Make a device node on disk using mknod, to gain a larger attack surface.
Examples in container escape:
container starts with CAP_SYS_MODULE: inserting a kernel module
container starts with CAP_SYS_ADMIN: mknod can make a device node on disk, giving debugfs a chance to overwrite the host's filesystem, with the ability coming from the dangerous CAP_SYS_ADMIN config: the mknod syscall
Hey @MagpieRYL, thank you for that, I added these syscalls to our umbrella issue #1998!
You are right! These syscalls are not supported in Falco, or at least they are only supported in "generic" mode (i.e. you can see when these syscalls are called but not what their parameters are).
Here you can find a more detailed report https://github.com/falcosecurity/libs/blob/master/driver/report.md
The green ones are the "fully" supported ones.
The yellow ones are supported only in "generic" mode.
Btw, since these syscalls can have a relevant syscall impact, maybe a generic implementation is not enough; we will work on that ASAP :)
Since Falco 0.35.0 all generic syscalls are exposed to Falco: simply write a Falco rule including init_module, finit_module, mknod and many more. Please note Andrea's comment about them being generic, hence we do not log specific args, but for Falco you can still access all of the proc.* fields from the process that issued these system calls.
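As an added illustration of the kind of rule described above (not a rule from this issue or shipped by the Falco project), the following matches the syscalls discussed here when they are issued from inside a container. Because these are generic events, only the event type and the process/container fields are available, so no syscall arguments appear in the output; mknodat is included alongside mknod as an assumption that the same device-node concern applies, and the rule assumes Falco 0.35.0 or later.

```yaml
# Constructed example rule: alert on device-node and kernel-module syscalls
# from a container. Arguments of generic syscalls are not parsed, so the
# condition relies on evt.type plus proc.* / container.* fields only.
- rule: Device node or kernel module syscall from container
  desc: >
    Detect mknod/mknodat (device node creation) and init_module/finit_module
    (kernel module loading) issued by a process running inside a container.
  condition: >
    evt.type in (mknod, mknodat, init_module, finit_module)
    and evt.dir = >
    and container.id != host
  output: >
    Sensitive syscall from container (syscall=%evt.type user=%user.name
    proc=%proc.name cmdline=%proc.cmdline parent=%proc.pname
    container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, syscall, privilege_escalation]
```

Tune the condition with a process or image allowlist for legitimate module loaders or device managers before running it in an environment that expects them.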
Motivation
Some intrusion methods: mknod, for gaining a larger attack surface. Examples in container escape: mknod can make a device node on disk, giving debugfs a chance to overwrite the host's filesystem, with the ability coming from the dangerous CAP_SYS_ADMIN config: the mknod syscall.
Feature
mknod and init_module have not been supported.