Skip to content

Commit

Permalink
Merge pull request #1859 from Prateeknandle/relative_path
Browse files Browse the repository at this point in the history
fix(policyMatcher): handling relative path resource by joining it with cwd
  • Loading branch information
Aryan-sharma11 authored Sep 9, 2024
2 parents 70f5e89 + 817fe92 commit ae5f57c
Show file tree
Hide file tree
Showing 4 changed files with 38 additions and 11 deletions.
2 changes: 1 addition & 1 deletion KubeArmor/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ ifeq (, $(shell which gosec))
rm -rf $$GOSEC_TMP_DIR ;\
}
endif
cd $(CURDIR); gosec -exclude=G402 ./...
cd $(CURDIR); gosec -exclude=G402,G115 ./...

.PHONY: local-release
local-release: build
Expand Down
10 changes: 9 additions & 1 deletion KubeArmor/feeder/policyMatcher.go
Original file line number Diff line number Diff line change
Expand Up @@ -934,9 +934,17 @@ func matchResources(secPolicy tp.MatchPolicy, log tp.Log) bool {
if secPolicy.ResourceType == "Path" && secPolicy.Resource == firstLogResource {
return true
}

// check if the log's resource directory starts with the policy's resource directory
if secPolicy.ResourceType == "Directory" && (strings.HasPrefix(firstLogResourceDir, secPolicy.Resource) &&
// for non-recursive rule - check if the directory depth of the log matches the policy resource's depth
((!secPolicy.Recursive && firstLogResourceDirCount == strings.Count(secPolicy.Resource, "/")) ||
(secPolicy.Recursive && firstLogResourceDirCount >= strings.Count(secPolicy.Resource, "/")))) || (secPolicy.Resource == (log.Resource + "/")) {
// for recursive rule - check the log's directory is at the same or deeper level than the policy's resource
(secPolicy.Recursive && firstLogResourceDirCount >= strings.Count(secPolicy.Resource, "/")))) ||
// exact matching - check if the policy's resource is exactly the logged resource with a trailing slash
(secPolicy.Resource == (log.Resource + "/")) ||
// match if the policy is recursive and applies to the root directory
(secPolicy.Resource == "/" && secPolicy.Recursive) {
return true
}
}
Expand Down
6 changes: 6 additions & 0 deletions KubeArmor/monitor/logUpdate.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ package monitor

import (
"fmt"
"path/filepath"
"strconv"
"strings"

Expand Down Expand Up @@ -523,6 +524,11 @@ func (mon *SystemMonitor) UpdateLogs() {
continue
}

// fallback logic: in case we get relative path in log.Resource then we join cwd + resource to get pull path
if !strings.HasPrefix(strings.Split(log.Resource, " ")[0], "/") && log.Cwd != "/" {
log.Resource = filepath.Join(log.Cwd, log.Resource)
}

// get error message
if msg.ContextSys.Retval < 0 {
message := getErrorMessage(msg.ContextSys.Retval)
Expand Down
31 changes: 22 additions & 9 deletions KubeArmor/monitor/systemMonitor.go
Original file line number Diff line number Diff line change
Expand Up @@ -786,13 +786,18 @@ func (mon *SystemMonitor) TraceSyscall() {
nodeArgs = val
}

// generate a log with the base information
log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)

// fallback logic: in case we get relative path as execPath then we join cwd + execPath to get pull path
if !strings.HasPrefix(strings.Split(execPath, " ")[0], "/") && log.Cwd != "/" {
execPath = filepath.Join(log.Cwd, execPath)
}

// build a pid node
pidNode := mon.BuildPidNode(containerID, ctx, execPath, nodeArgs)
mon.AddActivePid(containerID, pidNode)

// generate a log with the base information
log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)

// add arguments
log.Resource = execPath
if pidNode.Args != "" {
Expand Down Expand Up @@ -841,23 +846,31 @@ func (mon *SystemMonitor) TraceSyscall() {
continue
} else if ctx.EventID == SysExecveAt {
if len(args) == 4 { // enter
// build a pid node
pidNode := mon.BuildPidNode(containerID, ctx, args[1].(string), args[2].([]string))
mon.AddActivePid(containerID, pidNode)
var execPath string

// generate a log with the base information
log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)

if val, ok := args[1].(string); ok {
execPath = val // procExecPath
}
// fallback logic: in case we get relative path in execPath then we join cwd + execPath to get pull path
if !strings.HasPrefix(strings.Split(execPath, " ")[0], "/") && log.Cwd != "/" {
execPath = filepath.Join(log.Cwd, execPath)
}

// build a pid node
pidNode := mon.BuildPidNode(containerID, ctx, execPath, args[2].([]string))
mon.AddActivePid(containerID, pidNode)

fd := ""
procExecFlag := ""

// add arguments
if val, ok := args[0].(int32); ok {
fd = strconv.Itoa(int(val))
}
if val, ok := args[1].(string); ok {
log.Resource = val // procExecPath
}
log.Resource = execPath
if val, ok := args[2].([]string); ok {
for idx, arg := range val { // procArgs
if idx == 0 {
Expand Down

0 comments on commit ae5f57c

Please sign in to comment.