Apparmor allow based policies not working as expected. #954

Closed
achrefbensaad opened this issue Oct 27, 2022 · 0 comments · Fixed by #962
Description

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-1080768273
  namespace: default
spec:
  action: Allow
  file:
    matchDirectories:
    - dir: /
      fromSource:
      - path: /bin/bash
      recursive: true
    - dir: /etc/
      fromSource:
      - path: /bin/cat
      recursive: true
  process:
    matchPaths:
    - path: /bin/bash
    - path: /bin/cat
  selector:
    matchLabels:
      app: default
  severity: 1

Applying the above YAML policy should allow us to:

  • run bash without seeing any error messages
  • cat will get access only to /etc/**

Actual behavior

  • Bash is working as expected
  • Executing the cat command yields a permission denied error.

Proposed behavior for AppArmor allow based policies

We will be using AppArmor domain transitions to enforce policies for each binary.

Whitelisted processes

For white listed processes we are going to enforce the following rules:

  • If a process is allowed but no file access is granted, we will allow the process to run but no file/dir access is granted.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-xxxxxxx
  namespace: default
spec:
  action: Allow
  process:
    matchPaths:
    - path: /bin/bash
    - path: /bin/cat
  selector:
    matchLabels:
      app: default
  severity: 1

The above policy should generate the following pseudo-AppArmor profile:

## == Managed by KubeArmor == ##

#include <tunables/global>

profile kubearmor-default-deploy01-c1 flags=(attach_disconnected,mediate_deleted) {
	#include <abstractions/base>

	network,
	capability,

	/bin/bash px -> kubearmor-default-deploy01-c1-XXXXX-bash,
	/bin/cat px -> kubearmor-default-deploy01-c1-XXXXX-cat,
}

profile kubearmor-default-deploy01-c1-XXXXX-bash flags=(attach_disconnected,mediate_deleted) {
}

profile kubearmor-default-deploy01-c1-XXXXX-cat flags=(attach_disconnected,mediate_deleted) {
}
  • If fromSource is used to whitelist a particular process, the whitelisted process should NOT inherit access from the parent process.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-xxxxxxx
  namespace: default
spec:
  action: Allow
  process:
    matchPaths:
    - path: /bin/cat
      fromSource:
      - path: /bin/bash
    - path: /bin/bash
  selector:
    matchLabels:
      app: default
  severity: 1

The above policy should generate the following pseudo-AppArmor profile:

## == Managed by KubeArmor == ##

#include <tunables/global>

profile kubearmor-default-deploy01-c1 flags=(attach_disconnected,mediate_deleted) {
	#include <abstractions/base>

	network,
	capability,

	/bin/bash px -> kubearmor-default-deploy01-c1-XXXXX-bash,
}

profile kubearmor-default-deploy01-c1-XXXXX-bash flags=(attach_disconnected,mediate_deleted) {
	/bin/cat px -> kubearmor-default-deploy01-c1-XXXXX-cat,
}

profile kubearmor-default-deploy01-c1-XXXXX-cat flags=(attach_disconnected,mediate_deleted) {
}

bash should be explicitly defined in the whitelisted processes, else cat will never be able to run.
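The two whitelist rules and the caveat above, as an added example that is not KubeArmor's own profile generator: a small Python planner that takes a KubeArmorPolicy already parsed into a dict, places the px transition for a fromSource-restricted binary only inside its parent's child profile (so nothing is inherited from the root profile), gives a whitelisted binary with no file grant an empty child profile, and refuses to render when a fromSource parent is not itself whitelisted. The root profile name, the XXXXX suffix scheme and the read-only (r) permission used for matchDirectories are assumptions; the policy dict is constructed from the second policy in the issue plus cat's /etc/ directory grant from the first.

```python
"""Pseudo-AppArmor profile planner for KubeArmor Allow policies (added example,
not KubeArmor's own generator). Implements the issue's two whitelist rules."""
from typing import Dict, List, Optional, Set

ROOT = "kubearmor-default-deploy01-c1"   # container profile name taken from the issue
FLAGS = "flags=(attach_disconnected,mediate_deleted)"

# Constructed sample: the issue's fromSource policy plus cat's /etc/ grant,
# already parsed into a dict (what a YAML loader would return).
POLICY = {
    "apiVersion": "security.kubearmor.com/v1",
    "kind": "KubeArmorPolicy",
    "metadata": {"name": "autopol-system-xxxxxxx", "namespace": "default"},
    "spec": {
        "action": "Allow",
        "process": {"matchPaths": [
            {"path": "/bin/cat", "fromSource": [{"path": "/bin/bash"}]},
            {"path": "/bin/bash"},
        ]},
        "file": {"matchDirectories": [
            {"dir": "/etc/", "recursive": True, "fromSource": [{"path": "/bin/cat"}]},
        ]},
        "selector": {"matchLabels": {"app": "default"}},
        "severity": 1,
    },
}


def child_name(binary: str, root: str = ROOT) -> str:
    """Child profile name: root, placeholder suffix, binary basename (assumed scheme)."""
    return f"{root}-XXXXX-{binary.rsplit('/', 1)[-1]}"


def plan_transitions(spec: dict) -> Dict[Optional[str], List[str]]:
    """Map each execution context to the binaries it may 'px' into.
    Key None is the container root profile; any other key is a parent binary
    whose child profile carries the transition (rule 2: a fromSource'd binary
    is never reachable from the root profile, so nothing is inherited)."""
    plan: Dict[Optional[str], List[str]] = {}
    for m in spec.get("process", {}).get("matchPaths", []):
        parents = [s["path"] for s in m.get("fromSource", [])] or [None]
        for parent in parents:
            plan.setdefault(parent, []).append(m["path"])
    return plan


def plan_file_rules(spec: dict) -> Dict[str, List[str]]:
    """Per-binary AppArmor file rules from matchDirectories. Read access ('r')
    is an assumption; the issue gives no permission set. Entries without
    fromSource are container-wide and stored under the key ''."""
    rules: Dict[str, List[str]] = {}
    for d in spec.get("file", {}).get("matchDirectories", []):
        glob = "**" if d.get("recursive") else "*"
        rule = f"{d['dir'].rstrip('/')}/{glob} r,"
        for src in d.get("fromSource") or [{"path": ""}]:
            rules.setdefault(src["path"], []).append(rule)
    return rules


def unreachable_parents(plan: Dict[Optional[str], List[str]]) -> Set[str]:
    """Parents named in fromSource that are not whitelisted themselves: they get
    no child profile, so their children can never run (the issue's caveat)."""
    whitelisted = {b for bins in plan.values() for b in bins}
    return {p for p in plan if p is not None and p not in whitelisted}


def render(spec: dict, root: str = ROOT) -> str:
    """Render the root profile plus one child profile per whitelisted binary."""
    plan, files = plan_transitions(spec), plan_file_rules(spec)
    missing = unreachable_parents(plan)
    if missing:
        raise ValueError(f"fromSource parents not whitelisted: {sorted(missing)}")

    def px_lines(parent: Optional[str]) -> List[str]:
        return [f"\t{b} px -> {child_name(b, root)}," for b in plan.get(parent, [])]

    out = ["## == Managed by KubeArmor == ##", "", "#include <tunables/global>", "",
           f"profile {root} {FLAGS} {{", "\t#include <abstractions/base>", "",
           "\tnetwork,", "\tcapability,", ""]
    out += [f"\t{r}" for r in files.get("", [])] + px_lines(None) + ["}", ""]
    for b in sorted({b for bins in plan.values() for b in bins}):
        out.append(f"profile {child_name(b, root)} {FLAGS} {{")
        # Rule 1: a whitelisted binary with no file grant gets an empty profile.
        out += [f"\t{r}" for r in files.get(b, [])] + px_lines(b) + ["}", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(POLICY["spec"]))
```

Running it prints the second pseudo-profile from the issue with `/etc/** r,` inside the cat child profile; dropping `/bin/bash` from matchPaths makes `render` raise, which is the "bash should be explicitly defined" caveat turned into a check.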

@achrefbensaad achrefbensaad added bug Something isn't working enhancement New feature or request labels Oct 27, 2022
@achrefbensaad achrefbensaad self-assigned this Oct 27, 2022
@nyrahul nyrahul moved this to 🏗 In progress in v0.7 Backlog, Release Plan Nov 3, 2022
@Ankurk99 Ankurk99 moved this from 🏗 In progress to 👀 In review in v0.7 Backlog, Release Plan Nov 4, 2022
Ankurk99 added a commit that referenced this issue Nov 8, 2022