rule to detect successful unprivileged userfaultfd events #1675
Conversation
/milestone 0.29.0 (tentatively)

I have updated #1669
| @@ -3054,6 +3054,16 @@ | |||
| priority: WARNING | |||
| tags: [container, cis, mitre_lateral_movement] | |||
|
|
|||
| - rule: Unprivileged Delegation of Page Faults Handling to a Userspace Process | |||
| desc: Detect a successful unprivileged userfaultfd syscall which might act as an attack primitive to exploit other bugs | |||
| condition: > | |||
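Review bot: the `- rule:` and `desc:` lines could be tightened before the condition (cut off here) is reviewed: "Page Faults Handling" reads awkwardly ("Page Fault Handling" is the usual phrasing), and the desc should say which privilege check "unprivileged" refers to (the calling user, or a capability the process lacks) so a reader can tell which callers the rule is meant to cover, e.g. `desc: Detect a successful userfaultfd syscall from an unprivileged process; userfaultfd is a common primitive when exploiting other kernel bugs`.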
just had another thought,
- Maybe we should limit the attack scenario in container as gaining into the node is a high privileged access.
- If we can assume the attack scenario in container, we may want to detect `userfaultfd` by all users including root, especially as people still run root containers quite commonly nowadays.
@leodido let me know what you think
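To make the trade-off raised in the comment above concrete, here is an added illustration (not code from this PR or from Falco): a tiny evaluator that replays constructed syscall events against the two candidate scopings, "non-root callers anywhere" versus "any caller, but only in a container". The field names mirror Falco's (`evt.type`, `evt.dir`, `evt.rawres`, `user.uid`, `container.id`, `proc.name`), but both conditions and the allowlist are assumptions for illustration, not the rule's actual text.

```python
# Allowlist of processes that legitimately use userfaultfd. Constructed for
# the example; the PR mentions excluding such processes but the names are
# an assumption here.
KNOWN_USERFAULTFD_USERS = {"qemu-system-x86", "criu"}


def successful_userfaultfd(ev):
    """Exit event of userfaultfd that returned a file descriptor (rawres >= 0),
    from a process not on the allowlist. Failed calls (rawres < 0) are ignored."""
    return (ev["evt.type"] == "userfaultfd"
            and ev["evt.dir"] == "<"
            and ev["evt.rawres"] >= 0
            and ev["proc.name"] not in KNOWN_USERFAULTFD_USERS)


def unprivileged_variant(ev):
    """Variant 1 (assumed): alert only when the caller is not root,
    whether on the host or in a container."""
    return successful_userfaultfd(ev) and ev["user.uid"] != 0


def container_variant(ev):
    """Variant 2 (the suggestion in the comment): alert for any user, root
    included, but only inside a container. Falco reports 'host' as the
    container.id of host processes."""
    return successful_userfaultfd(ev) and ev["container.id"] != "host"


def evaluate(events, rule):
    """Return the proc.name of every event the rule would alert on."""
    return [ev["proc.name"] for ev in events if rule(ev)]


# Constructed sample events: root in a container, a non-root host process,
# the same host process failing the call, and an allowlisted tool as root.
SAMPLE_EVENTS = [
    {"evt.type": "userfaultfd", "evt.dir": "<", "evt.rawres": 3,
     "user.uid": 0, "container.id": "9f2c7a1b3d4e", "proc.name": "app"},
    {"evt.type": "userfaultfd", "evt.dir": "<", "evt.rawres": 4,
     "user.uid": 1000, "container.id": "host", "proc.name": "python3"},
    {"evt.type": "userfaultfd", "evt.dir": "<", "evt.rawres": -1,
     "user.uid": 1000, "container.id": "host", "proc.name": "python3"},
    {"evt.type": "userfaultfd", "evt.dir": "<", "evt.rawres": 5,
     "user.uid": 0, "container.id": "host", "proc.name": "criu"},
]

if __name__ == "__main__":
    print("non-root callers anywhere:", evaluate(SAMPLE_EVENTS, unprivileged_variant))
    print("any caller, container only:", evaluate(SAMPLE_EVENTS, container_variant))
```

Each variant misses the case the other catches: the first never sees the root-in-container call, the second never sees the non-root host call, which is exactly the scoping decision the comment asks about.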
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: leodido. The full list of commands accepted by this bot can be found here. The pull request process is described here.
…ting kernel module injections from containers Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <derek0405@gmail.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
…to act as a gate Co-authored-by: Kaizhe Huang <derek0405@gmail.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
…exclude processes known to use userfaultfd syscall Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Co-authored-by: Kaizhe Huang <derek0405@gmail.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
bfbcbd3 to 3ac8122
Rebased to let the CI pick latest changes (needed) from the master branch
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
/hold cancel

/milestone 0.29.1
What type of PR is this?
/kind feature
/kind rule-update
/kind rule-create
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
Adds a rule to alert the Falco users about the delegation of page faults to user-space through an unprivileged successful userfaultfd call.
Which issue(s) this PR fixes:
Refs #676
Special notes for your reviewer:
To try it out you need to build Falco against this branch in libs.
Holding this PR until that branch is merged into libs.
/hold
Also, while doing this PR I took the chance to include a simple addition to the rule detecting kernel module injections from containers: it was missing the container info in the output, so I added it.
Does this PR introduce a user-facing change?: