Feature/upper layer

chart/kubecop/crds/app-profile.crd.yaml

@@ -61,6 +61,8 @@ spec:
                               type: string
                           path:
                             type: string
+                          upperLayer:
+                            type: boolean
                     name:
                       type: string
                     opens:

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/gammazero/workerpool v1.1.3
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/inspektor-gadget/inspektor-gadget v0.26.0
-	github.com/kubescape/kapprofiler v0.0.59
+	github.com/kubescape/kapprofiler v0.0.60
 	github.com/prometheus/alertmanager v0.26.0
 	github.com/prometheus/client_golang v1.19.0
 	github.com/stretchr/testify v1.9.0

go.sum

@@ -243,8 +243,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubescape/kapprofiler v0.0.59 h1:3l6jcbX1PamA29A5tbbJSFG5wmLI0lFAk7I719jyhJ8=
-github.com/kubescape/kapprofiler v0.0.59/go.mod h1:5bV7/mL6fAylN9j+othkXbW6RG1m5thFwdsuUyN20vE=
+github.com/kubescape/kapprofiler v0.0.60 h1:beFkDs3kNU0I1YRKLvvh8pFxjllfa/CjFKT0mglFJMk=
+github.com/kubescape/kapprofiler v0.0.60/go.mod h1:5bV7/mL6fAylN9j+othkXbW6RG1m5thFwdsuUyN20vE=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=

pkg/engine/rule/r1001_exec_binary_not_in_base_image.go

@@ -2,12 +2,6 @@ package rule
 
 import (
 	"fmt"
-	"os"
-	"path/filepath"
-	"syscall"
-
-	"github.com/prometheus/procfs"
-	log "github.com/sirupsen/logrus"
 
 	"github.com/armosec/kubecop/pkg/approfilecache"
 	"github.com/kubescape/kapprofiler/pkg/tracing"
@@ -66,7 +60,7 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType tracing.EventT
 		return nil
 	}
 
-	if !IsExecBinaryInUpperLayer(execEvent) {
+	if !execEvent.UpperLayer {
 		return nil
 	}
 
@@ -79,84 +73,9 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType tracing.EventT
 	}
 }
 
-func IsExecBinaryInUpperLayer(execEvent *tracing.ExecveEvent) bool {
-	// Find a process with the same mount namespace ID as the exec event.
-	process, err := findProcessByMountNamespace(execEvent)
-	if err != nil {
-		//log.Printf("Error finding process by mount namespace: %s\n", err)
-		return false
-	}
-
-	// Get the overlay mount point for the process.
-	upperLayerPath, err := getOverlayMountPoint(process)
-	if err != nil {
-		return false
-	}
-
-	return fileExists(filepath.Join(upperLayerPath, execEvent.PathName))
-}
-
-func findProcessByMountNamespace(execEvent *tracing.ExecveEvent) (*procfs.Proc, error) {
-	procs, err := procfs.AllProcs()
-	if err != nil {
-		return nil, err
-	}
-
-	for _, proc := range procs {
-		// Check if the mount namespace ID matches the specified namespaceID
-		mountNamespaceId, err := getMountNamespaceID(proc.PID)
-		if err != nil {
-			log.Debugf("Error reading mount namespace ID for PID %d: %s\n", proc.PID, err)
-			continue
-		}
-
-		if mountNamespaceId == execEvent.MountNsID {
-			return &proc, nil
-		}
-
-	}
-
-	return nil, fmt.Errorf("no matching process found for mount namespace %d", execEvent.MountNsID)
-}
-
-func getMountNamespaceID(pid int) (uint64, error) {
-	nsPath := fmt.Sprintf("/proc/%d/ns/mnt", pid)
-
-	stat := syscall.Stat_t{}
-	err := syscall.Stat(nsPath, &stat)
-	if err != nil {
-		return 0, err
-	}
-
-	return stat.Ino, nil
-}
-
-func getOverlayMountPoint(process *procfs.Proc) (string, error) {
-	// Read the mount info for the process, and find the overlay mount point. (There should only be one?).
-	if mounts, err := process.MountInfo(); err == nil {
-		for _, mount := range mounts {
-			if mount.FSType == "overlay" {
-				return mount.SuperOptions["upperdir"], nil
-			}
-		}
-	}
-
-	return "", fmt.Errorf("failed to get mount point for pid %d", process.PID)
-}
-
-func fileExists(filePath string) bool {
-	info, err := os.Stat(filepath.Join("/host", filePath))
-	if os.IsNotExist(err) {
-		log.Debugf("File %s does not exist %s \n", filePath, err)
-		return false
-	}
-
-	return !info.IsDir()
-}
-
 func (rule *R1001ExecBinaryNotInBaseImage) Requirements() RuleRequirements {
 	return RuleRequirements{
-		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
+		EventTypes:             R1001ExecBinaryNotInBaseImageRuleDescriptor.Requirements.EventTypes,
 		NeedApplicationProfile: false,
 	}
 }

pkg/engine/rule/r1001_exec_binary_not_in_base_image_test.go

@@ -21,8 +21,9 @@ func TestR1001ExecBinaryNotInBaseImage(t *testing.T) {
 			Namespace:   "test",
 			Timestamp:   0,
 		},
-		PathName: "/usr/bin/test",
-		Args:     []string{"test"},
+		PathName:   "/usr/bin/test",
+		Args:       []string{"test"},
+		UpperLayer: false,
 	}
 
 	// Test with non existing binary