Kogito / KOGITO-8088

Gain All Capabilities Using Unshare


    • Type: Enhancement
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 1.29.0.Final
    • Component/s: Operator
    • Sprint: 2022 Week 38-40 (from Sept 19), 2022 Week 41-43 (from Oct 10)

      Kubernetes by default doesn't apply any seccomp or AppArmor/SELinux profile restrictions when the
      pod is scheduled to run.
      Hence, such a pod by default gets free access to dangerous system calls that allow it to escalate
      privileges and gain capabilities such as CAP_SYS_ADMIN for a further attack.

      Steps to Reproduce:
      1. Exec into the pod and notice that the pod doesn't have CAP_SYS_ADMIN assigned.
      2. Make the unshare system call: 'unshare -Urm'
      3. The attached screenshot shows that the pod has gained CAP_SYS_ADMIN after the use of
      unshare.
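The mitigation the issue asks the Operator to apply is a pod securityContext. As an added example (not from this issue and not the Kogito Operator's own manifests), the first spec below relies on the Kubernetes defaults described above, and the second applies the restrictions that close the gap: the runtime's default seccomp profile (in the containerd/Docker default profiles, clone/unshare with namespace-creating flags is denied unless the container already holds CAP_SYS_ADMIN), no privilege escalation, every capability dropped, and no root. The pod name and image reference are constructed placeholders.

```yaml
# Added example, not from the Kogito issue: a pod on Kubernetes defaults (no seccomp
# profile, no capability restrictions) beside the same pod with the restrictions applied.
# The pod names and the image reference are constructed placeholders.
---
# Weak: relies on the defaults the issue describes. Nothing stops the container from
# creating a user namespace and holding CAP_SYS_ADMIN inside it.
apiVersion: v1
kind: Pod
metadata:
  name: example-weak                   # constructed name
spec:
  containers:
    - name: app
      image: example.invalid/app:1.0   # constructed image reference
---
# Hardened: request the runtime's default seccomp profile, forbid privilege escalation,
# drop every capability, and refuse to run as root.
apiVersion: v1
kind: Pod
metadata:
  name: example-hardened               # constructed name
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault             # use the container runtime's default seccomp profile
  containers:
    - name: app
      image: example.invalid/app:1.0   # constructed image reference
      securityContext:
        allowPrivilegeEscalation: false  # sets no_new_privs for the container process
        capabilities:
          drop: ["ALL"]                # start from an empty capability set
```

These four settings are also what the Pod Security Standards "restricted" level requires, so labelling the namespace with `pod-security.kubernetes.io/enforce: restricted` makes the API server reject a pod that still looks like the first spec; repeating step 1 of the reproduction inside the hardened pod is the quick check that the capability set is empty and stays empty.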

              Filippe Spolti (rhn-support-fspolti)
              Adriel Paredes (aparedes@redhat.com)
              Jakub Schwan