Merge pull request #1542 from Prateeknandle/mount

fix(bpf) : update prepend_path for handling mount of file path

KubeArmor/BPF/shared.h

@@ -174,7 +174,8 @@ static __always_inline bool prepend_path(struct path *path, bufs_t *string_p) {
       m = BPF_CORE_READ(mnt, mnt_parent);
       if (mnt != m) {
         dentry = BPF_CORE_READ(mnt, mnt_mountpoint);
-        mnt = m;
+        mnt = BPF_CORE_READ(mnt, mnt_parent);
+        vfsmnt = &mnt->mnt;
         continue;
       }
       break;

KubeArmor/BPF/system_monitor.c

@@ -674,7 +674,8 @@ static __always_inline bool prepend_path(struct path *path, bufs_t *string_p, in
             if (mnt != m)
             {
                 bpf_probe_read(&dentry, sizeof(struct dentry *), &mnt->mnt_mountpoint);
-                mnt = m;
+                bpf_probe_read(&mnt, sizeof(struct mount *), &mnt->mnt_parent);
+                vfsmnt = &mnt->mnt;
                 continue;
             }
 

tests/k8s_env/block/res/ksp-wordpress-allow-file.yaml

@@ -19,6 +19,8 @@ spec:
     - dir: /bin/
     - dir: /pts/
       recursive: true
+    - dir: /dev/
+      recursive: true
     matchPaths:
     - path: /root/.bashrc
     - path: /root/.bash_history

tests/k8s_env/configmap/manifests/ksp-unannotated-allow.yaml

@@ -23,6 +23,8 @@ spec:
     - dir: /usr/bin/
     - dir: /proc/
       recursive: true
+    - dir: /dev/
+      recursive: true
     matchPaths:
     - path: /dev/tty
     - path: /lib/terminfo/x/xterm

tests/k8s_env/ksp/multiubuntu/ksp-group-2-allow-file-path-from-source-path.yaml

@@ -25,6 +25,8 @@ spec:
         recursive: true
       - dir: /proc/
         recursive: true
+      - dir: /dev/
+        recursive: true
       - dir: /lib/x86_64-linux-gnu/
       - dir: /bin/
   action:

tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-3-allow-proc-dir.yaml

@@ -26,6 +26,8 @@ spec:
       recursive: true
     - dir: /proc/
       recursive: true
+    - dir: /dev/
+      recursive: true
     - dir: /lib/x86_64-linux-gnu/
     - dir: /bin/     
     # - dir: /etc/ # required to change root to user1 (coarse-grained way)

tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-3-allow-proc-path-owner.yaml

@@ -39,6 +39,8 @@ spec:
       recursive: true
     - dir: /bin/
       recursive: true  
+    - dir: /dev/
+      recursive: true  
   action:
     Allow
 

tests/k8s_env/smoke/res/ksp-wordpress-block-mount-file.yaml

@@ -0,0 +1,17 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: ksp-wordpress-block-mount-file
+  namespace: wordpress-mysql
+spec:
+  severity: 5
+  selector:
+    matchLabels:
+      app: wordpress
+  file:
+    matchDirectories:
+    - dir: /dev/shm/
+      readOnly: true
+      recursive: true
+  action:
+    Block

tests/k8s_env/smoke/smoke_test.go

@@ -268,6 +268,31 @@ var _ = Describe("Smoke", func() {
 			fmt.Printf("OUTPUT: %s\n", sout)
 			Expect(sout).To(MatchRegexp("/etc/shadow.*Permission denied"))
 		})
+
+		It("can block write access and only allow read access to mounted files", func() {
+			// Apply policy
+			err := K8sApplyFile("res/ksp-wordpress-block-mount-file.yaml")
+			Expect(err).To(BeNil())
+
+			// Start Kubearmor Logs
+			err = KarmorLogStart("policy", "wordpress-mysql", "File", wp)
+			Expect(err).To(BeNil())
+
+			// wait for policy creation
+			time.Sleep(5 * time.Second)
+
+			sout, _, err := K8sExecInPod(wp, "wordpress-mysql",
+				[]string{"bash", "-c", "touch /dev/shm/new"})
+			Expect(err).To(BeNil())
+			fmt.Printf("OUTPUT: %s\n", sout)
+			Expect(sout).To(ContainSubstring("Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(alerts[0].PolicyName).To(Equal("ksp-wordpress-block-mount-file"))
+			Expect(alerts[0].Severity).To(Equal("5"))
+		})
 	})
 
 })