diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
index c5b6800253..9706720cf9 100644
--- a/KubeArmor/enforcer/appArmorProfile.go
+++ b/KubeArmor/enforcer/appArmorProfile.go
@@ -243,9 +243,7 @@ func (ae *AppArmorEnforcer) SetNetworkMatchProtocols(proto tp.NetworkProtocolTyp
 rule.Deny = deny
 rule.Allow = !deny
 if len(proto.FromSource) == 0 {
- if proto.Protocol != "all" {
- addRuletoMap(rule, proto.Protocol, prof.NetworkRules)
- }
+ addRuletoMap(rule, proto.Protocol, prof.NetworkRules)
 return
 }
@@ -267,9 +265,7 @@ func (ae *AppArmorEnforcer) SetNetworkMatchProtocols(proto tp.NetworkProtocolTyp
 prof.FromSource[source] = val
 }
 }
- if proto.Protocol != "all" {
- addRuletoMap(rule, proto.Protocol, prof.FromSource[source].NetworkRules)
- }
+ addRuletoMap(rule, proto.Protocol, prof.FromSource[source].NetworkRules)
 }
 }
@@ -391,9 +387,9 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 if len(secPolicy.Spec.Network.MatchProtocols) > 0 {
 for _, proto := range secPolicy.Spec.Network.MatchProtocols {
 if proto.Action == "Allow" {
- ae.SetNetworkMatchProtocols(proto, &profile, false, defaultPosture.NetworkAction != "block" || proto.Protocol == "all")
+ ae.SetNetworkMatchProtocols(proto, &profile, false, defaultPosture.NetworkAction != "block")
 } else if proto.Action == "Block" {
- ae.SetNetworkMatchProtocols(proto, &profile, true, true && proto.Protocol != "all")
+ ae.SetNetworkMatchProtocols(proto, &profile, true, true)
 }
 }
 }
diff --git a/KubeArmor/enforcer/appArmorTemplate.go b/KubeArmor/enforcer/appArmorTemplate.go
index 0913d5e39d..59420eb3ff 100644
--- a/KubeArmor/enforcer/appArmorTemplate.go
+++ b/KubeArmor/enforcer/appArmorTemplate.go
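Review bot: With the `proto.Protocol != "all"` guard gone, an Allow entry whose protocol is "all" is now stored in `prof.NetworkRules` like any other key, but the template change in this same commit special-cases "all" only on the Deny branch, and its Allow branch still prints `network {{$value}},`, i.e. `network all,`, which is not a domain, type or protocol the AppArmor network rule grammar accepts as far as I can tell. A profile containing that line would presumably be rejected by apparmor_parser, and depending on how the enforcer handles a load failure that can mean no network restriction at all for the container. Either keep the guard for the allow case, `if deny || proto.Protocol != "all" { addRuletoMap(rule, proto.Protocol, prof.NetworkRules) }`, or have the template emit a bare `network,` when `$value` is "all" — and whichever is chosen, the FromSource branch in the next hunk drops the same guard and needs the same treatment. SetNetworkMatchProtocols begins and ends outside this hunk.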
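Review bot: The Block branch now reads `ae.SetNetworkMatchProtocols(proto, &profile, true, true)`, two positional boolean literals whose meaning the reader has to recover from the callee; the third is evidently the deny flag (the callee does `rule.Deny = deny`), but nothing here names the fourth. Annotating them at the call site, `true /* deny */, true /* <fourth parameter> */`, or routing through two named constants would make the posture logic legible. Note also that an Allow entry with protocol "all" now reaches the `defaultPosture.NetworkAction != "block"` check instead of passing `true` unconditionally as before, so under a block posture that fourth argument flips from true to false for allow-all rules; if the flag influences where the rule lands in the profile that is a behaviour change worth a sentence in the commit message. GenerateProfileBody continues outside the hunk.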
@@ -225,7 +225,11 @@ profile {{$v := $.Name | split "."}}{{$v._0}}_{{ regexReplaceAllLiteral "[^a-z A
 ## == Network START == ##
 {{- range $value, $data := .NetworkRules}}
 {{- if $data.Deny}}
+ {{- if eq $value "all" }}
+ deny network,
+ {{- else }}
 deny network {{$value}},
+ {{- end}}
 {{- end}}
 {{- if $data.Allow}}
 network {{$value}},
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o
index 7d2cead750..b507a16ee9 100644
Binary files a/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o and b/KubeArmor/enforcer/bpflsm/enforcer_bpfeb.o differ
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o
index af225eb2d5..b46dd4126e 100644
Binary files a/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o and b/KubeArmor/enforcer/bpflsm/enforcer_bpfel.o differ
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o
index 80ff9b63b1..20f03deaa6 100644
Binary files a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o and b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfeb.o differ
diff --git a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o
index 0045eeffd0..e1b1cc1fde 100644
Binary files a/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o and b/KubeArmor/enforcer/bpflsm/enforcer_path_bpfel.o differ
diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index 6ca0bd188b..617f656ace 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
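Review bot: The new `deny network,` for an "all" key is emitted inside the same `range` over `.NetworkRules` as every protocol-specific entry, and AppArmor gives explicit deny rules precedence over allow rules, so a container that has both a Block/all and an Allow/tcp entry ends up with a `network tcp,` line that is dead and every socket family denied. That is a defensible reading of "block all", but it is easy to mistake for an allow-list, so it deserves a template comment above the new `if eq`, e.g. `{{/* "all" renders as a bare network rule; a deny here overrides any protocol-specific allow in this block */}}`. The Allow branch below still prints `network {{$value}},` with no "all" case, which for that key yields `network all,`; mirror the new structure there — `{{- if eq $value "all" }}` / `network,` / `{{- else }}` around the existing line, closed by `{{- end}}` — so an allow-all entry renders as a bare `network,`. The `range` and the rest of the network section close outside the hunk.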
@@ -59,9 +59,9 @@ func GetProtocolFromType(proto int32) string {
 }
 func fetchProtocol(resource string) string {
- if strings.Contains(resource, "protocol=TCP") || (strings.Contains(resource, "SOCK_STREAM") && strings.Contains(resource, "protocol=0")) {
+ if strings.Contains(resource, "protocol=TCP") || (strings.Contains(resource, "SOCK_STREAM") && strings.Contains(resource, "protocol=HOPOPT")) {
 return "tcp"
- } else if strings.Contains(resource, "protocol=UDP") || (strings.Contains(resource, "SOCK_DGRAM") && strings.Contains(resource, "protocol=0")) {
+ } else if strings.Contains(resource, "protocol=UDP") || (strings.Contains(resource, "SOCK_DGRAM") && strings.Contains(resource, "protocol=HOPOPT")) {
 return "udp"
 } else if strings.Contains(resource, "protocol=ICMP") {
 return "icmp"
diff --git a/KubeArmor/go.mod b/KubeArmor/go.mod
index ddbe17a5e9..240fec5d18 100644
--- a/KubeArmor/go.mod
+++ b/KubeArmor/go.mod
@@ -65,7 +65,6 @@ require (
 github.com/emicklei/go-restful/v3 v3.11.2 // indirect
 github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 github.com/felixge/httpsnoop v1.0.4 // indirect
- github.com/fsnotify/fsnotify v1.7.0 // indirect
 github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 github.com/go-logr/logr v1.4.2 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
diff --git a/pkg/KubeArmorController/config/rbac/role.yaml b/pkg/KubeArmorController/config/rbac/role.yaml
index d79e4c7546..d67deff627 100644
--- a/pkg/KubeArmorController/config/rbac/role.yaml
+++ b/pkg/KubeArmorController/config/rbac/role.yaml
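Review bot: `fetchProtocol` now keys the "protocol number 0" case on the substring `protocol=HOPOPT` (HOPOPT being the IANA name for protocol 0), which only holds as long as whatever formats the resource string — presumably `GetProtocolFromType`, whose closing brace opens this hunk — keeps rendering 0 as that name; a log line that still carries `protocol=0` no longer matches, and a future change to the label silently breaks tcp/udp attribution in the matcher. Since this function decides which policy an alert is credited to, I'd hoist the label into one constant shared by both sides, e.g. `const unspecifiedProtoLabel = "protocol=HOPOPT" // label GetProtocolFromType gives protocol 0`, and test `strings.Contains(resource, unspecifiedProtoLabel)` in both branches. Matching with `strings.Contains` is also loose — `protocol=TCP` is accepted anywhere in the string — so extracting the `protocol=` token from the resource and comparing it exactly would be sturdier. `fetchProtocol`'s closing brace lies outside the hunk.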
@@ -4,6 +4,74 @@ kind: ClusterRole
 metadata:
 name: manager-role
 rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "create","delete","update","list", "watch"]
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - security.kubearmor.com
+ resources:
+ - kubearmorclusterpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - security.kubearmor.com
+ resources:
+ - kubearmorclusterpolicies/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - security.kubearmor.com
+ resources:
+ - kubearmorhostpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - security.kubearmor.com
+ resources:
+ - kubearmorhostpolicies/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - security.kubearmor.com
+ resources:
+ - kubearmorpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - security.kubearmor.com
+ resources:
+ - kubearmorpolicies/status
+ verbs:
+ - get
+ - patch
+ - update
diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go
index 37d48b5218..a172fcdfd2 100644
--- a/tests/k8s_env/ksp/ksp_test.go
+++ b/tests/k8s_env/ksp/ksp_test.go
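Review bot: The ClusterRole `manager-role` now carries `create`, `delete`, `patch` and `update` on `kubearmorpolicies`, `kubearmorclusterpolicies` and `kubearmorhostpolicies` cluster-wide, so a compromise of the controller pod — or of anything able to use its ServiceAccount token — is enough to delete or rewrite host-level enforcement policy everywhere. If the controller only watches policies and updates their `/status`, the write verbs on the primary resources are more than it uses; please check each verb against the controller's actual client calls and keep only `get`/`list`/`watch` plus the `/status` subresource verbs where that is the case. If this file is produced from `+kubebuilder:rbac` markers (the `config/rbac` layout suggests it), the trimming belongs in the markers, since the next manifest regeneration would otherwise overwrite a hand edit. The `rules:` list is complete within the hunk.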
@@ -266,6 +266,32 @@ var _ = Describe("Ksp", func() {
 })
+ It("it can block all network traffic", func() {
+
+ // Apply Policy
+ err := K8sApplyFile("multiubuntu/ksp-ubuntu-1-block-net-all.yaml")
+ Expect(err).To(BeNil())
+
+ // Start KubeArmor Logs
+ err = KarmorLogStart("policy", "multiubuntu", "Network", ub1)
+ Expect(err).To(BeNil())
+ AssertCommand(ub1, "multiubuntu", []string{"bash", "-c", "ping -c 1 127.0.0.1"},
+ MatchRegexp("ping.*Permission denied"), true,
+ )
+
+ expect := protobuf.Alert{
+ PolicyName: "ksp-ubuntu-1-block-net-all",
+ Severity: "8",
+ Action: "Block",
+ Result: "Permission denied",
+ }
+
+ res, err := KarmorGetTargetAlert(5*time.Second, &expect)
+ Expect(err).To(BeNil())
+ Expect(res.Found).To(BeTrue())
+
+ })
+
 })
 Describe("Apply Capabilities Policy", func() {
diff --git a/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml b/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml
new file mode 100644
index 0000000000..8f64a1e628
--- /dev/null
+++ b/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml
@@ -0,0 +1,15 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-ubuntu-1-block-net-all
+ namespace: multiubuntu
+spec:
+ severity: 8
+ selector:
+ matchLabels:
+ container: ubuntu-1
+ network:
+ matchProtocols:
+ - protocol: all
+ action:
+ Block
\ No newline at end of file
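Review bot: The new `It` applies `ksp-ubuntu-1-block-net-all` and never removes it, so unless the enclosing `Describe` (which starts and ends outside the hunk) has an `AfterEach` that deletes policies, every later test that touches `ub1` runs with all networking denied; add a matching delete at the end of the `It` so the fixture is self-contained. The only probe is `ping -c 1 127.0.0.1`, i.e. ICMP to loopback, which doesn't demonstrate that `protocol: all` also covers TCP and UDP — the very case the removed `!= "all"` guard used to skip; a second `AssertCommand` attempting a TCP connect (if the image has `curl`, `curl -m 2 http://127.0.0.1`) against the same `Permission denied` pattern would pin the headline behaviour. The `// Apply Policy` and `// Start KubeArmor Logs` comments restate the call names; a one-line comment on the `expect` literal saying why `Severity: "8"` is the value under test (it mirrors the fixture's `severity: 8`) would carry more information.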