SCTP socket type not supported hence Open5GS AMF failing #1807

Open
nyrahul opened this issue Jul 14, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@nyrahul (Contributor) commented Jul 14, 2024

Bug Report

In the context of 5G-based workloads, I was getting "Data":"lsm=SOCKET_ACCEPT unknown" and the corresponding network call was denied. I suspect that this could be because it is an SCTP socket.

General Information

❯ k get nodes -o wide
NAME                          STATUS   ROLES    AGE     VERSION                INTERNAL-IP   EXTERNAL-IP   OS-IMAGE         KERNEL-VERSION                  CONTAINER-RUNTIME
ip-10-1-30-183.ec2.internal   Ready    <none>   5h42m   v1.27.12-eks-ae9a62a   10.1.30.183   <none>        Amazon Linux 2   5.10.219-208.866.amzn2.x86_64   containerd://1.7.11
  • Environment description (GKE, VM-Kubeadm, vagrant-dev-env, minikube, microk8s, ...)
    EKS Amazon Linux 2
  • Kernel version (run uname -a)
    5.10.219-208.866.amzn2.x86_64
  • Orchestration system version in use (e.g. kubectl version, ...)
    v1.27.12-eks-ae9a62a
  • Link to relevant artifacts (policies, deployments scripts, ...)
    Policy used:
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: open5gs-amf-zero-trust
  namespace: open5gs
spec:
  action: Allow
  file:
    matchDirectories:
    - dir: /
      recursive: true
    - dir: /open5gs/
      recursive: true
      action: Block
      severity: 10
      message: unauthorized access to open5GS data
    - dir: /open5gs/
      recursive: true
      fromSource:
      - path: /usr/bin/open5gs-amfd
  network:
    matchProtocols:
    - fromSource:
      - path: /usr/bin/open5gs-amfd
      - path: /usr/bin/perl
      - path: /usr/lib/apt/methods/http
      - path: /usr/lib/apt/methods/https
      - path: /usr/lib/apt/methods/store
      - path: /usr/sbin/usermod
      protocol: raw
    - fromSource:
      - path: /usr/bin/open5gs-amfd
      - path: /usr/bin/perl
      - path: /usr/lib/apt/methods/http
      - path: /usr/lib/apt/methods/https
      - path: /usr/lib/apt/methods/store
      - path: /usr/sbin/usermod
      protocol: tcp
    - fromSource:
      - path: /usr/bin/open5gs-amfd
      - path: /usr/bin/perl
      - path: /usr/lib/apt/methods/https
      - path: /usr/lib/apt/methods/store
      - path: /usr/sbin/usermod
      protocol: icmp
    - fromSource:
      - path: /usr/bin/open5gs-amfd
      - path: /usr/bin/perl
      - path: /usr/lib/apt/methods/https
      - path: /usr/lib/apt/methods/store
      - path: /usr/sbin/usermod
      protocol: udp
  process:
    matchPaths:
    - path: /bin/sh
    - path: /usr/bin/containerd-shim-runc-v2
    - path: /usr/bin/dash
    - path: /usr/bin/dirname
    - path: /usr/bin/dpkg
    - path: /usr/bin/gpgv
    - path: /usr/bin/mktemp
    - path: /usr/bin/open5gs-amfd
    - path: /usr/bin/perl
    - path: /usr/bin/sh
    - path: /usr/lib/apt/methods/http
    - path: /usr/lib/apt/methods/https
    - path: /usr/lib/apt/methods/store
    - path: /usr/sbin/usermod
  selector:
    matchLabels:
      epc-mode: amf-1
      epc-prom: enabled
  severity: 1
  • Target containers/pods
    deployment/core5g-amf-1-deployment

To Reproduce

  1. Install Open5GS on an EKS cluster
  2. Apply the given least-permissive KubeArmor policy
  3. You will start seeing the network socket calls fail

Expected behavior
Open5GS AMF Network calls should not fail.


Screenshots

{
  "Action": "Block",
  "ClusterName": "EKS-5GC-Telco",
  "ContainerID": "b556b1b888f1382df304f79deb4cb539ec8fb085545dfbde3386ab950cc58ce0",
  "ContainerImage": "975050082972.dkr.ecr.us-east-1.amazonaws.com/ecr-cdk-stack-myopen5gs41a0c7ec-rcfbesuhqyuc:v265@sha256:1a9962289afca078bb327d4d41723185e9bf0d74913e7b92145df99ff62e167e",
  "ContainerName": "amf",
  "Cwd": "/",
  "Data": "lsm=SOCKET_ACCEPT unknown",
  "Enforcer": "BPFLSM",
  "HostName": "ip-10-1-30-183.ec2.internal",
  "HostPID": 165390,
  "HostPPID": 161818,
  "Labels": "epc-prom=enabled,epc-mode=amf-1",
  "NamespaceName": "open5gs",
  "Operation": "Network",
  "Owner": {
    "Name": "core5g-amf-1-deployment",
    "Namespace": "open5gs",
    "Ref": "Deployment"
  },
  "PID": 336,
  "PPID": 1,
  "PodName": "core5g-amf-1-deployment-858fd8c74-b89h2",
  "PolicyName": "DefaultPosture",
  "ProcessName": "/usr/bin/open5gs-amfd",
  "Resource": "unknown",
  "Result": "Permission denied",
  "Source": "/usr/bin/open5gs-amfd",
  "Timestamp": 1720983437,
  "Type": "MatchedPolicy",
  "UID": 0,
  "UpdatedTime": "2024-07-14T18:57:17.605Z",
  "_id": "66942232d5f4854cd277c61a",
  "cluster_id": "32687",
  "component_name": "kubearmor",
  "instanceGroup": "0",
  "instanceID": "0",
  "tenant_id": "5053",
  "workload": "1"
}
@nyrahul nyrahul added the bug Something isn't working label Jul 14, 2024
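The alert above is the only evidence on this page of what an unsupported socket type looks like to the BPF LSM enforcer: a Network operation blocked by DefaultPosture (the fallback an Allow-only policy applies to anything it does not list), with the protocol reported as "unknown" in both Data and Resource. The following script is an added triage example, not KubeArmor or Open5GS code, that scans KubeArmor alert JSON lines for exactly that signature and reports, per process, how many such denials occurred and which protocols the posted policy already allows for that binary, so the reader can tell a missing fromSource entry apart from a protocol the enforcer could not classify. The allowed-protocol lookup is copied by hand from the issue's matchProtocols rules; the sample alerts other than the first (a trimmed copy of the one in the issue) are constructed, and their Data values for other hooks are illustrative.

```python
"""Triage KubeArmor alerts for socket operations the BPF LSM enforcer could not classify.

Added example, not KubeArmor or Open5GS code. Field names follow the alert shown
in the issue; the extra sample lines and the ALLOWED_PROTOCOLS table are constructed.
"""
import json


# Protocols the issue's policy allows for the AMF binary, taken from its
# network.matchProtocols entries (constructed lookup, not parsed from the YAML).
ALLOWED_PROTOCOLS = {
    "/usr/bin/open5gs-amfd": {"raw", "tcp", "icmp", "udp"},
}

# Constructed sample telemetry: line 1 mirrors the alert in the issue (trimmed
# to the fields used here); lines 2-4 are made up to exercise the filter.
SAMPLE_ALERTS = [
    '{"Action":"Block","Operation":"Network","Enforcer":"BPFLSM",'
    '"Data":"lsm=SOCKET_ACCEPT unknown","PolicyName":"DefaultPosture",'
    '"ProcessName":"/usr/bin/open5gs-amfd","Resource":"unknown",'
    '"Result":"Permission denied","NamespaceName":"open5gs","PID":336}',
    # constructed: an allowed outbound TCP connect by the same binary
    '{"Action":"Allow","Operation":"Network","Enforcer":"BPFLSM",'
    '"Data":"lsm=SOCKET_CONNECT","PolicyName":"open5gs-amf-zero-trust",'
    '"ProcessName":"/usr/bin/open5gs-amfd","Resource":"tcp",'
    '"Result":"Passed","NamespaceName":"open5gs","PID":336}',
    # constructed: a file denial from another process, must be ignored
    '{"Action":"Block","Operation":"File","Enforcer":"BPFLSM",'
    '"Data":"lsm=FILE_OPEN","PolicyName":"open5gs-amf-zero-trust",'
    '"ProcessName":"/usr/bin/perl","Resource":"/open5gs/config",'
    '"Result":"Permission denied","NamespaceName":"open5gs","PID":410}',
    # constructed: a second unclassified accept from a later AMF worker
    '{"Action":"Block","Operation":"Network","Enforcer":"BPFLSM",'
    '"Data":"lsm=SOCKET_ACCEPT unknown","PolicyName":"DefaultPosture",'
    '"ProcessName":"/usr/bin/open5gs-amfd","Resource":"unknown",'
    '"Result":"Permission denied","NamespaceName":"open5gs","PID":512}',
]


def parse_alert(line: str) -> dict:
    """One KubeArmor alert per JSON line (the shape shown in the issue)."""
    return json.loads(line)


def is_unclassified_socket_denial(alert: dict) -> bool:
    """True when the enforcer blocked a socket hook it could not map to a protocol.

    Signature taken from the issue's alert: Network operation, Block action, Data of
    the form "lsm=SOCKET_<HOOK> unknown", Resource "unknown", and the decision coming
    from DefaultPosture, i.e. no matchProtocols rule matched the socket at all.
    """
    if alert.get("Operation") != "Network" or alert.get("Action") != "Block":
        return False
    hook, _, proto = alert.get("Data", "").partition(" ")
    return (
        hook.startswith("lsm=SOCKET_")
        and proto.strip() == "unknown"
        and alert.get("Resource") == "unknown"
        and alert.get("PolicyName") == "DefaultPosture"
    )


def triage(lines):
    """Group unclassified-socket denials by (namespace, process).

    Each finding carries the denial count, the LSM hooks involved, and the protocols
    the policy already allows for that binary. A non-empty allowed list alongside
    "unknown" denials means the binary is already a permitted fromSource and the gap
    is a socket type the enforcer did not classify, not a missing path entry.
    """
    findings = {}
    for line in lines:
        alert = parse_alert(line)
        if not is_unclassified_socket_denial(alert):
            continue
        key = (alert.get("NamespaceName"), alert.get("ProcessName"))
        entry = findings.setdefault(key, {
            "count": 0,
            "hooks": {},
            "allowed_protocols": sorted(ALLOWED_PROTOCOLS.get(key[1], ())),
        })
        entry["count"] += 1
        hook = alert["Data"].split(" ")[0][len("lsm="):]
        entry["hooks"][hook] = entry["hooks"].get(hook, 0) + 1
    return findings


if __name__ == "__main__":
    for (ns, proc), info in triage(SAMPLE_ALERTS).items():
        print(f"{ns}/{proc}: {info['count']} unclassified socket denial(s) "
              f"via {info['hooks']}; policy already allows {info['allowed_protocols']}")
```

Run against a file of exported alerts with `triage(open("alerts.jsonl"))` (the function accepts any iterable of lines). The check deliberately keys on PolicyName being DefaultPosture: a denial attributed to the named policy would instead mean an explicit Block rule fired, which is a different problem from the one in this issue.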