added escape_to_host

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

examples/namespaced/escape-to-host-si-sib.yaml

@@ -0,0 +1,26 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: escape-to-host
+spec:
+  intent:
+    id: escapeToHost
+    description: "A attacker can breach container boundaries and can gain access to the host machine"
+    action: Block
+
+---
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+  name: escape-to-host-binding
+spec:
+  intents:
+    - name: escape-to-host
+  selector:
+    any:
+      - resources:
+          kind: Pod
+          namespace: default
+          matchLabels:
+            app: nginx   

pkg/adapter/idpool/idpool.go

@@ -16,11 +16,24 @@ const (
 	DNSManipulation           = "dnsManipulation"
 	NetPortExec               = "netPortExec"
 	SysPathExec               = "sysPathExec"
+	EscapeToHost              = "escapeToHost"
+	DisallowChRoot            = "disallowChRoot"
+	DisallowCapabilities      = "disallowCapabilities"
+	DisallowMatchPath         = "disallowMatchPath"
 )
 
 // KaIds are IDs supported by KubeArmor.
 var KaIds = []string{
-	SwDeploymentTools, UnAuthorizedSaTokenAccess, DNSManipulation,
+	SwDeploymentTools, UnAuthorizedSaTokenAccess, DNSManipulation, EscapeToHost,
+}
+
+// list of policies which satisfies the given ID by Kubearmor
+var KaIDPolicies = map[string][]string{
+	EscapeToHost: {
+		DisallowChRoot,
+		DisallowCapabilities,
+		DisallowMatchPath,
+	},
 }
 
 // NetPolIDs are IDs supported by Network Policy adapter.

pkg/adapter/nimbus-kubearmor/go.mod

@@ -2,8 +2,10 @@ module github.com/5GSEC/nimbus/pkg/adapter/nimbus-kubearmor
 
 go 1.21
 
+replace github.com/5GSEC/nimbus => ../../../
+
 require (
-	github.com/5GSEC/nimbus v0.0.0-20240305043055-359d519c1d9f
+	github.com/5GSEC/nimbus v0.0.0-20240313065715-b91563b0ccd3
 	github.com/go-logr/logr v1.4.1
 	github.com/kubearmor/KubeArmor/pkg/KubeArmorController v0.0.0-20240125171707-8e6641511fe3
 	k8s.io/apimachinery v0.29.1

pkg/adapter/nimbus-kubearmor/go.sum

@@ -1,5 +1,3 @@
-github.com/5GSEC/nimbus v0.0.0-20240305043055-359d519c1d9f h1:FOwBcqhGFm8RXXjgJTdBhjhb3k5UbaDOJ6TpK+5Zmvk=
-github.com/5GSEC/nimbus v0.0.0-20240305043055-359d519c1d9f/go.mod h1:FflBHoOu8LpzZJucobgLdGG4j+22A97JX8cXlNY1fXc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=

pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go

@@ -16,18 +16,33 @@ import (
 func BuildKspsFrom(logger logr.Logger, np *v1.NimbusPolicy) []kubearmorv1.KubeArmorPolicy {
 	// Build KSPs based on given IDs
 	var ksps []kubearmorv1.KubeArmorPolicy
+	var ksp kubearmorv1.KubeArmorPolicy
 	for _, nimbusRule := range np.Spec.NimbusRules {
 		id := nimbusRule.ID
 		if idpool.IsIdSupportedBy(id, "kubearmor") {
-			ksp := buildKspFor(id)
-			ksp.Name = np.Name + "-" + strings.ToLower(id)
-			ksp.Namespace = np.Namespace
-			ksp.Spec.Message = nimbusRule.Description
-			ksp.Spec.Selector.MatchLabels = np.Spec.Selector.MatchLabels
-			ksp.Spec.Action = kubearmorv1.ActionType(nimbusRule.Rule.RuleAction)
-			processRuleParams(&ksp, nimbusRule.Rule)
-			addManagedByAnnotation(&ksp)
-			ksps = append(ksps, ksp)
+			if _, ok := idpool.KaIDPolicies[id]; ok {
+				for _, policyName := range idpool.KaIDPolicies[id] {
+					ksp = buildKspFor(policyName)
+					ksp.Name = np.Name + "-" + strings.ToLower(id) + "-" + strings.ToLower(policyName)
+					ksp.Namespace = np.Namespace
+					ksp.Spec.Message = nimbusRule.Description
+					ksp.Spec.Selector.MatchLabels = np.Spec.Selector.MatchLabels
+					ksp.Spec.Action = kubearmorv1.ActionType(nimbusRule.Rule.RuleAction)
+					processRuleParams(&ksp, nimbusRule.Rule)
+					addManagedByAnnotation(&ksp)
+					ksps = append(ksps, ksp)
+				}
+			} else {
+				ksp = buildKspFor(id)
+				ksp.Name = np.Name + "-" + strings.ToLower(id)
+				ksp.Namespace = np.Namespace
+				ksp.Spec.Message = nimbusRule.Description
+				ksp.Spec.Selector.MatchLabels = np.Spec.Selector.MatchLabels
+				ksp.Spec.Action = kubearmorv1.ActionType(nimbusRule.Rule.RuleAction)
+				processRuleParams(&ksp, nimbusRule.Rule)
+				addManagedByAnnotation(&ksp)
+				ksps = append(ksps, ksp)
+			}	
 		} else {
 			logger.Info("KubeArmor does not support this ID", "ID", id,
 				"NimbusPolicy", np.Name, "NimbusPolicy.Namespace", np.Namespace)
@@ -45,6 +60,12 @@ func buildKspFor(id string) kubearmorv1.KubeArmorPolicy {
 		return unAuthorizedSaTokenAccessKsp()
 	case idpool.DNSManipulation:
 		return dnsManipulationKsp()
+	case idpool.DisallowChRoot:
+		return disallowChRoot()
+	case idpool.DisallowCapabilities:
+		return disallowCapabilities()
+	case idpool.DisallowMatchPath:
+		return disallowMatchPath()
 	default:
 		return kubearmorv1.KubeArmorPolicy{}
 	}
@@ -184,6 +205,166 @@ func swDeploymentToolsKsp() kubearmorv1.KubeArmorPolicy {
 	}
 }
 
