent-smith] Parse net dev and create an infringement

gitpod-io · Jul 1, 2021 · 0168e35 · 0168e35
1 parent fb31733
commit 0168e35
Show file tree

Hide file tree

Showing 7 changed files with 72 additions and 428 deletions.
diff --git a/chart/templates/agent-smith-configmap.yaml b/chart/templates/agent-smith-configmap.yaml
@@ -22,9 +22,26 @@ data:
       "blacklists": {
         "very": {
           "signatures": [
-            {"name":"testtarget","domain":"process","kind":"elf","pattern":"YWdlbnRTbWl0aFRlc3RUYXJnZXQ=","regexp":false}
+            {
+              "name": "testtarget",
+              "domain": "process",
+              "kind": "elf",
+              "pattern": "YWdlbnRTbWl0aFRlc3RUYXJnZXQ=",
+              "regexp": false
+            }
           ]
         }
+      },
+      "egressTraffic": {
+        "dt": "2m",
+        "excessive": {
+          "baseBudget": "300Mi",
+          "perDtThreshold": "100Mi"
+        },
+        "veryExcessive": {
+          "baseBudget": "2Gi",
+          "perDtThreshold": "250Mi"
+        }
       }
     }
-{{- end -}}
+{{- end -}}
diff --git a/components/ee/agent-smith/BUILD.yaml b/components/ee/agent-smith/BUILD.yaml
@@ -59,5 +59,5 @@ scripts:
       - components/ee/agent-smith/cmd/testbed:app
       - components/ee/agent-smith/cmd/testtarget:app
     script: |
-      scp vm ./components-ee-agent-smith--falco-bpf-probe/probe.o ./components-ee-agent-smith--app/agent-smith ./components-ee-agent-smith--example-config/example-config.json ./components-ee-agent-smith-cmd-testbed--app/testbed ./components-ee-agent-smith-cmd-testtarget--app/testtarget root@localhost:/
+      scp -P 2222 -i ~/.ssh/id_rsa_vm -o StrictHostKeyChecking=no vm ./components-ee-agent-smith--falco-bpf-probe/probe.o ./components-ee-agent-smith--app/agent-smith ./components-ee-agent-smith--example-config/example-config.json ./components-ee-agent-smith-cmd-testbed--app/testbed ./components-ee-agent-smith-cmd-testtarget--app/testtarget root@localhost:/
       echo "copied agent-smith to /"
diff --git a/components/ee/agent-smith/README.md b/components/ee/agent-smith/README.md
@@ -43,6 +43,12 @@ ssh vm
 
 If you now go under the `/workspace` folder in the VM, you will find all your workspace stuff.
 
+If you want to compile with leeway and have the compiled artifacts in the VM you can do
+
+```
+leeway run components/ee/agent-smith:copy-to-qemu
+```
+
 ## Falco libs BPF probe development
 
 In case you need to do development of new features or fix bugs against the

diff --git a/components/ee/agent-smith/example-config.json b/components/ee/agent-smith/example-config.json
@@ -3,10 +3,26 @@
     "probePath": "./probe.o",
     "blacklists": {
         "very": {
-            "binaries": ["find"],
             "signatures": [
-                {"name":"testtarget","domain":"process","kind":"elf","pattern":"YWdlbnRTbWl0aFRlc3RUYXJnZXQ=","regexp":false}
+                {
+                    "name": "testtarget",
+                    "domain": "process",
+                    "kind": "elf",
+                    "pattern": "YWdlbnRTbWl0aFRlc3RUYXJnZXQ=",
+                    "regexp": false
+                }
             ]
         }
+    },
+    "egressTraffic": {
+        "dt": "2m",
+        "excessive": {
+            "baseBudget": "300Mi",
+            "perDtThreshold": "100Mi"
+        },
+        "veryExcessive": {
+            "baseBudget": "2Gi",
+            "perDtThreshold": "250Mi"
+        }
     }
-}
+}
diff --git a/components/ee/agent-smith/pkg/agent/agent.go b/components/ee/agent-smith/pkg/agent/agent.go
@@ -47,7 +47,6 @@ type Smith struct {
 	Config           Config
 	GitpodAPI        gitpod.APIInterface
 	EnforcementRules map[string]EnforcementRules
-	EgressTraffic    *EgressTraffic
 	metrics          *metrics
 
