non-k8s: KubeArmor panics when not-enabled policy type is received #1787

Open
DelusionalOptimist opened this issue Jun 21, 2024 · 3 comments · May be fixed by #1789

DelusionalOptimist commented Jun 21, 2024

Bug Report

General Information

  • Environment description - Any environment
  • Kernel version - Not relevant
  • Orchestration system version in use - Not relevant

To Reproduce

  1. Modify make run target in KubeArmor's Makefile to something like below such that host policy is disabled:

    cd $(CURDIR); DEBUG=true sudo -E ./kubearmor -k8s=false -logPath=/tmp/kubearmor.log -enableKubeArmorPolicy -defaultFilePosture block -defaultCapabilitiesPosture block -defaultNetworkPosture block
    
  2. Once KubeArmor is running, send the below host policy by running karmor vm policy --gRPC=:32767 add <path-to-policy> :

    apiVersion: security.kubearmor.com/v1
    kind: KubeArmorHostPolicy
    metadata:
      name: hsp-block-sleep
    spec:
      severity: 10
      message: "sleep was attempted to be executed"
      tags:
      - ALERT
      nodeSelector:
        matchLabels:
          kubearmor.io/hostname: '*'
      process:
        matchPaths:
        - path: /usr/bin/sleep
      action:
        Block

    You'll see that KubeArmor panics and dies with the below log:

        panic: runtime error: invalid memory address or nil pointer dereference
        [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x189052c]
    
        goroutine 424 [running]:
        github.com/kubearmor/KubeArmor/KubeArmor/policy.(*PolicyServer).HostPolicy(0xc00460c3c0, {0x1c94900?, 0xc0039e5990?}, 0xc003be38c0)
                /usr/src/KubeArmor/KubeArmor/policy/policy.go:62 +0xac
        github.com/kubearmor/KubeArmor/protobuf._PolicyService_HostPolicy_Handler({0x1c94900, 0xc00460c3c0}, {0x22822a8, 0xc00471ef60}, 0xc004689780, 0x0)
                /usr/src/KubeArmor/protobuf/policy_grpc.pb.go:203 +0x1a6
        google.golang.org/grpc.(*Server).processUnaryRPC(0xc00022d200, {0x22822a8, 0xc00471eed0}, {0x228afa0, 0xc00472d080}, 0xc0048fe000, 0xc0046086c0, 0x335bd18, 0x0)
                /go/pkg/mod/google.golang.org/[email protected]/server.go:1369 +0xdf8
        google.golang.org/grpc.(*Server).handleStream(0xc00022d200, {0x228afa0, 0xc00472d080}, 0xc0048fe000)
                /go/pkg/mod/google.golang.org/[email protected]/server.go:1780 +0xe8b
        google.golang.org/grpc.(*Server).serveStreams.func2.1()
                /go/pkg/mod/google.golang.org/[email protected]/server.go:1019 +0x8b
        created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 436
                /go/pkg/mod/google.golang.org/[email protected]/server.go:1030 +0x125
    
    

Similar behavior is observed when container policy is disabled.

Expected behavior

KubeArmor should not panic and just log OR send back the response that policy enforcement for this kind (KubeArmorPolicy/KubeArmorHostPolicy) is not enabled.

@DelusionalOptimist DelusionalOptimist added the bug Something isn't working label Jun 21, 2024
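
An added Go sketch of the crash and of the expected behavior described in this issue; it is not KubeArmor's code. It assumes the handler calls a per-kind callback that stays nil when that policy kind is disabled, and `PolicyReceiver`, `UpdateFunc`, `Apply`, `ErrNotEnabled` and `Panics` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotEnabled is what the client gets back instead of a dead daemon (hypothetical name).
var ErrNotEnabled = errors.New("policy enforcement for this kind is not enabled")

// UpdateFunc applies one raw policy and reports a status string.
type UpdateFunc func(policy []byte) (string, error)

// PolicyReceiver keeps one callback per kind; nil means that kind is disabled (assumed wiring).
type PolicyReceiver struct {
	UpdateContainerPolicy, UpdateHostPolicy UpdateFunc
}

// Apply stands in for the real enforcement path.
func Apply([]byte) (string, error) { return "Applied", nil }

// HostPolicyUnsafe calls the callback unconditionally; a nil callback panics.
func (r *PolicyReceiver) HostPolicyUnsafe(p []byte) (string, error) {
	return r.UpdateHostPolicy(p)
}

// HostPolicy rejects the request when host policy is disabled.
func (r *PolicyReceiver) HostPolicy(p []byte) (string, error) {
	if r.UpdateHostPolicy == nil {
		return "NotEnabled", fmt.Errorf("KubeArmorHostPolicy: %w", ErrNotEnabled)
	}
	return r.UpdateHostPolicy(p)
}

// Panics reports whether f panicked.
func Panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	// Container policy enabled, host policy disabled, as in the reproduction steps.
	r := &PolicyReceiver{UpdateContainerPolicy: Apply}
	fmt.Println("unguarded handler panics:", Panics(func() { r.HostPolicyUnsafe(nil) }))
	status, err := r.HostPolicy([]byte("kind: KubeArmorHostPolicy"))
	fmt.Println(status, err)
}
```
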
@DelusionalOptimist

Related to #1321

@DelusionalOptimist DelusionalOptimist added good first issue Good for newcomers help wanted Extra attention is needed labels Jun 21, 2024
@itsCheithanya

I'm interested in working on this issue @DelusionalOptimist

@shishir-11

Hi, I was hoping to contribute to KubeArmor and had set up my environment and the GitHub repo. Can someone tell me how to get started further, and how do I learn more about it? I haven't used it before and am finding the issue a bit confusing. Where do I use the 1st step and what is it used for?

itsCheithanya added a commit to itsCheithanya/KubeArmor that referenced this issue Jun 24, 2024
itsCheithanya added a commit to itsCheithanya/KubeArmor that referenced this issue Jun 28, 2024