Bypass research issues #1810
Conversation
Welcome @sberkovich! It looks like this is your first PR to falcosecurity/falco 🎉
9d73727 to 6ee8296
66018a2 to a555565
a555565 to 9c3fa54
After the conversation with @leogr, removing the commit that extended the sensitive directories macro. This leaves the symlinks creation rule open for bypass (see original research), but may result in too many FPs as circleci tests showed. Note: reconsider expanding sensitive directory macro in the future to "contains" /etc/ and /root/
/assign @mstemm
/kind rule-update
9c3fa54 to e31a771
Hey @sberkovich Could you rebase, please?
e31a771 to 596ed53
596ed53 to 571c038
571c038 to 45d93bc
Guys, I'd love to get it into 0.31. Any more feedback? I'll commit as much time as needed.
New rule to prevent hardlink bypass and symlink rule set to WARNING for consistency
Signed-off-by: Shay Berkovich <[email protected]>
Co-authored-by: Meera Balsara <[email protected]>

…protocols
Signed-off-by: Shay Berkovich <[email protected]>
Co-authored-by: Meera Balsara <[email protected]>

…mmon CVE-2021-3156 exploit
Signed-off-by: Shay Berkovich <[email protected]>
Co-authored-by: Meera Balsara <[email protected]>
45d93bc to ee3deac
/approve
LGTM label has been added. Git tree hash: 273efa984b5053069a6d6cfa0c28c95aa6b4d9d6
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Kaizhe, leogr, sberkovich The full list of commands accepted by this bot can be found here. The pull request process is described here
What type of PR is this?
/kind rule-update
/kind rule-create
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
This PR is a result of the bypass research published here (for now kept private). The research introduced several new bypass techniques and expanded on several already-known bypasses.
Which issue(s) this PR fixes:
This PR touches five existing rules and introduces one new rule.
Special notes for your reviewer:
This PR does not cover the bypasses found in the original research fully. Rather it follows a low-hanging fruit approach and focuses on syntactical fixes that do not require structural changes to the rule engine or kernel probes.
Does this PR introduce a user-facing change?: