
Commit 1742355

authored
disk_mount: don't whitelist runc process (#2659)
instead use the ContainerStarted context flag
1 parent f4048f9 commit 1742355


2 files changed

+22
-22
lines changed


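--- a/signatures/golang/disk_mount.go
+++ b/signatures/golang/disk_mount.go
@@ -56,12 +56,16 @@ func (sig *DiskMount) OnEvent(event protocol.Event) error {
 
 case "security_sb_mount":
 
+if !eventObj.ContextFlags.ContainerStarted {
+return nil
+}
+
 deviceName, err := helpers.GetTraceeStringArgumentByName(eventObj, "dev_name")
 if err != nil {
 return nil
 }
 
-if !isRunc(eventObj) && strings.HasPrefix(deviceName, sig.devDir) {
+if strings.HasPrefix(deviceName, sig.devDir) {
 metadata, err := sig.GetMetadata()
 if err != nil {
 return err
@@ -82,11 +86,3 @@ func (sig *DiskMount) OnSignal(s detect.Signal) error {
 return nil
 }
 func (sig *DiskMount) Close() {}
-
-func isRunc(event trace.Event) bool {
-if event.ThreadID == 1 && strings.HasPrefix(event.ProcessName, "runc:") {
-return true
-}
-
-return false
-}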
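Review bot: The new `if !eventObj.ContextFlags.ContainerStarted { return nil }` gate in the first hunk is broader than the isRunc whitelist it replaces: as far as I can tell it drops every mount whose ContainerStarted flag is unset, which presumably also covers mounts issued by host processes outside any container, not only runc's setup mounts, so a host-side mount under sig.devDir that used to raise TRC-1014 would no longer do so. If narrowing the signature to running containers is intended, say so at the gate, e.g. `// Mounts issued before the container's init is running belong to runtime setup and are ignored; only mounts from a started container are checked.` If it is not intended, the gate should additionally confirm that the event belongs to a container rather than rely on the flag alone. OnEvent and the enclosing switch start before this hunk, so the assertion that produces eventObj is not visible here.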

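--- a/signatures/golang/disk_mount_test.go
+++ b/signatures/golang/disk_mount_test.go
@@ -20,9 +20,10 @@ func TestDiskMount(t *testing.T) {
 Name: "should trigger detection",
 Events: []trace.Event{
 {
-ProcessName: "mal",
-ThreadID: 8,
-EventName: "security_sb_mount",
+ProcessName: "mal",
+ThreadID: 8,
+ContextFlags: trace.ContextFlags{ContainerStarted: true},
+EventName: "security_sb_mount",
 Args: []trace.Argument{
 {
 ArgMeta: trace.ArgMeta{
@@ -37,9 +38,10 @@ func TestDiskMount(t *testing.T) {
 "TRC-1014": {
 Data: nil,
 Event: trace.Event{
-ProcessName: "mal",
-ThreadID: 8,
-EventName: "security_sb_mount",
+ProcessName: "mal",
+ThreadID: 8,
+ContextFlags: trace.ContextFlags{ContainerStarted: true},
+EventName: "security_sb_mount",
 Args: []trace.Argument{
 {
 ArgMeta: trace.ArgMeta{
@@ -68,12 +70,13 @@ func TestDiskMount(t *testing.T) {
 },
 },
 {
-Name: "should not trigger detection - runc",
+Name: "should not trigger detection - container not started",
 Events: []trace.Event{
 {
-ProcessName: "runc:[init]",
-ThreadID: 1,
-EventName: "security_sb_mount",
+ProcessName: "runc:[init]",
+ThreadID: 1,
+ContextFlags: trace.ContextFlags{ContainerStarted: false},
+EventName: "security_sb_mount",
 Args: []trace.Argument{
 {
 ArgMeta: trace.ArgMeta{
@@ -90,9 +93,10 @@ func TestDiskMount(t *testing.T) {
 Name: "should not trigger detection - wrong path",
 Events: []trace.Event{
 {
-ProcessName: "runc:[init]",
-ThreadID: 8,
-EventName: "security_sb_mount",
+ProcessName: "runc:[init]",
+ThreadID: 8,
+ContextFlags: trace.ContextFlags{ContainerStarted: true},
+EventName: "security_sb_mount",
 Args: []trace.Argument{
 {
 ArgMeta: trace.ArgMeta{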
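Review bot: None of the updated cases pins the behaviour this commit actually changes: a process whose name starts with `runc:` on ThreadID 1 but with `ContextFlags: trace.ContextFlags{ContainerStarted: true}` should now raise TRC-1014, where the removed isRunc guard would have suppressed it, and a fifth case built like the "should trigger detection" event with `ProcessName: "runc:[init]", ThreadID: 1` would lock that in. In the two negative cases the `runc:[init]` ProcessName and the ThreadID values are leftovers of the old whitelist and no longer influence the outcome, so either simplify them or drop those fields so the flag is the visible discriminator. TestDiskMount's table starts and ends outside these hunks.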
