Description
Disclaimer up front: This is not an issue when using the official dockerhub neuvector images.
In 1566650 there was a significant number of changes to harden processes around the controller and other neuvector system containers. One specific process allow that changed was the healthprobe allow, which previously allowed `cat` from any process path. With the changes here `cat` is only allowed if it's specifically from `/usr/bin/cat`.
On "rebased image builds" of NeuVector such as Ironbank, `cat` may be provided from a different path or from a multicall binary (coreutils/busybox). In these cases the probes are blocked by the enforcer with logs like this (busybox):
2025-04-25T19:48:24.381|DEBU|AGT|probe.(*Probe).IsAllowedShieldProcess: SHD: - id=1ea58c91d3286c5ab569c2ede205150963d9f074239fcdfdaf719acd2ba24747 pid=17263 ppe=&{Name:cat Path:/usr/bin/busybox User:root Uid:0 Hash:[] Action:deny CfgType:0 CreatedAt:0001-01-01 00:00:00 +0000 UTC UpdatedAt:0001-01-01 00:00:00 +0000 UTC Uuid:00000000-0000-0000-0000-000000000000 DerivedGroup: AllowFileUpdate:false ProbeCmds:[]} proc=&{pname:runc ppath:/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc name:cat path:/usr/bin/busybox cmds:[cat /tmp/ready ] user:root pid:17263 ppid:17254 sid:1970 pgid:15722 ruid:0 euid:0 retry:0 inspectTimes:0 startTime:{wall:13977791853356992633 ext:29872800546 loc:0x4dc8fa0} lastScanTime:{wall:13977791853356992633 ext:29872800546 loc:0x4dc8fa0} scanTimes:0 reported:64 action:allow riskyChild:false riskType: execScanDone:false}
Or this (coreutils):
2025-04-25T20:45:14.319|DEBU|AGT|probe.(*Probe).IsAllowedShieldProcess: SHD: - id=c95d66a01fea6c59d66d10bcae084aacbde4025d0b35c3741085dfe05831aa07 pid=61161 ppe=&{Name:cat Path:/usr/bin/coreutils User:root Uid:0 Hash:[] Action:deny CfgType:0 CreatedAt:0001-01-01 00:00:00 +0000 UTC UpdatedAt:0001-01-01 00:00:00 +0000 UTC Uuid:00000000-0000-0000-0000-000000000000 DerivedGroup: AllowFileUpdate:false ProbeCmds:[]} proc=&{pname:runc ppath:/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc name:cat path:/usr/bin/coreutils cmds:[/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /tmp/ready ] user:root pid:61161 ppid:61152 sid:1966 pgid:59414 ruid:0 euid:0 retry:0 inspectTimes:0 startTime:{wall:13977795514742820424 ext:62744828455 loc:0x4ed7240} lastScanTime:{wall:13977795514742820424 ext:62744828455 loc:0x4ed7240} scanTimes:0 reported:64 action:allow riskyChild:false riskType: execScanDone:false}
If there were a way to allow-list certain processes on the controller this would provide a route to allow the different cat path, but I haven't found a route to do this. I am deploying via the helm chart on EKS if it is helpful.
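As an added example (not NeuVector's own code, which is not on this page), here is a simplified Go model of the two matching behaviours described above, run over the `proc=` fields of the two quoted log lines: the name-only rule allows both multicall execs, the exact-path rule denies both, and a basename check flags them as multicall. `ProcRule`, `ProcEvent`, the parsing regex and the trimmed log excerpts are assumptions of this model.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// Trimmed excerpts of the two enforcer debug lines quoted in the issue;
// only the proc= fields this model reads are kept.
const (
	BusyboxLine   = `proc=&{pname:runc ppath:/usr/bin/runc name:cat path:/usr/bin/busybox cmds:[cat /tmp/ready ] user:root}`
	CoreutilsLine = `proc=&{pname:runc ppath:/usr/bin/runc name:cat path:/usr/bin/coreutils cmds:[/usr/bin/coreutils --coreutils-prog-shebang=cat /usr/bin/cat /tmp/ready ] user:root}`
)

// ProcRule is a simplified allow entry (assumed model, not NeuVector's types):
// the process name and the exact executable path it must be started from.
type ProcRule struct{ Name, Path string }

// ProcEvent is the observed exec: reported process name and executable path.
type ProcEvent struct{ Name, Path string }
// Leading space stops "pname:runc" from being read as a "name:" field.
var procRe = regexp.MustCompile(` name:(\S+) path:(\S+)`)

// ParseProcEvent pulls name and path out of one proc=&{...} fragment.
func ParseProcEvent(line string) (ProcEvent, bool) {
	m := procRe.FindStringSubmatch(line)
	if m == nil {
		return ProcEvent{}, false
	}
	return ProcEvent{Name: m[1], Path: m[2]}, true
}

// AllowedByName models the earlier behaviour: any path passes if the name matches.
func AllowedByName(r ProcRule, e ProcEvent) bool { return r.Name == e.Name }

// AllowedByPath models the hardened behaviour: name and exact path must match.
func AllowedByPath(r ProcRule, e ProcEvent) bool { return r.Name == e.Name && r.Path == e.Path }

// IsMulticall flags execs whose binary basename differs from the process name,
// the signature of a busybox/coreutils multicall invocation.
func IsMulticall(e ProcEvent) bool { return path.Base(e.Path) != e.Name }

func main() {
	rule := ProcRule{Name: "cat", Path: "/usr/bin/cat"}
	for _, line := range []string{BusyboxLine, CoreutilsLine} {
		e, _ := ParseProcEvent(line)
		fmt.Println(e.Path, "byName:", AllowedByName(rule, e), "byPath:", AllowedByPath(rule, e), "multicall:", IsMulticall(e))
	}
}
```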