* add securityContext * fix typo * update exploitation section * update monitoring section * update gcc install * update build path * update readme * add core pattern edge * update groovy entry * map container with node directly * update filename * add edge test * add dsl test * generate vertex test * add root condition * update links * fix traversal source test * add new line * Update docs/reference/attacks/CE_UMH_CORE_PATTERN.md Co-authored-by: jt-dd <[email protected]> * Update docs/reference/attacks/CE_UMH_CORE_PATTERN.md Co-authored-by: jt-dd <[email protected]> * Update CONTRIBUTING.md Co-authored-by: jt-dd <[email protected]> * resolve merge conflict * update bash command * fix typo * fix typo again --------- Co-authored-by: jt-dd <[email protected]>
1 parent
9b3f259
commit c532f89
Showing
9 changed files
with
135 additions
and
17 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
package edge | ||
|
||
import ( | ||
"context" | ||
|
||
"github.com/DataDog/KubeHound/pkg/kubehound/graph/adapter" | ||
"github.com/DataDog/KubeHound/pkg/kubehound/graph/types" | ||
"github.com/DataDog/KubeHound/pkg/kubehound/models/converter" | ||
"github.com/DataDog/KubeHound/pkg/kubehound/models/shared" | ||
"github.com/DataDog/KubeHound/pkg/kubehound/storage/cache" | ||
"github.com/DataDog/KubeHound/pkg/kubehound/storage/storedb" | ||
"github.com/DataDog/KubeHound/pkg/kubehound/store/collections" | ||
"go.mongodb.org/mongo-driver/bson" | ||
) | ||
|
||
var ProcMountList = bson.A{ | ||
"/", | ||
"/proc", | ||
"/proc/sys", | ||
"/proc/sys/kernel", | ||
} | ||
|
||
func init() { | ||
Register(&EscapeCorePattern{}, RegisterDefault) | ||
} | ||
|
||
type EscapeCorePattern struct { | ||
BaseContainerEscape | ||
} | ||
|
||
func (e *EscapeCorePattern) Label() string { | ||
return "CE_UMH_CORE_PATTERN" | ||
} | ||
|
||
func (e *EscapeCorePattern) Name() string { | ||
return "ContainerEscapeCorePattern" | ||
} | ||
|
||
func (e *EscapeCorePattern) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error) { | ||
return containerEscapeProcessor(ctx, oic, e.Label(), entry) | ||
} | ||
|
||
func (e *EscapeCorePattern) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader, | ||
callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error { | ||
containers := adapter.MongoDB(store).Collection(collections.ContainerName) | ||
|
||
pipeline := []bson.M{ | ||
{ | ||
"$match": bson.M{ | ||
"k8.securitycontext.runasuser": 0, | ||
"runtime.runID": e.runtime.RunID.String(), | ||
"runtime.cluster": e.runtime.ClusterName, | ||
}, | ||
}, | ||
{ | ||
"$lookup": bson.M{ | ||
"as": "procMountContainers", | ||
"from": "volumes", | ||
"let": bson.M{ | ||
"rootContainerId": "$container_id", | ||
}, | ||
"pipeline": []bson.M{ | ||
{ | ||
"$match": bson.M{ | ||
"$and": bson.A{ | ||
bson.M{"$expr": bson.M{ | ||
"$eq": bson.A{ | ||
"$container_id", "$$rootContainerId", | ||
}, | ||
}}, | ||
}, | ||
"type": shared.VolumeTypeHost, | ||
"source": bson.M{ | ||
"$in": ProcMountList, | ||
}, | ||
"runtime.runID": e.runtime.RunID.String(), | ||
"runtime.cluster": e.runtime.ClusterName, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
{ | ||
"$project": bson.M{ | ||
"_id": 1, | ||
"node_id": 1, | ||
}, | ||
}, | ||
} | ||
|
||
cur, err := containers.Aggregate(ctx, pipeline) | ||
if err != nil { | ||
return err | ||
} | ||
defer cur.Close(ctx) | ||
|
||
return adapter.MongoCursorHandler[containerEscapeGroup](ctx, cur, callback, complete) | ||
} |
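Review bot: The `$match` stage in Stream only selects containers whose security context explicitly sets `runasuser` to 0, so a container with no `runAsUser` at all (which runs as whatever user the image defaults to, frequently root) is never considered for this edge; if that narrowing is intended it deserves a comment such as `// Only containers that explicitly request UID 0 are considered; a missing runAsUser is treated as non-root, which may under-report images whose default user is root.` Likewise the `$lookup` matches the volume `source` by exact string against ProcMountList, so a hostPath written as `/proc/sys/kernel/` or a sub-path below it would presumably not match — worth stating next to the list so the coverage limit is explicit rather than implicit. The `$and` wrapper around the single `$expr` clause is redundant and can be flattened to `"$expr": bson.M{"$eq": bson.A{"$container_id", "$$rootContainerId"}}`. Exported names `ProcMountList` and `EscapeCorePattern` (and its methods) have no doc comments; a line like `// ProcMountList lists the hostPath sources that expose the kernel's core_pattern setting to a container.` on the var and `// EscapeCorePattern builds CE_UMH_CORE_PATTERN edges from root containers that mount one of ProcMountList from the host.` on the type would satisfy the Go convention.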