 	notifiedInfringements *lru.Cache
@@ -332,20 +331,20 @@ func (agent *Smith) Start(ctx context.Context, callback func(InfringingWorkspace
 					agent.pidsMap.Range(func(key, value interface{}) bool {
 						p := key.(int)
 						t := value.(time.Time)
-						infr, err := agent.checkEgressTrafficCallback(strconv.Itoa(p), t)
+						infr, err := agent.checkEgressTrafficCallback(p, t)
 						if err != nil {
-							log.WithError(err).Warnf("error checking egress for pid: %d", p)
 							return true
 						}
 						if infr == nil {
 							return true
 						}
+						var res []Infringement
 						v, err := getWorkspaceFromProcess(p)
 						if err != nil {
-							// this is not from a workspace, let's skip
 							return true
 						}
-						v.Infringements = append(v.Infringements, *infr)
+						res = append(res, *infr)
+						v.Infringements = res
 						ps, err := agent.Penalize(*v)
 						if err != nil {
 							log.WithError(err).WithField("infringement", v).Warn("error while reacting to infringement")
@@ -432,6 +431,12 @@ func (agent *Smith) cleanupDeadPidsCallback() {
 			return true
 		}
 
+		_, err = getWorkspaceFromProcess(p)
+		if err != nil {
+			agent.pidsMap.Delete(p)
+			return true
+		}
+
 		return true
 	})
 
@@ -796,15 +801,17 @@ func (agent *Smith) RegisterMetrics(reg prometheus.Registerer) error {
 	return agent.metrics.Register(reg)
 }
 
-func (agent *Smith) checkEgressTrafficCallback(pid string, pidCreationTime time.Time) (*Infringement, error) {
-	if agent.EgressTraffic == nil {
+func (agent *Smith) checkEgressTrafficCallback(pid int, pidCreationTime time.Time) (*Infringement, error) {
+	if agent.Config.EgressTraffic == nil {
 		return nil, nil
 	}
+
 	podLifetime := time.Since(pidCreationTime)
 	resp, err := network.GetEgressTraffic(pid)
 	if err != nil {
 		return nil, err
 	}
+
 	if resp <= 0 {
 		log.WithField("total egress bytes", resp).Warn("GetEgressTraffic returned <= 0 value")
 		return nil, nil
@@ -815,14 +822,14 @@ func (agent *Smith) checkEgressTrafficCallback(pid string, pidCreationTime time.
 		T *PerLevelEgressTraffic
 	}
 	levels := make([]level, 0, 2)
-	if agent.EgressTraffic.VeryExcessiveLevel != nil {
-		levels = append(levels, level{V: GradeKind(InfringementExcessiveEgress, InfringementSeverityVery), T: agent.EgressTraffic.VeryExcessiveLevel})
+	if agent.Config.EgressTraffic.VeryExcessiveLevel != nil {
+		levels = append(levels, level{V: GradeKind(InfringementExcessiveEgress, InfringementSeverityVery), T: agent.Config.EgressTraffic.VeryExcessiveLevel})
 	}
-	if agent.EgressTraffic.ExcessiveLevel != nil {
-		levels = append(levels, level{V: GradeKind(InfringementExcessiveEgress, InfringementSeverityAudit), T: agent.EgressTraffic.ExcessiveLevel})
+	if agent.Config.EgressTraffic.ExcessiveLevel != nil {
+		levels = append(levels, level{V: GradeKind(InfringementExcessiveEgress, InfringementSeverityAudit), T: agent.Config.EgressTraffic.ExcessiveLevel})
 	}
 
-	dt := int64(podLifetime / time.Duration(agent.EgressTraffic.WindowDuration))
+	dt := int64(podLifetime / time.Duration(agent.Config.EgressTraffic.WindowDuration))
 	for _, lvl := range levels {
 		allowance := dt*lvl.T.Threshold.Value() + lvl.T.BaseBudget.Value()
 		excess := resp - allowance