+func disallowCapabilities() kubearmorv1.KubeArmorPolicy {
+	return kubearmorv1.KubeArmorPolicy{
+		Spec: kubearmorv1.KubeArmorPolicySpec{
+			Capabilities: kubearmorv1.CapabilitiesType{
+				MatchCapabilities: []kubearmorv1.MatchCapabilitiesType{
+					{
+						Capability: "sys_admin",
+					},
+					{
+						Capability: "sys_ptrace",
+					},
+					{
+						Capability: "sys_module",
+					},
+					{
+						Capability: "dac_read_search",
+					},
+					{
+						Capability: "dac_override",
+					},
+				},
+			},
+		},
+	}
+}
+
+func disallowChRoot() kubearmorv1.KubeArmorPolicy {
+	return kubearmorv1.KubeArmorPolicy{
+		Spec: kubearmorv1.KubeArmorPolicySpec{
+			Process: kubearmorv1.ProcessType{
+				MatchPaths: []kubearmorv1.ProcessPathType{
+					{
+						Path: "/usr/sbin/chroot",
+					},
+					{
+						Path: "/sbin/chroot",
+					},
+				},
+			},
+		},
+	}
+}
+
+
+func disallowMatchPath() kubearmorv1.KubeArmorPolicy {
+	return kubearmorv1.KubeArmorPolicy{
+		Spec: kubearmorv1.KubeArmorPolicySpec{
+			Process: kubearmorv1.ProcessType{
+				MatchPaths: []kubearmorv1.ProcessPathType{
+					{
+						Path: "/usr/bin/apt",
+					},
+					{
+						Path: "/usr/bin/apt-get",
+					},
+					{
+						Path: "/bin/apt-get",
+					},
+					{
+						Path: "/bin/apt",
+					},
+					{
+						Path: "/sbin/apk",
+					},
+					{
+						Path: "/usr/bin/dpkg",
+					},
+					{
+						Path: "/bin/dpkg",
+					},
+					{
+						Path: "/usr/bin/gdebi",
+					},
+					{
+						Path: "/bin/gdebi",
+					},
+					{
+						Path: "/usr/bin/make",
+					},
+					{
+						Path: "/bin/make",
+					},
+					{
+						Path: "/usr/bin/yum",
+					},
+					{
+						Path: "/bin/yum",
+					},
+					{
+						Path: "/usr/bin/rpm",
+					},
+					{
+						Path: "/bin/rpm",
+					},
+					{
+						Path: "/usr/bin/dnf",
+					},
+					{
+						Path: "/bin/dnf",
+					},
+					{
+						Path: "/usr/bin/pacman",
+					},
+					{
+						Path: "/bin/pacman",
+					},
+					{
+						Path: "/sbin/pacman",
+					},
+					{
+						Path: "/usr/bin/makepkg",
+					},
+					{
+						Path: "/bin/makepkg",
+					},
+					{
+						Path: "/sbin/makepkg",
+					},
+					{
+						Path: "/usr/bin/yaourt",
+					},
+					{
+						Path: "/usr/sbin/yaourt",
+					},
+					{
+						Path: "/bin/yaourt",
+					},
+					{
+						Path: "/sbin/yaourt",
+					},
+					{
+						Path: "/usr/bin/zypper",
+					},
+					{
+						Path: "/bin/zypper",
+					},
+					{
+						Path: "/usr/bin/curl",
+					},
+					{
+						Path: "/bin/curl",
+					},
+					{
+						Path: "/usr/local/bin/curl",
+					},
+					{
+						Path: "/usr/bin/wget",
+					},
+					{
+						Path: "/bin/wget",
+					},
+					{
+						Path: "/usr/local/bin/curl",
+					},
+				},	
+			},
+		},
+	}
+}
+
 func addManagedByAnnotation(ksp *kubearmorv1.KubeArmorPolicy) {
 	ksp.Annotations = make(map[string]string)
 	ksp.Annotations["app.kubernetes.io/managed-by"] = "nimbus-kubearmor"