Feature Enhancement: Is warning/disabling limited to only a subset of system calls? #1614

Open
dejavudwh opened this issue Feb 7, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@dejavudwh

Is warning/disabling restricted to the system calls involved in the KubeArmor/KubeArmor/BPF/system_monitor.c file?

If so, is it possible to hook into raw_tracepoint/sys_enter, disable the system calls of the current process based on the system call number and the binary executable file path information of the task_struct, and then pass some key information to user space for further processing?

@dejavudwh dejavudwh added the enhancement New feature or request label Feb 7, 2024
@daemon1024
Member

@dejavudwh KubeArmor does not allow custom syscalls. We have a predefined set of hooks which are safe to work with to do enforcement. We specifically use BPF LSM for that.

I believe if you create a Block Policy for the process you want to block, KubeArmor should already be blocking it without needing to hook into sys_enter.
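
For readers following the thread, a sketch of the kind of Block policy the reply refers to. This is an added example, not part of either comment and not taken from the KubeArmor repository. The policy name, namespace, pod label and binary paths are assumptions chosen for illustration.

```yaml
# Added illustration: a KubeArmorPolicy that blocks process execution by path.
# All names, labels and paths below are hypothetical placeholders.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-example-tool          # hypothetical policy name
  namespace: default                # assumed namespace
spec:
  severity: 5
  message: "execution of a blocked binary was denied"
  tags: ["example"]
  selector:
    matchLabels:
      app: example-app              # assumed label on the target pods
  process:
    matchPaths:
      # Deny this binary no matter which parent process launches it.
      - path: /usr/bin/example-tool
      # Deny this binary only when it is launched from the listed parent,
      # which scopes the rule by executable path rather than by syscall number.
      - path: /usr/bin/example-helper
        fromSource:
          - path: /bin/bash
  action: Block
```

The rule is keyed on the executable path of the process being launched, so it covers the "block by binary path" part of the question without a custom sys_enter hook; the denied attempt is reported with the policy's `message` and `severity`.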
