Improving fuzzers
Signed-off-by: prady0t <[email protected]>
prady0t committed Nov 10, 2024
1 parent 2273d81 commit e279e50
Showing 2 changed files with 205 additions and 91 deletions.
212 changes: 147 additions & 65 deletions KubeArmor/core/containerPolicy_fuzz_test.go
Expand Up @@ -5,6 +5,8 @@ package core
import (
"context"
"testing"
"encoding/json"
tp "github.com/kubearmor/KubeArmor/KubeArmor/types"

"github.com/kubearmor/KubeArmor/KubeArmor/policy"
pb "github.com/kubearmor/KubeArmor/protobuf"
Expand All @@ -13,78 +15,146 @@ import (
func FuzzContainerPolicy(f *testing.F) {
Data1 := &pb.Policy{
Policy: []byte(`
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-group-1-proc-path-block
namespace: multiubuntu
spec:
selector:
matchLabels:
group: group-1
process:
matchPaths:
- path: /bin/sleep
action:
Block
{
"type": "ContainerPolicy",
"object": {
"apiVersion": "security.kubearmor.com/v1",
"kind": "KubeArmorPolicy",
"metadata": {
"name": "ksp-group-1-proc-path-block",
"namespace": "multiubuntu"
},
"spec": {
"selector": {
"matchLabels": {
"group": "group-1"
}
},
"process": {
"matchPaths": [
{
"path": "/bin/sleep"
}
]
},
"action": "Block"
}
}
}
`),
}
//ksp-group-2-allow-file-path-from-source-path.yaml
Data2 := &pb.Policy{
Policy: []byte(`
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-group-2-allow-file-path-from-source-path
namespace: multiubuntu
spec:
severity: 5
message: "allow /bin/cat to access /secret.txt"
selector:
matchLabels:
group: group-2
process:
matchDirectories:
- dir: /bin/
recursive: true
file:
matchPaths:
- path: /secret.txt
fromSource:
- path: /bin/cat
- path: /dev/tty
- path: /lib/terminfo/x/xterm
matchDirectories:
- dir: /pts/
recursive: true
- dir: /proc/
recursive: true
- dir: /dev/
recursive: true
- dir: /lib/x86_64-linux-gnu/
- dir: /bin/
action:
Allow
{
"type": "ContainerPolicy",
"object": {
"apiVersion": "security.kubearmor.com/v1",
"kind": "KubeArmorPolicy",
"metadata": {
"name": "ksp-group-2-allow-file-path-from-source-path",
"namespace": "multiubuntu"
},
"spec": {
"severity": 5,
"message": "allow /bin/cat to access /secret.txt",
"selector": {
"matchLabels": {
"group": "group-2"
}
},
"process": {
"matchDirectories": [
{
"dir": "/bin/",
"recursive": true
}
]
},
"file": {
"matchPaths": [
{
"path": "/secret.txt",
"fromSource": [
{
"path": "/bin/cat"
}
]
},
{
"path": "/dev/tty"
},
{
"path": "/lib/terminfo/x/xterm"
}
],
"matchDirectories": [
{
"dir": "/pts/",
"recursive": true
},
{
"dir": "/proc/",
"recursive": true
},
{
"dir": "/dev/",
"recursive": true
},
{
"dir": "/lib/x86_64-linux-gnu/"
},
{
"dir": "/bin/"
}
]
},
"action": "Allow"
}
}
}
`),
}

Data3 := &pb.Policy{
Policy: []byte(`
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-ubuntu-1-allow-net-tcp-from-source
namespace: multiubuntu
spec:
severity: 8
selector:
matchLabels:
container: ubuntu-1
network:
matchProtocols:
- protocol: tcp
fromSource:
- path: /usr/bin/curl
action: Allow
{
"type": "ContainerPolicy",
"object": {
"apiVersion": "security.kubearmor.com/v1",
"kind": "KubeArmorPolicy",
"metadata": {
"name": "ksp-ubuntu-1-allow-net-tcp-from-source",
"namespace": "multiubuntu"
},
"spec": {
"severity": 8,
"selector": {
"matchLabels": {
"container": "ubuntu-1"
}
},
"network": {
"matchProtocols": [
{
"protocol": "tcp",
"fromSource": [
{
"path": "/usr/bin/curl"
}
]
}
]
},
"action": "Allow"
}
}
}
`),
}

Expand All @@ -101,12 +171,24 @@ spec:
policy := &pb.Policy{
Policy: data,
}
policyEvent := tp.K8sKubeArmorPolicyEvent{}
if err := json.Unmarshal(data, &policyEvent); err != nil {
// Skip invalid JSON requests that may be generated during fuzz
t.Skip("invalid json")
}
res, err := p.ContainerPolicy(context.Background(), policy)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if res.Status != pb.PolicyStatus_Invalid && res.Status != pb.PolicyStatus_Applied && res.Status != pb.PolicyStatus_Modified {
t.Errorf("Unexpected status: %v, %v", res.Status, data)
if res.Status != pb.PolicyStatus_Applied && res.Status != pb.PolicyStatus_Modified {
if policyEvent.Object.Metadata.Name == "" && res.Status == pb.PolicyStatus_Invalid{
t.Skip("no name metadata")
}
if len(policyEvent.Object.Spec.Selector.MatchLabels) == 0 && res.Status == pb.PolicyStatus_Invalid{
t.Skip("No labels to match found on policy.")
}

t.Errorf("Unexpected status: %v", res.Status)
}
})
}
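Review bot: Skipping any input that fails `json.Unmarshal` before `p.ContainerPolicy` is called (the new block at the top of the second hunk) drops the coverage a fuzzer exists for: the server's own decoding of malformed policy bytes is where a panic would matter, and those inputs no longer reach it, whereas the previous version exercised the call on every input. I would call ContainerPolicy first on everything, use the unmarshal result only as the oracle for whether an `Invalid` status is acceptable, and keep the two metadata skips after that; the rewritten lines are below. In the same hunk `t.Errorf("Unexpected error: %v", err)` does not stop the test, so the next line dereferences `res` regardless; if ContainerPolicy returns a nil response alongside the error that is a nil-pointer panic inside the fuzz target, so `t.Fatalf` is the safer call. The `"encoding/json"` import added in the first hunk is placed after `"testing"` instead of in sorted stdlib order, and `pb.PolicyStatus_Invalid{` is missing the space gofmt inserts. The same three points apply to hostPolicy_fuzz_test.go; the f.Fuzz closure and FuzzContainerPolicy open in the earlier hunk, outside this one.

```go
		policy := &pb.Policy{
			Policy: data,
		}
		// Call on every input, including non-JSON bytes: the server's own
		// policy decoding must not panic on malformed data.
		res, err := p.ContainerPolicy(context.Background(), policy)
		if err != nil {
			t.Fatalf("Unexpected error: %v", err)
		}
		if res.Status == pb.PolicyStatus_Applied || res.Status == pb.PolicyStatus_Modified {
			return
		}
		// Decode only to decide whether an Invalid status was expected.
		policyEvent := tp.K8sKubeArmorPolicyEvent{}
		if json.Unmarshal(data, &policyEvent) != nil {
			if res.Status == pb.PolicyStatus_Invalid {
				t.Skip("invalid json")
			}
			t.Fatalf("Unexpected status: %v for malformed input", res.Status)
		}
		// … unchanged: empty-name and empty-selector skips, final t.Errorf …
```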
84 changes: 58 additions & 26 deletions KubeArmor/core/hostPolicy_fuzz_test.go
Expand Up @@ -7,35 +7,58 @@ import (
"github.com/kubearmor/KubeArmor/KubeArmor/policy"
pb "github.com/kubearmor/KubeArmor/protobuf"
"testing"
"encoding/json"
tp "github.com/kubearmor/KubeArmor/KubeArmor/types"

)

func FuzzHostPolicy(f *testing.F) {
data := &pb.Policy{
Policy: []byte(`
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
name: hsp-cve-2019-14271
spec:
tags: ["CVE-2019-14271","docker-cp","libraries","docker-tar","root-code-execution"]
message: "Alert! Docker Binary Has Been Executed."
nodeSelector:
matchLabels:
kubernetes.io/hostname: gke-ubuntu #change with your hostname
process:
severity: 2
matchPaths:
- path: /usr/bin/docker
- path: /usr/sbin/chroot
- path: /usr/lib/tar
- path: /usr/lib/chmod
action: Block
file:
severity: 3
matchDirectories:
- dir: /lib/x86_64-linux-gnu/
- dir: /var/log/
action: Block
{
"type": "HostPolicy",
"object": {
"apiVersion": "security.kubearmor.com/v1",
"kind": "KubeArmorHostPolicy",
"metadata": {
"name": "hsp-cve-2019-14271"
},
"spec": {
"tags": [
"CVE-2019-14271",
"docker-cp",
"libraries",
"docker-tar",
"root-code-execution"
],
"message": "Alert! Docker Binary Has Been Executed.",
"nodeSelector": {
"matchLabels": {
"kubernetes.io/hostname": "gke-ubuntu"
}
},
"process": {
"severity": 2,
"matchPaths": [
{ "path": "/usr/bin/docker" },
{ "path": "/usr/sbin/chroot" },
{ "path": "/usr/lib/tar" },
{ "path": "/usr/lib/chmod" }
],
"action": "Block"
},
"file": {
"severity": 3,
"matchDirectories": [
{ "dir": "/lib/x86_64-linux-gnu/" },
{ "dir": "/var/log/" }
],
"action": "Block"
}
}
}
`),
}
dm := NewKubeArmorDaemon()
Expand All @@ -48,12 +71,21 @@ spec:
policy := &pb.Policy{
Policy: data,
}
policyEvent := tp.K8sKubeArmorPolicyEvent{}
if err := json.Unmarshal(data, &policyEvent); err != nil {
// Skip invalid JSON requests that may be generated during fuzz
t.Skip("invalid json")
}
res, err := p.HostPolicy(context.Background(), policy)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if res.Status != pb.PolicyStatus_Invalid && res.Status != pb.PolicyStatus_Applied {
t.Errorf("Unexpected status: %v, %v", res.Status, data)
if len(policyEvent.Object.Spec.Selector.MatchLabels) == 0 && res.Status == pb.PolicyStatus_Invalid{
t.Skip("No labels to match found on policy.")
}

if res.Status != pb.PolicyStatus_Applied {
t.Errorf("Unexpected status: %v", res.Status)
}
})
}
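Review bot: The skip at `len(policyEvent.Object.Spec.Selector.MatchLabels) == 0` tests a field a host policy never sets — the seed in the first hunk uses a `"nodeSelector"` block, and `tp.K8sKubeArmorPolicyEvent` is the container-policy event type — so every `Invalid` result from HostPolicy is skipped and the `t.Errorf` below can only fire for a status that is neither Applied nor Invalid. If the types package exposes a host-policy event type (I believe it is `tp.K8sKubeArmorHostPolicyEvent`, whose spec carries `NodeSelector.MatchLabels`; please confirm), decode into that and check `len(policyEvent.Object.Spec.NodeSelector.MatchLabels) == 0` instead, so that a labelled host policy that is still rejected is reported rather than skipped. The decode-before-call, the `t.Errorf` followed by a `res.Status` dereference, and the import-ordering points raised on containerPolicy_fuzz_test.go apply to this file unchanged; the extra blank line before `)` in the import block would also be removed by gofmt. The f.Fuzz closure this second hunk edits opens outside the hunk.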
