Kubearmor host policy does not enforce process path matching #1970

@brothersw

Description

Bug Report

General Information

  • Environment description (GKE, VM-Kubeadm, vagrant-dev-env, minikube, microk8s, ...)
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
  • Kernel version (run uname -a)
# uname -a
Linux karmor-ubuntu 5.4.0-182-generic #202-Ubuntu SMP Fri Apr 26 12:29:36 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
  • Orchestration system version in use (e.g. kubectl version, ...)
# karmor version
karmor version 1.3.0 linux/amd64 BuildDate=2024-12-13T11:15:36Z
current version is the latest
  • Link to relevant artifacts (policies, deployments scripts, ...)
    processes.yaml:
    apiVersion: security.kubearmor.com/v1
    kind: KubeArmorHostPolicy
    metadata:
      name: process-block
    spec:
      nodeSelector:
        matchLabels:
          kubearmor.io/hostname: "*" # Apply to all hosts
      process:
        matchPaths:
        - path: /nc
        - path: /bin/nc
      action: Block
  • Target containers/pods
    Host policy

To Reproduce

  1. Write the policy to a yaml file
  2. Apply the policy
  3. Restart my session for policy to take effect
  4. Attempt to access /bin/nc

Expected behavior

I expect /bin/nc to be blocked from running, but it is not. /nc, when moving the file into /nc, is properly blocked from running. matchPatterns also doesn't seem to work.
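An added check for the symptom above, written for this page and not taken from the issue author or the KubeArmor project: it walks the symlink chain of a policy path (on merged-/usr hosts such as a stock Ubuntu 20.04 install, /bin is a symlink to usr/bin, and nc is usually an alternatives link) and emits a host policy whose matchPaths lists every path on that chain, including the canonical one. It assumes that the enforcement engine compares against the resolved executable path; the fixture directory it builds is constructed and stands in for a real host.

```shell
#!/bin/sh
# Added example (not KubeArmor project code). Assumption: enforcement compares the
# resolved executable path, so a rule must also name the canonical path.

# Print the given path, every intermediate symlink target, and the canonical path.
resolve_chain() {
    p="$1"
    printf '%s\n' "$p"
    i=0   # bound the walk so a symlink cycle cannot hang the script
    while [ -L "$p" ] && [ "$i" -lt 32 ]; do
        t=$(readlink "$p")
        case "$t" in
            /*) p="$t" ;;                      # absolute link target
            *)  p="$(dirname "$p")/$t" ;;     # relative target, resolve against parent
        esac
        printf '%s\n' "$p"
        i=$((i + 1))
    done
    readlink -f "$1"   # every component resolved, e.g. /bin -> /usr/bin on merged-/usr hosts
}

# Emit a KubeArmorHostPolicy (same shape as processes.yaml above) whose matchPaths
# lists every path on the chain of each argument, deduplicated.
emit_policy() {
    name="$1"; shift
    printf 'apiVersion: security.kubearmor.com/v1\nkind: KubeArmorHostPolicy\n'
    printf 'metadata:\n  name: %s\nspec:\n  nodeSelector:\n    matchLabels:\n' "$name"
    printf '      kubearmor.io/hostname: "*"\n  process:\n    matchPaths:\n'
    for p in "$@"; do resolve_chain "$p"; done | sort -u | sed 's|^|    - path: |'
    printf '  action: Block\n'
}

# Constructed fixture (not a real host) mimicking a merged-/usr layout:
# bin -> usr/bin, usr/bin/nc -> etc/alternatives/nc -> usr/bin/nc.openbsd. Prints its root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc/alternatives"
    : > "$root/usr/bin/nc.openbsd"
    ln -s usr/bin "$root/bin"
    ln -s "$root/usr/bin/nc.openbsd" "$root/etc/alternatives/nc"
    ln -s "$root/etc/alternatives/nc" "$root/usr/bin/nc"
    printf '%s\n' "$root"
}

# On a real host: emit_policy process-block /bin/nc > processes.yaml
```

Comparing the emitted matchPaths with the path reported in the KubeArmor alert or audit log for the blocked /nc case shows which form of the path the engine actually matches on.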
