# KubeArmor policy for the ubuntu-3 container: allow /home/user1/hello to be
# executed only by its owner, plus the process and file paths needed to switch
# from root to user1 so the test at the bottom of this file can run.
# In KubeArmor an Allow rule for an entity type (process, file) makes the policy
# an allowlist for that type: accesses not matched below are blocked — which is
# why every supporting path is enumerated explicitly. Confirm against the
# KubeArmor version in use, since the Allow semantics are not stated here.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-ubuntu-3-proc-path-owner-allow
  namespace: multiubuntu
spec:
  # severity is attached to alerts raised by this policy (KubeArmor uses a
  # 1-10 scale); it does not change enforcement
  severity: 7
  # the policy applies only to pods carrying this label
  selector:
    matchLabels:
      container: ubuntu-3
  process:
    matchPaths:
      # ownerOnly: only the file's owner may execute it; any other caller gets
      # "Permission denied" (first command in the test notes below), while
      # running it via `su - user1` succeeds
      - path: /home/user1/hello
        ownerOnly: true
    # recursive directory allows are broad: any binary under these trees may
    # be executed in the container
    matchDirectories:
      - dir: /bin/ # required to change root to user1
        recursive: true
      - dir: /usr/bin/ # used in changing accounts
        recursive: true
  file:
    # files touched by the root and user1 shells during the account switch
    matchPaths:
      - path: /root/.bashrc # used by root
      - path: /root/.bash_history # used by root
      - path: /home/user1/.profile # used by user1
      - path: /home/user1/.bashrc # used by user1
      - path: /run/utmp # required to change root to user1
      - path: /dev/tty
    # the "coarse-grained" entries below allow whole trees; the author chose
    # breadth over enumerating individual files under /etc/ and /proc/
    matchDirectories:
      - dir: /etc/ # required to change root to user1 (coarse-grained way)
        recursive: true
      - dir: /proc/ # required to change root to user1 (coarse-grained way)
        recursive: true
      - dir: /lib/ # used by root and user1
        recursive: true
      - dir: /sys/ # used by root and user1
        recursive: true
      # NOTE(review): /pts/ is not a conventional filesystem path; confirm
      # whether /dev/pts/ was intended, or whether this entry is a no-op
      - dir: /pts/ # used by root and user1
        recursive: true
  action:
    Allow
# multiubuntu_test_14
# test
# $ /home/user1/hello
# bash: /home/user1/hello: Permission denied
# $ su - user1 -c "/home/user1/hello"
# helloworld