Description
When node-agent builds an ApplicationProfile, exec entries are recorded from the exec event path chosen in userspace, typically argv[0]. If this path is a symlink, the profile stores the symlink path rather than the resolved executable path. This makes downstream policy generation less precise: a rule keyed on the symlink path describes the name the process was invoked by, not the binary that actually executed.
For example, in an nginx container on Ubuntu, the profile may record /bin/sh even though /bin/sh resolves to /usr/bin/dash inside the container.
Environment
OS: Ubuntu 22.04 LTS
Version: sha256:fe7195e32d7e08c3b2102fabf9eea27799c717110d79c0872f0d1ab7fc151630
Installed via: Kubescape-operator Helm chart 1.30.2
Steps To Reproduce
- Deploy the node-agent in a Kubernetes cluster with ApplicationProfileServiceEnabled: true
- Run an nginx container (or any Debian/Ubuntu-based image where /bin/sh is a symlink to /usr/bin/dash)
- Wait for the learning period to complete and an ApplicationProfile to be generated
- Inspect the execs field of the ApplicationProfile
Expected behavior
The ApplicationProfile should record /usr/bin/dash, the resolved executable path that actually runs in the container.
Actual Behavior
The ApplicationProfile records /bin/sh, the symlink path used in the process invocation, rather than the executable that actually ran.
Additional context
The underlying exec event handling appears to capture the invoked path from userspace, but the ApplicationProfile generation does not currently resolve the symlink path before storing the exec path. A possible fix would be to resolve the executable path in the container profile manager after receiving the exec event, with a fallback to the original path if resolution fails. Resolution has to be done against the container's root filesystem (its mount namespace), not the host's, since the same path can resolve differently on the host.
I am willing to implement this and submit a PR if the approach is acceptable.
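One way to implement the resolution step proposed above, as an added example that is not node-agent's code: a component-by-component resolver that follows symlinks inside a container rootfs (assumed to be reachable from the host, for example via /proc/&lt;pid&gt;/root), re-roots absolute link targets at that rootfs rather than the host /, caps the number of link hops so a link loop cannot hang the profile manager, and falls back to the original exec path on any failure. The function names (resolveInRoot, execPathForProfile, buildDemoRootfs) are hypothetical, and the mini rootfs is constructed in a temp directory to mirror a Debian image where /bin/sh links to /usr/bin/dash.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const maxSymlinkHops = 40 // bound on link chains so a loop (a -> b -> a) cannot spin forever

func splitPath(p string) []string {
	return strings.Split(strings.TrimPrefix(filepath.Clean(p), "/"), "/")
}

// resolveInRoot resolves execPath (absolute, as the container sees it) against rootfs
// (the container root as seen from the host, e.g. /proc/<pid>/root), following symlinks
// one component at a time. Absolute link targets are re-rooted at rootfs, never the host "/".
func resolveInRoot(rootfs, execPath string) (string, error) {
	if !filepath.IsAbs(execPath) {
		return "", fmt.Errorf("exec path %q is not absolute", execPath)
	}
	remaining, resolved, hops := splitPath(execPath), "/", 0
	for len(remaining) > 0 {
		comp := remaining[0]
		remaining = remaining[1:]
		if comp == "" || comp == "." {
			continue
		}
		if comp == ".." {
			resolved = filepath.Dir(resolved) // filepath.Dir("/") == "/": cannot climb above rootfs
			continue
		}
		candidate := filepath.Join(resolved, comp)
		fi, err := os.Lstat(filepath.Join(rootfs, candidate))
		if err != nil {
			return "", err // missing component; caller falls back to the raw path
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			resolved = candidate
			continue
		}
		if hops++; hops > maxSymlinkHops {
			return "", fmt.Errorf("too many levels of symbolic links in %q", execPath)
		}
		target, err := os.Readlink(filepath.Join(rootfs, candidate))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			resolved = "/" // re-root inside the container, not the host
		}
		remaining = append(splitPath(target), remaining...) // relative targets start at resolved
	}
	return resolved, nil
}

// execPathForProfile is the fallback wrapper: resolved path on success, raw exec path otherwise.
func execPathForProfile(rootfs, execPath string) string {
	if resolved, err := resolveInRoot(rootfs, execPath); err == nil {
		return resolved
	}
	return execPath
}

// buildDemoRootfs lays out a constructed mini rootfs (hypothetical, for the example): /usr/bin/dash
// is the real file; /bin/sh, /usr/local/bin/sh, /bin/dangling and /bin/loop are symlinks.
func buildDemoRootfs(dir string) error {
	for _, d := range []string{"bin", "usr/bin", "usr/local/bin"} {
		if err := os.MkdirAll(filepath.Join(dir, d), 0o755); err != nil {
			return err
		}
	}
	if err := os.WriteFile(filepath.Join(dir, "usr/bin/dash"), []byte("#!/bin/sh\n"), 0o755); err != nil {
		return err
	}
	links := map[string]string{"bin/sh": "/usr/bin/dash", "usr/local/bin/sh": "../../bin/dash",
		"bin/dangling": "/nonexistent", "bin/loop": "/bin/loop"}
	for link, target := range links {
		if err := os.Symlink(target, filepath.Join(dir, link)); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "rootfs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := buildDemoRootfs(dir); err != nil {
		panic(err)
	}
	for _, p := range []string{"/bin/sh", "/usr/local/bin/sh", "/bin/dangling", "/bin/loop"} {
		fmt.Printf("%-18s -> %s\n", p, execPathForProfile(dir, p))
	}
}
```

Two caveats the fallback deliberately covers: an argv[0] that is relative or a bare name (sh, ./start.sh) cannot be resolved without the process's cwd and PATH, so it is stored unchanged; and a link that is missing, looping, or deeper than maxSymlinkHops also keeps the raw path. Because the link is read after the exec event rather than at exec time, a link changed in between resolves to its new target; while the process is still alive, /proc/&lt;pid&gt;/exe is the kernel's own answer for what actually ran.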