From 67333bb74144479bef391a7c04da61181a8c87bf Mon Sep 17 00:00:00 2001 From: Amit Schendel Date: Thu, 11 Jul 2024 07:13:26 +0000 Subject: [PATCH] Adding java exception on ld_preload rule Signed-off-by: Amit Schendel --- pkg/ruleengine/v1/r1011_ld_preload_hook.go | 6 ++++++ .../v1/r1011_ld_preload_hook_test.go | 21 +++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook.go b/pkg/ruleengine/v1/r1011_ld_preload_hook.go index d073a010..c64c726e 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook.go +++ b/pkg/ruleengine/v1/r1011_ld_preload_hook.go @@ -20,6 +20,7 @@ const ( R1011ID = "R1011" R1011Name = "LD_PRELOAD Hook" LD_PRELOAD_FILE = "/etc/ld.so.preload" + JAVA_COMM = "java" ) var LD_PRELOAD_ENV_VARS = []string{"LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH"} @@ -62,6 +63,11 @@ func (rule *R1011LdPreloadHook) DeleteRule() { } func (rule *R1011LdPreloadHook) handleExecEvent(execEvent *tracerexectype.Event, k8sObjCache objectcache.K8sObjectCache) ruleengine.RuleFailure { + // Java is a special case, we don't want to alert on it because it uses LD_LIBRARY_PATH. + if execEvent.Comm == JAVA_COMM { + return nil + } + envVars, err := utils.GetProcessEnv(int(execEvent.Pid)) if err != nil { logger.L().Debug("Failed to get process environment variables", helpers.Error(err)) diff --git a/pkg/ruleengine/v1/r1011_ld_preload_hook_test.go b/pkg/ruleengine/v1/r1011_ld_preload_hook_test.go index b36c6225..38d77904 100644 --- a/pkg/ruleengine/v1/r1011_ld_preload_hook_test.go +++ b/pkg/ruleengine/v1/r1011_ld_preload_hook_test.go @@ -5,6 +5,7 @@ import ( "github.com/kubescape/node-agent/pkg/utils" + tracerexectype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/exec/types" traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types" eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types" corev1 "k8s.io/api/core/v1" @@ -83,4 +84,24 @@ func TestR1011LdPreloadHook(t *testing.T) { if ruleResult != nil { t.Errorf("Expected ruleResult to be nil since LD_PRELOAD is set in pod spec") } + + // Create open event + e2 := &tracerexectype.Event{ + Event: eventtypes.Event{ + CommonData: eventtypes.CommonData{ + K8s: eventtypes.K8sMetadata{ + BasicK8sMetadata: eventtypes.BasicK8sMetadata{ + ContainerName: "test", + }, + }, + }, + }, + Comm: "java", + } + // Test with exec event + ruleResult = r.ProcessEvent(utils.ExecveEventType, e2, &RuleObjectCacheMock{}) + if ruleResult != nil { + t.Errorf("Expected ruleResult to be nil since exec event is on java") + } + }