
Add DAC_READ_SEARCH for CIDR cert expiry tests #86

Merged
merged 2 commits into master from en-5144/dac-read-search on Oct 11, 2023

Conversation

rowezuniga
Contributor

Background

Certificate expiry experiments with CIDRs are failing due to a permission error when reading the sockets of a process.

Changes

Add the Linux capability DAC_READ_SEARCH to enable this.

@rowezuniga rowezuniga requested review from a team as code owners October 11, 2023 18:34
gremlin/values.yaml (review thread, outdated, resolved)
Co-authored-by: Phil Gebhardt <phil@gremlin.com>
@rowezuniga rowezuniga merged commit bf52589 into master Oct 11, 2023
- NET_ADMIN # Required to run network attacks
- SYS_BOOT # Required to run Shutdown attacks
- SYS_TIME # Required to run Time Travel attacks
- DAC_READ_SEARCH # Required to run Certificate Expiry attacks, and dependency discovery features
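Review bot: the comment on the new DAC_READ_SEARCH line says "dependency discovery features" while the rest of this thread and the agent_apparmor.profile discussion call the same thing service discovery; use one name so an operator can match the capability in values.yaml to the section in the AppArmor profile. The comment would also be more useful if it stated what the capability grants, not only which attacks need it: per capabilities(7), CAP_DAC_READ_SEARCH bypasses file read and directory read/search permission checks for every path on the node, which is the access a cluster operator accepts by leaving it in this list.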
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gremlin has required this permission since 2.25.0 for service discovery features to work properly. Since most container runtimes provide DAC_OVERRIDE by default, issues stemming from its absence went unnoticed.
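To verify what a deployed agent actually holds rather than what the chart asks for, here is an added example (not part of this PR or the Gremlin chart) in POSIX sh. It decodes the CapEff mask the kernel reports in /proc/<pid>/status and reports whether CAP_DAC_READ_SEARCH is present or whether only CAP_DAC_OVERRIDE is, the situation the comment above describes as hiding the omission. The capability bit numbers come from <linux/capability.h>; the two sample masks are constructed for the example (the first decodes to the capability set a default Docker container carries, the second is that set plus bit 2). On a live pod the mask can be fetched with `kubectl exec <pod> -- grep CapEff /proc/1/status` and passed to `classify_dac_caps`.

```shell
#!/bin/sh
# Added example, not Gremlin chart code: decode a CapEff mask from
# /proc/<pid>/status and check the two DAC-related capabilities.
# Bit numbers from <linux/capability.h>.
CAP_DAC_OVERRIDE=1
CAP_DAC_READ_SEARCH=2

# normalize_mask STRING
# Accepts a bare hex mask or a whole "CapEff: <hex>" status line; prints the
# lower-case hex digits only.
normalize_mask() {
    printf '%s' "$1" | sed 's/^Cap[A-Za-z]*:[[:space:]]*//' \
        | tr -d ' \t' | tr 'A-F' 'a-f'
}

# cap_in_mask MASK CAPNUM
# Exit 0 if bit CAPNUM is set in MASK. Only shell arithmetic is used: POSIX sh
# arithmetic accepts 0x-prefixed constants, so this runs in a minimal image.
# Real masks use at most bit 40, well inside signed 64-bit arithmetic.
cap_in_mask() {
    mask=$(normalize_mask "$1")
    case $mask in ''|*[!0-9a-f]*) return 2 ;; esac   # refuse non-hex input
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# classify_dac_caps MASK
# Prints one of:
#   read_search    CAP_DAC_READ_SEARCH is in the set
#   override_only  only CAP_DAC_OVERRIDE is set; per capabilities(7) it also
#                  bypasses read and search checks, so a missing
#                  DAC_READ_SEARCH is not noticed until DAC_OVERRIDE is dropped
#   none           neither is set
#   invalid        the argument is not a hex mask
classify_dac_caps() {
    mask=$(normalize_mask "$1")
    case $mask in ''|*[!0-9a-f]*) echo invalid; return 2 ;; esac
    if cap_in_mask "$mask" "$CAP_DAC_READ_SEARCH"; then
        echo read_search
    elif cap_in_mask "$mask" "$CAP_DAC_OVERRIDE"; then
        echo override_only
    else
        echo none
    fi
}

# cap_eff_mask [PID]
# Prints the CapEff mask of PID (default: the calling shell) from procfs.
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# Constructed sample masks (not captured from a real deployment):
SAMPLE_DEFAULT=00000000a80425fb   # decodes to Docker's default capability set
SAMPLE_WITH_DRS=00000000a80425ff  # the same set plus CAP_DAC_READ_SEARCH (bit 2)

# Demo: on Linux, also classify the live process given as $1 (default: self).
if [ -r "/proc/${1:-self}/status" ]; then
    live=$(cap_eff_mask "${1:-self}")
    echo "live CapEff=$live -> $(classify_dac_caps "$live")"
fi
echo "$SAMPLE_DEFAULT -> $(classify_dac_caps "$SAMPLE_DEFAULT")"   # override_only
echo "$SAMPLE_WITH_DRS -> $(classify_dac_caps "$SAMPLE_WITH_DRS")" # read_search
```

The bit test is done in shell arithmetic rather than with capsh because the agent image, or a debug sidecar, may not ship libcap tools; the status line is the one interface every Linux kernel provides.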

@gremsam
Contributor

gremsam commented Oct 30, 2023

Might want to update: https://github.com/gremlin/helm/blob/master/gremlin/agent_apparmor.profile#L60C30-L60C30
It has the perm, but it's currently under ServiceDiscovery when it should be under Needed to execute attacks.

@rowezuniga
Contributor Author

> Might want to update: https://github.com/gremlin/helm/blob/master/gremlin/agent_apparmor.profile#L60C30-L60C30 It has the perm, but it's currently under ServiceDiscovery when it should be under Needed to execute attacks.

How does this look? https://github.com/gremlin/helm/pull/87/files

@thefirstofthe300 thefirstofthe300 deleted the en-5144/dac-read-search branch January 3, 2024 22:55