

Merge pull request #1875 from prady0t/fuzz-Container-Policy
Fuzzer for ContainerPolicy
DelusionalOptimist authored Oct 16, 2024
2 parents 96cabf0 + 4d24fe9 commit 8147d52
Showing 4 changed files with 126 additions and 13 deletions.
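--- a/KubeArmor/core/containerPolicy_fuzz_test.go
+++ b/KubeArmor/core/containerPolicy_fuzz_test.go
@@ -0,0 +1,112 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Authors of KubeArmor
+package core
+
+import (
+"context"
+"testing"
+
+"github.com/kubearmor/KubeArmor/KubeArmor/policy"
+pb "github.com/kubearmor/KubeArmor/protobuf"
+)
+
+func FuzzContainerPolicy(f *testing.F) {
+Data1 := &pb.Policy{
+Policy: []byte(`
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-group-1-proc-path-block
+namespace: multiubuntu
+spec:
+selector:
+matchLabels:
+group: group-1
+process:
+matchPaths:
+- path: /bin/sleep
+action:
+Block
+`),
+}
+//ksp-group-2-allow-file-path-from-source-path.yaml
+Data2 := &pb.Policy{
+Policy: []byte(`
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-group-2-allow-file-path-from-source-path
+namespace: multiubuntu
+spec:
+severity: 5
+message: "allow /bin/cat to access /secret.txt"
+selector:
+matchLabels:
+group: group-2
+process:
+matchDirectories:
+- dir: /bin/
+recursive: true
+file:
+matchPaths:
+- path: /secret.txt
+fromSource:
+- path: /bin/cat
+- path: /dev/tty
+- path: /lib/terminfo/x/xterm
+matchDirectories:
+- dir: /pts/
+recursive: true
+- dir: /proc/
+recursive: true
+- dir: /dev/
+recursive: true
+- dir: /lib/x86_64-linux-gnu/
+- dir: /bin/
+action:
+Allow
+`),
+}
+Data3 := &pb.Policy{
+Policy: []byte(`
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-ubuntu-1-allow-net-tcp-from-source
+namespace: multiubuntu
+spec:
+severity: 8
+selector:
+matchLabels:
+container: ubuntu-1
+network:
+matchProtocols:
+- protocol: tcp
+fromSource:
+- path: /usr/bin/curl
+action: Allow
+`),
+}
+
+f.Add(Data1.Policy)
+f.Add(Data2.Policy)
+f.Add(Data3.Policy)
+dm := NewKubeArmorDaemon()
+
+f.Fuzz(func(t *testing.T, data []byte) {
+p := &policy.PolicyServer{
+UpdateContainerPolicy: dm.ParseAndUpdateContainerSecurityPolicy,
+ContainerPolicyEnabled: true,
+}
+policy := &pb.Policy{
+Policy: data,
+}
+res, err := p.ContainerPolicy(context.Background(), policy)
+if err != nil {
+t.Errorf("Unexpected error: %v", err)
+}
+if res.Status != pb.PolicyStatus_Invalid && res.Status != pb.PolicyStatus_Applied && res.Status != pb.PolicyStatus_Modified {
+t.Errorf("Unexpected status: %v, %v", res.Status, data)
+}
+})
+}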
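Review bot: After `t.Errorf("Unexpected error: %v", err)` the fuzz body keeps going and reads `res.Status`, so if `ContainerPolicy` ever returns a nil response together with a non-nil error (its body is not on this page) the fuzzer dies with a nil-pointer panic and reports that instead of the real failure; make it `t.Fatalf("Unexpected error: %v", err)` or add `if res == nil { return }` before the status check. The local `policy := &pb.Policy{...}` also shadows the imported `policy` package used two statements earlier, which compiles (the package reference precedes the declaration) but trips importShadow-style linters and confuses readers — `req` would be clearer. Note too that `dm` is created once outside `f.Fuzz`, so every policy the fuzzer parses accumulates in the same daemon across iterations; that is acceptable for crash-hunting, but a crashing input found this way may not reproduce when replayed on its own, which is worth a comment above `dm := NewKubeArmorDaemon()`.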
20 changes: 10 additions & 10 deletions KubeArmor/core/unorchestratedUpdates.go
Expand Up @@ -179,16 +179,16 @@ func (dm *KubeArmorDaemon) handlePolicyEvent(eventType string, createEndPoint bo
}
} else { // DELETED
// update security policies after policy deletion
dm.EndPoints[endpointIdx] = newPoint

dm.Logger.UpdateSecurityPolicies("DELETED", newPoint)
dm.RuntimeEnforcer.UpdateSecurityPolicies(newPoint)

// delete endpoint if no containers or policies
if len(newPoint.Containers) == 0 && len(newPoint.SecurityPolicies) == 0 {
dm.EndPoints = append(dm.EndPoints[:endpointIdx], dm.EndPoints[endpointIdx+1:]...)
// since the length of endpoints slice reduced
endpointIdx--
if endpointIdx >= 0 {
dm.EndPoints[endpointIdx] = newPoint
dm.Logger.UpdateSecurityPolicies("DELETED", newPoint)
dm.RuntimeEnforcer.UpdateSecurityPolicies(newPoint)
// delete endpoint if no containers or policies
if len(newPoint.Containers) == 0 && len(newPoint.SecurityPolicies) == 0 {
dm.EndPoints = append(dm.EndPoints[:endpointIdx], dm.EndPoints[endpointIdx+1:]...)
// since the length of endpoints slice reduced
endpointIdx--
}
}
}

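Review bot: When `endpointIdx` is negative the DELETED event is now dropped without a trace — the new `if endpointIdx >= 0 {` guard has no else branch, so a delete for an endpoint the daemon does not track leaves no log line, and the search that presumably sets the index to -1 is outside this hunk. For an enforcer, a delete that matches nothing is worth recording, since it usually means the caller's view of applied policies has diverged from the daemon's; add `} else { dm.Logger.Warnf("DELETED event for untracked endpoint %s/%s", newPoint.NamespaceName, newPoint.EndPointName) }` using whatever warning-level method `dm.Logger` exposes. The guard itself is the right fix for the out-of-range index, but a one-line comment such as `// endpointIdx is -1 when no endpoint matched; nothing to update` would make the condition self-explanatory. `handlePolicyEvent` starts and ends outside the hunk.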
5 changes: 3 additions & 2 deletions KubeArmor/feeder/policyMatcher.go
Expand Up @@ -266,8 +266,9 @@ func (fd *Feeder) UpdateSecurityPolicies(action string, endPoint tp.EndPoint) {
name := endPoint.NamespaceName + "_" + endPoint.EndPointName

if action == "DELETED" {
delete(fd.SecurityPolicies, name)
return
if _, ok := fd.SecurityPolicies[name]; ok {
delete(fd.SecurityPolicies, name)
}
}

// ADDED | MODIFIED
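Review bot: The existence check wrapped around `delete(fd.SecurityPolicies, name)` is redundant — deleting a missing key from a Go map is defined as a no-op — so the three new lines can collapse back to the single `delete(fd.SecurityPolicies, name)`. The substantive change in this hunk is the dropped `return`: a DELETED event now falls through into the path labelled `// ADDED | MODIFIED` (which continues below the hunk), so that comment no longer describes who reaches it; `// ADDED | MODIFIED, and DELETED after the stale entry is cleared` would. Whether re-registering an endpoint with no remaining policies leaves an empty entry behind depends on the code below the hunk and is worth a quick check. `UpdateSecurityPolicies` starts and ends outside the hunk.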
2 changes: 1 addition & 1 deletion KubeArmor/monitor/syscalls_arm64.go
Expand Up @@ -63,7 +63,7 @@ const (
SocketConnect = 462
SocketAccept = 463

Capable = 464
Capable = 464
DropAlert = 0
)

