kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0

Snitch should not mount entire host rootfs #1705

Closed DelusionalOptimist closed 4 months ago

DelusionalOptimist commented 7 months ago

Feature Request

Short Description

KubeArmor snitch currently mounts the entire rootfs of the host (ref)

Describe the solution you'd like

We should specify the host path volume mounts at a more granular level. For example:

and so on...

We may use older KubeArmor daemonset for reference on the same.

rksharma95 commented 7 months ago

/var/run, /run to detect container runtime
/sys/kernel/ for btf, securityfs
/sys/module/apparmor/parameters/enabled ref: https://kubernetes.io/docs/tutorials/security/apparmor/#before-you-begin
/var/lib/kubelet/seccomp for seccomp
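As an added illustration that is not KubeArmor's own manifest and not code from this thread, here is what the issue description and the path list above look like side by side as DaemonSet specs: first the single whole-rootfs hostPath the issue objects to, then one read-only hostPath per thing the snitch needs, using exactly the host paths named in the thread. The DaemonSet names, labels and container image are placeholders.

```yaml
# Added illustration only; not KubeArmor's manifest. Names, labels and the
# image are placeholders; the host paths are the ones named in this thread.
#
# BEFORE: one hostPath for "/" exposes the whole node filesystem to the pod,
# so a compromise of the container is a compromise of the node.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: example-snitch-broad            # placeholder
spec:
  selector:
    matchLabels: {app: example-snitch-broad}
  template:
    metadata:
      labels: {app: example-snitch-broad}
    spec:
      containers:
        - name: snitch
          image: example.invalid/snitch:placeholder   # placeholder image
          volumeMounts:
            - {name: host-root, mountPath: /rootfs}   # read/write view of the host
      volumes:
        - name: host-root
          hostPath: {path: /}                         # the problem this issue raises
---
# AFTER: one read-only hostPath per thing the snitch actually needs.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: example-snitch-granular         # placeholder
spec:
  selector:
    matchLabels: {app: example-snitch-granular}
  template:
    metadata:
      labels: {app: example-snitch-granular}
    spec:
      containers:
        - name: snitch
          image: example.invalid/snitch:placeholder   # placeholder image
          securityContext:
            readOnlyRootFilesystem: true
          volumeMounts:
            # container runtime detection via its socket under /run or /var/run;
            # a read-only bind mount still permits connect() on a unix socket,
            # it only blocks file writes
            - {name: run, mountPath: /run, readOnly: true}
            - {name: var-run, mountPath: /var/run, readOnly: true}
            # BTF and securityfs live under /sys/kernel
            - {name: sys-kernel, mountPath: /sys/kernel, readOnly: true}
            # AppArmor availability check: a single sysfs file, not all of /sys
            - {name: apparmor-enabled, mountPath: /sys/module/apparmor/parameters/enabled, readOnly: true}
            # seccomp profiles the kubelet loads
            - {name: kubelet-seccomp, mountPath: /var/lib/kubelet/seccomp, readOnly: true}
      volumes:
        - {name: run, hostPath: {path: /run, type: Directory}}
        - {name: var-run, hostPath: {path: /var/run, type: Directory}}
        - {name: sys-kernel, hostPath: {path: /sys/kernel, type: Directory}}
        - {name: apparmor-enabled, hostPath: {path: /sys/module/apparmor/parameters/enabled, type: File}}
        # no type check here: the directory may be absent until a profile is installed
        - {name: kubelet-seccomp, hostPath: {path: /var/lib/kubelet/seccomp}}
```

The second manifest keeps the pod's reach into the node limited to the paths it can justify, and `readOnly: true` on each mount (plus a read-only container rootfs) means nothing the snitch touches on the host can be modified even if the container is compromised. The `type:` checks make the pod fail to start, rather than silently create directories, when a node lacks an expected path.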

Utkar5hM commented 7 months ago

I would like to work on this.

DelusionalOptimist commented 4 months ago

Fixed in https://github.com/kubearmor/KubeArmor/pull/1658

DelusionalOptimist commented 4 months ago

@Utkar5hM please check out issues with "good first issue" or "help wanted" label and let us know so that we can assign. Thanks : )