policylibrary: add a catch all for setuid root

Signed-off-by: Djalal Harouni <[email protected]>
cilium · Nov 12, 2023 · 963e070 · 963e070
1 parent dda3bb6
commit 963e070
Showing 1 changed file with 246 additions and 0 deletions.
diff --git a/examples/policylibrary/privileges/privileges-setuid-root.yaml b/examples/policylibrary/privileges/privileges-setuid-root.yaml
@@ -0,0 +1,246 @@
+# This 'privileges-setuid-root' Tracing Policy monitors processes trying
+# to change their uids/gids to user root.
+#
+#  __sys_setuid
+#    - __x64_sys_setuid
+#    - __ia32_sys_setuid
+#    - __x64_sys_setuid16
+#    - __ia32_sys_setuid16
+#
+#  __sys_setgid
+#    - __x64_sys_setgid
+#    - __ia32_sys_setgid
+#    - __x64_sys_setgid16
+#    - __ia32_sys_setgid16
+#
+#  __sys_setreuid
+#    - __x64_sys_setreuid
+#    - __ia32_sys_setreuid
+#    - __x64_sys_setreuid16
+#    - __ia32_sys_setreuid16
+#
+#  __sys_setregid
+#    - __x64_sys_setregid
+#    - __ia32_sys_setregid
+#    - __x64_sys_setregid16
+#    - __ia32_sys_setregid16
+#
+# __sys_setresuid
+#    - __x64_sys_setresuid
+#    - __ia32_sys_setresuid
+#    - __x64_sys_setresuid16
+#    - __ia32_sys_setresuid16
+#
+# __sys_setresgid
+#    - __x64_sys_setresgid
+#    - __ia32_sys_setresgid
+#    - __x64_sys_setresgid16
+#    - __ia32_sys_setresgid16
+#
+# __sys_setfsuid
+#    - __x64_sys_setfsuid
+#    - __ia32_sys_setfsuid
+#    - __x64_sys_setfsuid16
+#    - __ia32_sys_setfsuid16
+#
+# __sys_setfsgid
+#    - __x64_sys_setfsgid
+#    - __ia32_sys_setfsgid
+#    - __x64_sys_setfsgid16
+#    - __ia32_sys_setfsgid16
+#
+
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "privileges-setuid-root.yaml"
+spec:
+  kprobes:
+  - call: "__sys_setuid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+  - call: "__sys_setgid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+  - call: "__sys_setreuid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    - index: 1
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+  - call: "__sys_setregid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    - index: 1
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+  - call: "__sys_setresuid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    - index: 1
+      type: "int"
+    - index: 2
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 1 # We care about the effective user id to reduce noise
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+    - matchArgs:
+      - index: 2
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+  - call: "__sys_setresgid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    - index: 1
+      type: "int"
+    - index: 2
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 1 # We care about the effective group id to reduce noise
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+    - matchArgs:
+      - index: 2
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+  - call: "__sys_setfsuid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min
+  - call: "__sys_setfsgid"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "0"
+      matchActions:
+      - action: Post
+        rateLimit: "1m"  # Rate limit messages to 1min