kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0
1.35k stars 335 forks

non-k8s: KubeArmor panics when not-enabled policy type is received #1787

Closed DelusionalOptimist closed 3 weeks ago

DelusionalOptimist commented 2 months ago

Bug Report

General Information

To Reproduce

  1. Modify make run target in KubeArmor's Makefile to something like below such that host policy is disabled:

    cd $(CURDIR); DEBUG=true sudo -E ./kubearmor -k8s=false -logPath=/tmp/kubearmor.log -enableKubeArmorPolicy -defaultFilePosture block -defaultCapabilitiesPosture block -defaultNetworkPosture block
    
  2. Once KubeArmor is running, send the below host policy by running karmor vm policy --gRPC=:32767 add <path-to-policy>:

    apiVersion: security.kubearmor.com/v1
    kind: KubeArmorHostPolicy
    metadata:
      name: hsp-block-sleep
    spec:
      severity: 10
      message: "sleep was attempted to be executed"
      tags:
      - ALERT
      nodeSelector:
        matchLabels:
          kubearmor.io/hostname: '*'
      process:
        matchPaths:
        - path: /usr/bin/sleep
      action: Block

    You'll see that KubeArmor panics and dies with the below log:

        panic: runtime error: invalid memory address or nil pointer dereference
        [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x189052c]

        goroutine 424 [running]:
        github.com/kubearmor/KubeArmor/KubeArmor/policy.(*PolicyServer).HostPolicy(0xc00460c3c0, {0x1c94900?, 0xc0039e5990?}, 0xc003be38c0)
                /usr/src/KubeArmor/KubeArmor/policy/policy.go:62 +0xac
        github.com/kubearmor/KubeArmor/protobuf._PolicyService_HostPolicy_Handler({0x1c94900, 0xc00460c3c0}, {0x22822a8, 0xc00471ef60}, 0xc004689780, 0x0)
                /usr/src/KubeArmor/protobuf/policy_grpc.pb.go:203 +0x1a6
        google.golang.org/grpc.(*Server).processUnaryRPC(0xc00022d200, {0x22822a8, 0xc00471eed0}, {0x228afa0, 0xc00472d080}, 0xc0048fe000, 0xc0046086c0, 0x335bd18, 0x0)
                /go/pkg/mod/google.golang.org/grpc@v1.63.2/server.go:1369 +0xdf8
        google.golang.org/grpc.(*Server).handleStream(0xc00022d200, {0x228afa0, 0xc00472d080}, 0xc0048fe000)
                /go/pkg/mod/google.golang.org/grpc@v1.63.2/server.go:1780 +0xe8b
        google.golang.org/grpc.(*Server).serveStreams.func2.1()
                /go/pkg/mod/google.golang.org/grpc@v1.63.2/server.go:1019 +0x8b
        created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 436
                /go/pkg/mod/google.golang.org/grpc@v1.63.2/server.go:1030 +0x125

Similar behavior is observed when container policy is disabled.

Expected behavior

KubeArmor should not panic and just log OR send back the response that policy enforcement for this kind (KubeArmorPolicy/KubeArmorHostPolicy) is not enabled.
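As an added illustration (this is not KubeArmor's code; the PolicyServer, HostEnforcer, request and response types below are hypothetical stand-ins for the real gRPC service and protobuf types), the following Go program models the failure mode in the report next to the guarded handler the expected behaviour asks for: when a policy kind is disabled, the corresponding enforcer is never constructed, so an unguarded handler dereferences a nil pointer and takes the whole daemon down on a single RPC, while the guarded handler checks the enable flag first and answers the caller with a non-zero status instead.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical request and response types, loosely modelled on what a gRPC
// PolicyService handler receives and returns. They are constructed for this
// example and are not KubeArmor's generated protobuf types.
type HostPolicyRequest struct {
	PolicyYAML string
}

type Response struct {
	Status  int32
	Message string
}

// ErrPolicyTypeDisabled is reported to the caller instead of panicking.
var ErrPolicyTypeDisabled = errors.New("policy enforcement for this kind is not enabled on this node")

// HostEnforcer stands in for the component that only exists when host policy
// handling is enabled; when it is disabled the pointer stays nil.
type HostEnforcer struct {
	applied []string
}

func (h *HostEnforcer) Apply(policyYAML string) {
	h.applied = append(h.applied, policyYAML)
}

// PolicyServer is the hypothetical gRPC service implementation.
type PolicyServer struct {
	HostPolicyEnabled bool
	host              *HostEnforcer // nil when HostPolicyEnabled is false
}

func NewPolicyServer(enableHostPolicy bool) *PolicyServer {
	s := &PolicyServer{HostPolicyEnabled: enableHostPolicy}
	if enableHostPolicy {
		s.host = &HostEnforcer{}
	}
	return s
}

// HostPolicyUnguarded reproduces the failure mode from the report: the handler
// assumes the enforcer exists and dereferences it unconditionally, so one
// HostPolicy RPC against a daemon started without host policy support crashes
// the process with a nil pointer dereference.
func (s *PolicyServer) HostPolicyUnguarded(req *HostPolicyRequest) (*Response, error) {
	s.host.Apply(req.PolicyYAML) // panics when s.host == nil
	return &Response{Status: 0, Message: "applied"}, nil
}

// HostPolicy is the guarded form matching the expected behaviour: if this
// policy kind is disabled, log it and answer with a non-zero status. The
// enforcer is only touched after the check.
func (s *PolicyServer) HostPolicy(req *HostPolicyRequest) (*Response, error) {
	if !s.HostPolicyEnabled || s.host == nil {
		fmt.Println("ignoring KubeArmorHostPolicy: " + ErrPolicyTypeDisabled.Error())
		return &Response{Status: 1, Message: ErrPolicyTypeDisabled.Error()}, nil
	}
	s.host.Apply(req.PolicyYAML)
	return &Response{Status: 0, Message: "applied"}, nil
}

// callRecovering invokes a handler and reports whether it panicked, so the
// two versions can be compared without taking the process down.
func callRecovering(h func(*HostPolicyRequest) (*Response, error), req *HostPolicyRequest) (resp *Response, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	resp, _ = h(req)
	return resp, false
}

func main() {
	// Constructed sample request; the YAML body is not parsed in this model.
	req := &HostPolicyRequest{PolicyYAML: "kind: KubeArmorHostPolicy\nmetadata:\n  name: hsp-block-sleep\n"}
	disabled := NewPolicyServer(false)
	if _, panicked := callRecovering(disabled.HostPolicyUnguarded, req); panicked {
		fmt.Println("unguarded handler: panic (daemon would die)")
	}
	resp, _ := callRecovering(disabled.HostPolicy, req)
	fmt.Printf("guarded handler: status=%d message=%q\n", resp.Status, resp.Message)
}
```

The check belongs at the top of every per-kind handler, not just the host one, since the report notes the same crash with container policy disabled; an enforcement daemon that can be killed by one malformed or unexpected control-plane message is a denial-of-service against its own protections, so the gRPC surface should fail closed with a status rather than fail by crashing.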

DelusionalOptimist commented 2 months ago

Related to https://github.com/kubearmor/KubeArmor/issues/1321

itsCheithanya commented 2 months ago

I'm interested in working on this issue @DelusionalOptimist

shishir-11 commented 2 months ago

Hi, I was hoping to contribute to KubeArmor and had set up my environment and the GitHub repo. Can someone tell me how to get started further and how I can learn more about it? I haven't used it before and am finding the issue a bit confusing: where do I use the 1st step and what is it used for?