Comments (2)
TODO: Check if it can be attacked.
With default kubelet config this is not called and so can't be attacked
This is not called in a default config as it is called by:
// Ensures the system container is created and all non-kernel threads and process 1
// without a container are moved to it.
//
// The reason of leaving kernel threads at root cgroup is that we don't want to tie the
// execution of these threads with to-be defined /system quota and create priority inversions.
//
func ensureSystemCgroups(rootCgroupPath string, manager *fs.Manager) error {
which is called only if SystemCgroups
kubelet config is set - https://github.com/kubernetes/kubernetes/blob/v1.13.5/pkg/kubelet/cm/container_manager_linux.go#L441-L450 is not hit. - which is not set in default config.
Related config:
// SystemCgroups is absolute name of cgroups in which to place
// all non-kernel processes that are not already in a container. Empty
// for no container. Rolling back the flag requires a reboot.
SystemCgroups
So to be more clear: in default config the cm.ensureStateFunc
is not set to the ensureSystemCgroups
and so isKernelPid
is not called.
When is isKernelPid
called? Can it be attacked with different config?
E.g. if we specify --system-cgroups=/lol --cgroup-root=/
flags to Kubelet.
But on my testing setup, I ended up with no processes that were moved to the cgroup:
I0410 09:49:06.672083 8297 container_manager_linux.go:887] Found 86 PIDs in root, 86 of them are not to be moved
i.e. all system processes found were kernel processes.
Since user processes end up in e.g. /user.slice
cgroup I don't think there is a way to attack it:
root@ubuntu-bionic:/home/vagrant# cat /proc/self/cgroup
12:devices:/user.slice
11:pids:/user.slice/user-1000.slice/session-3.scope
10:cpu,cpuacct:/user.slice
9:freezer:/
8:rdma:/
7:blkio:/user.slice
6:perf_event:/
5:memory:/user.slice
4:hugetlb:/
3:cpuset:/
2:net_cls,net_prio:/
1:name=systemd:/user.slice/user-1000.slice/session-3.scope
0::/user.slice/user-1000.slice/session-3.scope
Possible recommendation
It seems they should check if error is ENOENT
:
root@dc:/home/dc# strace -e readlink readlink /proc/104/exe
readlink("/proc/104/exe", 0x5597a6567400, 64) = -1 ENOENT (No such file or directory)```
from audit-kubernetes.
Btw - removing a process doesn't make readlink return an error.
dc@dc:~/gohacks$ cp /bin/bash .
dc@dc:~/gohacks$ ./bash
dc@dc:~/gohacks$ rm bash
dc@dc:~/gohacks$ go build is_kernel_pid
dc@dc:~/gohacks$ ./is_kernel_pid $$
readlink='/home/dc/gohacks/bash (deleted)', err='<nil>'
isKernelPid(1328) = false
package main
import (
"fmt"
"strconv"
"os"
)
func main() {
pid, _ := strconv.Atoi(os.Args[1])
fmt.Printf("isKernelPid(%d) = %v\n", pid, isKernelPid(pid))
}
// Determines whether the specified PID is a kernel PID.
func isKernelPid(pid int) bool {
// Kernel threads have no associated executable.
a, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
fmt.Printf("readlink='%v', err='%v'\n", a, err)
return err != nil
}```
from audit-kubernetes.
Related Issues (20)
- Kubelet crash if a command fails to yield an stdout value
- Kubelet can be used to enumerate the host network via liveness probes
- Directory traversal of /var/log/ on a host running kube-apiserver HOT 1
- Potential overflows in DaemonSet status
- Potential method of preventing a Deployment from completing via ReplicationController interference
- As a Malicious Internal User… HOT 1
- As an Internal Attacker... HOT 5
- As An External Attacker… HOT 1
- Encryption recommendations not in accordance with best practices HOT 1
- `kubectl cp` has insecurities when communicating with a malicious pod HOT 2
- Network tracking issue
- Custom tempFile code HOT 2
- Go services seed math/random from system time
- iSCSI Volume Storage Cleartext Secrets in Logs HOT 2
- Kubernetes does not facilitate certificate revocation HOT 1
- Excessive Resource Consumption - kube-apiserver HOT 1
- HTTPS not authenticated in many communication channels HOT 1
- Improper Chunked Response Handling
- Excessive Resource Consumption - CoreDNS
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from audit-kubernetes.