From de5f4a66b0d10fa0ced532a679d7ad74bc0091be Mon Sep 17 00:00:00 2001
From: Prateek
Date: Tue, 3 Sep 2024 20:11:34 +0530
Subject: [PATCH 1/2] fix(policyMatcher): handling relative path resource by joining it with cwd
Signed-off-by: Prateek
---
 KubeArmor/feeder/policyMatcher.go | 10 +++++++++-
 KubeArmor/monitor/logUpdate.go | 6 ++++++
 KubeArmor/monitor/systemMonitor.go | 31 +++++++++++++++++++++---------
 3 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index f77cff3b56..88f9c1d46f 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
@@ -934,9 +934,17 @@ func matchResources(secPolicy tp.MatchPolicy, log tp.Log) bool {
 if secPolicy.ResourceType == "Path" && secPolicy.Resource == firstLogResource {
 return true
 }
+
+ // check if the log's resource directory starts with the policy's resource directory
 if secPolicy.ResourceType == "Directory" && (strings.HasPrefix(firstLogResourceDir, secPolicy.Resource) &&
+ // for non-recursive rule - check if the directory depth of the log matches the policy resource's depth
 ((!secPolicy.Recursive && firstLogResourceDirCount == strings.Count(secPolicy.Resource, "/")) ||
- (secPolicy.Recursive && firstLogResourceDirCount >= strings.Count(secPolicy.Resource, "/")))) || (secPolicy.Resource == (log.Resource + "/")) {
+ // for recursive rule - check the log's directory is at the same or deeper level than the policy's resource
+ (secPolicy.Recursive && firstLogResourceDirCount >= strings.Count(secPolicy.Resource, "/")))) ||
+ // exact matching - check if the policy's resource is exactly the logged resource with a trailing slash
+ (secPolicy.Resource == (log.Resource + "/")) ||
+ // match if the policy is recursive and applies to the root directory
+ (secPolicy.Resource == "/" && secPolicy.Recursive) {
 return true
 }
 }
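Review bot: The new clause `(secPolicy.Resource == "/" && secPolicy.Recursive)` is OR-ed at the top level of the condition, so it bypasses both the `ResourceType == "Directory"` check and the `strings.HasPrefix(firstLogResourceDir, secPolicy.Resource)` test that every other directory match passes through. For a Directory-typed rule with an absolute `firstLogResourceDir` the existing recursive branch already matches `/` (the prefix holds and the depth count is at least 1), so what the clause appears to add is matching logs whose first resource is not absolute; if that is intended the comment should say so, e.g. `// a recursive "/" rule also covers resources that were not resolved to an absolute path`, and if not the clause widens the rule past its prefix check. Separately, `strings.Count(secPolicy.Resource, "/")` is now evaluated in two arms of the same expression; hoisting it into `policyDepth := strings.Count(secPolicy.Resource, "/")` above the `if` would also make the interleaved comment/condition block easier to read. matchResources starts before this hunk, so the derivation of firstLogResourceDir and firstLogResourceDirCount is not visible here.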
diff --git a/KubeArmor/monitor/logUpdate.go b/KubeArmor/monitor/logUpdate.go
index 619979a9b5..a1d4951fe6 100644
--- a/KubeArmor/monitor/logUpdate.go
+++ b/KubeArmor/monitor/logUpdate.go
@@ -5,6 +5,7 @@ package monitor
 import (
 "fmt"
+ "path/filepath"
 "strconv"
 "strings"
@@ -523,6 +524,11 @@ func (mon *SystemMonitor) UpdateLogs() {
 continue
 }
+ // fallback logic: in case we get relative path in log.Resource then we join cwd + resource to get pull path
+ if !strings.HasPrefix(strings.Split(log.Resource, " ")[0], "/") && log.Cwd != "/" {
+ log.Resource = filepath.Join(log.Cwd, log.Resource)
+ }
+
 // get error message
 if msg.ContextSys.Retval < 0 {
 message := getErrorMessage(msg.ContextSys.Retval)
diff --git a/KubeArmor/monitor/systemMonitor.go b/KubeArmor/monitor/systemMonitor.go
index c791f36d73..c246c874bb 100644
--- a/KubeArmor/monitor/systemMonitor.go
+++ b/KubeArmor/monitor/systemMonitor.go
@@ -786,13 +786,18 @@ func (mon *SystemMonitor) TraceSyscall() {
 nodeArgs = val
 }
+ // generate a log with the base information
+ log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)
+
+ // fallback logic: in case we get relative path as execPath then we join cwd + execPath to get pull path
+ if !strings.HasPrefix(strings.Split(execPath, " ")[0], "/") && log.Cwd != "/" {
+ execPath = filepath.Join(log.Cwd, execPath)
+ }
+
 // build a pid node
 pidNode := mon.BuildPidNode(containerID, ctx, execPath, nodeArgs)
 mon.AddActivePid(containerID, pidNode)
- // generate a log with the base information
- log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)
-
 // add arguments
 log.Resource = execPath
 if pidNode.Args != "" {
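Review bot: The prefix test in UpdateLogs looks only at the first space-separated token of `log.Resource`, but `filepath.Join(log.Cwd, log.Resource)` is applied to the whole string, so any tokens after the first are folded into the path and passed through `filepath.Clean` with it; the join should cover the first token only and re-attach the rest, as sketched below. An empty `log.Resource` takes the same branch and comes out as `log.Cwd` itself (`strings.Split("", " ")[0]` is `""`, which has no `/` prefix), so the condition also needs a non-empty guard. Because the resolved string is what policies are matched against, the lexical nature of the join deserves a comment, e.g. `// lexical join: symlinks in cwd or in the relative path are not resolved`. The same fallback block is duplicated in both systemMonitor.go hunks of this patch (TraceSyscall, before `mon.BuildPidNode` in each), so a small shared helper such as `resolveRelative(cwd, resource string) string` would keep the three copies in step; the comment typo `pull path` should read `full path`. UpdateLogs continues outside this hunk.

```go
// … unchanged: skip/continue checks …
// fallback logic: a relative first token of log.Resource is joined with cwd to get the full path.
// Only the first space-separated token is a path; anything after it is kept as is.
// lexical join: symlinks in cwd or in the relative path are not resolved
if first, rest, hasRest := strings.Cut(log.Resource, " "); first != "" && !strings.HasPrefix(first, "/") && log.Cwd != "/" {
	log.Resource = filepath.Join(log.Cwd, first)
	if hasRest {
		log.Resource += " " + rest
	}
}
// … unchanged: error message handling …
```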
@@ -841,13 +846,23 @@ func (mon *SystemMonitor) TraceSyscall() {
 continue
 } else if ctx.EventID == SysExecveAt {
 if len(args) == 4 { // enter
- // build a pid node
- pidNode := mon.BuildPidNode(containerID, ctx, args[1].(string), args[2].([]string))
- mon.AddActivePid(containerID, pidNode)
+ var execPath string
 // generate a log with the base information
 log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false) if val, ok := args[1].(string); ok {
+ execPath = val // procExecPath
+ }
+ // fallback logic: in case we get relative path in execPath then we join cwd + execPath to get pull path
+ if !strings.HasPrefix(strings.Split(execPath, " ")[0], "/") && log.Cwd != "/" {
+ execPath = filepath.Join(log.Cwd, execPath)
+ }
+
+ // build a pid node
+ pidNode := mon.BuildPidNode(containerID, ctx, execPath, args[2].([]string))
+ mon.AddActivePid(containerID, pidNode)
+
 fd := ""
 procExecFlag := ""
@@ -855,9 +870,7 @@ func (mon *SystemMonitor) TraceSyscall() {
 if val, ok := args[0].(int32); ok {
 fd = strconv.Itoa(int(val))
 }
- if val, ok := args[1].(string); ok {
- log.Resource = val // procExecPath
- }
+ log.Resource = execPath
 if val, ok := args[2].([]string); ok {
 for idx, arg := range val { // procArgs
 if idx == 0 {
From 817fe92688385d5607bec1274ac86da1aa2d5a4a Mon Sep 17 00:00:00 2001
From: Prateek
Date: Mon, 9 Sep 2024 11:00:58 +0530
Subject: [PATCH 2/2] fix(ci):ignoring G115 rule from gosec
Signed-off-by: Prateek
---
 KubeArmor/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/KubeArmor/Makefile b/KubeArmor/Makefile
index 8ed13c0456..364c198a4a 100644
--- a/KubeArmor/Makefile
+++ b/KubeArmor/Makefile
@@ -113,7 +113,7 @@ ifeq (, $(shell which gosec))
 rm -rf $$GOSEC_TMP_DIR ;\
 }
 endif
- cd $(CURDIR); gosec -exclude=G402 ./...
+ cd $(CURDIR); gosec -exclude=G402,G115 ./...
 .PHONY: local-release
 local-release: build
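Review bot: `args[2].([]string)` in the new `mon.BuildPidNode(containerID, ctx, execPath, args[2].([]string))` call is still an unchecked type assertion that panics on a mismatch, while this hunk switches `args[1]` to the checked `if val, ok := args[1].(string); ok` form and the next hunk already reads `args[2]` with an `ok` check; asserting once with `procArgs, _ := args[2].([]string) // nil on mismatch is the intended fallback` and passing `procArgs` to `mon.BuildPidNode` keeps the enter path from panicking and lets the later loop reuse the value. When the `args[1]` assertion fails, `execPath` stays `""` and the fallback then sets it to `log.Cwd` (`filepath.Join(cwd, "")` yields `cwd`), so both the pid node and `log.Resource` record the working directory as the executable; the join should run only when `execPath != ""`. TraceSyscall and the enclosing `else if ctx.EventID == SysExecveAt` block start before this hunk and continue after it.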
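Review bot: Adding `G115` to `gosec -exclude=` switches off the integer-overflow-on-conversion check for the whole module rather than for the conversions that triggered it, so any future narrowing conversion of values read from syscall arguments will pass CI unflagged. Per-site suppression keeps the check alive: annotate each reviewed conversion, such as the `strconv.Itoa(int(val))` on the `int32` fd shown in the systemMonitor.go hunk of the previous patch, with `// #nosec G115 -- <reason>` and leave the global exclude at `G402`. If the volume of findings is the concern, record the rationale next to the exclude list, e.g. `# G115: int conversions of kernel-supplied fields; reviewed individually`.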