Merge pull request #1859 from Prateeknandle/relative_path

fix(policyMatcher): handling relative path resource by joining it with cwd
kubearmor · Sep 9, 2024 · ae5f57c · ae5f57c
2 parents 70f5e89 + 817fe92
commit ae5f57c
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 11 deletions.
diff --git a/KubeArmor/Makefile b/KubeArmor/Makefile
@@ -113,7 +113,7 @@ ifeq (, $(shell which gosec))
 	rm -rf $$GOSEC_TMP_DIR ;\
 	}
 endif
-	cd $(CURDIR); gosec -exclude=G402 ./...
+	cd $(CURDIR); gosec -exclude=G402,G115 ./...
 
 .PHONY: local-release
 local-release: build

diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
@@ -934,9 +934,17 @@ func matchResources(secPolicy tp.MatchPolicy, log tp.Log) bool {
 		if secPolicy.ResourceType == "Path" && secPolicy.Resource == firstLogResource {
 			return true
 		}
+
+		// check if the log's resource directory starts with the policy's resource directory
 		if secPolicy.ResourceType == "Directory" && (strings.HasPrefix(firstLogResourceDir, secPolicy.Resource) &&
+			// for non-recursive rule - check if the directory depth of the log matches the policy resource's depth
 			((!secPolicy.Recursive && firstLogResourceDirCount == strings.Count(secPolicy.Resource, "/")) ||
-				(secPolicy.Recursive && firstLogResourceDirCount >= strings.Count(secPolicy.Resource, "/")))) || (secPolicy.Resource == (log.Resource + "/")) {
+				// for recursive rule - check the log's directory is at the same or deeper level than the policy's resource
+				(secPolicy.Recursive && firstLogResourceDirCount >= strings.Count(secPolicy.Resource, "/")))) ||
+			// exact matching - check if the policy's resource is exactly the logged resource with a trailing slash
+			(secPolicy.Resource == (log.Resource + "/")) ||
+			// match if the policy is recursive and applies to the root directory
+			(secPolicy.Resource == "/" && secPolicy.Recursive) {
 			return true
 		}
 	}

diff --git a/KubeArmor/monitor/logUpdate.go b/KubeArmor/monitor/logUpdate.go
@@ -5,6 +5,7 @@ package monitor
 
 import (
 	"fmt"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -523,6 +524,11 @@ func (mon *SystemMonitor) UpdateLogs() {
 				continue
 			}
 
+			// fallback logic: in case we get relative path in log.Resource then we join cwd + resource to get pull path
+			if !strings.HasPrefix(strings.Split(log.Resource, " ")[0], "/") && log.Cwd != "/" {
+				log.Resource = filepath.Join(log.Cwd, log.Resource)
+			}
+
 			// get error message
 			if msg.ContextSys.Retval < 0 {
 				message := getErrorMessage(msg.ContextSys.Retval)

diff --git a/KubeArmor/monitor/systemMonitor.go b/KubeArmor/monitor/systemMonitor.go
@@ -786,13 +786,18 @@ func (mon *SystemMonitor) TraceSyscall() {
 						nodeArgs = val
 					}
 
+					// generate a log with the base information
+					log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)
+
+					// fallback logic: in case we get relative path as execPath then we join cwd + execPath to get pull path
+					if !strings.HasPrefix(strings.Split(execPath, " ")[0], "/") && log.Cwd != "/" {
+						execPath = filepath.Join(log.Cwd, execPath)
+					}
+
 					// build a pid node
 					pidNode := mon.BuildPidNode(containerID, ctx, execPath, nodeArgs)
 					mon.AddActivePid(containerID, pidNode)
 
-					// generate a log with the base information
-					log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)
-
 					// add arguments
 					log.Resource = execPath
 					if pidNode.Args != "" {
@@ -841,23 +846,31 @@ func (mon *SystemMonitor) TraceSyscall() {
 				continue
 			} else if ctx.EventID == SysExecveAt {
 				if len(args) == 4 { // enter
-					// build a pid node
-					pidNode := mon.BuildPidNode(containerID, ctx, args[1].(string), args[2].([]string))
-					mon.AddActivePid(containerID, pidNode)
+					var execPath string
 
 					// generate a log with the base information
 					log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)
 
+					if val, ok := args[1].(string); ok {
+						execPath = val // procExecPath
+					}
+					// fallback logic: in case we get relative path in execPath then we join cwd + execPath to get pull path
+					if !strings.HasPrefix(strings.Split(execPath, " ")[0], "/") && log.Cwd != "/" {
+						execPath = filepath.Join(log.Cwd, execPath)
+					}
+
+					// build a pid node
+					pidNode := mon.BuildPidNode(containerID, ctx, execPath, args[2].([]string))
+					mon.AddActivePid(containerID, pidNode)
+
 					fd := ""
 					procExecFlag := ""
 
 					// add arguments
 					if val, ok := args[0].(int32); ok {
 						fd = strconv.Itoa(int(val))
 					}
-					if val, ok := args[1].(string); ok {
-						log.Resource = val // procExecPath
-					}
+					log.Resource = execPath
 					if val, ok := args[2].([]string); ok {
 						for idx, arg := range val { // procArgs
 							if idx == 0 {