diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
index e62cb5d6..b5d144c6 100644
--- a/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
+++ b/pkg/applicationprofilemanager/v1/applicationprofile_manager.go
@@ -715,10 +715,6 @@ func (am *ApplicationProfileManager) ReportCapability(k8sContainerID, capability
 }
 func (am *ApplicationProfileManager) ReportFileExec(k8sContainerID, path string, args []string) {
- // skip empty path
- if path == "" {
- return
- }
 if err := am.waitForContainer(k8sContainerID); err != nil {
 return
 }
diff --git a/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go b/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go
index 49cc02d5..94af9b3d 100644
--- a/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go
+++ b/pkg/applicationprofilemanager/v1/applicationprofile_manager_test.go
@@ -61,7 +61,6 @@ func TestApplicationProfileManager(t *testing.T) {
 // report capability
 go am.ReportCapability("ns/pod/cont", "NET_BIND_SERVICE")
 // report file exec
- go am.ReportFileExec("ns/pod/cont", "", []string{"ls"}) // will not be reported
 go am.ReportFileExec("ns/pod/cont", "/bin/bash", []string{"-c", "ls"})
 go am.ReportFileExec("ns/pod/cont", "/bin/bash", []string{"-c", "ls"}) // duplicate - not reported
 go am.ReportFileExec("ns/pod/cont", "/bin/bash", []string{"-c", "ls", "-l"}) // additional arg - reported
diff --git a/pkg/containerwatcher/v1/container_watcher.go b/pkg/containerwatcher/v1/container_watcher.go
index 96d03c1d..9080d69e 100644
--- a/pkg/containerwatcher/v1/container_watcher.go
+++ b/pkg/containerwatcher/v1/container_watcher.go
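Review bot: With the `if path == ""` guard removed from ReportFileExec, the only filtering of empty paths now happens in the caller in container_watcher.go, so any other caller of this exported method presumably gets an empty path recorded into the profile. The method's contract should say so; suggest a doc comment on the signature line: `// ReportFileExec records an exec of path with args for the container; path must be non-empty — callers are expected to filter empty paths.` Other call sites, if any, are outside this diff and cannot be checked here. ReportFileExec's body continues past the end of the hunk.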
@@ -207,8 +207,15 @@ func CreateIGContainerWatcher(cfg config.Config, applicationProfileManager appli
 path := event.Comm
 if len(event.Args) > 0 {
- path = event.Args[0]
+ if event.Args[0] != "" {
+ path = event.Args[0]
+ }
 }
+
+ if path == "" {
+ return
+ }
+
 metrics.ReportEvent(utils.ExecveEventType)
 processManager.ReportEvent(utils.ExecveEventType, &event)
 applicationProfileManager.ReportFileExec(k8sContainerID, path, event.Args)
diff --git a/pkg/ruleengine/v1/helpers.go b/pkg/ruleengine/v1/helpers.go
index 9cd5c84f..70baa642 100644
--- a/pkg/ruleengine/v1/helpers.go
+++ b/pkg/ruleengine/v1/helpers.go
@@ -33,7 +33,9 @@ var (
 func getExecPathFromEvent(event *tracerexectype.Event) string {
 if len(event.Args) > 0 {
- return event.Args[0]
+ if event.Args[0] != "" {
+ return event.Args[0]
+ }
 }
 return event.Comm
 }
diff --git a/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go b/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go
index 7eff76af..5981cd12 100644
--- a/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go
+++ b/pkg/ruleengine/v1/r0001_unexpected_process_launched_test.go
@@ -82,6 +82,19 @@ func TestR0001UnexpectedProcessLaunched(t *testing.T) {
 t.Errorf("Expected ruleResult to not be nil since exec is not whitelisted")
 }
+ // Test /bin/sh
+ profile.Spec.Containers[0].Execs = append(profile.Spec.Containers[0].Execs, v1beta1.ExecCalls{
+ Path: "/bin/sh",
+ Args: []string{"/bin/sh", "-s", "unix:cmd"},
+ })
+ objCache.SetApplicationProfile(profile)
+
+ e.Comm = "sh"
+ e.Args = []string{"/bin/sh", "-s", "unix:cmd"}
+ ruleResult = r.ProcessEvent(utils.ExecveEventType, e, &objCache)
+ if ruleResult != nil {
+ t.Errorf("Expected ruleResult to be nil since exec is whitelisted")
+ }
 }
 func TestR0001UnexpectedProcessLaunchedArgCompare(t *testing.T) {
diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
index b81d6e3b..7dded0a6 100644
--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
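Review bot: The new `if path == "" { return }` is placed before `metrics.ReportEvent` and `processManager.ReportEvent`, so an exec event with neither a comm nor an argv[0] is now dropped from metrics and process tracking as well, whereas before this commit only the profile skipped it (the removed guard lived in ReportFileExec). An exec event that arrives with both fields empty is anomalous, and discarding it silently leaves no trace for detection or debugging; consider counting or logging the drop before returning, or moving the return below `metrics.ReportEvent(utils.ExecveEventType)` so the event is at least counted. The enclosing function CreateIGContainerWatcher starts outside the hunk.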
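Review bot: `getExecPathFromEvent` in helpers.go is now a line-for-line copy of `GetExecPathFromEvent` in pkg/utils/utils.go (the last hunk of this diff), and the commit had to apply the same fix in both places; have the helper delegate with `return utils.GetExecPathFromEvent(event)` (if utils is importable there) or remove it, so the two cannot drift apart again. Independently of the fix, `event.Args[0]` is whatever the process that called execve supplied and is not authoritative for which binary actually ran, so a rule that whitelists on this value is comparing caller-controlled data; if the tracer event exposes a resolved executable path, that is the safer source, and the function's doc comment should state the fallback order in either case. The hunk's leading context line `var (` belongs to a declaration that starts outside the hunk.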
@@ -441,7 +441,9 @@ func GetHostFilePathFromEvent(event K8sEvent, containerPid uint32) (string, erro
 // Get the path of the executable from the given event.
 func GetExecPathFromEvent(event *tracerexectype.Event) string {
 if len(event.Args) > 0 {
- return event.Args[0]
+ if event.Args[0] != "" {
+ return event.Args[0]
+ }
 }
 return event.Comm
 }
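Review bot: The doc comment `// Get the path of the executable from the given event.` does not describe the fallback this hunk introduces and does not start with the function name as Go doc convention requires; suggest `// GetExecPathFromEvent returns event.Args[0] when Args is non-empty and Args[0] is not "", otherwise event.Comm.` It is also worth stating in that comment that Comm and Args[0] are different kinds of value — the r0001 test in this diff sets `e.Comm = "sh"` alongside `e.Args[0] = "/bin/sh"` — so consumers comparing the result against profile paths know which form they may receive.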