Skip to content

feat(preset): add protectProc preset #2017

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Aryan-sharma11 merged 5 commits into from
Jun 10, 2025
Merged

feat(preset): add protectProc preset #2017

Aryan-sharma11 merged 5 commits into from
Jun 10, 2025

Conversation

@rksharma95
Copy link
Collaborator

@rksharma95 rksharma95 commented Mar 26, 2025
edited
Loading

adds a preset protectProc that can enforce (audit or block) policy on /proc directory access by non-owner process.

example ksp policy:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-nginx-presets
spec:
  presets:
  - action: Block
    name: protectProc
  selector:
    matchLabels:
      app: nginx
  severity: 3

simulating policy violation:

kubectl exec -it nginx-5678bf4f67-l4hcg -- bash
root@nginx-5678bf4f67-l4hcg:/# sleep 1000&
[1] 263
root@nginx-5678bf4f67-l4hcg:/# ls /proc/263
ls: cannot open directory '/proc/263': Permission denied

alert generated for policy violation

== Alert / 2025-03-26 12:45:58.285429 ==
ClusterName: default
HostName: archlinux
NamespaceName: default
PodName: nginx-5678bf4f67-l4hcg
Labels: app=nginx
ContainerName: nginx
ContainerID: 70aca5b90adececbe559ec9981fa2920c063319e9133d1c12e067b62b42b1080
ContainerImage: docker.io/library/nginx:latest@sha256:124b44bfc9ccd1f3cedf4b592d4d1e8bddb78b51ec2ed5056c52d3692baebc19
Type: MatchedPolicy
PolicyName: ksp-nginx-presets
Source: /usr/bin/ls
Resource: /proc/263
Operation: File
Enforcer: PRESET-ProtectProcPreset
Result: Passed
Cwd: /
HostPID: 152784
HostPPID: 152681
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 275
PPID: 152681
UID: 0

Does this PR introduce a breaking change?

If the changes in this PR are manually verified, list down the scenarios covered::

Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix. Fixes #
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests

@rksharma95 rksharma95 force-pushed the feat-proc-preset branch 2 times, most recently from 6e70439 to 4ac1ba4 Compare March 26, 2025 12:52
@rksharma95 rksharma95 moved this to P1- PR Ready for review in Release v1.6 Mar 26, 2025
@soorya-knox soorya-knox moved this from P1- PR Ready for review to In Progress in Release v1.6 Mar 27, 2025
@rksharma95
Copy link
Collaborator Author

rksharma95 commented Apr 2, 2025

denying symlink /proc/* access

root@nginx-676b6c5bbc-frx9l:/tmp# ls -l /proc/41/fd/0
lrwx------ 1 root root 64 Apr  2 08:14 /proc/41/fd/0 -> /dev/pts/0
root@nginx-676b6c5bbc-frx9l:/tmp# cat /proc/41/fd/0
cat: /proc/41/fd/0: Permission denied
root@nginx-676b6c5bbc-frx9l:/tmp# cat /proc/self/fd/0
hello
hello
^C

alert

== Alert / 2025-04-02 08:31:10.185986 ==
ClusterName: default
HostName: archlinux
NamespaceName: default
PodName: nginx-676b6c5bbc-frx9l
Labels: app=nginx
ContainerName: nginx
ContainerID: 05eb0693b5363458e09f5c1b9644a9eea9ae61377751776fb8d55bbc8d0bc2eb
ContainerImage: docker.io/library/nginx:latest@sha256:124b44bfc9ccd1f3cedf4b592d4d1e8bddb78b51ec2ed5056c52d3692baebc19
Type: MatchedPolicy
PolicyName: ksp-nginx-protect-proc-preset
Source: /usr/bin/cat /proc/41/fd/0
Resource: /proc/41/fd/0
Operation: File
Enforcer: PRESET-ProtectProcPreset
Result: Permission denied
Cwd: /
HostPID: 145285
HostPPID: 140744
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 964
PPID: 140744
ParentProcessName: /usr/bin/bash
ProcessName: /usr/bin/cat
UID: 0

@rksharma95 rksharma95 moved this from In Progress to P0 - PR Ready for review in Release v1.6 Apr 2, 2025
Aryan-sharma11
Aryan-sharma11 requested changes Apr 3, 2025
View reviewed changes
Copy link
Member

@Aryan-sharma11 Aryan-sharma11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, minor nits to address

Aryan-sharma11
Aryan-sharma11 previously approved these changes Apr 4, 2025
View reviewed changes
@rksharma95 rksharma95 force-pushed the feat-proc-preset branch 3 times, most recently from 645ab46 to e855867 Compare May 16, 2025 12:54
Aryan-sharma11
Aryan-sharma11 previously approved these changes May 19, 2025
View reviewed changes
@soorya-knox soorya-knox requested a review from rootxrishabh June 5, 2025 06:10
@Aryan-sharma11 Aryan-sharma11 merged commit af87732 into kubearmor:main Jun 10, 2025
21 checks passed
@soorya-knox soorya-knox moved this from P0 - PR Ready for review to Done in Release v1.6 Jun 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Aryan-sharma11 Aryan-sharma11 Aryan-sharma11 approved these changes

@rootxrishabh rootxrishabh rootxrishabh approved these changes

@daemon1024 daemon1024 Awaiting requested review from daemon1024

@Prateeknandle Prateeknandle Awaiting requested review from Prateeknandle

Assignees

No one assigned

Labels

None yet

Projects

Release v1.6
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rksharma95 @Aryan-sharma11 @rootxrishabh