Merge pull request #1809 from Aryan-sharma11/fix-default-posture-logs
fix: default posture logs for system generated permission denied events
DelusionalOptimist authored Jul 23, 2024
2 parents 24e52b1 + 4fa3911 commit 3a0fb40
Showing 3 changed files with 18 additions and 41 deletions.
31 changes: 13 additions & 18 deletions KubeArmor/feeder/policyMatcher.go
Expand Up @@ -970,6 +970,19 @@ func setLogFields(log *tp.Log, existAllowPolicy bool, defaultPosture string, vis

return true
}
if existAllowPolicy && defaultPosture == "block" && (*log).Result != "Passed" {
if containerEvent {
(*log).Type = "MatchedPolicy"
} else {
(*log).Type = "MatchedHostPolicy"
}

(*log).PolicyName = "DefaultPosture"
(*log).Enforcer = "eBPF Monitor"
(*log).Action = "Block"

return true
}

if containerEvent {
// return here as container events are dropped in kernel space
Expand Down Expand Up @@ -1003,7 +1016,6 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
existFileAllowPolicy := false
existNetworkAllowPolicy := false
existCapabilitiesAllowPolicy := false

fd.DefaultPosturesLock.Lock()
defer fd.DefaultPosturesLock.Unlock()
if log.Result == "Passed" || log.Result == "Operation not permitted" || log.Result == "Permission denied" {
Expand Down Expand Up @@ -1036,7 +1048,6 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
continue
}
}

switch log.Operation {
case "Process", "File":
if secPolicy.Operation != log.Operation {
Expand Down Expand Up @@ -1672,22 +1683,6 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {

fd.SecurityPoliciesLock.RUnlock()

if log.PolicyName == "" && log.Result != "Passed" {
// default posture (block) or native policy
// no matched policy, but result = blocked -> default posture

log.Type = "MatchedPolicy"

log.PolicyName = "DefaultPosture"

log.Severity = ""
log.Tags = ""
log.ATags = []string{}
log.Message = ""

log.Enforcer = fd.Enforcer
log.Action = "Block"
}
}

if log.ContainerID != "" { // container
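Review bot: The new DefaultPosture branch in setLogFields hard-codes `(*log).Enforcer = "eBPF Monitor"`, whereas the block it replaces in UpdateMatchedPolicy set `log.Enforcer = fd.Enforcer`; when an allow policy with block posture is actually enforced by AppArmor or BPF-LSM, the denial will now be attributed to the monitor. Unless setLogFields has no way to reach the feeder (its signature is cut off in the hunk header), I would pass the enforcer name in, or keep setting `log.Enforcer` in the caller as the removed code did, rather than fixing the string here. The removed block also cleared `Severity`, `Tags`, `ATags` and `Message`, which the new branch does not, so values populated earlier in UpdateMatchedPolicy may survive into a DefaultPosture log — worth confirming against the callers. Both setLogFields and UpdateMatchedPolicy begin and end outside the hunks shown.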
16 changes: 4 additions & 12 deletions tests/k8s_env/ksp/ksp_test.go
Expand Up @@ -1947,18 +1947,10 @@ var _ = Describe("Ksp", func() {
AssertCommand(ub1, "multiubuntu", []string{"bash", "-c", "cat /etc/hostname"},
MatchRegexp("hostname.*Permission denied"), true,
)

expect := protobuf.Alert{
PolicyName: "DefaultPosture",
Severity: "",
Action: "Block",
Result: "Permission denied",
Resource: "hostname",
}

res, err := KarmorGetTargetAlert(5*time.Second, &expect)
Expect(err).To(BeNil())
Expect(res.Found).To(BeTrue())
/*
skip matching alerts as kubearmor doesn't generate
alerts for apparmor managed policy
*/
})

It("it can allow readonly access to a file path", func() {
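Review bot: Dropping the `KarmorGetTargetAlert` expectation leaves this test asserting only on the command output, so the behaviour the commit fixes — a kernel-generated "Permission denied" with no matching policy must not produce a DefaultPosture alert — is no longer checked anywhere; the replacement comment gives a reason but does not pin the new behaviour. Keeping the same `expect` and asserting `Expect(res.Found).To(BeFalse())` would cover it, at the cost of the 5s timeout; if that wait is unacceptable, a `Skip("...")` with the reason would at least make the gap visible in the test output instead of silently passing. The same applies to the umount case in tests/k8s_env/privileged/privileged_test.go, which additionally gets no comment explaining why its alert expectation was removed. The enclosing It block begins outside the hunk.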
12 changes: 1 addition & 11 deletions tests/k8s_env/privileged/privileged_test.go
Expand Up @@ -235,17 +235,7 @@ var _ = Describe("Ksp", func() {
[]string{"bash", "-c", "umount /var/run/secrets/kubernetes.io/serviceaccount"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)

expect = &protobuf.Alert{
PolicyName: "DefaultPosture",
Action: "Block",
Result: "Operation not permitted",
Data: "syscall=SYS_UMOUNT2",
}

res, err := KarmorGetTargetAlert(5*time.Second, expect)
Expect(err).To(BeNil())
Expect(res.Found).To(BeTrue())
Expect(sout).To(MatchRegexp("umount.*must be superuser to unmount"))
})

It("won't block umount by default for all capabilities enabled containers", func() {

0 comments on commit 3a0fb40

Please sign in to comment.