Merge pull request #415 from kubescape/bugfix/empty-exec

Bugfix/empty exec
kubescape · Nov 26, 2024 · 1b532d6 · 1b532d6
2 parents 41468e4 + 52b9628
commit 1b532d6
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 8 deletions.
diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
@@ -715,10 +715,6 @@ func (am *ApplicationProfileManager) ReportCapability(k8sContainerID, capability
 }
 
 func (am *ApplicationProfileManager) ReportFileExec(k8sContainerID, path string, args []string) {
-	// skip empty path
-	if path == "" {
-		return
-	}
 	if err := am.waitForContainer(k8sContainerID); err != nil {
 		return
 	}

diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go
@@ -61,7 +61,6 @@ func TestApplicationProfileManager(t *testing.T) {
 	// report capability
 	go am.ReportCapability("ns/pod/cont", "NET_BIND_SERVICE")
 	// report file exec
-	go am.ReportFileExec("ns/pod/cont", "", []string{"ls"}) // will not be reported
 	go am.ReportFileExec("ns/pod/cont", "/bin/bash", []string{"-c", "ls"})
 	go am.ReportFileExec("ns/pod/cont", "/bin/bash", []string{"-c", "ls"})       // duplicate - not reported
 	go am.ReportFileExec("ns/pod/cont", "/bin/bash", []string{"-c", "ls", "-l"}) // additional arg - reported

diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go
@@ -207,8 +207,15 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli
 
 		path := event.Comm
 		if len(event.Args) > 0 {
-			path = event.Args[0]
+			if event.Args[0] != "" {
+				path = event.Args[0]
+			}
 		}
+
+		if path == "" {
+			return
+		}
+
 		metrics.ReportEvent(utils.ExecveEventType)
 		processManager.ReportEvent(utils.ExecveEventType, &event)
 		applicationProfileManager.ReportFileExec(k8sContainerID, path, event.Args)

diff --git a/pkg/ruleengine/v1/helpers.go b/pkg/ruleengine/v1/helpers.go
@@ -33,7 +33,9 @@ var (
 
 func getExecPathFromEvent(event *tracerexectype.Event) string {
 	if len(event.Args) > 0 {
-		return event.Args[0]
+		if event.Args[0] != "" {
+			return event.Args[0]
+		}
 	}
 	return event.Comm
 }

diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go
@@ -82,6 +82,19 @@ func TestR0001UnexpectedProcessLaunched(t *testing.T) {
 		t.Errorf("Expected ruleResult to not be nil since exec is not whitelisted")
 	}
 
+	// Test /bin/sh
+	profile.Spec.Containers[0].Execs = append(profile.Spec.Containers[0].Execs, v1beta1.ExecCalls{
+		Path: "/bin/sh",
+		Args: []string{"/bin/sh", "-s", "unix:cmd"},
+	})
+	objCache.SetApplicationProfile(profile)
+
+	e.Comm = "sh"
+	e.Args = []string{"/bin/sh", "-s", "unix:cmd"}
+	ruleResult = r.ProcessEvent(utils.ExecveEventType, e, &objCache)
+	if ruleResult != nil {
+		t.Errorf("Expected ruleResult to be nil since exec is whitelisted")
+	}
 }
 
 func TestR0001UnexpectedProcessLaunchedArgCompare(t *testing.T) {

diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
@@ -441,7 +441,9 @@ func GetHostFilePathFromEvent(event K8sEvent, containerPid uint32) (string, erro
 // Get the path of the executable from the given event.
 func GetExecPathFromEvent(event *tracerexectype.Event) string {
 	if len(event.Args) > 0 {
-		return event.Args[0]
+		if event.Args[0] != "" {
+			return event.Args[0]
+		}
 	}
 	return event.Comm
 }