kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0

Feature Enhancement: Is warning/disabling limited to only a subset of system calls? #1614

Open dejavudwh opened 8 months ago

dejavudwh commented 8 months ago

Is warning/disabling restricted to the system calls involved in the KubeArmor/KubeArmor/BPF/system_monitor.c file?

If so, is it possible to hook into raw_tracepoint/sys_enter, disable the system calls of the current process based on the system call number and the binary executable file path information of the task_struct, and then pass some key information to user space for further processing?

daemon1024 commented 8 months ago

@dejavudwh KubeArmor does not allow custom syscalls. We have a predefined set of hooks which are safe to work with to do enforcement. We specifically use BPF LSM for that.

I believe if you create a Block Policy for the process you want to Block. KubeArmor should already be blocking it without needing to hook into sys_enter.
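As an added illustration of the reply above (example policies written for this page, not taken from the thread or from the KubeArmor repository): the "warning" and "disabling" the question asks about map onto the policy `action` field, `Audit` and `Block`. Both policies below target a hypothetical workload labelled `app: nginx` in the `default` namespace and cover `/bin/sh` and `/bin/bash`; the label, namespace and paths are placeholders to adapt. Apply one or the other, not both at once for the same paths. Enforcement happens at the LSM hooks KubeArmor already provides (BPF-LSM or AppArmor, per the project description), so no sys_enter hook is involved.

```yaml
# Added example, not project code. Placeholders: namespace "default",
# selector label app=nginx, and the two shell paths.
#
# Variant 1: warn only. Executions are allowed but generate an alert.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: audit-shell-spawn
  namespace: default
spec:
  severity: 5
  selector:
    matchLabels:
      app: nginx
  process:
    matchPaths:
    - path: /bin/sh
    - path: /bin/bash
  action: Audit
---
# Variant 2: disable. The exec is denied by the LSM and an alert is raised.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-shell-spawn
  namespace: default
spec:
  severity: 8
  selector:
    matchLabels:
      app: nginx
  process:
    matchPaths:
    - path: /bin/sh
    - path: /bin/bash
  action: Block
```

Apply with `kubectl apply -f <file>` and exec a shell in a matching pod: under the Audit variant the shell starts and an alert appears in `karmor logs`; under the Block variant the exec fails with a permission error and the denial is logged the same way. The alert carries the process path, PID and container identity, which is the "key information to user space" the question asks for, delivered by the existing LSM hooks rather than a raw tracepoint.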