From c29634aed9e976a7051adf2363053d69956e1593 Mon Sep 17 00:00:00 2001 From: Djalal Harouni Date: Fri, 3 Nov 2023 00:33:33 +0100 Subject: [PATCH] policylibrary: add a catch all for setuid root Signed-off-by: Djalal Harouni --- examples/policylibrary/setuid-root.yaml | 220 ++++++++++++++++++++++++ 1 file changed, 220 insertions(+) create mode 100644 examples/policylibrary/setuid-root.yaml diff --git a/examples/policylibrary/setuid-root.yaml b/examples/policylibrary/setuid-root.yaml new file mode 100644 index 00000000000..24d72d6ec23 --- /dev/null +++ b/examples/policylibrary/setuid-root.yaml @@ -0,0 +1,220 @@ +# This 'setuid-root' Tracing Policy monitors processes trying to change +# their uids/gids to user root. +# +# __sys_setuid +# - __x64_sys_setuid +# - __ia32_sys_setuid +# - __x64_sys_setuid16 +# - __ia32_sys_setuid16 +# +# __sys_setgid +# - __x64_sys_setgid +# - __ia32_sys_setgid +# - __x64_sys_setgid16 +# - __ia32_sys_setgid16 +# +# __sys_setreuid +# - __x64_sys_setreuid +# - __ia32_sys_setreuid +# - __x64_sys_setreuid16 +# - __ia32_sys_setreuid16 +# +# __sys_setregid +# - __x64_sys_setregid +# - __ia32_sys_setregid +# - __x64_sys_setregid16 +# - __ia32_sys_setregid16 +# +# __sys_setresuid +# - __x64_sys_setresuid +# - __ia32_sys_setresuid +# - __x64_sys_setresuid16 +# - __ia32_sys_setresuid16 +# +# __sys_setresgid +# - __x64_sys_setresgid +# - __ia32_sys_setresgid +# - __x64_sys_setresgid16 +# - __ia32_sys_setresgid16 +# +# __sys_setfsuid +# - __x64_sys_setfsuid +# - __ia32_sys_setfsuid +# - __x64_sys_setfsuid16 +# - __ia32_sys_setfsuid16 +# +# __sys_setfsgid +# - __x64_sys_setfsgid +# - __ia32_sys_setfsgid +# - __x64_sys_setfsgid16 +# - __ia32_sys_setfsgid16 +# + +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicy +metadata: + name: "setuid-root.yaml" +spec: + kprobes: + - call: "__sys_setuid" + syscall: false + return: true + args: + - index: 0 + type: "int" + returnArg: + index: 0 + type: "int" + selectors: + - matchArgs: + - index: 0 + operator: "Equal" + values: + - "0" + - call: "__sys_setgid" + syscall: false + return: true + args: + - index: 0 + type: "int" + returnArg: + index: 0 + type: "int" + selectors: + - matchArgs: + - index: 0 + operator: "Equal" + values: + - "0" + - call: "__sys_setreuid" + syscall: false + return: true + args: + - index: 0 + type: "int" + - index: 1 + type: "int" + returnArg: + index: 0 + type: "int" + selectors: + - matchArgs: + - index: 0 + operator: "Equal" + values: + - "0" + - matchArgs: + - index: 1 + operator: "Equal" + values: + - "0" + - call: "__sys_setregid" + syscall: false + return: true + args: + - index: 0 + type: "int" + - index: 1 + type: "int" + returnArg: + index: 0 + type: "int" + selectors: + - matchArgs: + - index: 0 + operator: "Equal" + values: + - "0" + - matchArgs: + - index: 1 + operator: "Equal" + values: + - "0" + - call: "__sys_setresuid" + syscall: false + return: true + args: + - index: 0 + type: "int" + - index: 1 + type: "int" + - index: 2 + type: "int" + returnArg: + index: 0 + type: "int" + selectors: + - matchArgs: + - index: 0 + operator: "Equal" + values: + - "0" + - matchArgs: + - index: 1 + operator: "Equal" + values: + - "0" + - matchArgs: + - index: 2 + operator: "Equal" + values: + - "0" + - call: "__sys_setresgid" + syscall: false + return: true + args: + - index: 0 + type: "int" + - index: 1 + type: "int" + - index: 2 + type: "int" + returnArg: + index: 0 + type: "int" + selectors: + - matchArgs: + - index: 0 + operator: "Equal" + values: + - "0" + - matchArgs: + - index: 1 + operator: "Equal" + values: + - "0" + - matchArgs: + - index: 2 + operator: "Equal" + values: + - "0" + - call: "__sys_setfsuid" + syscall: false + return: true + args: + - index: 0 + type: "int" + returnArg: + index: 0 + type: "int" + selectors: + - matchArgs: + - index: 0 + operator: "Equal" + values: + - "0" + - call: "__sys_setfsgid" + syscall: false + return: true + args: + - index: 0 + type: "int" + returnArg: + index: 0 + type: "int" + selectors: + - matchArgs: + - index: 0 + operator: "Equal" + values: + - "0"