diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index f77cff3b56..88f9c1d46f 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
@@ -934,9 +934,17 @@ func matchResources(secPolicy tp.MatchPolicy, log tp.Log) bool {
 if secPolicy.ResourceType == "Path" && secPolicy.Resource == firstLogResource {
 return true
 }
+
+ // check if the log's resource directory starts with the policy's resource directory
 if secPolicy.ResourceType == "Directory" && (strings.HasPrefix(firstLogResourceDir, secPolicy.Resource) &&
+ // for non-recursive rule - check if the directory depth of the log matches the policy resource's depth
 ((!secPolicy.Recursive && firstLogResourceDirCount == strings.Count(secPolicy.Resource, "/")) ||
- (secPolicy.Recursive && firstLogResourceDirCount >= strings.Count(secPolicy.Resource, "/")))) || (secPolicy.Resource == (log.Resource + "/")) {
+ // for recursive rule - check the log's directory is at the same or deeper level than the policy's resource
+ (secPolicy.Recursive && firstLogResourceDirCount >= strings.Count(secPolicy.Resource, "/")))) ||
+ // exact matching - check if the policy's resource is exactly the logged resource with a trailing slash
+ (secPolicy.Resource == (log.Resource + "/")) ||
+ // match if the policy is recursive and applies to the root directory
+ (secPolicy.Resource == "/" && secPolicy.Recursive) {
 return true
 }
 }
diff --git a/KubeArmor/monitor/logUpdate.go b/KubeArmor/monitor/logUpdate.go
index 619979a9b5..a1d4951fe6 100644
--- a/KubeArmor/monitor/logUpdate.go
+++ b/KubeArmor/monitor/logUpdate.go
@@ -5,6 +5,7 @@ package monitor
 import (
 "fmt"
+ "path/filepath"
 "strconv"
 "strings"
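Review bot: The new root clause `(secPolicy.Resource == "/" && secPolicy.Recursive)` sits at the top level of the `||` chain, so unlike the prefix/depth check it is not guarded by `secPolicy.ResourceType == "Directory"`; a rule whose Resource is "/" with Recursive set matches every log resource regardless of its type, and it also matches a `log.Resource` that is still relative (no leading slash), which the `strings.HasPrefix(firstLogResourceDir, ...)` branch would have rejected. If the intent is only a recursive directory rule on "/", write it as `(secPolicy.ResourceType == "Directory" && secPolicy.Resource == "/" && secPolicy.Recursive)`. The pre-existing `secPolicy.Resource == (log.Resource + "/")` clause has the same unguarded shape, so grouping the three directory clauses under one type check would make the condition readable again. matchResources starts before this hunk (firstLogResourceDir and firstLogResourceDirCount are computed there), so whether an outer check already narrows the policy type cannot be seen from here.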
@@ -523,6 +524,11 @@ func (mon *SystemMonitor) UpdateLogs() {
 continue
 }
+ // fallback logic: in case we get relative path in log.Resource then we join cwd + resource to get pull path
+ if !strings.HasPrefix(strings.Split(log.Resource, " ")[0], "/") && log.Cwd != "/" {
+ log.Resource = filepath.Join(log.Cwd, log.Resource)
+ }
+
 // get error message
 if msg.ContextSys.Retval < 0 {
 message := getErrorMessage(msg.ContextSys.Retval)
diff --git a/KubeArmor/monitor/systemMonitor.go b/KubeArmor/monitor/systemMonitor.go
index c791f36d73..c246c874bb 100644
--- a/KubeArmor/monitor/systemMonitor.go
+++ b/KubeArmor/monitor/systemMonitor.go
@@ -786,13 +786,18 @@ func (mon *SystemMonitor) TraceSyscall() {
 nodeArgs = val
 }
+ // generate a log with the base information
+ log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)
+
+ // fallback logic: in case we get relative path as execPath then we join cwd + execPath to get pull path
+ if !strings.HasPrefix(strings.Split(execPath, " ")[0], "/") && log.Cwd != "/" {
+ execPath = filepath.Join(log.Cwd, execPath)
+ }
+
 // build a pid node
 pidNode := mon.BuildPidNode(containerID, ctx, execPath, nodeArgs)
 mon.AddActivePid(containerID, pidNode)
- // generate a log with the base information
- log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)
-
 // add arguments
 log.Resource = execPath
 if pidNode.Args != "" {
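Review bot: The guard `log.Cwd != "/"` on the new fallback leaves a relative resource unresolved exactly when the process runs at the filesystem root, although `filepath.Join("/", rel)` is the correct absolute path; if the intent is to skip an unknown cwd, the guard should test for that representation (presumably `""`, set by BuildLogBase outside this hunk) rather than for "/". The guard also does not exclude an empty resource: `strings.Split("", " ")[0]` is "", so `filepath.Join(log.Cwd, "")` rewrites an event that carried no path into the cwd directory itself, and a Directory rule on that cwd then matches an event that never referenced it. The same three-line block is repeated for execPath in the systemMonitor.go hunks at -786 and -841 with the same guard (and the comment typo "pull path" in all three), so a single helper that returns the input unchanged when it is empty or already absolute would fix all three call sites at once. If log.Resource can carry text after a space, as the Split on " " suggests, note that filepath.Join's Clean also runs over that suffix.
```go
// absolutePath resolves p against cwd when p is relative. An empty or already
// absolute p is returned unchanged so that a missing path never becomes cwd.
// NOTE(review): the original skipped cwd == "/"; confirm how an unknown cwd is represented.
func absolutePath(cwd, p string) string {
	if p == "" || cwd == "" || strings.HasPrefix(strings.Split(p, " ")[0], "/") {
		return p
	}
	return filepath.Join(cwd, p)
}

// … unchanged: UpdateLogs up to the continue …
log.Resource = absolutePath(log.Cwd, log.Resource)
```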
@@ -841,13 +846,23 @@ func (mon *SystemMonitor) TraceSyscall() {
 continue
 } else if ctx.EventID == SysExecveAt {
 if len(args) == 4 { // enter
- // build a pid node
- pidNode := mon.BuildPidNode(containerID, ctx, args[1].(string), args[2].([]string))
- mon.AddActivePid(containerID, pidNode)
+ var execPath string
 // generate a log with the base information
 log := mon.BuildLogBase(ctx.EventID, ContextCombined{ContainerID: containerID, ContextSys: ctx}, false)
+ if val, ok := args[1].(string); ok {
+ execPath = val // procExecPath
+ }
+ // fallback logic: in case we get relative path in execPath then we join cwd + execPath to get pull path
+ if !strings.HasPrefix(strings.Split(execPath, " ")[0], "/") && log.Cwd != "/" {
+ execPath = filepath.Join(log.Cwd, execPath)
+ }
+
+ // build a pid node
+ pidNode := mon.BuildPidNode(containerID, ctx, execPath, args[2].([]string))
+ mon.AddActivePid(containerID, pidNode)
+
 fd := ""
 procExecFlag := ""
@@ -855,9 +870,7 @@ func (mon *SystemMonitor) TraceSyscall() {
 if val, ok := args[0].(int32); ok {
 fd = strconv.Itoa(int(val))
 }
- if val, ok := args[1].(string); ok {
- log.Resource = val // procExecPath
- }
+ log.Resource = execPath
 if val, ok := args[2].([]string); ok {
 for idx, arg := range val { // procArgs
 if idx == 0 {
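Review bot: The rewritten `pidNode := mon.BuildPidNode(containerID, ctx, execPath, args[2].([]string))` keeps an unchecked type assertion on `args[2]` while the same commit switches `args[1]` to the checked `val, ok` form and the -855 hunk below reads `args[2]` with `if val, ok := args[2].([]string); ok`; a value that is not a []string panics inside TraceSyscall, which is the monitor's event loop. Make the two reads consistent by checking once before the call: `var procArgs []string`, `if val, ok := args[2].([]string); ok { procArgs = val }`, then `pidNode := mon.BuildPidNode(containerID, ctx, execPath, procArgs)`. When the `args[1]` assertion fails, execPath stays "" and the fallback block then rewrites it to the cwd before it reaches BuildPidNode and, via the -855 hunk, `log.Resource`, so an exec event with no recoverable path is recorded as an exec of the cwd directory. TraceSyscall starts and ends outside this hunk.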