Merge pull request #10 from kondukto-io/feature/add-dns-support

Feature/add dns support
kondukto-io · Jun 11, 2024 · d9719ab · d9719ab
2 parents 9dbb140 + e43ea5e
commit d9719ab
Show file tree

Hide file tree

Showing 12 changed files with 135,765 additions and 342 deletions.
diff --git a/Readme.md b/Readme.md
@@ -2,7 +2,7 @@
 
 `kntrl` is an eBPF based runtime agent that monitors and prevents anomalous behaviour defined by you on your pipeline. kntrl achieves this by monitoring kernel calls, and denying access as soon as your defined behaviour is detected. Refer to this [presentation](https://docs.google.com/presentation/d/1nmbqGfIxp9UyxlfT5EJyQsEWtQaXVoWD9Qjj1MJevuk/edit?usp=sharing) to dive deeper into how we are achieving what kntrl does.
 
-It can work as a single binary (`kntrl`) or with a docker runner (`docker.io/kondukto/kntrl:0.1.0`).
+It can work as a single binary (`kntrl`) or with a docker runner (`docker.io/kondukto/kntrl:0.1.2`).
 
 ## Installation
 ### Linux 
@@ -17,7 +17,7 @@ docker pull kondukto/kntrl:latest
 
 To pull a specific version:
 ```
-docker pull kondukto/kntrl:0.1.0
+docker pull kondukto/kntrl:0.1.2
 ```
 
 ## Using kntrl
@@ -39,7 +39,7 @@ OR with the docker:
     --cgroupns=host \
     --volume=/sys/kernel/debug:/sys/kernel/debug:ro \
     --volume /tmp:/tmp \
-    --rm docker.io/kondukto/kntrl:0.1.0 run --mode=trace --allowed-hosts=kondukto.io,download.kondukto.io 
+    --rm docker.io/kondukto/kntrl:0.1.2 run --mode=trace --allowed-hosts=kondukto.io,download.kondukto.io 
 ```
 
 This action will deploy kntrl into any GitHub Actions build.
@@ -87,7 +87,7 @@ The agent supports the following parameters:
   --cgroupns=host \
   --volume=/sys/kernel/debug:/sys/kernel/debug:ro \
   --volume /tmp:/tmp \
-  --rm docker.io/kondukto/kntrl:0.1.0 \
+  --rm docker.io/kondukto/kntrl:0.1.2 \
   --mode=monitor 
 ```
 
@@ -101,7 +101,7 @@ The agent supports the following parameters:
   --cgroupns=host \
   --volume=/sys/kernel/debug:/sys/kernel/debug:ro \
   --volume /tmp:/tmp \
-  --rm docker.io/kondukto/kntrl:0.1.0 \
+  --rm docker.io/kondukto/kntrl:0.1.2 \
   --mode=trace --allowed-hosts=download.kondukto.io, .github.com  
 ```
 

diff --git a/bpf/headers/common.h b/bpf/headers/common.h
diff --git a/bpf/headers/dns.h b/bpf/headers/dns.h
@@ -0,0 +1,37 @@
+#include "vmlinux.h"
+
+#define MAX_DNS_NAME_LENGTH 256
+
+struct dns_hdr
+{
+    uint16_t transaction_id;
+    uint8_t rd : 1;      //Recursion desired
+    uint8_t tc : 1;      //Truncated
+    uint8_t aa : 1;      //Authoritive answer
+    uint8_t opcode : 4;  //Opcode
+    uint8_t qr : 1;      //Query/response flag
+    uint8_t rcode : 4;   //Response code
+    uint8_t cd : 1;      //Checking disabled
+    uint8_t ad : 1;      //Authenticated data
+    uint8_t z : 1;       //Z reserved bit
+    uint8_t ra : 1;      //Recursion available
+    uint16_t q_count;    //Number of questions
+    uint16_t ans_count;  //Number of answer RRs
+    uint16_t auth_count; //Number of authority RRs
+    uint16_t add_count;  //Number of resource RRs
+};
+
+//Used as a generic DNS response
+struct dns_response {
+   uint16_t query_pointer;
+   uint16_t record_type;
+   uint16_t class;
+   uint32_t ttl;
+   uint16_t data_length;
+} __attribute__((packed));
+
+struct dns_query {
+    uint16_t record_type;
+    uint16_t class;
+    char name[MAX_DNS_NAME_LENGTH];
+};
diff --git a/bpf/headers/tcp.h b/bpf/headers/tcp.h