fix C-0074

Signed-off-by: kooomix <[email protected]>
kubescape · Mar 26, 2024 · f5e71ba · f5e71ba
1 parent 3f87f91
commit f5e71ba
Show file tree

Hide file tree

Showing 10 changed files with 54 additions and 27 deletions.
diff --git a/rules/containers-mounting-docker-socket/raw.rego b/rules/containers-mounting-docker-socket/raw.rego
@@ -7,12 +7,15 @@ deny[msga] {
     volume := pod.spec.volumes[i]
 	host_path := volume.hostPath
     is_runtime_socket_mounting(host_path)
-	path := sprintf("spec.volumes[%v].hostPath.path", [format_int(i, 10)])
+	path := sprintf("spec.volumes[%v]", [format_int(i, 10)])
+	volumeMounts := pod.spec.containers[j].volumeMounts
+	pathMounts = volume_mounts(volume.name, volumeMounts, sprintf("spec.containers[%v]", [j]))
+	finalPath := array.concat([path], pathMounts)
     msga := {
 		"alertMessage": sprintf("volume: %v in pod: %v has mounting to Docker internals.", [volume.name, pod.metadata.name]),
 		"packagename": "armo_builtins",
-		"deletePaths": [path],
-		"failedPaths": [path],
+		"deletePaths":finalPath,
+		"failedPaths": finalPath,
 		"fixPaths":[],
 		"alertScore": 5,
 		"alertObject": {
@@ -30,12 +33,15 @@ deny[msga] {
     volume := wl.spec.template.spec.volumes[i]
 	host_path := volume.hostPath
     is_runtime_socket_mounting(host_path)
-	path := sprintf("spec.template.spec.volumes[%v].hostPath.path", [format_int(i, 10)])
+	path := sprintf("spec.template.spec.volumes[%v]", [format_int(i, 10)])
+	volumeMounts := wl.spec.template.spec.containers[j].volumeMounts
+	pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.template.spec.containers[%v]", [j]))
+	finalPath := array.concat([path], pathMounts)
 	msga := {
 		"alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
-		"deletePaths": [path],
-		"failedPaths": [path],
+		"deletePaths": finalPath,
+		"failedPaths": finalPath,
 		"fixPaths":[],
 		"alertScore": 5,
 		"alertObject": {
@@ -51,12 +57,15 @@ deny[msga] {
 	volume = wl.spec.jobTemplate.spec.template.spec.volumes[i]
     host_path := volume.hostPath
     is_runtime_socket_mounting(host_path)
-	path := sprintf("spec.jobTemplate.spec.template.spec.volumes[%v].hostPath.path", [format_int(i, 10)])
+	path := sprintf("spec.jobTemplate.spec.template.spec.volumes[%v]", [format_int(i, 10)])
+	volumeMounts := wl.spec.jobTemplate.spec.template.spec.containers[j].volumeMounts
+	pathMounts = volume_mounts(volume.name,volumeMounts, sprintf("spec.jobTemplate.spec.template.spec.containers[%v]", [j]))
+	finalPath := array.concat([path], pathMounts)
     msga := {
 		"alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
-		"deletePaths": [path],
-		"failedPaths": [path],
+		"deletePaths": finalPath,
+		"failedPaths": finalPath,
 		"fixPaths":[],
 		"alertScore": 5,
 		"alertObject": {
@@ -65,6 +74,10 @@ deny[msga] {
 	}
 }
 
+volume_mounts(name, volume_mounts, str) = [path] {
+	name == volume_mounts[j].name
+	path := sprintf("%s.volumeMounts[%v]", [str, j])
+} else = []
 
 is_runtime_socket_mounting(host_path) {
 	host_path.path == "/var/run/docker.sock"

diff --git a/rules/containers-mounting-docker-socket/test/cronjob-containerd/expected.json b/rules/containers-mounting-docker-socket/test/cronjob-containerd/expected.json
@@ -2,10 +2,13 @@
     {
         "alertMessage": "volume: test-volume in CronJob: hello has mounting to Docker internals.",
         "deletePaths": [
-            "spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path"
+            "spec.jobTemplate.spec.template.spec.volumes[0]",
+            "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]"
+
         ],
         "failedPaths": [
-            "spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path"
+            "spec.jobTemplate.spec.template.spec.volumes[0]",
+            "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]"
         ],
         "fixPaths": [],
         "ruleStatus": "",

diff --git a/rules/containers-mounting-docker-socket/test/cronjob-crio/expected.json b/rules/containers-mounting-docker-socket/test/cronjob-crio/expected.json
@@ -2,10 +2,12 @@
     {
         "alertMessage": "volume: test-volume in CronJob: hello has mounting to Docker internals.",
         "deletePaths": [
-            "spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path"
+            "spec.jobTemplate.spec.template.spec.volumes[0]",
+            "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]"
         ],
         "failedPaths": [
-            "spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path"
+            "spec.jobTemplate.spec.template.spec.volumes[0]",
+            "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]"
         ],
         "fixPaths": [],
         "ruleStatus": "",

