Process policy with matchPaths/execname not effective with fromSource #1899
Description
Bug Report
When trying to limit process execution in matchPaths in BPF-LSM, the execname does NOT work if also parent process is specified via fromSource. Without parent process (just execname), it works. If a command is specified instead as an absolute path, both combinations (without and with fromSource) work as expected.
So the only misbehaviour is execname + fromSource.
General Information
-
Environment description (GKE, VM-Kubeadm, vagrant-dev-env, minikube, microk8s, ...)
EKS -
Kernel version (run
uname -a)
6.1.115-126.197.amzn2023.x86_64 -
Orchestration system version in use (e.g.
kubectl version, ...)
Client Version: v1.31.2
Kustomize Version: v5.4.2
Server Version: v1.30.6-eks-7f9249a
-
KubeArmor version:
kubearmor/kubearmor-operator:v1.4.3 -
Link to relevant artifacts (policies, deployments scripts, ...)
---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: combined
spec:
action: Allow
process:
matchPaths:
- execname: zsh
- execname: bash
- execname: coreutils
### Works:
# - path: /usr/bin/curl
# fromSource:
# - path: /bin/bash
### Does NOT work: <--------------
- execname: curl
fromSource:
- path: /bin/bash
### Works:
# - path: /usr/bin/curl
### Works:
# - execname: curl
matchDirectories:
- dir: /usr/bin/
recursive: true
action: Block
selector:
matchLabels:
app.kubernetes.io/component: www- Target containers/pods
To Reproduce
- Create pod with label
app.kubernetes.io/component=www - Get inside container, run
bash - Apply policy where execname+fromSource is used
matchPaths:
- execname: curl
fromSource:
- path: /bin/bash
Execution of curl fails!
== Alert / 2024-11-21 14:37:36.194540 ==
ClusterName: default
HostName: ip-10-200-163-49.us-east-2.compute.internal
NamespaceName: vh-test4
PodName: deployment-57f57fd47-k4xtv
Labels: app.kubernetes.io/name=appenv.fortrabbit.com,app.kubernetes.io/component=www,app.kubernetes.io/instance=vh-test4,app.kubernetes.io/managed-by=appenv-operator
ContainerName: vh-test4
ContainerID: 51bd1062d352eab09bd6bbbe3101df3499aca13cf79cf4161e347da894595ef2
ContainerImage: ghcr.io/fortrabbit/k8s-php-83:in-912@sha256:36d87c9c495e8bffa59c7ad8a42cca96f2eb20dc2b3d68e2cb5548900fa12800
Type: MatchedPolicy
PolicyName: combined
Severity: 1
Source: /bin/bash
Resource: /usr/bin/curl
Operation: Process
Action: Block
Data: lsm=SECURITY_BPRM_CHECK
Enforcer: BPFLSM
Result: Permission denied
Cwd: /
HostPID: 59357
HostPPID: 49878
Owner: map[Name:deployment Namespace:vh-test4 Ref:Deployment]
PID: 9958
PPID: 9834
ParentProcessName: /bin/bash
ProcessName: /usr/bin/curl
UID: 1.645352099e+09
- Reapply policy where path+fromSource is used instead:
matchPaths:
- path: /usr/bin/curl
fromSource:
- path: /bin/bash
Execution of curl now proceeds.
Obviously there is some inconsitency when evaluating curl execution with fromSource between execname and path.
Expected behavior
When curl is allowed to run via execname with fromSource, it should allow running a process, but does not.
matchPaths:
- execname: curl
fromSource:
- path: /bin/bash