diff --git a/rules/containers-mounting-docker-socket/test/cronjob/expected.json b/rules/containers-mounting-docker-socket/test/cronjob/expected.json
@@ -2,10 +2,13 @@
     {
         "alertMessage": "volume: test-volume in CronJob: hello has mounting to Docker internals.",
         "deletePaths": [
-            "spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path"
+            "spec.jobTemplate.spec.template.spec.volumes[0]",
+            "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]"
+
         ],
         "failedPaths": [
-            "spec.jobTemplate.spec.template.spec.volumes[0].hostPath.path"
+            "spec.jobTemplate.spec.template.spec.volumes[0]",
+            "spec.jobTemplate.spec.template.spec.containers[0].volumeMounts[0]"
         ],
         "fixPaths": [],
         "ruleStatus": "",

diff --git a/rules/containers-mounting-docker-socket/test/pod-containerd/expected.json b/rules/containers-mounting-docker-socket/test/pod-containerd/expected.json
@@ -2,10 +2,12 @@
     {
         "alertMessage": "volume: test-volume in pod: test-pd has mounting to Docker internals.",
         "deletePaths": [
-            "spec.volumes[0].hostPath.path"
+            "spec.volumes[0]",
+            "spec.containers[0].volumeMounts[0]"
         ],
         "failedPaths": [
-            "spec.volumes[0].hostPath.path"
+            "spec.volumes[0]",
+            "spec.containers[0].volumeMounts[0]"
         ],
         "fixPaths": [],
         "ruleStatus": "",

diff --git a/rules/containers-mounting-docker-socket/test/pod-crio/expected.json b/rules/containers-mounting-docker-socket/test/pod-crio/expected.json
@@ -2,10 +2,12 @@
     {
         "alertMessage": "volume: test-volume in pod: test-pd has mounting to Docker internals.",
         "deletePaths": [
-            "spec.volumes[0].hostPath.path"
+            "spec.volumes[0]",
+            "spec.containers[0].volumeMounts[0]"
         ],
         "failedPaths": [
-            "spec.volumes[0].hostPath.path"
+            "spec.volumes[0]",
+            "spec.containers[0].volumeMounts[0]"
         ],
         "fixPaths": [],
         "ruleStatus": "",

diff --git a/rules/containers-mounting-docker-socket/test/pod/expected.json b/rules/containers-mounting-docker-socket/test/pod/expected.json
@@ -2,10 +2,12 @@
     {
         "alertMessage": "volume: test-volume in pod: test-pd has mounting to Docker internals.",
         "deletePaths": [
-            "spec.volumes[0].hostPath.path"
+            "spec.volumes[0]",
+            "spec.containers[0].volumeMounts[0]"
         ],
         "failedPaths": [
-            "spec.volumes[0].hostPath.path"
+            "spec.volumes[0]",
+            "spec.containers[0].volumeMounts[0]"
         ],
         "fixPaths": [],
         "ruleStatus": "",

diff --git a/rules/containers-mounting-docker-socket/test/workloads-containerd/expected.json b/rules/containers-mounting-docker-socket/test/workloads-containerd/expected.json
@@ -2,10 +2,10 @@
     {
         "alertMessage": "volume: test-volume2 in Deployment: my-deployment has mounting to Docker internals.",
         "deletePaths": [
-            "spec.template.spec.volumes[1].hostPath.path"
+            "spec.template.spec.volumes[1]"
         ],
         "failedPaths": [
-            "spec.template.spec.volumes[1].hostPath.path"
+            "spec.template.spec.volumes[1]"
         ],
         "fixPaths": [],
         "ruleStatus": "",

diff --git a/rules/containers-mounting-docker-socket/test/workloads-crio/expected.json b/rules/containers-mounting-docker-socket/test/workloads-crio/expected.json
@@ -2,10 +2,10 @@
     {
         "alertMessage": "volume: test-volume2 in Deployment: my-deployment has mounting to Docker internals.",
         "deletePaths": [
-            "spec.template.spec.volumes[1].hostPath.path"
+            "spec.template.spec.volumes[1]"
         ],
         "failedPaths": [
-            "spec.template.spec.volumes[1].hostPath.path"
+            "spec.template.spec.volumes[1]"
         ],
         "fixPaths": [],
         "ruleStatus": "",

diff --git a/rules/containers-mounting-docker-socket/test/workloads/expected.json b/rules/containers-mounting-docker-socket/test/workloads/expected.json
@@ -2,10 +2,10 @@
     {
         "alertMessage": "volume: test-volume2 in Deployment: my-deployment has mounting to Docker internals.",
         "deletePaths": [
-            "spec.template.spec.volumes[1].hostPath.path"
+            "spec.template.spec.volumes[1]"
         ],
         "failedPaths": [
-            "spec.template.spec.volumes[1].hostPath.path"
+            "spec.template.spec.volumes[1]"
         ],
         "fixPaths": [],
         "ruleStatus": "",